May 30, 2006
The flaw, which affects recent versions of its Client Security and Antivirus Corporate Edition products, is considered serious, and could be exploited by hackers to run unauthorized software on unpatched PCs.
The patches are for English language versions of Symantec's products only, and a Symantec spokesman could not say when the complete line of products would be patched.
So, if you use the affected products, you are now free to apply patches.
May 26, 2006
Researchers at eEye Digital Security, the company that discovered the flaw, said it could be exploited by remote hackers to take complete control of the target machine "without any user action."
"This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine. You can remove, edit or destroy files at will," said eEye Digital Security spokesperson Mike Puterbaugh.
"We have confirmed that an attacker can execute code without the user clicking or opening anything," Puterbaugh said.
I headed over to the Symantec site to see what they had to say.
So far, they are saying this affects their Corporate Customers, not Norton Home Anti-virus customers. If that is the case, it's not as bad as it could have been.
Symantec engineers have verified that this vulnerability exists in the product versions listed above. We are continuing to evaluate other versions of our software. This advisory will be updated when additional information is available.
They have a list of things their clients can do until they come up with a fix. I'm wondering why this went public so quickly. It has been the practice in recent years to give a company time to fix a flaw before reporting it to the general public. Thus having a fix ready for everyone to download when they hear the news. That doesn't seem to be the case this time, so I wonder what's going on. Interesting.
My question: will it float, or does it work under water?
May 24, 2006
The Trojan surfaced last Thursday and arrives buried in a Word file attached to an e-mail message (see "E-mail attacks target unpatched Word hole" ). It secretly installs software on a user's PC that could be used to execute remote commands, download other malware or monitor keystrokes and gather passwords, among other mischief.
For the Trojan to do its work, however, users must first be tricked into opening the Word attachment. And the incidents reported so far suggest that hackers are still using the Trojan in a very targeted fashion rather than sending it in mass e-mail, said Erkki Mustonen, a security researcher at F-Secure.
In other words, this would suck pond water if you happen to open an offending Word doc, but the incidents seem to be at a fairly low level. For now, the suggested workaround is the following.
In the meantime, Word's safe mode won't fix the vulnerability but will prevent the vulnerable code from being exploited, Microsoft said.
The first step is to disable the Outlook feature that uses Word for editing e-mails. The second involves creating a new desktop shortcut that adds "/safe" to the Word command line. Detailed instructions are available online.
Today, I see there is a story on Computerworld asking Microsoft why they aren't jumping all over this latest exploit and releasing a patch outside of the regular cycle.
What are Microsoft's plans to address the flaw? The plan right now is to release a patch on June 13 as part of the regular update. We are monitoring the number of infections and what the impacts to the customers are. At this point, we recognize the seriousness of the issue. We are going through our regression testing which is, of course, to make sure that we have the right fix and it is of the right quality. The worst thing to do is to install something out of band and then having to redo it again the second or third time. So we balance that with what the current threat level is.
I believe if you look at what the virus vendors' current reading of the issue is, it is low to moderate because of the current infection rate.
Personally, after the last patch fiasco I had to figure out and fix, I would certainly prefer they get this right. Nothing is worse than rushing something out and having the fix be worse than the original problem, especially if few people are having issues. So, I hope they're working hard and testing any patch against as many variables as possible.
As usual, be careful what attachments you open.
May 23, 2006
The disks contain the names, Social Security numbers and dates of birth of all living veterans who served and were discharged since 1976. The disks are among the items stolen from the home. In a letter to veterans, the VA explained what information was on the disks.[emph mine --ed]
Why do I bring this up? Right now they still don't know who has the info and what will be done with it - if anything. We can predict worst case scenarios. But I did want to mention to everyone what happens in the case of a data breach like this.
They will send you a LETTER. The letter will detail what information was stolen and what processes have been put in place to help you.
They will not be calling you on the phone or even coming to your door. Anyone who does that is out to scam you! Even if it were for real, you would be well within your rights to tell the people to go jump off a cliff and get in touch with the agency directly.
Anything other than a letter directly from Veterans Affairs should be treated with suspicion and reported to the police. When something this big happens it's a big playground for the bad boys. They never saw the data, never touched it, don't know where it is. But they will be happy to use this uproar to get what they can out of it.
UPDATE: Almost forgot. I have seen two different dates for the earliest year covered by the theft, 1975 and 1976. If you are a retired vet and fall in the date range of retiring from 1975 to the present, and you do not receive a letter within a month, get in touch with the agency. Ask them if you were affected and have them send you the information again. Mail is often misdirected.
UPDATE 2: Blackfive has more info about protecting yourself from identity theft. Since it's happened to him, he knows what he's talking about. Head over and click the links, find out what you can do before it happens to you.
May 19, 2006
The hard drive was damaged and had been sent out for repair by an employee in direct violation of the Institute's internal control policies and procedures.
This could be a case of the employee trying to steal data, but I have a feeling it is more likely that the employee was simply careless. I find that most people do not understand even the basic aspects of data security.
The reason this caught my eye? I was having a conversation with a local bank manager yesterday. I want to move my account to a new bank because the bank I currently use has no branch office closer than 10 miles from my house (something I didn't realize when I moved here). I want a bank that is closer to me, so I'm talking to the ones close to home to see what they offer.
The manager, a very nice woman, was very enthusiastic about their online banking. Which is when I had to gently break it to her, that I am not at all comfortable with online banking. I'm sure they have a lovely setup and they have lots of security in place on their end, but (even though I am very careful) who knows when I will pick up a nasty virus or worm that will manage to send out my personal data to some server for data thieves to use at will.
She admitted she had never thought of that. She even admitted that she is not allowed to log in and do her own banking from home because she is an employee. Any online banking must be done from her work computer. As an employee and especially as a manager, she has too many privileges to make it safe for her to log in from outside the network. I had to explain to her that if someone has your log in info, the computer doesn't know it's not you accessing the accounts.
This is simple security stuff. If a bank manager is unfamiliar with something so fundamental, why would we expect an IT employee to take security seriously in regard to a disk merely containing names and addresses? It seems incredibly silly on the face of it.
We won't see a drop in these types of incidents until we can educate and convince employees that they need to treat data as they would the money in the safe at the bank. Even now I'm willing to bet, there are employees watching this fiasco and wondering what all the fuss is about.
For that matter I don't know if we can make most people understand the importance of protecting information. More and more I think the way to go is for people in computer security to find ways to protect data that do not rely on the willingness of employees to take data theft seriously. I'm not sure how to accomplish that feat, but I think it must be considered in light of the continual loss of disk drives and tapes.
Hat Tip: Instapundit
May 10, 2006
... Last week, Dale Frantz, CIO at Auto Warehousing Co., brought to my attention an alarming business practice that shows Microsoft at its shoddy and arrogant worst.
AWC was contacted several weeks ago by Janet Lawless, a software asset management engagement manager at Microsoft, who claimed that "a preliminary review of [AWC's software licensing] information indicates that your company may not be licensed properly." Lawless urged AWC to "understand that the potential inconsistency in licensing is an urgent matter and needs immediate attention." She wanted to send a consultant to AWC to conduct an inventory of its installed software.
Frantz was stunned. He says he always errs on the side of caution with respect to software licenses. He does regular audits and maintains extensive records of purchases, license keys and registration codes. Frantz had no doubt that he was 100% compliant. When he told Lawless that, she ratcheted up the threatening tone of her e-mail correspondence.
This is disgusting. So Microsoft thinks that calling a company, any company, and trying to strong-arm your way into their computer room is a good way to do business? This is the method they want to use to sell their product? Are any businesses out there thinking maybe they should move off the Microsoft platform BEFORE they have to go to court to keep them out of their private business?
"Simply commenting on your licensing environment does not address our concerns in a tangible, proven manner," she wrote. "We continue to believe that Auto Warehousing may not be licensed properly. Since this is a compliance issue, I am obligated to notify an officer of Auto Warehousing of the situation and the significant risk your organization may be subject to by not resolving this situation in a timely manner."
At that point, Frantz got his corporate attorney involved. The attorney suggested that an olive branch be proffered to avoid legal action, so Frantz offered to send Lawless detailed records of all purchases of Microsoft software in the past five years. But Lawless blew that off as well. She seemed determined to get a consultant into the IT bowels of AWC.
So, it doesn't matter if you've always done the right thing, shelled out all the mega-bucks for Microsoft's operating system and peripherals. No, they're going to accuse you of being a thief and they are going to worm their way into the building if they can.
Indeed, according to Microsoft's Web site, the responsibility of someone with Lawless' title of "engagement manager" is to "perform as an integrated member of the account team, drive business development and closing of new services engagements in targeted accounts." So why was someone in a sales position leaning so hard on AWC about a supposed licensing compliance concern?
When I phoned Lawless to find out, she referred me to Microsoft's PR machine. The responses I got through that channel stressed that Microsoft's aim is to help customers navigate the complexities of software licensing and that one of the roles of engagement managers is to assist in that effort by informing customers of a potential licensing risk. I was told to attribute the responses to Lawless.
That's right, she's there to try and sell Microsoft products. That's it! This makes used car salesmen look like your sainted grandma sitting in the church pew on Sunday.
Like the Recording Industry and the Motion Picture Industry, Microsoft is fast grinding down any little bit of good will they might have out in the world. If you do this enough, more companies are going to look to different Operating Systems and tools to do their job. Microsoft makes a huge amount of its money from corporate users. At the very least I'm betting Mr. Frantz is looking for a different software vendor.
How many companies are going to start a slow quiet changeover? I hope it's almost all of them! I think I am once again going to look at alternative systems before I buy my next computer. This is way past ridiculous and into ludicrous.
Please note, I am basing my assumptions on what I read in Jennifer Granick's article, and the article from Security Focus that she linked in her piece.
A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.
Ominous sounding, isn't it? There have been a number of high profile cases in the Computer Security world where security experts have been called in to look for system vulnerabilities, only to be arrested and even convicted of hacking systems when they do find problems. Jennifer Granick has been an avid defender of many who are caught in this situation. She has done an incredible amount of good work in this area. So, I'm wondering if part of the story has been left out, because here is the scenario she presents.
On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.
For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.
The incident might have ended there, but didn't.
The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.
Now let's look at an excerpt from the Security Focus article.
SecurityFocus notified the university of the issue two weeks ago after being tipped off by the discoverer, who claimed to be a security-savvy student who found the flaw during the process of applying to USC . The university initially removed the log-in functionality from the site for several days, but allowed applicants to log in for most of last week. USC completely blocked access to the site this week.
What I don't understand is why McCarty didn't go directly to the University and tell them what happened? The actions make no sense at all in the context they are presented. He hacked the system, copied records he had no right to have in his possession, did NOT cover his tracks, then immediately heads to a computer security magazine to distribute the information. I'm not sure what the real goal was in this case. Was it to close the security hole or make a name for himself in the computer security field? From the reports I am reading, there was no effort to involve the University at all until Security Focus contacted them.
This back and forth between hackers and system owners has been simmering since computers formed the internet. For years, companies would ignore the hackers when they were presented with evidence that their systems and software were vulnerable. Utter frustration forced hackers to go to the internet and publish the vulnerabilities in an effort to have them taken seriously. (I won't deny that there is a great deal of contempt on the part of hackers toward "big business", but that might have been manageable if business had made an honest effort to fix the problems instead of ignoring them.) As the internet grew, the system breaches made headlines, and lawmakers started instituting penalties against companies leaving their systems open, the shift has been toward the hackers giving the system owner the chance to fix the problem before going public with it.
But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.
For one thing, someone could at least mention in the articles in question, whether or not McCarty tried to let the school know about the problem. If he did and was given the brush-off then I can see his point about going to the press. After all, many many students will use that site to send in applications. They are entitled to have that information remain private. The University has an obligation to do all in its power to fix bugs in the system.
In this instance I'm not sure which side is wrong. I have the feeling we were not given the entire story. The article's main intent is to make us feel sorry for the poor "whistle blower" who was only trying to make things better. Too many questions are left open in this case to make me immediately jump on his band wagon. Thus, the lack of certain details in the story makes it difficult to say who is at fault. However, it's not too difficult to conclude...
This is another instance where ethical actions might have kept this from becoming a court case.
Hat Tip: Slashdot
May 04, 2006
Rumor had it that the attacks were originating from Saudi Arabia and many people jumped to the conclusion that the Islamo-Fascists were trying to silence bloggers. Not an unreasonable thought, but not provable with the data available at the time. We must also remember, to this point, the terrorists haven't attempted any online attacks; rather they have used the internet to spread their propaganda. Since it is difficult to spread propaganda if you try to take down the internet, I was skeptical about them being the culprits.
Now it seems I was right and that the center of origin of the attacks gave us little useful information on the attackers themselves. For that matter I have to ask, did the attacks originate in Saudi Arabia or was it a rumor with nothing to back it up? I still don't know.
Today we get the news that the culprit behind all of this is a Russian Spammer and (to make matters worse) he wasn't even aiming for Typepad!
Six Apart Ltd, which runs the popular LiveJournal and TypePad blogging services, yesterday became the collateral victim of a very big, very sophisticated denial of service attack mounted by a Russian spammer against an unrelated security company.
The attack, which we can reveal was part of an extortion scam against users of Blue Security Inc's anti-spam software, caused hundreds of bloggers to complain about the downtime, during periods of intermittent blog access.
That's right folks - it was a scumball spammer!
LiveJournal and TypePad found themselves suffering the brunt of the attack when Blue, which says it has been targeted by a "top four" Russian spammer, redirected the front page of its website to a blog hosted at TypePad's data center.
"The major denial of service attack at TypePad was because of us hosting with TypePad," Reshef told Computer Business Review.
I think they need to up the penalties on these slime of the internet. It certainly rates prison time as far as I'm concerned.
Hat Tip: Slashdot
May 02, 2006
vulnerability: in computerese this is a flaw in a piece of code (a bug, or something poorly written) that gives a hacker the opportunity to break into the system and either gain complete control, manipulate files (read, copy or delete, take your pick), or plant their own piece of code on the system to run undetected and do bad things (this is how people end up with "spambots" on their machines, cranking out spam without even knowing it).
exploit: this is the actual code, or the specially crafted input, that someone has written to use a known vulnerability to get into the system.
Think of it this way: the vulnerability is the open window, the exploit is the robber who enters the window to rob your house.
Not every vulnerability is exploited, just as there are many people with unlocked windows who never have a robber enter their house. The window is still open either way.
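To make the window/robber picture concrete, here is a small added example (mine, not from the original post or from any of the products discussed on this page). The "window" is a file-download helper that trusts whatever file name the request supplies; the "robber" is the request string that walks out of the intended folder; and a locked version shows the same request arriving and being refused. The directory layout, file names and the `EXPLOIT` string are all constructed for the example.

```python
"""Vulnerability vs. exploit, as a runnable illustration (added example).

serve_vulnerable() has the hole; EXPLOIT is the request that uses it;
serve_fixed() offers the same feature with the hole closed.  Note that the
vulnerable version works perfectly for honest requests, which is exactly why
an unexploited hole is so easy to live with until someone finds it.
"""
import os
import tempfile

# Constructed sandbox: a "web root" holding one public file, plus a secret
# file one level up that the helper was never meant to hand out.
ROOT = tempfile.mkdtemp(prefix="www-")
PUBLIC = os.path.join(ROOT, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "index.html"), "w") as f:
    f.write("<h1>hello</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("database password: hunter2")  # constructed, obviously


def serve_vulnerable(name: str) -> str:
    """The vulnerability: the request name is glued onto the document root
    with no check that the result stays inside it ("../" walks right out)."""
    path = os.path.join(PUBLIC, name)
    with open(path) as f:
        return f.read()


def serve_fixed(name: str) -> str:
    """Window locked: resolve the final path and refuse anything that does
    not stay under the document root.  realpath() also collapses symlinks,
    so a link planted inside PUBLIC that points outside is caught as well."""
    root = os.path.realpath(PUBLIC)
    path = os.path.realpath(os.path.join(PUBLIC, name))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"refusing path outside document root: {name!r}")
    with open(path) as f:
        return f.read()


# The exploit: nothing more than a request string crafted for the hole.
EXPLOIT = "../secret.txt"


def demo():
    """Returns (honest result, what the exploit steals, whether the fix blocks it)."""
    normal = serve_vulnerable("index.html")  # honest use works either way
    stolen = serve_vulnerable(EXPLOIT)       # open window: the secret leaks
    try:
        serve_fixed(EXPLOIT)                 # same robber, locked window
        blocked = False
    except PermissionError:
        blocked = True
    return normal, stolen, blocked


if __name__ == "__main__":
    normal, stolen, blocked = demo()
    print("honest request:", normal)
    print("exploit against vulnerable helper got:", stolen)
    print("exploit blocked by fixed helper:", blocked)
```

The point to take from running it: the hole in `serve_vulnerable()` exists whether or not anyone ever sends `EXPLOIT`; the exploit is just the first visitor who notices the window is open.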
Hope that helps explain the rest of the post a bit better.
Yesterday I saw this blurb on Instapundit about possible security holes in the Mac OS/X. The story is from sfgate and certainly lays on the "let's scare everyone" tactic that most media organizations rely on to keep people reading.
Perhaps the most striking is the "rapid growth in critical vulnerabilities" in Mac OS/X, Apple's operating system, long considered safer from hacker attacks than Windows, the report said.
"Although OS/X still remains safer than Windows, it's certainly not a bulletproof alternative to Windows," said Rohit Dhamankar, editor of @RISK, a SANS Institute newsletter. "The number of vulnerabilities in the Mac OS has certainly increased in the last six-month period."
Now let's look at this as a Computer Security issue - NOT a Mac vs. PC issue.
Okay there are several different elements to this that they are combining into one big - "it's not safe" shtick.
First you have the belief: Apple systems are safer than PC systems. As with all perceptions, it's easy to delude yourself into a feeling of either safety (Mac) or fear (PC). Basically this means nothing at all - it is simple perception. It changes nothing about either operating system, doesn't make them more or less vulnerable. So it's a throw away line to get people thinking the way you want them to think.
Next you have the "rapid growth of critical vulnerabilities". There are several reasons for this. OS X is still a fairly young system; it has not been around long enough to have accumulated a backlog of old, already-known problems that get quietly ignored, so every flaw found in it counts as new. OS X is also built on a Unix (BSD) foundation, which means it is very likely to carry Unix flaws which, while new to Mac users, have been known in the Unix community for years, and a fix to a shared Unix component now shows up as an Apple advisory. Add to this the fact that the Unix base makes the Mac more attractive to hackers, who already know Unix and always love playing with a new system to find its weak points, and voila! You have more vulnerabilities uncovered.
The "bulletproof" view is very popular with quite a number of people when a certain system is hacked less often. This only means that the system is hacked less often, not that the vulnerabilities don't exist.
As with any OS - the proponents don't like the criticism.
I have a two word rebuttal to this - BULL and (insert word that rhymes with “fit”) !
I don’t care how many potential vulnerabilities there are, I want to know how many sure-fire, get-in-my-Mac-and-erase-files, ruin-my-day vulnerabilities are out there. That number stands at zero.
Just as it has from the very first day OS X hit the street. No flavor of Windows can say the same thing.
Okay I understand where he's coming from. He doesn't mean vulnerabilities, he means exploits. Two entirely different animals.
He's right, there hasn't been any large scale exploit written that affects the Mac, as far as we know. The theories range from the Mac base of users being too small to get that big rush from hacking it, to the well known fact that most hackers loathe Bill Gates with a passion. That does not take away the fact that there are system vulnerabilities, but up to the present point in time, they have not been exploited.
However, this alone does not make you safe. What I'm saying now is true of ANY Operating System out there, from mainframe to cellphone with PDA. There are always holes. The fact that you haven't seen one exploited does not take the hole away, and it does not make your system any safer. Every single system in the world is like a house in a bad neighborhood with at least one window unlocked and waiting to let intruders in. Every. Single. System.
Just because your system disk hasn't been erased, or some other catastrophe did not befall you, does not mean someone didn't get in and look around. It doesn't mean someone didn't copy your files or have a look at your online life. And just because you haven't seen one yet, doesn't mean there won't be a huge exploit released in the future. Perhaps some moronic virus writer is even now crafting a lovely little surprise for the Unix based community.
In other words, just because it hasn't happened does NOT mean it won't happen. Do not confuse these two completely different issues.
Perhaps there will never be a huge exploit released, this still doesn't mean you are safe. What if you own a company with proprietary secrets? What if you have very sensitive data on your system? The fact that there are exploitable holes now becomes an entirely different issue.
You see, the real threat is seldom the annoying inconvenience of having your system crashed by some low-life virus writer, no matter how much you'd like to wring the jerk's neck. It's much worse than that, it's "what can be stolen from your system and resold without you being any wiser". That is the real issue. It's where the big bucks are. It's where the real bad hackers reside. Do not underestimate them; there are some incredibly smart people out there looking to quietly steal secrets. It's not as thrilling as watching someone's PC go down while your Mac continues to run, but it's a far greater danger.
As long as you think of "hacking" in terms of a virus some script kiddie can spew out to cause a few days of hassle to hapless PC users, you will completely miss the shadow sneaking in your back door and walking out with the keys to the kingdom.
Powered by Minx 1.1.6c-pink.