Archive for September 2004
Ultimate Security Breakdown, (not really)
News.com is at it again with yet more sensationalist tabloid journalism. The disaster of the day is the USB device. There seems to be a concerted campaign to convince people that USB is bad. This article takes it a step further and blames the plug-and-play operating system. The article worries about information theft but also mentions sneakernet viruses.
The article fails to point out (though the reader comments do) that XP Service Pack 2 contains a registry setting that write-protects USB storage devices. If you cared to, you could disable USB in the BIOS, go for a physical solution like disabling the USB ports, or go for a commercial software solution. But the news.com article isn’t about solutions, it’s about FUD. I suggest checking out the July Crypto-Gram.
More Jpg Exploit in the Wild News
Got to love old-school viruses. The JPEG exploit has gone back to the future by making its first notable appearance in porn newsgroups. There is a good writeup of this over at http://www.easynews.com/virus.txt
The virus uses the JpegOfDeath sample exploit code that was made available on the net to install remote-administration software and download assorted hacker tools to make life easier for the intruder.
The BotNet Came Calling
There is a writeup in today’s ISC diary about a botnet found on a corporation’s network spanning 40 sites. I highly recommend reading it.
The question is how you avoid it. The company in question failed to follow good practice by not noticing when their antivirus stopped updating. It also sounds like they relied on their computers going to Symantec’s LiveUpdate server rather than using an internal distribution system such as VDTM. That sounds like another mistake.
What else can you do? Monitor for P2P installation (banning it should already be company policy). Prevent users from being admin? That just doesn’t fly. Limit outbound traffic at the firewall to specifically allowed ports? Great idea, already done it. I suppose an internal IDS/IPS, as well as segmenting internal networks so that not everyone can talk to everyone, would help also. Patching should also help. The article doesn’t state how GaoBot spread within the network. It’s either missing patches or improperly secured file shares (i.e. wide open or protected by weak passwords).
When half the company subverts firewall security by taking a laptop home and hooking it up to an untrusted network, you never know what surprises you are going to find when they bring the computer back in.
JPG-GDI Vuln - Your Time is Up
There are now exploits out there that use the JPEG vulnerability to open a remote command prompt or create a local administrator account. While I don’t see how this could turn into a worm like Sasser or Blaster, it could easily be used to spread spyware and to build a bot network. It’s like MyDoom: it could leave a port open that is later harvested by another worm.
It’s a good time to be running a firewall and to be careful about which links you follow. Head over to Windows Update and then Office Update. After that, run the GDI Scan Tool available from SANS.
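As an added example (not code from the original posts, from the SANS tool, or from the JpegOfDeath sample), here is a small Python parser that walks the marker segments of a JPEG and flags any segment whose 16-bit length field is 0 or 1. That field counts its own two bytes, so a value below 2 is what made the unpatched GDI+ code compute a negative payload size; a COM segment with such a length is the trigger the JpegOfDeath samples carry. The sample inputs are constructed inline and are not real files; this covers both the newsgroup virus above and the command-prompt exploits in this post, since they share the same trigger.

```python
import struct

# Marker codes that carry no length field (JPEG standard): SOI, EOI, TEM, RST0-7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOS = 0xDA  # start of scan: entropy-coded data follows, no more marker segments
COM = 0xFE  # comment segment, the one JpegOfDeath abuses


def iter_segments(data):
    """Yield (offset, marker, declared_length) for each marker segment up to
    and including SOS. declared_length is None for standalone markers.
    Raises ValueError where the byte stream stops looking like markers."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        start = pos
        while pos < n and data[pos] == 0xFF:  # 0xFF fill bytes are permitted
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == 0xD9:
                return
            continue
        if pos + 2 > n:
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">H", data, pos)
        yield start, marker, length
        if marker == SOS:
            return
        # The length counts its own two bytes. The vulnerable GDI+ code
        # subtracted 2 without checking, so 0 or 1 wrapped to a huge size;
        # clamp here so this parser itself can never step backwards.
        pos += max(length, 2)


def suspicious_segments(data):
    """Return [(offset, marker, length)] for segments whose length field is
    below 2. Parsing stops quietly at the first structural error, because
    in a real exploit file shellcode, not another marker, follows the bogus
    length."""
    found = []
    try:
        for off, marker, length in iter_segments(data):
            if length is not None and length < 2:
                found.append((off, marker, length))
    except ValueError:
        pass
    return found


# Constructed samples, not real files: a minimal JFIF header followed by a
# well-formed comment, and the same header followed by a COM segment whose
# length field is 1 and then filler bytes standing in for a payload.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xff\xd8" + APP0 + b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01" + b"\x90" * 16


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = suspicious_segments(fh.read())
        print(f"{path}: {'SUSPICIOUS ' + str(hits) if hits else 'ok'}")
```

Run it over a directory of mail attachments or a news spool and it reports the trigger regardless of which payload the file carries. It is a cheap pre-filter, not a substitute for patching: it only recognizes this one malformation, and a file that fails the check is malformed by the standard anyway, so there is no legitimate reason to let it through.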
SUN JVM Exploit
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57221-1&searchclause=57221
http://www.f-secure.com/v-descs/binny_a.shtml
A vulnerability in the Sun Java Virtual Machine allows the installation of malicious code (viruses and spyware). This affects all browsers using the Sun JVM, not just IE.
Solution: upgrade the Sun Java Virtual Machine to 1.4.1_04 or later (the current version is 1.4.1_07).
Spammed Drag and Drop Exploit
Yesterday I saw some spam detected as Trojan/Exploit-DragDrop!link. Today I see that F-Secure posted about this on their blog yesterday. If you click on the ‘remove’ link, you are taken to a website. The site uses the IE drag-and-drop vulnerability to download a trojan to your computer.
Currently there is no patch for this vulnerability. In Windows XP with Service Pack 2, you can disable “binary behaviors” under the ActiveX security settings. Other than that, it’s the usual advice: run all client software as a non-privileged user and do not follow links that you have any reason to be unsure of.
Software flaws will triple downtime by 2008
Saw this in the SC Information Security Newswire:
Organizations that do not include security as a criterion when building or buying software will see system downtime caused by security vulnerabilities treble from 5 per cent to 15 per cent of downtime in 2008, industry experts have warned.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=7fc97c73-b0a7-41df-8eab-e354169b6084&newsType=Latest%20News
Sept Patch Day
Tuesday was Microsoft patching day and this one left me scratching my head more than most. Maybe it’s my own fault for reading NTBugtraq and the babble of the tech writers. This JPEG patch seems tougher to decipher than the riddle of the sphinx. First you’ve got Windows Update, which just gives you a tool to see whether you have the file. Then you’ve got different Microsoft versions of the patch, or at least that’s what it sounds like. You don’t need a patch if you have Microsoft Office 2003 SP1, but if you haven’t applied that service pack then you need a patch. And there is an IE patch. Or is that the same thing? Then the file in question is used in other MS apps that MBSA doesn’t detect. Then you’ve got other applications that introduce their own vulnerable copy of the file. And of course you’ve got a denial of service exploit already in circulation. What a patching nightmare.
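The last point, that copies of the vulnerable file ship inside other applications where MBSA and Windows Update do not look, is the one a practitioner can act on directly. As an added example (not code from the original post, from Microsoft, or from the SANS tool), the Python script below walks the given directories for every gdiplus.dll and reads its version out of the PE’s VS_FIXEDFILEINFO block, so each copy can be compared against the fixed version the bulletin lists for the product that shipped it. It locates the structure by its signature bytes rather than by walking the resource directory, which is enough for an inventory of your own machines but would be fooled by a crafted binary. The fixed version is deliberately left to the caller, since it differs per product; the blob in the usage comment is an assumed placeholder, not a real file.

```python
import os
import struct
import sys

# VS_FIXEDFILEINFO begins with the signature 0xFEEF04BD; these are its
# little-endian bytes as they appear on disk.
FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"


def pe_file_version(data):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    found in a PE image, or None if there is none. The structure starts
    dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS."""
    idx = data.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ms, ls = struct.unpack_from("<IIII", data, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_dll_copies(roots, name="gdiplus.dll"):
    """Yield (path, version) for every file called `name` under `roots`."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() == name:
                    path = os.path.join(dirpath, fname)
                    try:
                        with open(path, "rb") as fh:
                            version = pe_file_version(fh.read())
                    except OSError:
                        version = None  # an unreadable copy is still worth listing
                    yield path, version


def is_older_than(version, fixed):
    """True when `version` predates `fixed` (tuples compare element-wise)
    or could not be read at all; both cases deserve a manual look."""
    return version is None or version < fixed


def report(roots, fixed=None):
    """Collect every copy; when a fixed version is given, flag older ones."""
    rows = []
    for path, version in find_dll_copies(roots):
        flag = None if fixed is None else is_older_than(version, fixed)
        rows.append((path, version, flag))
    return rows


if __name__ == "__main__":
    # Assumed invocation: python gdiplus_inventory.py C:\ D:\
    # Compare the printed versions against the bulletin for each product.
    for path, version, _ in report(sys.argv[1:] or ["C:\\"]):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{shown:>20}  {path}")
```

Because the scan is by file name and version rather than by registered product, it catches the copies bundled with third-party software that a patch-management tool keyed on Microsoft product installs will never ask about; the version numbers it prints are what you then check against the bulletin.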
Trouble for Microsoft SenderID
The Apache Group and Debian developers have marshaled the anti-Microsoft forces and convinced the IETF to scuttle the proposed SenderID standard. They did this claiming that it is anathema to have a “standard” be encumbered by a patent. Somehow I think that this would not have been the first time that a standard had surrounding patents. Further, I would postulate that if this were not Microsoft, nary a word would have been said about it.
The Register article on this has a link to a discussion list archive.
It will be interesting to see what the next step is. Some see SPF separating itself from Microsoft and being implemented as a standard, while Microsoft’s SenderID remains available to the MS customer base.
Not sure why the Slashdot and Register articles are so celebratory. A potential weapon in the war on spam was just handed a defeat. I guess some people will hate anything coming out of Redmond.
Looks like we’ll all be implementing Yahoo! Domain! Keys! soon.