Showing posts from February, 2006

Will monthly patch cycles survive the year?

Microsoft's regularly scheduled (once a month) security updates have received a great deal of criticism in the security community. The practice delays (in theory up to a month) the rollout of vital Windows patches and leaves customers exposed to worms, viruses, adware, spyware and outright hacking for more calendar days than the previous ad-hoc rollout of patches (e.g. as soon as they were ready). In today's world, where exploit code and worms show up within hours or days, these delays can be devastating. The monthly patch strategy has probably helped Microsoft with one key metric -- reducing the number of headlines per month about the latest vulnerability. In the months before Microsoft changed from ad-hoc security patch releases to a monthly schedule, negative security headlines were appearing almost daily. These headlines had begun percolating into the public unconscious, contributing generally to a vague but increasingly common perception that Windows is "insecure&

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which, if disclosed, presents a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282

MS06-007 and the importance of being ernest

Announced in the batch of new Valentine's Day vulnerabilities from Microsoft today, Microsoft Security Bulletin MS06-007 is an exposure to a remote Denial of Service attack. The bulletin states: "A denial of service vulnerability exists that could allow an attacker to send a specially crafted IGMP packet to an affected system. An attacker could cause the affected system to stop responding." This is rated "important" rather than critical by Microsoft. (See the Microsoft Security Response Center Security Bulletin Severity Rating System for a description of their rating system and the criteria for each category). As a consequence of a couple of "critical" defects in this monthly batch, this particular defect doesn't seem to be getting the attention it probably deserves. These types of DoS vulnerabilities are sometimes used by botnets and worms, which are frequently under control of an attacker once they have penetrated a network and spread inside it. If

Phishers target Verified by Visa - as predicted!

Recent phishing scams have been noted to employ an SSL certificate as part of the scam web site. In combination with one of many patchable but unpatched and other unpatchable browser defects, these scam sites are now giving the end user the full appearance that they are engaging in a secure transaction with their bank. As reported by Brian Krebs today (see: The New Face of Phishing) as well as predicted here a couple of weeks ago (see: Verified by Visa (Veriphied Phishing?)), the latest such phishing scams have begun to exploit the Verified by Visa program by using the name recognition of the campaign as part of their social engineering. Mr. Krebs mentions a few key facts about this latest scam in his article: the scam targets a small bank; the scam exploits the brand awareness campaign surrounding the "Verified by Visa" program; the scam employs the use of an SSL certificate which appears to have been obtained specifically to set up the scam web site niche market

Are cookies spyware? WWDS?

Should cookies that track your web surfing be considered spyware? What Would Dilbert Say? (WWDS). To the many millions of people trying desperately to keep their home Windows PC from collapsing under the load of adware, spyware, bots, worms and viruses, and looking on the internet for help, it might seem like there is a raging (or at least simmering) debate about cookies -- are they spyware or not? This debate is fueled mainly by the tension between adware vendors (typically shady or at least shadowy new media advertising outfits that match ads to web surfing habits) and anti-spyware vendors. The former need cookies to provide value-added advertising, while the latter want to make the malware situation seem as bad as possible by releasing reports periodically about how much worse it's getting. Even if cookies are discounted entirely, the malware situation is indeed getting worse every year, and is very bad here in 2006. There really shouldn't be much debate about

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa. I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card, not visa.com. I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man-in-the-middle or phishing scam. (Never mind that all the best phishing scams nowadays look like the actual dom