Oct
13th

Microsoft finds published exploit of Vista privilege elevation hole

Posted by Mark

A less-than-critical Vista hole could become more critical, as Microsoft’s security team says it’s aware of a published exploit that could enable an ordinary process to pass itself off as a system process with unrestricted access.

Last April, Microsoft admitted to a serious, though perhaps not critical, security hole in all modern versions of Windows including XP and Vista. But a notice posted last Thursday to the company’s Security Response Center blog, warning of a published exploit using that same technique, is an indication that the hole has gone unplugged all this time.

Tomorrow being “Patch Tuesday,” Microsoft has advised admins to prepare for four “critical” and six “important” patches, and among that latter group are three related to elevation of privilege in Windows. That’s all the general public is allowed to know for now, as Microsoft is now limiting the degree of information it shares prior to Patch Tuesday in an effort to thwart “zero-day” exploits. One of those patches could pertain to this particular exploit.

Microsoft made its original acknowledgement last spring after an independent researcher named Cesar Cerrudo gave a presentation in Dubai (PDF available here). There, Cerrudo demonstrated how a Windows process can obtain service-level privileges just by making any old API call that communicates with a service. In Windows, a service is a continually running program that provides functions to the operating system; there are typically dozens of services running in Windows at any one time. A technique with the unfortunate name of impersonation is legitimately used so that the process appears qualified to communicate with that service.

Cerrudo showed how, in Windows XP, if the process can impersonate a service in order to talk with a service, it can trick the impersonation technique into giving it system-level privileges instead, which are the same as being completely unrestricted. He then demonstrated how Windows Vista implemented firewall techniques to prevent this from happening. Those prevention measures are largely successful, except in the case of so-called thread pool processes. For multithreaded applications, a single thread pool can be established for the legitimate purpose of performing certain functions on behalf of multiple threads, thus helping to make code tighter and more manageable. Vista’s service-impersonation protection, Cerrudo showed, did not extend to thread pools.

The Microsoft security team’s Bill Fisk said in a blog post Thursday he is unaware of any active attacks using the published exploit, adding, “Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory.” Those workarounds for admins involve IIS 6.0 and IIS 7.0, and include setting up provisions for so-called worker process identities, which would conceivably prevent a remote process from being able to pass itself off as a local process, in order to start impersonating a service or system-level process later.

Oct
12th

World Bank Hacking - Great Timing

Posted by Mark

The World Bank has been hacked repeatedly over the last year, according to a report on Dark Reading, which once again raises the question: where was the information security team on this one?

With the banks in crisis and contributing to a generalized distrust of the banking system, the news of the breach could not come at a worse time. While many in the information security world are wondering who is running the servers and managing the security at many of the banking companies as they consolidate and shut down, news of a World Bank hack involving five servers that contained sensitive data, going on for a year, comes as stunning information.

The data raids are not a matter of stealing inconsequential bits and bytes. The World Bank’s data center is literally a treasure trove of vital financial information from around the globe. As a clearinghouse for financial data from both governments and companies, the bank’s computers could provide intruders with both a financial and intelligence gold mine — from inside information on bids and contracts to the minutes of confidential board meetings. Source: Fox News

You can read the memos here and here, the dark reading article is right here.

All in all, this is going to end up compromising not just people, but governmental information about money: how it is used and where it is going around the world. The interesting part is that it is not just money movements: knowing what the World Bank is going to invest in next can give a company a competitive advantage, or allow the hackers to follow the money to other banks where security is much poorer than it was at the World Bank.

They also do not know what was stolen, as they are still trying to figure out who got in or how they compromised the systems. Dark Reading is calling it a spyware hack, but that means it would have had to come in via an image, a USB device, or someone browsing from an unpatched computer where a hole was exploited. There are any number of ways the intruder could have got into the system.

There might just need to be a complete overhaul of the World Bank networks and systems to make sure that no additional back doors were left and no other systems were compromised. What is more worrisome, though, is that the key server for the bank was also hacked, meaning the attackers have the keys that were stored on that system. This means that all the keys issued by that server are also going to have to be reissued. Interesting story, with many ideas on whom, what, and how. The cleanup is going to be very hard, and they will need a security crew that is capable of cleaning up the mess.

Jul
7th

MPAA approves “military strength” encryption for video streaming

Posted by Mark

The MPAA has approved the use of DreamStream “military strength” 2048-bit encryption to protect online video streaming content in an effort to stop unauthorized downloads of the content.

“We are very excited to have the MPAA stand behind our technology,” said Ulf Diebel, chief development officer for DreamStream. “The MPAA understands the need to be proactive - rather than reactive — in addressing the chokehold that piracy has on the motion picture industry. Their recommendation is not something that Hollywood will take lightly.”

Since being introduced to the system in March of this year, the MPAA has been reviewing the technology and has finally decided that it is a viable system for securing online content.

“We are very excited about our breakthrough technology. For the first time, digital content can be distributed without fear of piracy. By making it possible for studios and other copyright holders to secure their content, we can make it impossible for movies to be digitally pirated,” said Diebel. “DreamStream can restore property rights to their owners and restore the commercial success of music and video recordings with a solution that benefits both producers and consumers.”

As with all digital content, online media, including streaming, has fallen prey to piracy, but DreamStream now feels it has the solution.

“The existing systems are broken,” said Diebel. “If studios and artists want to confront the problem of piracy they must embrace a comprehensive restructuring of their distribution methods.”

DreamStream also says its media system gives users instant access to HD-quality content with no processing delays. The technology also offers encryption never before seen for streaming content: current systems use 128-bit encryption, whereas DS uses 2048-bit encryption, which it considers military grade.

The company says its encryption has never been compromised by hackers or pirates. “Pirates are not just found in the movies anymore. Today’s pirate is a twelve-year-old sitting on a couch in Hong Kong. Or, worse yet, an unmanned fleet of Xboxes all aimed at your server. Hacker attempts are no longer measured in how many per day but how many per second. It is just a matter of time until the pirate comes aboard your ship and breaks into the treasure chest. Unless they cannot see the ship. With DreamStream, your digital information is invisible. Your treasure chest is secured, and the key to it is encrypted with a 2048 bit encryption. Yes, a true digital fortress. A fortress that fits on a very small chip or hard drive!” reads DS’ website.

“To win the war on piracy, the studios need DreamStream’s military grade capabilities,” concluded Diebel.

Jul
7th

Microsoft Snapshot Viewer Exposes Users To Trouble

Posted by Mark

An ActiveX control used to view Microsoft Access report snapshots poses a potential avenue for exploitation.

Microsoft confirmed the existence of a flaw in one of its complementary products. Advisory 955179 highlighted the issue with the ActiveX control for the Snapshot Viewer for Microsoft Access.

The flaw leaves unprotected users at risk from specifically crafted web pages aimed at breaking in through the exploit. If attacked, people run the risk of arbitrary code being executed on their machines.

“The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003,” Microsoft said.

“The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.”

US CERT said it knows of no “practical solution” for the problem. Instead, people may wish to try disabling the problematic ActiveX control by setting its kill bit in the registry. Such changes should be undertaken only by people who are comfortable with backing up and editing the Windows registry.
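One way an admin could apply the kill-bit workaround described above, as an added PowerShell example that is not from the original post or from Microsoft's advisory; the CLSID is a placeholder to be replaced with the control's actual class identifier from the advisory, and the script assumes an elevated prompt:

```powershell
# Added example (not from the original post or the Microsoft advisory):
# back up, set and verify the Internet Explorer "kill bit" that stops a
# given ActiveX control from loading. The CLSID below is a PLACEHOLDER;
# use the CLSID(s) listed in Microsoft's advisory for the Snapshot Viewer control.

$Clsid    = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
$KillBit  = 0x400                                      # compatibility flag: IE refuses to load the control
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KeyPath  = Join-Path $BasePath $Clsid

function Backup-ActiveXCompat {
    param([string]$Destination = "$env:TEMP\ActiveXCompatibility-backup.reg")
    # reg.exe export writes a restorable .reg file of the whole compatibility key
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' $Destination /y | Out-Null
    return $Destination
}

function Test-KillBit {
    param([string]$Path, [int]$Flag = 0x400)
    # True only when "Compatibility Flags" exists and has the kill bit set
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $Flag) -eq $Flag)
}

function Set-KillBit {
    param([string]$Path, [int]$Flag = 0x400)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the kill bit into any flags already present rather than overwriting them
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $Flag)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

$backup = Backup-ActiveXCompat
Write-Host "Registry backup written to $backup"
Set-KillBit -Path $KeyPath -Flag $KillBit
if (Test-KillBit -Path $KeyPath -Flag $KillBit) {
    Write-Host "Kill bit set for $Clsid; Internet Explorer will no longer load this control."
} else {
    Write-Warning "Kill bit not set for $Clsid; confirm the prompt is elevated."
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so the step is repeated there; the exported .reg file lets the change be reverted once the patch is installed.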

Running as a user with reduced privileges may mitigate the exploit until it is patched. However, Microsoft offered no guarantee that running with limited rights will completely protect against potential exploits against this vulnerability.

The recent holiday weekend also proved difficult from a security perspective from another avenue. Security vendor Symantec said it had blocked 3.5 million junk emails with 4th of July themes.

Since the Microsoft vulnerability could be exploited through an emailed link, people should continue to toss out suspicious emails, even from known senders, and avoid clicking links in messages.

Jul
4th

Next Patch Tuesday has few security updates, big Vista reliability fix

Posted by Mark

In its monthly advance notice the weekend before the second Tuesday of the month, Microsoft said it will only be addressing four security issues this time around, two dealing with Windows. But a surprisingly big Vista bug fix is under way.

If you think about it, the relative security of Windows Vista hasn’t been the subject of much debate recently. If there’s any problem consumers have with it, whether it’s born out of market perception or real-world experience, it’s a feeling that it’s not all that reliable.

So perhaps it’s not such a bad thing that next week’s Patch Tuesday round of fixes from Microsoft will focus less on security, with only four issues in that category to be addressed there, and more on Vista’s overall reliability. A single performance update announced by Microsoft on June 24 will tackle some real-world problems that Vista users have been facing, according to automated feedback the company’s servers receive when Internet-connected Vista users crash.

Here’s a little annoyance: Have you ever tried to delete a user account from Vista’s Control Panel, only to have your system sit there in an endless loop, doing nothing? Then when you reboot, the account’s not gone? That’s one of the issues this performance update will address.

And what is it about Vista that, after you leave your computer on for an “extended period of time” (A day? Two days?), makes it decide that Excel is no longer a valid application for you to run? How many times has this happened to you, to paraphrase a TV infomercial? That’s another bug Vista users should find gone, hopefully.

There are also interesting little problems such as certain builds of NVidia drivers that cause high-definition audio streams to sound like they’ve been fed through a chipper-shredder, and Windows Mail (the replacement for Outlook Express) triggering a crash when traffic monitoring is enabled through Windows and e-mail security through ZoneAlarm is active at the same time. These are the little, everyday affairs that some people really look forward to seeing gone. Quite possibly, they impact more users than the average newly discovered vulnerability.

It’ll be nice to see how well this latest round of patches addresses these and a host of other Vista-related issues.

Jun
17th

Australia tops cyber crime list

Posted by Mark

Australia has the highest incidence of cyber crime in the world, according to a global survey of nine countries by software security vendor, AVG.

The study, which canvassed 1000 users each in Australia, the US, France, Germany, Italy, Spain, Sweden, Brazil, and the Czech Republic, found that more than 39 per cent of Australians had been the victim of cyber crime, compared to 32 per cent in Italy, 28 per cent of Americans, and just 14 per cent in Sweden and Spain.

The most common forms of cyber theft experienced by Australians were:

  • Not receiving goods paid for at an online auction (16 per cent);
  • Fraudulent e-mails that resulted in financial damage (14 per cent);
  • Phishing (10 per cent);
  • Not receiving goods ordered online (eight per cent);
  • Credit card fraud (five per cent); and
  • Unauthorised bank transfers (three per cent).

Lloyd Borrett, marketing manager of AVG (AU/NZ), said the fact that Australia experienced more cyber crime was a little surprising, although it might have been impacted by the fact that Australians are more active online users than most other nations.

“While we don’t know whether Australians are actually targeted more heavily than other countries, these results highlight the importance of comprehensive security solutions to protect users from obvious threats like phishing and e-mail scams, as well as good education to warn people of the danger,” Borrett said.

Forty-seven per cent of Australians said they were more likely to experience cyber crime than to experience burglary, assault, or robbery, and 37 per cent said that cyber crime was a strong concern.

The AVG survey found that Australians had relatively high awareness of Internet security and demonstrated the second highest level of confidence (70.5 per cent after the US’s 73.3 per cent) in the protection provided by their software security vendor.

Jun
13th

Software glitch leaves utilities open to attack

Posted by Mark

Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.

Experts with Boston’s Core Security Technologies, who discovered the deficiency and described it to the Associated Press before they issued a security advisory, said there’s no evidence anyone else found or exploited the flaw.

Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.

But the vulnerability could have counterparts in other supervisory control and data acquisition, or SCADA, systems. And it’s not clear whether all Citect clients have installed the patch.

SCADA systems remotely manage computers that control machinery, including water supply valves, industrial baking equipment and security systems at nuclear power plants.

Customers that use CitectSCADA include natural gas pipelines in Chile, major copper and diamond mines in Australia and Botswana, a large pharmaceutical plant in Germany, and water treatment plants in Louisiana and North Carolina.

For an attack using the vulnerability Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but can happen when companies have lax security measures, such as connecting control systems’ computers and computers with Internet access to the same routers.

A rogue employee could also access the system internally.

Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment or cause a nuclear power plant to malfunction by attacking the utility’s controls.

That possibility has grown in recent years as more of those systems are connected to the Internet.

The Citect vulnerability is of a common type. Called a buffer overflow, it allows a hacker to gain control of a program by sending a computer too much data.

“It’s not a very elaborate problem,” said Ivan Arce, Core Security’s chief technology officer. “If we found this thing - and this was not that hard - it would be easy for someone else to do it.”

May
13th

Hacker exposes six million Chileans’ data to make a point

Posted by Mark

A Chilean hacker posted sensitive information about six million of his compatriots on the Internet, apparently in an act of protest against the government’s lax data security.

According to Chilean newspaper El Mercurio, details including people’s addresses, phone numbers, ID numbers, email addresses and even academic records were all laid bare for the world to see on a popular technology blog called FayerWayer. Links to additional information were also posted on a website called “ElAntro”.

The information was mined from various different Chilean government and military sites, including the Ministry of Education, state telephone firms and the Electoral Service website. “Nobody bothers protecting that information”, the hacker allegedly wrote in explanation of why he felt the urge to expose six million of his countrymen to identity theft.

Chilean police commissioner Jaime Jara told El Mercurio that the police were investigating. However, the fact that it took the slowpoke Chilean authorities hours to twig what had happened, and then several more hours to get round to removing the private data, goes quite a way to proving the hacker’s point.

L’Inq AFP

May
6th

Yahoo partners with McAfee

Posted by Mark

Yahoo opened the beta test of SearchScan in several countries to help safeguard people against potentially dangerous links in their search results. Searchers may notice something different about the search results in Yahoo. The company partnered with security vendor McAfee, which runs the SiteAdvisor service, to power a new feature called SearchScan.

“While SearchScan will be on by default, users have control over how they use the feature,” said the Yahoo Search blog. “In preferences, users can choose to turn the feature off or choose to filter out all sites with warnings from their search results.”

SearchScan compares links with an index of ones it has checked for possible problems, like browser exploits, unsafe downloads, or just the likelihood the site spams visitors who give it an email address. McAfee said its site ratings are based on automated safety tests of websites, and include feedback from volunteer reviewers and its analysts.

Yahoo’s Vish Makhijani, SVP & GM for their search engine, noted on the official Yahoo blog how they are the only search site providing this type of advance warning today. People will see these warnings appear in red with the listing SearchScan flags.

SearchScan should be of great benefit to people whose less than perfect spelling leads them to mistype a query, which could return a link or two that direct people to a dangerous website. Some scammers register incorrectly spelled domains in the hopes of bringing in visitors who hit a wrong letter or two.

Other search sites may want to consider similar initiatives. Google for one has been vexed for months with SEO poisoning attacks that drop links to infected pages into its listings. Their work with StopBadware.org doesn’t seem to notice these links, and that’s not good for visitors.

Apr
17th

Hackers issue BT Home Hub warning

Posted by Mark

Ethical hacking group GNUCitizen.org has warned that the default settings on one of the UK’s most widely used wireless routers are leaving customers open to attack.

The group showed in a blog posting that the BT Home Hub, the wireless router supplied to BT Broadband customers, uses algorithms that make the device easy to crack when in default mode.

Using reverse-engineering techniques, the group said that the hub’s Wired Equivalent Privacy (WEP) keys can be predicted in just 80 guesses, but it had decided against making its automated guessing program publicly available.

GNUCitizen’s findings appear to confirm long-term concerns about the security of the WEP encryption protocol.

“It is quite likely that the bad guys can break into your network if you are using the default encryption key. Our advice is to use WPA rather than WEP and change the default encryption key now,” GNUCitizen said.

Responding to the criticisms, BT denied that real-life users of the device were in any serious danger of hack attacks.

“It is important to realise that, although it has been possible to demonstrate a scenario where the hub may be vulnerable, we do not believe it is something that should affect the majority of BT customers in real life,” the company said in a statement.

BT, which has published details on how to more effectively secure the router, said that other operators supplying the Thomson-manufactured device were also affected by the issue.