Saturday, March 31, 2007

Remote Microsoft Outlook and Vista Exploit

A new vulnerability is being exploited against Microsoft Outlook and all Microsoft Windows Operating Systems: Windows 2000 SP4 through Vista.

The exploit allows remote attackers to execute programs on your system or create a denial of service. There is no patch available for this exploit.

This is the first remote exploit against Vista and the security community is concerned that this vulnerability may be converted into a wide-spread attack worm.

The Community recommends:
  1. All users make sure their Anti-virus software and detection files are up to date.
  2. Spread of this exploit by email may be prevented by blocking all .ani, .cur, .ico and .jpg files at your email gateway.

Additional information about this vulnerability may be found at these links:

UPDATE: 4/2/2007, Microsoft plans early patch update to address this flaw:
Microsoft Response Center Update
UPDATE: 4/3/2007, Microsoft has released a patch.

I will update this blog post as more information becomes available.

Tuesday, March 13, 2007

Request to exit

The industry calls it a Request-To-Exit (RTE). Some are motion sensitive, others require the push of a button, and a very few require another wave of the badge. We’d examined the client’s public areas. Some of their RTEs were motion sensitive, and some used a button. What about the data center? We knew that the RTE could be a weak spot. The security system might log the RTE, but even here at the data center, it would probably not trigger an alarm. The motion sensitive types unlock at any close approach, and pressing a button is a normal event. If we could trigger an RTE and avoid forcing the door, we would have more time to work.

Our view was limited. We had a four-by-eight-inch view above the door handle. We could see another camera, a blank stretch of wall and a small corner of a lit room. We watched for shadows and assembled our tools.

We knew the probable height and position of the button. Could we reach it? The door was not the automatic-opening type. The dead bolt was open, but the electromagnetic lock was closed. We’d taken our MacGyver shopping list to a local hardware store, our $40 worth of spare parts versus a multi-million dollar data center. We made the viewing scope from 1/2 inch narrow pipe, carpet tape, and a convex mirror. We bent the pipe and squeezed the mirror below and past the door. The data center was on a raised floor, and we had a three-fourth-inch clearance. We had our window. In the three-inch mirror, there was the button! We quickly assembled the “finger.” The mirror became a problem because we needed to have both of our devices in view, as we squeezed down next to the door. Two pairs of hands blindly working, while a third pair of eyes directed, and a fourth kept watch. You know what they say about convex mirrors: “Objects in mirror are closer than they appear.”

Part 5 of 7, (to be continued)

Friday, March 9, 2007

ICANN Factsheet: Root server attack on 6 February 2007

I'm reading through the the ICANN factsheet (08mar07.pdf) and this paragraph jumps out at me.
A third category is the huge increase in individual Internet users installing routers in their homes, usually to provide wireless access or to link up several computers in the house. These consumer products usually come with the same password and a large percentage of home users never change this default password, making it easy for hackers to seize control of them for their own ends. If consumers were encouraged to change the default password or if router manufacturers were persuaded to provide each unit with a different password, then future attacks against the Net’s infrastructure could be tackled at (the) source.
(my emphasis)
I know there has already been quite a bit said about this topic here, here and here. However, this particular paragraph is written by the people who make sure that the wheels stay on the Internet's bus. This is really a very important issue and it's time the router vendors solve this problem.

The factsheet is well written and introduces a lot of information regarding the attack. Now that is has been published I can speak a little about it here. (Full disclosure: Catbird performs DNS monitoring for some of the root service providers.)

After the attack I reviewed our aggregate DNS and web performance data. Catbird gathers over one million data samples each day so I had more than enough to choose from. I chose a random samples of our monitors and developed the two charts included in this post.

The Feb 6 attack occurs around the midpoint of each chart. The attack hit two of the thirteen root servers very hard, but as you can see from these graphs the downstream DNS providers and the web sites they serve were not affected.

I make this point because I do not believe the attackers intended to bring down the Internet. I think that this was the performance test of an attack botnet. This attack combines good advertising with a live product demo. I will not be surprised to hear about a rise in DDOS attacks and extortion demands made against high-value commerce web sites.

I recommend that we all brush up on our understanding of anycast, GeoDNS and related defenses against DDOS.

Thursday, March 8, 2007

Airline Security Since 9/11

Over on Schneier's blog, there is a lively discussion about an article link Bruce posted. I posted a comment, but have more to say below.

What real security improvements have been made?
  1. Stronger cockpit doors
  2. Air Marshals
  3. Passengers (and crew) who know that resisting the hijacker may be the best course of action
Regarding number three, it is not always necessary to fight the hijacker. In 2004, Eritrean hijackers seeking political asylum, diverted a plane to the Sudan.

However, in the continuing to fight the last war department, we have multi-million dollar projects to build a hijack-proof plane.

SAFEE coordinator Daniel Gaultier said: "You never reach zero level of threat, no risk, but if you equip planes with on-board electronics, it will make them very difficult to hijack."
<sarcasm>Sure, electronics will make it better. Just like the on-board electronics in RFID equipped
passports. Electronics always make you safer.</sarcasm>

It is important that we address known threats and act to make
people feel safer on airplanes but what are we doing about the next threat?

We could be loading baggage into blast-proof cargo containers, but as I pointed out in my comment, this is being fought by the airlines themselves. The airlines must believe it is much cheaper to just pay-off the relatives or sue Libya.

What else? Protecting our ports of entry? You could ship an entire tank division through one of our ports, let alone a chemical, biological or nuclear weapon. Meanwhile people think building a 2000-mile fence to keep out our gardeners, housekeepers and building contractors is a good idea. Hello, New Orleans, sorry all those folks actually helping you rebuild the city... Please send them back to Mexico. If I were Bin Laden, I would be driving a taxi in New York, availing myself of our excellent hemodialysis care, while personally selecting the next target.

Does anyone really think that a terrorist will risk dying of thirst crossing the Mexican border, when they can just as easily enter the country on a Princess Cruise? Am I the only person who saw Speed 2?

The latest craze with liquids on airplanes, is an example of the hype involved here. These activities do not make us safer and will most likely lead us to ignore the real warning signs. After all, smokers are (warning: may be inappropriate for some viewers) still finding ways around the system.

If individual safety is more important than lobbyist dollars or inconvenience, then we should be building safer planes, blast-proof cargo containers, banning most carry-ons and getting rid of those awful snacks. We also need a homeland security organization that consults with people like the Tofflers, Vinges and Harlan Ellison.

Sunday, March 4, 2007

Popular Blog Software Cracked

A successful attack was made on the WordPress 2.1.1 download. The attacker modified the files theme.php and feed.php. These modifications created a backdoor which would allow a user to gain privileged access to any server running WordPress 2.1.1.

All users have been requested to update immediately to WordPress 2.1.2. Users who access updates through the Subversion repository were not compromised.