Archive for August 2006

Phishing from Free Sites

F-Secure asks on their blog today whether free web hosts such as Geocities, Tripod, etc. should proactively monitor for abuse such as phishing websites hosted on their servers.
It's an interesting question. I'm not a lawyer or a privacy rights person. Currently providers are not expected to monitor content. They are expected to take action when notified. I'm pretty sure that performing some review, such as having moderators on a bulletin board, does not open a provider to the expectation of removing all bad content proactively.
If I were doing it, I'd contract with a filtering firm like Websense, Blue Coat, or MessageLabs to notify me when a URL from my domain shows up on one of their block lists. Preventing certain hostnames, like paypall-redirect.tripod.com, from being used in the first place seems like a good step. I'd be surprised if the vendors aren't doing this already. I suspect the examples found in their post are just names that slipped through the ban list.
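As an added illustration of the hostname ban list idea (my own sketch, not code from F-Secure, Tripod, or any hosting provider), here is what a sign-up check could look like. The provider suffix `tripod.com` comes from the example above; the brand list and the digit-for-letter look-alike table are constructed for the example, and a real deployment would feed them from the block list vendor instead.

```python
"""Flag free-host sign-up names that imitate well-known brands (added example)."""
from __future__ import annotations

import re

# Constructed brand list for the example; a real deployment would pull this
# from the block list vendor rather than hard-coding it.
PROTECTED_BRANDS = ("paypal", "ebay", "citibank", "bankofamerica")

# Constructed table of digit/symbol look-alikes commonly swapped into lure
# names ("paypa1", "c1tibank"); folded to letters before matching.
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def customer_label(hostname: str, provider_suffix: str) -> str | None:
    """Return the customer-chosen part of a hostname, or None if the suffix
    is not ours (we only police names under our own domain)."""
    host = hostname.strip().lower().rstrip(".")
    suffix = "." + provider_suffix.lower().lstrip(".")
    if not host.endswith(suffix):
        return None
    return host[: -len(suffix)]


def matched_brand(label: str, brands=PROTECTED_BRANDS) -> str | None:
    """Return the brand a requested label imitates, or None if it looks clean."""
    normalized = label.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_.]+", normalized) if t]
    for brand in brands:
        # Direct embedding: "paypall-redirect", "secure-ebay", "paypa1-login".
        if brand in normalized:
            return brand
        for tok in tokens:
            # Near misses one edit away ("paypel"). The length guard stops a
            # short ordinary word such as "bay" from matching "ebay".
            if len(tok) >= len(brand) and levenshtein(tok, brand) <= 1:
                return brand
    return None


def should_block(hostname: str, provider_suffix: str = "tripod.com") -> str | None:
    """Sign-up hook: the brand name that triggered the block, or None to allow."""
    label = customer_label(hostname, provider_suffix)
    if label is None:
        return None
    return matched_brand(label)


if __name__ == "__main__":
    # Constructed sign-up requests for a quick demonstration.
    for requested in ("paypall-redirect.tripod.com", "paypa1-login.tripod.com",
                      "bay-area-photos.tripod.com", "myhomepage.geocities.com"):
        verdict = should_block(requested)
        print(f"{requested:32} -> {'block (' + verdict + ')' if verdict else 'allow'}")
```

The check is deliberately conservative: a substring hit or a single-character edit after folding look-alike digits, with a length guard so common words do not trip it. Transposed letters ("payapl") cost two edits under plain Levenshtein and slip through, which is exactly the kind of gap the author expects the vendor block list notifications to cover after the fact.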

Java updates

There is some interesting info in the latest updates to the ISC diary entry on Sun Java.
In the original entry the writer notes that the latest version of Sun Java attempts to solve a long-standing problem: not only does installing an updated version of Java fail to remove earlier versions, but the earlier versions can be specifically requested by the bad guys. That's right, it's like installing a patch but letting the bad guy ignore it if they choose to. That problem is rather old, but Sun is addressing it by having the latest version of Java prompt the user if an older, potentially vulnerable version is requested.
So why not just remove the earlier, vulnerable version, you might ask? Many bad web applications specifically require a bad version of Java, so you can't uninstall the bad version if you want to use that website. You are forced to wait for the original developer to provide an update. CiscoWorks VMS is one example of such a site.
So here is what is new: a reader of the ISC wrote in to suggest that you create a CLSID entry pointing requests for the older, vulnerable version to the newer version (staying within the same 1.42 or 1.5 family). It may not work for every site, but it's worth a shot. I thought that was the best tip so far on the ISC site this month, and it wasn't even part of their Tip of the Day segment. :)

W32/Stration

I noticed that a few copies of W32.Stration were detected in the inbound email today. It's a nice break from all the phishing and Mytob.

Unplanned Business Continuity Drill

As I was getting ready to leave for work this morning, I got a voicemail message from my manager indicating our corporate headquarters is closing today at 8:30 am due to an A/C failure and that I should work from home.
Normally, this wouldn't be a problem. However, yesterday I left work at 9:15 pm and didn't bring my laptop or my computer glasses home. I figured I wasn't going to do any more work that evening, so why bother. We're supposed to bring the laptop home every day for disaster recovery purposes.

VM Sprawl

Here’s an interesting article on VM Sprawl.
Companies implement virtual machines but soon find that, without the restriction of hardware cost, the number of virtual servers skyrockets. They still need to be managed, patched and in some cases licensed.

Mac Zealots go to war on Secureworks

George Ou writes on the campaign Apple Computer and their Kool-Aid-drinking drones have been mounting against the security researchers who demonstrated a wireless driver exploit at Black Hat.
I find the entire thing disgusting. Why does computing feel more like politics?

Full Disclosure of Symantec Product Updates?

It seems like someone decided that Symantec is no longer a favored company. I think it started last year when support hold times were up over an hour. Whatever the cause, SAV admins are looking for any opportunity to complain. SAV updates the product, complain. SAV doesn’t update the product, complain. SAV doesn’t provide updates in the method you’d like, complain.
Which leads us into today’s item. An admin from the University of Richmond would like the ability to push out SAV updates via the Symantec System Center. Does he enter a feature request? No! He posts to the Full Disclosure mailing list as if this were some sort of discovered exploit.
Symantec does need to take a look at distribution systems such as those used by McAfee ePolicy Orchestrator or Webroot SpySweeper Enterprise. But ultimately, this is an enterprise product, and enterprises invest in products such as SMS to perform software rollouts.

MS06-042 and CA Servicedesk

MS06-042 is causing issues with CA Servicedesk even when XP SP2 is the operating system. The previously reported fix for MS06-042 is for Windows 2000 and XP SP1 only. A re-release of MS06-042 has been announced for August 22nd. The release is said to be for all versions of IE6 SP2. It's hoped that means this problem will be resolved. Some people think the re-release will only contain the currently available hotfix.
The SANS ISC covers the issue here.

Consumer Reports Reviews Antivirus, McAfee Cries Foul

Consumer Reports reviews antivirus products in its September 2006 edition. Most of the article requires a subscription; as a result I have not had a chance to look at it yet.
McAfee responds in their weblog. The author "Igor" obviously has no clue who Consumer Reports is. As a result, he is confused by the September 2006 date. Since the material is undoubtedly part of the September 2006 edition of the magazine, that is the correct way to date the article on their website as well.
Igor gets his nose out of joint because CR used a live-fire test, creating new viruses in the lab. Igor prefers tests where three-month-old virus definitions are used so any virus that came out after that can be tested as a "new" virus.
Complaining about that reminds me of when a vendor complains about the method of disclosure to distract from the vulnerability in their product (although there is actual damage from full disclosure and no damage from this private lab test). Igor needs to get over it. Signature-based detection is dead, and antivirus products will be judged by their heuristic and behavioral protections. That said, CR needs to look into the standard virus testing methodology. They are unaware of the testing performed by AV-Comparatives, for example. These types of tests are not as new as CR imagines.

http://www.avertlabs.com/research/blog/?p=71

Symantec IMManager 8.0.5

Symantec IMManager 8.0.5 is out with release notes located here.
This release includes support for Yahoo Messenger 8.