Sunnet Beskerming Security Advisories

Microsoft's October Patch Release Advance Notice

Sat, 11 Oct 2008 23:26:00 +1000

Microsoft's Security Response Centre has provided advanced notification of this month's expected Microsoft security patches.

After only a handful of patches were released with September's update Microsoft are expecting to release 11 patches for October.

Of the 11 patches, four attract Microsoft's highest rating, of Critical. These patches are expected for Windows, Host Integration Server, Office, and a cumulative Internet Explorer patch.

The six patches labelled as Important are all for Windows, while the Moderate patch will be for Office.

While it would be expected that all of the Critical patches are for remote code execution opportunities (and they are), some of the Important patches are also for remote code execution problems. Given that Microsoft has done this in the past, it suggests that the affected components are not present in a default Windows installation and that some level of user modification / configuration is required away from the standard installation in order for them to be vulnerable.

Users of Microsoft Office on OS X should also expect to receive updates for some of the Office vulnerabilities.

In addition to the routine updates to the Malicious Software Removal Tool, and the high-priority, non-security updates, Microsoft will be introducing the Exploitability Index alongside this month's patches. The tool was introduced at this year's Black Hat conference in Las Vegas. It will be interesting to watch to see if the addition of the Index provides any extra benefit to users and administrators, or if it merely identifies which vulnerabilities are more vulnerable to exploitation if left unpatched.

Fact Checking Helps

Tue, 7 Oct 2008 00:31:00 +1000

In the last few weeks there have been a handful of standout cases where poor reporting on an issue, including fake reports, led to significant negative outcomes for the companies involved. A couple of weeks ago it was a poorly dated news article about a United Airlines bankruptcy from several years ago that led to massive stock market losses for United Airlines, and most recently it has been a fake report about Steve Jobs having a heart attack that led to an immediate drop of 2% on Apple's stock, which recovered but still closed down 3% for the day.

Apple's famed reputation for secrecy makes it more likely that rumour and speculation will gain traction amongst Apple-watchers, but if investors allow themselves to be led based on nothing more than baseless rumour, it might go someway to explaining some of the volatility in recent stock and commodity markets. Any time an incident such as this takes place there are immediately whispers about stock market manipulation having taken place.

It is often said that people are smart and reasonable as individuals, but place them in a group and they become dumb, panicky herd-driven creatures. With the stock market being made up of a massive herd of investors, panicky and flighty responses can take place based on speculative and poorly referenced rumours, leading to major changes in the value (at least in the short term) of a stock.

On a smaller scale, malware authors and distributors have been spamming our inboxes for some time with fake news stories in an attempt to gain hits on their sites for drive-by downloads or clicks on malware-loaded content. Pink sheet stock pump and dump scams are also very similar, but on a smaller scale. In each case, falsified or exaggerated "news" is being pushed to users in an attempt to compromise a system or manipulate a stock.

What stands out from the recent cases is the seeming unwillingness for reporting organisations to admit responsibility for spreading the false or outdated news. If they hadn't picked up on the story, then nothing would have happened, yet when it comes time to apportion blame, it seems like they can't point the finger fast enough at someone else. In both of the recent cases it wasn't until the misrepresented story appeared on "legitimate" and "trustworthy" sites that the problems really began for the companies involved.

Rather than stand up and admit that they contributed to this latest event, CNN have handed over as much detail as possible on the alleged source of the Steve Jobs rumour to the SEC.

You can argue as much as you like about whether it is "New Media" versus "Old Media", but ultimately it is a case of poorly verifying content that has been published. The same problems still take place in print and broadcast media and it doesn't take too much searching to turn up errata columns where these errors are hopefully addressed.

Governments Listen to You - Just Not The Way You Think

Tue, 7 Oct 2008 00:28:00 +1000

It should have come as no real surprise that Skype's China-based partner had been intercepting, logging, and even blocking text messages traversing the Skype network through China. A Canadian research group discovered the activity after breaching the insecure Chinese servers (which in itself was a dubious activity, but since the data was available from a web server that was outward facing, it can be argued that it was permissable).

Based on a previously disclosed set of text filters, the modified filters allowed for a broader set of communications to be intercepted and logged, apparently without Skype's knowledge. As the original filter was described, it was meant to drop text messages that had been deemed inappropriate and not transmit them anywhere. The modified system seems to have resulted in the messages being transmitted to centralised servers for further storing.

It is interesting that the tracking servers appeared to have been compromised by others before the research group came along. This opens up some interesting possibilities to pressure people of interest, based on intercepting already intercepted messages. It would be possible to alert people to the fact they are being routinely logged, even for traffic that does not match any filterable words, as well as lean on people by blackmailing them into doing what you ask them to - after all, you have copies of their text conversations.

Survey Results Unsurprisingly in Favour of Company That Paid for Them

Mon, 6 Oct 2008 08:18:00 +1000

Any time that the results of a new survey are announced, especially a survey that seems to paint a company in a positive light, questions must be asked as to who is responsible for the funding and setup of the particular survey or analysis. Generally, it is the company being reported on favourably that is funding the survey, even if the survey is being run by a nominally independent organisation.

This pattern of behaviour seems to be most obvious in Information Technology, where the survey and associated analysis seem to be the method-du-jour for companies to gain favourable press and to make it look like an independent source is painting them in a positive light. If a business purchasing decision can be based off such a report, then it is all the better for the original company.

The Harrison Group recently ran a survey, paid for by Microsoft, that found that companies running incorrectly licenced versions of Windows were more likely to run into problems such as system failures and loss of customer data. With Microsoft paying for the survey, was any different result really to be expected?

With unlicenced systems almost certainly using digital perfect copies of licenced software, why should there be any difference with how stable the systems are? One of the suggestions put forward in the article is that whoever is responsible for the copied software has slipstreamed something malicious in with it. It would be more likely that a company that is unwilling to spend funds on licenced software would be unwilling to spend funds on properly maintaining their systems - and so be more likely to encounter problems extending from not maintaining their systems than they would from just having unlicenced software.

In order to see a result like that, though, we are going to have to wait until a system administration service provider runs their own set of surveys.

If you build it, will they come?

Sun, 28 Sep 2008 17:28:00 +1000

Despite many people exhorting that all it takes to get online traffic is to build it, and people will come, sometimes it doesn't turn out that way, as the University of Illinois is currently finding out.

Earlier this year, the University of Illinois set out to establish an online campus that would allow students to obtain degrees online, however the response has been underwhelming, to say the least.

Online degree programs have always been regarded with dubiousness, however the idea of delivering degrees online is only one step removed from degrees by correspondence that many universities offer for students who work or otherwise can't attend classes full-time. Having ready access to a network connection means that coursework can include media and improved learning aids that can not really be delivered through the mail.

Expecting 5,000 students by the five year mark, fewer than 150 students have taken up the opportunity with the University of Illinois since the system went online.

One of the biggest problems with the University of Illinois' online campus seems to be that the whole concept relied upon University departments creating new coursework and material in order to create online degree programs. It has rapidly become apparent that there aren't too many departments with the time or interest to create new coursework for the system.

This is an excellent demonstration of what can happen when you don't adequately plan for how a concept is to be implemented before actually trying to implement it. Social networks rely upon their users for most of their content and relevance, but it seems that online degree programs (at least the legitimate ones) aren't as simple to establish. Perhaps a better approach would be to have arranged with the various high demand courses to be created ahead of time and then placed online. Achieving accreditation, as suggested in the article, could help somewhat.

If You Can't Take The Heat, Get Out of The Kitchen

Mon, 22 Sep 2008 16:38:00 +1000

When United Airlines' stock recently tanked on an out of date news report, questions were asked about the appropriateness of relying upon automated news reporting for making critical financial decisions, or really any decision.

Sun Sentinel, and parent The Tribune, might have been quick to blame Google for the incident, but the core problem was that there was no dated byline on the article to provide context for either human readers or Google's automated crawlers. With the only date on the page displaying the article being the current day's date, what conclusions could a reader draw from the article other than the wrong ones? Unless a reader is in the habit of conducting string matches in every article they read against historical news, then they aren't going to pick this up easily. The fact that it doesn't appear as breaking news might provide some context, but where would you assume the error lay if you came across the article without other context?

Google's subsequent actions of highlighting the article in their email alerts relating to United Airlines, and listing it in their Google News archives, merely meant that more people were now aware that the Sun Sentinel was carrying an article on a United Airlines bankruptcy.

It was when humans stepped in and rewrote the article for other news services, particularly those that investors were relying on, that the situation compounded and was the critical error that eventually led to the loss of market value for United Airlines. Without access to other context, there wasn't much else that the readers could have done other than to trust a service that, up to that point, may have been extremely reliable.

Each time the story was picked up and re-reported, from the Sun Sentinel, to Google, to the stock research firm (where the human re-report tied the story to the current date), to Bloomberg, legitimacy was added and this contributed to the final downfall.

With almost daily bailouts and failures in the lending markets could jumpy investors (gamblers?) be blamed for going all in on another bankruptcy report? Yes.

The investors who allowed their decisions to be swayed by an inaccurate report need to shoulder responsibility for their actions, but the stock research firm and Bloomberg need to be asked the hard questions over how they let this happen and why their monitoring systems (if any) didn't flag this as possibly inaccurate. Who knows just how many stop loss orders were activated as a result of the initial slide in price? If all of the sales based on misinformation took place before the stop loss orders kicked in, but resulted in depressing the stock price below this floor, it no longer matters where the information came from, the market was going to be flooded with United Airlines stock that not many people were going to want to hang on to.

If nothing else, this is a classic example of a Swiss Cheese failure (Reason's model). It wasn't a single cause of failure, but a number of procedural and design errors that chained together, with poor or non-existent active and latent defences, to almost wipe United Airlines off the stock market.

When a small (debatable) error on one website can lead to a major company almost being destroyed in a matter of minutes it suggests that something is seriously wrong with how much trust is placed into unverified information and how much value is then applied to that information.

In the rush to be first to the news, you shouldn't leave behind your critical thinking skills. Garbage In will result in Garbage Out, every time.