Windows Home Server vulnerable to critical bug, too
By Gregg Keizer
January 27, 2008

For the second time in three days, Microsoft Corp. added another product to the list of those vulnerable to a critical bug patched nearly three weeks ago. Windows Home Server, the company's newest operating system, is also at risk to the vulnerabilities spelled out by the MS08-001 security bulletin, according to a Friday update.

The advisory, first issued Jan. 8 -- and fingered then by researchers as the month's most pressing -- was revised Wednesday, when Microsoft announced that Windows Small Business Server was at risk. Neither Windows Home Server nor Small Business Server had been among the versions called out by the original bulletin.

"Supported editions of Windows Small Business Server 2003 and Windows Home Server contain the same affected code as Windows Server 2003," Microsoft said in the revised notice. "[However] Windows Small Business Server and Windows Home Server configurations have IGMP [Internet Group Management Protocol] enabled by default and will result in a greater exposure to the same vulnerability."

The initial bulletin had pegged the threat to Windows Server 2003 as "Important," the second highest rating in Microsoft's four-step scoring system. But it was later rated as "Critical" for Windows Home Server and Small Business Server.
Posted January 28, 2008 by David Hale in Technology News, Security News
Hit Man Allegedly Sought In Craigslist Ad
by Steven Musil
January 27, 2008 - 10:30 AM PST

There are some jobs offered on Craigslist that some people would kill for, but this one may have asked a bit too much. A Michigan woman is accused of using the popular bulletin board site to try to hire a hit man to kill the wife of a man with whom she had had an affair.

Ann Marie Linscott, 49, was arrested Thursday at her home in Grand Rapids, after allegedly posting an ad in November for a "freelance" job, according to a report by the Associated Press. Respondents to the ad were offered $5,000 to "eradicate a female living in Oroville, California," and given her name, address and other personal information, the AP reported, citing authorities and court documents.

Authorities are expected to ask that Linscott be extradited to face charges in California. Her court-appointed attorney was not reachable for comment Saturday. Craigslist is no stranger to postings that solicit illegal activities. In the past, the popular site has seen ads for prostitution, fake sex ads to harass people, and even an invitation to loot and trash a house.

But this appears to be the first time someone has solicited murder on the site, according to Craigslist CEO Jim Buckmaster. "Out of 550 million classified ads posted over 12 years, this is the first such incident that we're aware of," Buckmaster wrote in an e-mail to the AP.

CNET Blogs
Posted January 25, 2008 by David Hale in Security News
Security metrics: Is there a better way?
By Larry Dignan
January 25th, 2008

A report arguing that the first year of Vista has been more secure–or at least has had fewer vulnerabilities–than XP and other operating systems has raised a ruckus. The issue raises a question about whether there are any metrics that could accurately capture whether an operating system is more secure. I posed the metrics question in my previous report on the claims by Jeff Jones, a security guru at Microsoft. Here is a look at some of the feedback:

* How about compromised systems per vulnerability. Yes I know the flaw there is that Windows would be a sure loser by reason of its larger install base. So, maybe state it as a percentage of the installed base? What really makes this difficult is that a Windows user is a fool if they don’t have some kind of virus protection enabled. That makes any metric a measurement of not only Windows itself but the malware protection companies as well. Do I blame MS when Norton or McAfee fails? Maybe. Because a really secure OS shouldn’t need them.

* I think that a metric describing an entire operating system is of little use. Most operating systems can be configured in countless ways, with vast differences in their level of security. I think a more useful metric would be one that describes the security of an individual implementation. Perhaps one that scans the network or PC in question and compares the number of vulnerabilities found in the implementation to the total number of vulnerabilities discovered for the operating system.

* A metric on what is most secure gives you a false sense of security so ignore them. They’re purely marketing tools and that’s it. Security is about layers. So you could have a completely unsecured OS but if you have layered your security that will not be a problem. The OS is just one small part of the big picture in terms of security...

ZDNET Blogs
Posted January 25, 2008 by David Hale in Security News
Symantec warns of router compromise
By Tom Espiner
January 24, 2008, 9:10 AM PST

Security company Symantec has warned of an attack involving the subversion of routers. The security company said this was the first time it had seen such an attack "in the wild," although the concept had been discussed a year ago by Symantec researchers, according to a Symantec blog post.

In the attack, which targeted users of an undisclosed Mexican bank, the intended victims received a spam e-mail claiming they had received an e-card, directing them to gusanto.com, a Spanish-language e-card site. However, the e-mail also had embedded HTML image tags that contained an HTTP get-request to the router to change its Domain Name System settings, according to Symantec's U.K. manager of quality assurance, Thomas Parsons.

The HTTP get-request redirects traffic flowing over the router to a specific IP address when the user attempts to access six domain names that are banking-related. Symantec requested that ZDNet UK not publish the IP address.

The attack is made possible by a cross-site scripting vulnerability in routers made by broadband-equipment company 2Wire that was reported in August last year, according to Symantec. Parsons said this was "a simple hack" and advised small to medium-size businesses to change default security settings on routers and educate users about clicking on suspicious links.

CNET News
Posted January 24, 2008 by David Hale in Security News
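The Symantec item above describes the lure: an e-card e-mail whose HTML carries image tags that are really HTTP requests to the recipient's router, aimed at changing its DNS settings. A mail gateway or analyst can screen for exactly that pattern. The following is an added example, not Symantec's or the bank's code: it pulls every `<img src>` out of an HTML body and flags sources that point at a private or loopback address or whose query string carries configuration-style parameters. The sample e-mail, the hint-key list and the router path are constructed for illustration and do not reproduce any real device's interface.

```python
"""Flag <img> tags in an HTML e-mail whose "image" is really a request to a
device on the local network.  Added example (not Symantec's code); the sample
message and CONFIG_HINT_KEYS below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Query keys suggesting a configuration change rather than an image fetch.
# Hypothetical list; tune to the devices actually deployed on your network.
CONFIG_HINT_KEYS = {"dns", "dns1", "dns2", "nameserver", "password", "admin"}


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def _host_is_local(host):
    """True for RFC 1918, loopback and link-local literals or obvious LAN names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal IP address: only flag obvious local hostnames.
        return host.lower() in {"localhost", "router", "gateway", "home"}
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_suspicious_images(html_body):
    """Return [(src, [reasons...])] for image sources that target the local
    network or carry configuration parameters in their query string."""
    parser = ImgCollector()
    parser.feed(html_body)
    findings = []
    for src in parser.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # data: or cid: images cannot reach a router
        reasons = []
        if parts.hostname and _host_is_local(parts.hostname):
            reasons.append("target host is on the local network")
        keys = {k.lower() for k in parse_qs(parts.query)}
        if keys & CONFIG_HINT_KEYS:
            reasons.append("query carries configuration parameters")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed e-card lure: one real image, one 1x1 "image" aimed at the router.
# 192.168.1.1 is a typical gateway address; 203.0.113.9 is a documentation IP.
SAMPLE_EMAIL = """<html><body>
<p>You have received an e-card! <a href="http://ecards.example.test/view">Open it</a></p>
<img src="http://ecards.example.test/images/card.jpg" width="300">
<img src="http://192.168.1.1/setup?dns1=203.0.113.9" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_images(SAMPLE_EMAIL):
        print(src, "->", "; ".join(reasons))
```

Either signal on its own is worth a look; both together on a one-pixel image are the signature Parsons described. Blocking outbound requests to private addresses from rendered mail, and changing the router's default credentials so an unauthenticated GET cannot alter settings, are the mitigations the article itself points to.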
Student Behind DoS Attack That Rekindled Bad Soviet Memories
By Joel Hruska
January 24, 2008 - 02:27PM CT

Last May, the web sites of a number of high-ranking Estonian politicians and businesses were attacked over a period of several weeks. At the time, relations between Russia and Estonia were chillier than usual, due in part to the Estonian government's plans to move a World War II-era memorial known as the Bronze Soldier (pictured at its original location) away from the center of the city and into a cemetery.

The country's plan was controversial, and led to protests that were often led by the country's ethnic Russian minority. When the cyberattacks occurred, Estonia claimed that Russia was either directly or indirectly involved—an allegation that the Russian government denied. Almost a year later, the Russian government appears to have been telling the truth about its involvement (or lack thereof) in the attacks against Estonia.

As InfoWorld reports, an Estonian youth has been arrested for the attacks, and current evidence suggests he was acting independently—prosecutors in Estonia have stated they have no other suspects. Because the attacks were botnet-driven and launched from servers all over the globe, however, it's impossible to state definitively that only a single individual was involved.

Dmitri Galushkevich, a 20-year-old Estonian student, launched the DoS (denial-of-service) attacks from his own PC last year. Although he's a native Estonian, Galushkevich was angry over his government's plans to move the statue, and launched the attack as a means of protesting the decision. The fact that a single angry student was able to impact international relations between two countries is a startling development.

Ars Technica
Windows Small Business Server at risk from critical flaw
By Robert McMillan
January 24, 2008

Microsoft said Wednesday that another one of its operating system products is vulnerable to a critical vulnerability, first patched two weeks ago. In an update to its MS08-001 security bulletin, Microsoft said that the latest release of Windows Small Business Server was also critically at risk from a bug in Windows' networking software.

The flaw is also considered critical for Windows XP and Vista users. Microsoft did not say why it had initially omitted Small Business Server from its list of critically affected operating systems, but it said that the product's users were being offered patches via Microsoft's various automatic update services. "Customers with Windows Small Business Server 2003 Service Pack 2 should apply the update to remain secure," Microsoft said in its updated bulletin.

The bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery) protocols, which are used to send data to many systems at the same time. Microsoft said that an attacker could send specially crafted packets to a victim's machine, which could then allow the attacker to run unauthorized code on a system.

Microsoft rates the flaw as "important" for Windows Server 2003, meaning that it would be more difficult for attackers to exploit the flaw on this operating system. Security experts are paying particular attention to this vulnerability because it could be exploited by attackers to create a self-replicating worm attack. The flaw is not being exploited in online attacks, but last week researchers at penetration-testing-software vendor Immunity made a sample exploit available to their customers.

InfoWorld
Posted January 24, 2008 by David Hale in Security News
Most malware comes from legit sites, says researcher
By Gregg Keizer
January 23, 2008

The majority of Web sites serving up attack code are legitimate domains that have been hacked by criminals, a security researcher said in a report released today. It's the first time that legitimate sites outnumber the malicious ones hackers purposefully set up to spread malware.

According to data compiled by Websense Inc., 51% of the sites it classified as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs. The remaining 49% were "intentionally built for malicious intent," the Websense report said.

Hacking legitimate sites to make them sling malware gives attackers instant advantages, added Dan Hubbard, Websense's vice president of security research. "It's a great vector because they don't need to drive users to the sites in many cases; they also get free hosting, of course, and [it's] hard to trace ownership," Hubbard said. "Additionally, if someone is allowing access based on reputation, then they may go undetected."

The win-win for hackers -- who get a crack at the built-in audience that's composed of a hacked site's usual visitors -- is a lose-lose for everyone else, a fact that's been proved by several prominent events where hacked sites spewed out malicious code.

Computerworld
Posted January 23, 2008 by David Hale in Security News
Mozilla confirms Firefox proof of concept information leak vulnerability
By Larry Dignan
January 23, 2008

Mozilla’s security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox–even fully patched versions. Snyder confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any javascript file on a machine.

Technically, it’s a chrome protocol directory traversal. Snyder explains: When a chrome package is “flat” rather than contained in a .jar the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way. A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk.

Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack. Some extensions may store information in Javascript files and an attacker may be able to retrieve those. Greasemonkey user scripts may be retrieved using this method.

Session storage and preferences are not readable through this technique.
Mozilla gives the flaw a low severity rating for now, but add-ons such as Download Statusbar and Greasemonkey are vulnerable. Look for this vulnerability to get patched, low risk or not. Mozilla has opened a bug.

ZDNET Blogs
Posted January 22, 2008 by David Hale in Security News
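The Firefox item above turns on one missing check: a request for a resource inside a flat (unpacked) add-on directory was allowed to walk out of that directory with `..` segments. The containment check that closes this whole class of bug is short, and the following is an added example of it, not Mozilla's code or the actual chrome resolver. It goes slightly beyond the article by also handling percent-encoded and backslash-separated traversal, which naive filters miss. The package root used in the sample is a hypothetical path, not a real profile layout.

```python
"""Path containment for resources served out of an unpacked package directory.
Added example, not Mozilla's chrome resolver; package paths are hypothetical."""
from urllib.parse import unquote
import posixpath


class TraversalError(ValueError):
    """Raised when a requested path would leave the package directory."""


def resolve_in_package(package_root, requested):
    """Map a relative resource path to an absolute path under package_root.

    Raises TraversalError if, after decoding and normalisation, the path does
    not stay inside package_root.  Returns the normalised absolute path."""
    # Decode percent-encoding so "%2e%2e" is seen as "..".  Decoding twice also
    # catches double-encoded input ("%252e"), a common evasion of single-pass
    # filters; the cost is that a literal "%25" in a filename is mangled.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators too; on Windows they climb directories.
    decoded = decoded.replace("\\", "/")
    # A NUL byte truncates the path in C file APIs; never pass one through.
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if decoded.startswith("/"):
        raise TraversalError("absolute path not allowed")
    root = posixpath.normpath(package_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # After normalisation the candidate must be the root or sit beneath it.
    # The trailing "/" stops "/ext/foobar" from passing as inside "/ext/foo".
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError("path escapes package: %r" % (requested,))
    return candidate


def is_safe(package_root, requested):
    """Boolean wrapper around resolve_in_package for filtering requests."""
    try:
        resolve_in_package(package_root, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Hypothetical unpacked add-on directory used for the demonstration.
    ROOT = "/profile/extensions/example-addon"
    for req in ("content/main.js",
                "content/../skin/style.css",
                "../../prefs.js",
                "content/%2e%2e/%2e%2e/%2e%2e/prefs.js",
                "..%252f..%252fprefs.js",
                "..\\..\\prefs.js"):
        print("%-45s %s" % (req, "ok" if is_safe(ROOT, req) else "REJECTED"))
```

The check works on the normalised string, so `content/../skin/style.css` is accepted (it stays inside the package) while every form of climbing above the root is rejected before any file is opened. Packing add-ons into a `.jar`, as Snyder notes, sidesteps the problem differently: the archive reader only knows entries, not the surrounding filesystem.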
FBI Warns VISHING Attacks Are On The Rise
By Joel Hruska
January 21, 2008 - 09:50PM CT

According to the FBI's Internet Crime Complaint Center (IC3), the number of "vishing" complaints received by the center is increasing at what it calls "an alarming rate." Vishing and phishing are related, and both rely on e-mail as a means of delivering bait, but the two use different hooks in order to snag user data.

Vishing starts with an e-mail, like phishing, but requests that end-users contact a particular institution by phone in order to resolve an issue or re-secure personal data. People who call the provided number will be asked to provide the same types of data phishers attempt to procure. Ironically, vishing e-mails may even attempt to reassure recipients of their legitimacy by stating that the institution in question would never request customer financial data via e-mail or IM.

The actual specifics of the attack could vary widely, depending how large of an operation those behind the attack intend to run. A standard vishing attack might use a phone number connected to an answering machine to harvest data. A large-scale scamming operation, however, could theoretically employ several people to act as call-center workers—who might not even be aware that they're in the employ of an illegal business operation.

Given the amount of outsourcing that goes on these days, it's not exactly unusual to find yourself talking to "Ralph Smith" when you deeply suspect the person on the other end of the line is located in south Asia. Vishing attacks are rising as voice-over-IP services become more popular.

Ars Technica
Posted January 22, 2008 by David Hale in Security News
RIAA repairs web site
January 22, 2007 - 10:38 AM

THE RECORD INDUSTRY Association of America has managed to drag its website back online, a quick inspection of the interwebs has revealed. The RIAA website was hacked at the weekend using an SQL injection flaw in the site's code, and the website was totally ripped down, unavailable for the duration of the work-week break.

But it seems that the original American Gangsters are back online and up and running, although it's not at all clear that they've actually identified the SQL issue and fixed it. Anybody want to take a second shot? Meanwhile, the erstwhile Don Reisinger has a fabulous interview with the mobsters up on his blog, here.

Take everything you know about the organisation, multiply it by a factor of five, and that appears to be the actual situation. Fun. You can find the RIAA's site, for now, here. So that's alright then.

The Inquirer
Linux Security Guru Joins Microsoft
By Larry Dignan
January 21st, 2008

Crispin Cowan, the Linux security expert behind StackGuard, the Immunix Linux distro and AppArmor, has joined the Windows security team. In a blog post last week, Microsoft’s Michael Howard, author of Writing Secure Code, wrote:

For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy.

He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism, it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!
Cowan, CTO and co-founder of Immunix, will certainly be able to stir the pot–his home page still sports the Linux penguin in the URL.

Howard adds that Crispin will join the team that worked on User Account Control. Given the criticism that UAC (most popular UAC posts on ZDNet) has received hopefully Crispin can inject a little more pragmatism into the effort.

ZDNET Blogs
Posted January 22, 2008 by David Hale in Security News
JavaScript worm still spreading, infection origin unknown
By Joel Hruska
January 21, 2008 - 11:00PM CT

The JavaScript worm Ars has covered previously is still out in the wild—and it's still causing hell for webmasters and malware researchers alike. According to a recent post by Bojan Zdrnja at the SANS Internet Storm Center, the actual infection vector has been discovered, but there's still no hard data on how systems are actually infected in the first place.

For those of you who are new to the story, this particular JavaScript worm generates a randomized script on the same server. This script points to a container file that holds various exploits, but the file is single-use only. Once the end user downloads and installs it, the infected server caches the visitor's IP address and never prompts the individual for file installation again.

Even if the visitor declines to download the infected package, the randomized file name changes for each individual. Once successfully installed on a system, the program hunts for a number of unpatched exploits looking for an avenue of infection. Current antivirus scanners are apparently proving to be a poor defense against the nature of such attacks and the infection vector itself, and we've yet to see any single security product billed as providing an adequate level of protection.

The client-side infection vector has been identified, but it's still not clear how the virus is actually embedding itself server-side in the first place. As The Register reports, the infection is difficult to remove once installed. One theory proposed by Don Johnson of SecureWorks is that the creators of the script have managed to install an Apache runtime patch. This patch is then used to inject the payload.

Ars Technica
Don’t Dawdle On Microsoft’s Latest Batch Of Patches
By Larry Dignan
January 17th, 2008

If you’re like most folks you are taking your time installing Microsoft’s latest round of security patches. However, you may want to get your rear end in gear. Specifically apply MS08-001, which was released on Jan. 8. That patch fixed a Transmission Control Protocol/Internet Protocol (TCP/IP) processing vulnerability that was critical for XP and Vista.

The vulnerability, if left unpatched, could lead to a worm attack. Ryan Naraine interviews the hacker that brought the bug to Microsoft last August and the details are worrisome. So how can this turn into a worm attack? Immunity has issued a proof of concept attack for the vulnerability (available to customers). It’s just a matter of time before this code goes into the wild.

Ryan appears to be sold on the idea of a potential worm attack. I agree just based on odds–we haven’t been hit with a serious worm for two years. Microsoft has noted that the latest flaw isn’t likely to lead to a worm attack in real-world conditions. Then again, Microsoft has spent some serious digital ink on its Security Vulnerability Research and Defense blog over MS08-001.

“We think successful exploitation for remote code execution is not likely,” says Microsoft. Is that a fact or a challenge? Hackers are likely to choose the latter. Simply put, Microsoft didn’t have a lot of patches to kick off 2008, but the ones it delivered shouldn’t be ignored. Naturally there are complications. The biggest one is that this patch may not be easy to install.

ZDNET Blogs
Posted January 17, 2008 by David Hale in Security News
Red Hat and Firefox More Buggy Than Microsoft Apps
By Matthew Broersma
January 17, 2008 8:20 AM PST

Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

In a report released this week, Secunia also criticized CA for the quality of the code in its anti-virus products, saying that "inherent" code problems are exposing CA products to ongoing security vulnerabilities.

On the other hand, "zero-day" security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer, according to the Secunia 2007 Report, released this week.

In a review of the number of vulnerabilities found in enterprise anti-virus vendors' products, Secunia found that CA was by far the leader, with 187 vulnerabilities, followed by Symantec with 73. Trend Micro (34), ClamAV (15), McAfee (13) and F-Secure (6) ranked lower on the list.

PC World
Attackers targeting Microsoft Office Excel
by Dawn Kawamoto
January 16, 2008 9:09 AM PST

Microsoft issued a security advisory late Tuesday that malicious attackers are targeting versions of its Office Excel with vulnerabilities. Microsoft Office Excel 2003 with Service Pack 2; Excel Viewer 2003; Excel 2002; Excel 2000; and Microsoft Excel 2004 for the Mac are affected by the security vulnerabilities, according to the advisory.

People who open a malicious e-mail attachment or visit a malicious Web site may find that their systems are compromised and that arbitrary remote code is executed. Computers configured to allow the user to have administrative user rights are at greater risk than those with few user rights on the system. Microsoft said it is still investigating the security vulnerabilities but noted the attacks appear to be targeted and not widespread, according to its security blog.

CNET Blogs