<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
	<channel>
		<title>Sunnet Beskerming Security Advisories</title>
		<link>http://www.beskerming.com</link>
		<description>Information Security news and threat coverage from Sûnnet Beskerming</description>
		<language>en-us</language>
		<lastBuildDate>Thu, 2 Jul 2009 03:23:59 +1000</lastBuildDate>
		<generator>Jongsma &amp; Jongsma Esperanto toolkit</generator>
			<managingEditor>info@beskerming.com (Sunnet Beskerming)</managingEditor>
		<webMaster>info@beskerming.com (Sunnet Beskerming)</webMaster>
			
		
			
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/beskermingcombined" type="application/rss+xml" /><feedburner:emailServiceId>beskermingcombined</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
				<title>Learning Information Handling Lessons From Celebrity Tragedy</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/vTcMNDISSLA/Learning_Information_Handling_Lessons_From_Celebrity_Tragedy</link>
				<description>&lt;p&gt;In the space of a week and a half the world has lost some major celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael Jackson all passing away.  Although each passing is tragic, it is the sudden death of Michael Jackson that has had the most effect on the online world, though there are reports that the deaths of the others have also led to online scam attempts.&lt;/p&gt;&lt;p&gt;Jackson's unexpected death demonstrates the power that "non-reputable sources" can have in being able to break and follow important news that is normally ignored until a more "reputable" source picks it up.  The Internet may make it possible for anyone to have a voice, but it also means that carrying authority and reputation with that voice still takes time and effort.  Michael Jackson's passing was first identified and reported on by TMZ, however the "reputable" news agencies and sources were much slower to pick up the story and run with it.  One of the primary reasons why is that they had a much stronger reputation and weight of authority to risk running with a potentially inaccurate story, especially one that could be damaging if it was inaccurate.  When everyone on the Internet is able to go and visit the originating source site, then the decision to delay the coverage of his death can result in lower overall readership of their particular coverage of the story.&lt;/p&gt;&lt;p&gt;Savvy online users and the skeptical will still try to get independent validation of the breaking story, something that came with time even though many of the early 'reputable' stories were derived almost exclusively from TMZ material.  This sudden rush of Internet users seeking out independent validation in a very narrow timeframe led to some interesting side effects for Google and major news sites.  
Google's &lt;a href="http://www.pcauthority.com.au/News/148727,google-mistook-mj-searches-for-net-attack.aspx"&gt;side effect&lt;/a&gt; was that the massive wave of traffic was initially identified as an attack and so accurate information was withheld for a short period while Google's defences were activated to deal with the significant but legitimate traffic flow.&lt;/p&gt;&lt;p&gt;Twitter was another service which found itself struggling to cope with the increased traffic that came as a result of Jackson's death.  Various elements and features of the service were temporarily disabled to allow it to carry the messages being created by its users.  Reportedly this was in the vicinity of 66,000 messages per hour, but that figure seems extremely low.  If the service is going to struggle on 1,100 messages per minute, then it needs to be re-engineered to be able to carry more capacity if it is going to have wider appeal and usefulness.&lt;/p&gt;&lt;p&gt;Sites that were reliant upon third party advertising hosting found that serving the external ads was causing bottlenecks when serving up news reports, so much so that it made the overall sites seem unresponsive, despite the site itself still being responsive and fully functional.&lt;/p&gt;&lt;p&gt;Not only were mainstream "reputable" media sites and sources scooped by a non-traditional source and means, but there are questions about the appropriateness of media organisations &lt;a href="http://features.csmonitor.com/innovation/2009/06/29/was-wikipedia-correct-to-censor-news-of-david-rohdes-capture/"&gt;self-censoring&lt;/a&gt; material that would normally be published.&lt;/p&gt;&lt;p&gt;When that material is suppressed because it pertains to a reporter that they employ it leads to accusations of double standards from external observers.&lt;/p&gt;&lt;p&gt;Not only was news of the reporter's kidnapping suppressed from traditional media sources, but an active and successful campaign was led to keep the information 
suppressed from Wikipedia, where the reporter already had a page describing their life and employment.  Critics of Wikipedia have seized on this as a clear example of how Wikipedia is not the neutral, freely-editable source of information it claims to be.  Political and commercial interests can trump the efforts of contributors to improve and enhance the usefulness and accuracy of the site.&lt;/p&gt;&lt;p&gt;Even though each of the situations described above took place recently, it isn't quite yet the case where people can claim that "The Emperor has no clothes", but it is beginning to look that way.  How each situation came about and was resolved should provide lessons to the companies and organisations involved to help them provide better results the next time something similar takes place or else they will find themselves with no clothes.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
				<pubDate>Thu, 2 Jul 2009 03:23:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/07/02/463/Learning_Information_Handling_Lessons_From_Celebrity_Tragedy</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/07/02/463/Learning_Information_Handling_Lessons_From_Celebrity_Tragedy</feedburner:origLink></item>
			
			<item>
				<title>Dealing With People Who Avoid Restrictions</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/jN2Axo_wFXk/Dealing_With_People_Who_Avoid_Restrictions</link>
				<description>&lt;p&gt;Whenever restrictions are imposed on people, stopping them from carrying out certain activities, or trying to restrict their access to information, there will always be a portion of the population that goes out of their way to avoid and defeat these mechanisms in order to access what is being blocked.&lt;/p&gt;&lt;p&gt;Sometimes this is done out of necessity, and in these cases the restrictive blocks really are a hindrance to carrying out their work or other activities that they need to do.&lt;/p&gt;&lt;p&gt;Other times it is being done out of ignorance of the new, accepted procedures.  People are happy with their old ways and will work a little bit harder at placing themselves in a position where they can still do what they used to.&lt;/p&gt;&lt;p&gt;The most risky cases are where it is done out of malicious intent, done only to prove that they can defeat the system or out of fear that the newer restrictions aren't as useful as they could be and the users fear approaching the network administrators and stating their case effectively.&lt;/p&gt;&lt;p&gt;Corporate network administrators face problems like this on a daily basis, encountering users who fall into each group who are running head first into the restrictions on approved applications, approved websites, blocked websites, and approved email usage.  The wrong thing to do is to tighten the restrictions further, as it will drive some of the casual by-passers into the camp of the willful by-passers and will do nothing to dissuade the already willful by-passers.  
The number of casual by-passers and those who need to bypass the blocks who give up as a result are going to be outnumbered by those who now intentionally bypass restrictions.&lt;/p&gt;&lt;p&gt;Some workplaces choose to punish those working around the restrictions, irrespective of the actual reason for doing so, and this can lead to resentment and distrust between the frustrated users and the network gatekeepers.&lt;/p&gt;&lt;p&gt;There are cases in other domains that mirror what goes on with network restrictions.  With the increased concern about the spread of H1N1 influenza, some countries are using body heat scanners at points of entry to scan for passengers who might be running a fever as an early indication of possible influenza infection.  On the surface it sounds like a reasonable step to take and can help rapidly sort incoming individuals into categories where it might be worth taking a closer look at their condition to confirm the presence or lack of H1N1 infection.&lt;/p&gt;&lt;p&gt;As this is a potential barrier to entry to a country, it is a restriction that is causing people to seek a way around it.  
Vietnam &lt;a href="http://news.yahoo.com/s/nm/20090615/od_nm/us_flu_fever;_ylt=Aqfx0y80KQg7bJc.RdUE5iISH9EA"&gt;recently&lt;/a&gt; reported that some incoming passengers were using fever reducers that resulted in them passing the body heat scan despite actually being infected with H1N1.&lt;/p&gt;&lt;p&gt;Just like a disaffected user introducing non-approved network hardware or potentially malicious storage devices or software into a corporate system, an ill person avoiding the body temperature scanner is introducing a potential health risk to the wider population (or a security risk to the wider user-base).&lt;/p&gt;&lt;p&gt;How do you handle such cases?&lt;/p&gt;&lt;p&gt;Banning use of relief medication by an affected individual isn't going to work, though this is the path that many network administrators take when dealing with users who have bypassed network restrictions.  It just forces people to take steps that are more extreme than really necessary.&lt;/p&gt;&lt;p&gt;You can't always rely upon people to tell you the truth when questioned, especially when the truth might jeopardise the holiday that they have already commenced and have almost reached.  The fear of losing out on such an investment of time and money due to something that feels like a cold won't be well received, especially when they are so close to their destination.&lt;/p&gt;&lt;p&gt;Sometimes, that is what has to be done, each case investigated individually and appropriate remedial action taken.  Most cases investigated should amount to nothing (though with an excellent first filter this will rise), allowing resources to be dedicated to the cases which are actually significant.&lt;/p&gt;&lt;p&gt;Applying this approach to network security can help ease perceived restrictions for the majority of users while still managing and actioning those cases of significant breach of policy.  
By demonstrating a well-run and well-managed set of restrictions, it will make users more comfortable to exist within the boundaries set and will make them more comfortable about approaching administrators for the times when the restrictions need to be bypassed.&lt;/p&gt;&lt;p&gt;Not everyone is going to be able to have such a system, but every step towards such a system is going to be of benefit to the end users and administrators alike.  Such systems, both network and body temperature scanners, need to be monitored and continually improved upon to demonstrate that they aren't just for show and are actually effective (at least partially) at what they claim to be doing.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
				<pubDate>Mon, 22 Jun 2009 20:20:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/22/462/Dealing_With_People_Who_Avoid_Restrictions</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/22/462/Dealing_With_People_Who_Avoid_Restrictions</feedburner:origLink></item>
			
			<item>
				<title>Microsoft Money Joins Encarta on the Scrapheap</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/ue-XhFecVx4/Microsoft_Money_Joins_Encarta_on_the_Scrapheap</link>
				<description>&lt;p&gt;Following their decision earlier this year &lt;a href="http://www.beskerming.com/commentary/2009/04/03/438/Information_Distribution_Being_Shaken_Up_In_More_Than_One_Way"&gt;to cut Encarta&lt;/a&gt; from their product line, Microsoft have &lt;a href="http://www.microsoft.com/money/default.mspx"&gt;announced&lt;/a&gt; that they will be ceasing production and sale of Microsoft Money (now Microsoft Money Plus) from June 30 this year.  Affected products are all of the Microsoft Money family (Essentials, Plus Deluxe, Plus Premium, Plus Home &amp;amp; Business).&lt;/p&gt;&lt;p&gt;Citing increasing competition from banks, brokerage firms, and websites as viable options for traditional Money customers, Microsoft stopped providing annual updates last year, and will stop all online services by January 31, 2011.  Reading deeper into the linked &lt;a href="http://www.microsoft.com/money/faq.mspx"&gt;FAQ&lt;/a&gt; it clearly states that Microsoft Money products can not be activated or reactivated after January 31, 2011.  This means that after that date if the system running Microsoft Money is replaced, or the software is otherwise transferred to a new system, it will not and can not be activated.&lt;/p&gt;&lt;p&gt;End users purchasing the software between now and the end of the month need to be aware that the effective life of their software could be eighteen months, and that they need to have alternate plans for handling their financial data after that date.  If the system running Microsoft Money continues to operate happily beyond that point, the loss of online functionality can be largely replaced by manual updates of tax and stock quote data, but this does limit the effectiveness of the product.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
				<pubDate>Thu, 11 Jun 2009 22:38:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/11/461/Microsoft_Money_Joins_Encarta_on_the_Scrapheap</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/11/461/Microsoft_Money_Joins_Encarta_on_the_Scrapheap</feedburner:origLink></item>
			
			<item>
				<title>Critique of Apple's Security Stance Nothing New - But Still Worthwhile</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/ajE6W2e8Mho/Critique_of_Apple's_Security_Stance_Nothing_New_-_But_Still_Worthwhile</link>
				<description>&lt;p&gt;Apple is a company that is notoriously secretive about their internal security processes and, although they have become more open about acknowledging the source of bugs reported to them when they fix them, they remain steadfastly tight-lipped at almost all other times when it comes to discussing security matters.&lt;/p&gt;&lt;p&gt;That isn't to say that the company doesn't keep on top of what is going on in the world outside of Apple, nor engage with researchers and Information Security companies.  Despite this, many still hold the impression that Apple is stand-offish and uncaring / oblivious to the bugs in their products.  For some, this point of view has tainted all dealings with the company and has seen some researchers go to publicly disclose vulnerability information before notifying Apple, whereas other vendors in the same situation would have been notified ahead of a co-ordinated or a delayed public release of vulnerability data.&lt;/p&gt;&lt;p&gt;Articles such as &lt;a href="http://db.tidbits.com/article/10321"&gt;this one&lt;/a&gt; do little to help commonly held views, especially when it is picked up and reported as &lt;a href="http://www.darknet.org.uk/2009/06/apple-struggling-with-security-malware/"&gt;Apple struggling&lt;/a&gt; with &lt;a href="http://www.theregister.co.uk/2009/06/09/apple_security_suggestions/"&gt;security&lt;/a&gt;, even if it isn't the complete message of the original article.&lt;/p&gt;&lt;p&gt;Rich Mogull puts forward a reasoned, well-thought-out series of arguments in the original article, but it is nothing new.  Nothing that hasn't already been put forward to Apple, both publicly and privately many times before.  
This doesn't mean that making these arguments is worthless.&lt;/p&gt;&lt;p&gt;It's not.&lt;/p&gt;&lt;p&gt;As Adobe has recently shown (and Microsoft some years before that), it &lt;em&gt;is&lt;/em&gt; possible for a large software company to change how it approaches Information Security management, patch issuing, and dealing with security-concerned consumers and Information Security researchers.&lt;/p&gt;&lt;p&gt;Even if Apple do not change their stance based on the most recent hirings and articles published by concerned Information Security and Apple system users, continuing to highlight and publicise the importance of taking these recommended steps keeps the ideas out in the open and being turned over, ready for a time when they might be more warmly received within Apple.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
				<pubDate>Thu, 11 Jun 2009 01:01:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/11/460/Critique_of_Apple's_Security_Stance_Nothing_New_-_But_Still_Worthwhile</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/11/460/Critique_of_Apple's_Security_Stance_Nothing_New_-_But_Still_Worthwhile</feedburner:origLink></item>
			
			<item>
				<title>T-Mobile Responds to Hack Claims - Nothing to See, Please Move On</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/aGLPSLydKq8/T-Mobile_Responds_to_Hack_Claims_-_Nothing_to_See,_Please_Move_On</link>
				<description>&lt;p&gt;Following on from our &lt;a href="http://www.beskerming.com/commentary/2009/06/08/458/Claims_of_T-Mobile_Hack_Raise_More_Questions_Than_Answers"&gt;recent article&lt;/a&gt; on a claimed successful attack against the telecommunications giant, T-Mobile, it appears that the situation still remains a little murky, with reports claiming that the company has both &lt;a href="http://www.cio.com/article/494553/T_Mobile_Confirms_Stolen_Data_is_Genuine"&gt;confirmed&lt;/a&gt; and &lt;a href="http://tech.yahoo.com/news/ap/20090609/ap_on_hi_te/us_tmobile_hacking"&gt;denied&lt;/a&gt; that a breach took place.&lt;/p&gt;&lt;p&gt;Ignoring for a moment the most recent statements by T-Mobile, the original claim of a hack seemed to offer tabulated internal network data as proof of successful compromise of the company.  This is the sort of information that would be easy to extract in a single file, and is something that would be expected to exist in any non-trivial network to aid administrators with keeping the network and associated systems operating smoothly.  While having possession of the file reduces the need for an attacker to manually map out the network, it isn't something that many would consider overly damaging, especially if network and system security was robust.&lt;/p&gt;&lt;p&gt;Perhaps if a company had put all of its intrusion detection eggs into the basket of network-based rather than host-based Intrusion Detection Systems (NIDS vs HIDS), then possession of this list would allow an attacker to immediately commence extremely targeted attacks against single systems, hoping to avoid triggering the NIDS (which should be triggering on the external access in the first place); such attacks should, however, trigger a properly managed HIDS.  
The flip side is that having an attacker in possession of a well-enumerated network map makes it simpler for them to target systems which might have an unpatched vulnerability, or which have a degraded HIDS, when their network mapping activity should have triggered on a properly managed NIDS.&lt;/p&gt;&lt;p&gt;A blended approach, with both systems in place and properly managed isn't going to be overly threatened by an attacker having possession of a network map.  All it means is that the timeline between initial contact with the network / company systems and compromise / extraction of sensitive data is compressed, reducing the available opportunity to detect, trap and stop the hack and data extraction.&lt;/p&gt;&lt;p&gt;T-Mobile's statements seem to support this point of view, acknowledging that the information published did exist in a file (again there are conflicting reports about the validity of this statement), which has now been identified, and that an investigation is now ongoing to determine the extent and severity of any breach that took place.&lt;/p&gt;&lt;p&gt;The downside for external observers is that T-Mobile are not obliged to make public the results of their internal investigation, and if it is confirmed that personal data was affected for customers, then it could take some time for that information to come out.  
If affected customers are notified individually, it may never be known just how significant any breach might have been.&lt;/p&gt;&lt;p&gt;Truth, as it is in many cases like this, will lie somewhere between the extremes being put forward (no or minimal hack and full network access and compromise), but it is more likely to lie towards a minor network penetration and data extraction - after all, the information that was published had to come from somewhere.&lt;/p&gt;&lt;p&gt;It is entirely possible that the information was the result of improperly disposed of hardware or a lost storage device.&lt;/p&gt;&lt;p&gt;At the least, it put some excitement back into the old Full-Disclosure mailing list.&lt;/p&gt;&lt;p&gt;A big welcome, by the way, to those reading this article from within T-Mobile's network.  Yes, we know you're there.  If you, or any of our readers would like to &lt;a href="mailto:info@beskerming.com"&gt;get in touch with us&lt;/a&gt;, we're always happy to discuss analysis and material beyond what is published.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/beskermingcombined/~4/aGLPSLydKq8" height="1" width="1"/&gt;</description>
				<pubDate>Thu, 11 Jun 2009 00:32:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/11/459/T-Mobile_Responds_to_Hack_Claims_-_Nothing_to_See,_Please_Move_On</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/11/459/T-Mobile_Responds_to_Hack_Claims_-_Nothing_to_See,_Please_Move_On</feedburner:origLink></item>
			
			<item>
				<title>Claims of T-Mobile Hack Raise More Questions Than Answers</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/4kAfvfuA0SQ/Claims_of_T-Mobile_Hack_Raise_More_Questions_Than_Answers</link>
				<description>&lt;p&gt;&lt;a href="http://lists.grok.org.uk/pipermail/full-disclosure/2009-June/069233.html"&gt;Claims have been made&lt;/a&gt; by an unknown party that they have compromised the US cellular network carrier T-Mobile and have managed to extract all of the corporate data, including databases, confidential documents, scripts and programs from company servers and full financial data up to the present time.&lt;/p&gt;&lt;p&gt;Issuing the public announcement over a weekend means that it is going to take some time for T-Mobile to investigate the claims and make a formal statement, but already there are elements which suggest scam, and some which suggest that the material is legitimate.&lt;/p&gt;&lt;p&gt;Leaning towards scam is the claimed ignorance by T-Mobile's competitors when they were approached with the data the hackers claim to have.  This might just be that the hackers relied upon emails to reach the competitors, and with the email address pwnmobile@... they were likely to end up in the spam bin before anyone would be able to see the material on offer.  There are better ways to reach people than through unsolicited email, but there are increased risks with taking this approach.&lt;/p&gt;&lt;p&gt;Previous cases where there have been attempts to sell company secrets, especially for major public companies, have ended with major law enforcement attention and the approached company often aiding law enforcement in &lt;a href="http://www.cnn.com/2007/LAW/05/23/coca.cola.sentencing/index.html"&gt;stopping the attempt&lt;/a&gt;.  
With greater corporate and public awareness of data loss and theft, it is more likely in the modern environment that competitors will call law enforcement and gain positive PR than to risk prosecution and damages by purchasing their competitor's secrets.&lt;/p&gt;&lt;p&gt;Leaning towards legitimacy are anonymous online comments from people claiming to have worked for T-Mobile in the past verifying that at least some of the details posted correlate with the systems and servers that they knew existed within the company.  The other aspect which suggests legitimacy is the level of detail in the material posted, which amounts to a tabulated network description.&lt;/p&gt;&lt;p&gt;So far, based on the table of possible servers, applications, IPs and locations, there is nothing that can be done to further verify the accuracy of the claims by this unknown group.  Not enough information is available to say either way, and it is now up to T-Mobile or the group to release further information that will clarify the situation.  The arguments for an actual compromise are much weaker than the arguments for it not being real and it is considered much more likely that it is a hoax.&lt;/p&gt;&lt;p&gt;It doesn't matter which one is actually true at the moment.  The very public offer for sale of the material is going to cause more harm than good for the group behind it.  
For the seventh largest telecommunications provider in the world (Morgan Stanley, 2008), with 32 million customers in the US alone, T-Mobile is a very large target to be taking on, and the use of an anonymising email service may not be as secure as the group &lt;a href="http://www.safe-mail.net/support/eng/help/gettingstarted/index.html"&gt;thinks it is&lt;/a&gt;, with Safe-mail keeping their client data protected up to the point it is necessary to comply with legal requirements, something that is probably going to happen soon.&lt;/p&gt;&lt;p&gt;It is staggering to think how much data is represented by what the hackers have claimed and how long it must have taken to exfiltrate that information from the corporate networks, if the hackers do have it, all without the awareness of T-Mobile's Information Security staff.&lt;/p&gt;&lt;p&gt;Other claims have been made that the group responsible is the same one that claimed to have penetrated &lt;a href="http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066422.html"&gt;Checkpoint&lt;/a&gt;, extracting the full source code for VPN1.&lt;/p&gt;&lt;p&gt;At the end of the day it could just be another bit of drama played out on the Full-Disclosure mailing list, but it could also be the first public sign of one of the most significant network breaches in recent history.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Update : &lt;/strong&gt; Looking for more up-to-date information?  A follow-on article has been published and can be &lt;a href="http://www.beskerming.com/commentary/2009/06/11/459/T-Mobile_Responds_to_Hack_Claims_-_Nothing_to_See,_Please_Move_On"&gt;read here&lt;/a&gt;.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/beskermingcombined/~4/4kAfvfuA0SQ" height="1" width="1"/&gt;</description>
				<pubDate>Mon, 8 Jun 2009 15:33:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/08/458/Claims_of_T-Mobile_Hack_Raise_More_Questions_Than_Answers</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/08/458/Claims_of_T-Mobile_Hack_Raise_More_Questions_Than_Answers</feedburner:origLink></item>
			
			<item>
				<title>Challenging Security Researchers and Coming off Second-Best</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/SmnJmd8HY4A/Challenging_Security_Researchers_and_Coming_off_Second-Best</link>
				<description>&lt;p&gt;Challenging the security community to do something that you are basing a core part of your business on is always a risky move.  It is something that you &lt;em&gt;really&lt;/em&gt; need to get right the first time, or else it is going to be quite an embarrassing experience and is likely to cost reputation if news of the defeat is widespread.&lt;/p&gt;&lt;p&gt;A new webmail provider, which has based a core component of their service offering around offering &lt;a href="http://www.strongwebmail.com/secure/email"&gt;"The most secure email accounts on the planet"&lt;/a&gt; might have to reconsider both their claims and their approach after a &lt;a href="http://www.strongwebmail.com/news/secure-web-mail/break-into-my-email-get-10000-here-is-my-username-and-password/"&gt;$10,000 USD challenge&lt;/a&gt; to break into a specified email account was defeated through a series of web based attacks.&lt;/p&gt;&lt;p&gt;With a big push of PR highlighting this challenge, it isn't going to go down well that the breach took place so quickly.  Even if there were restrictive rules in place as to how the attack might be carried out, this isn't going to stop anyone who is attacking for real from using whatever means are at their disposal to access their victim's accounts.&lt;/p&gt;&lt;p&gt;From the description of the attacks carried out, the weakness is in how the user credentials and authentication are managed once the user has logged into the system (based on the described requirement for the attacker to launch it from a valid account), and relies upon the user having scripting permitted for the attack to work (from an IDG writeup, it seems that NoScript is enough to prevent the attack from being functional).  
This and other Cross Site Scripting flaws allow for credentials to be stolen, and for a victim's account to be taken over completely.&lt;/p&gt;&lt;p&gt;One of the researchers involved with the successful compromise of the targeted account has &lt;a href="http://skeptikal.org/2009/06/strongwebmail-incident.html"&gt;indicated&lt;/a&gt; that detailed information about the attack methodology will be released early next week.&lt;/p&gt;&lt;p&gt;Depending on the nature of the attack, this could pose problems for other service providers that rely upon physically separate channels for two-factor authentication, particularly in the case where messages sent to cell phones are used as the second authentication factor (as it is with this email provider and a number of banks which use it as a selling point of the security of their services).  If the attack runs inside a session that has already been authenticated, as the description of the weakness suggests, a second factor that is only checked at login does nothing to stop it.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/beskermingcombined/~4/SmnJmd8HY4A" height="1" width="1"/&gt;</description>
				<pubDate>Sun, 7 Jun 2009 17:41:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/07/457/Challenging_Security_Researchers_and_Coming_off_Second-Best</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/07/457/Challenging_Security_Researchers_and_Coming_off_Second-Best</feedburner:origLink></item>
			
			<item>
				<title>Google Finds More than 4,000 Malware Distributing Sites</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/HTIySzd7Dhs/Google_Finds_More_than_4,000_Malware_Distributing_Sites</link>
				<description>&lt;p&gt;Google's Online Security Blog &lt;a href="http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html"&gt;published&lt;/a&gt; some information regarding the number of potentially malicious sites that appear to have been set up for distributing malware.  Of the more than 4,000 sites that they have identified, more than a quarter are registered under a .cn hostname and there were several that tried to play on Google services to trick users into thinking that they were legitimate.&lt;/p&gt;&lt;p&gt;Based on the &lt;a href="http://1.bp.blogspot.com/_wLESxcF8BBY/SibVjEXYs0I/AAAAAAAAHP0/PxUHv8s7g3Y/s1600-h/top10sites.png"&gt;chart&lt;/a&gt; presented in the post, it seems that the best opportunity to avoid detection and blacklisting by Google is to select a non .cn domain, and to pick a name that is inoffensive and bland and doesn't correlate to any pre-existing service that it plainly isn't.  From the chart, it seems that orgsite.info had the greatest level of success, both in terms of the length of time before being added to the malware list, and with the number of people reached before being added.&lt;/p&gt;&lt;p&gt;Just because a site is added to Google's malware list doesn't mean that it is going to fade from significance.  Gumblar's recent and rapid rise to prominence, including not peaking until well after being added to Google's malware list highlights this succinctly.  It reflects the growing number of sites that Google has identified as being infected with the Gumblar malware, all of which points back to the problematic gumblar.cn domain.  Almost all of the sites flagged by Google as pointing towards gumblar.cn would be legitimate websites that have been compromised by a group or groups as part of a widespread Internet attack that is being used to distribute malware to Windows PCs (though it could always easily be repurposed).&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/beskermingcombined/~4/HTIySzd7Dhs" height="1" width="1"/&gt;</description>
				<pubDate>Sun, 7 Jun 2009 17:40:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/07/456/Google_Finds_More_than_4,000_Malware_Distributing_Sites</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/07/456/Google_Finds_More_than_4,000_Malware_Distributing_Sites</feedburner:origLink></item>
			
			<item>
				<title>Microsoft Security Patch Release June 2009 Advance Notification</title>
				<link>http://feedproxy.google.com/~r/beskermingcombined/~3/twhY6PlTFGw/Microsoft_Security_Patch_Release_June_2009_Advance_Notification</link>
				<description>&lt;p&gt;Microsoft have released their &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx"&gt;Advance Notification&lt;/a&gt; for June 2009, with ten patches being identified for release next Tuesday.&lt;/p&gt;&lt;p&gt;Six patches, for Windows (2), Internet Explorer, Excel, Word, and Office have been rated as Critical, with the remaining four, for Windows, being rated as Important.  From Microsoft's notification, the Critical patches can all lead to remote code execution in the worst case, while the Important patches can lead to elevation of privilege and information disclosure on exploitation.&lt;/p&gt;&lt;p&gt;Of the multiple Critical Windows patches being released, only Windows 2000 is affected at a level considered by Microsoft to warrant the Critical rating.  The other supported versions of Windows are affected to lesser extents (Important or Moderate) and Windows Vista and 2008 are not required to apply the first Critical patch.  Likewise, the Internet Explorer patch is only Moderate for Windows 2003 and 2008 systems, while the last two Important Windows patches are not applicable to Windows Vista or 2008 systems.&lt;/p&gt;&lt;p&gt;The Word, Excel and Office patches to be released cover Office versions 2000, 2002 (XP), 2003 and 2007.  Despite Word having its own standalone patch being released next week, the Office patch is being identified as only affecting the Word component of Office.  
The only Office version that the patches are Critical for is Office 2000 (and thus Word 2000, Excel 2000); the other versions are only rated as Important for the same vulnerabilities.&lt;/p&gt;&lt;p&gt;This month's release will also patch the software that MS09-017 wasn't able to address (OS X Office and Microsoft Works).&lt;/p&gt;&lt;p&gt;At this stage there is no plan to release a patch next Tuesday for the recently disclosed vulnerability with DirectShow (DirectX), specifically in quartz.dll, which can lead to remote code execution and which is being actively targeted in the wild.  Until a fix ships, exposed systems have to rely on the workarounds in Microsoft's advisory for that issue.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/beskermingcombined/~4/twhY6PlTFGw" height="1" width="1"/&gt;</description>
				<pubDate>Fri, 5 Jun 2009 13:27:00 +1000</pubDate>
				<author>info@beskerming.com (Sunnet Beskerming)</author>
				<guid isPermaLink="false">http://www.beskerming.com/commentary/2009/06/05/455/Microsoft_Security_Patch_Release_June_2009_Advance_Notification</guid>
			<feedburner:origLink>http://www.beskerming.com/commentary/2009/06/05/455/Microsoft_Security_Patch_Release_June_2009_Advance_Notification</feedburner:origLink></item>
		
	</channel>
</rss>
