Internet Security News
Breaking news and updates in Internet security
Last Updated: July 25th, 2008 03:16:46 CDT -0500
Google Street View Becomes Driveway View
While one Pittsburgh couple sues Google over its Street View pictures of their residence, another neighboring home found itself the focus of a Google camera car that drove up its driveway.
No word yet on whether Janet and George McKee plan to ask Google for $25,000 for taking pictures of their Pittsburgh home, as Aaron and Christine Boring did in their lawsuit over Google's Street View photography.
The Smoking Gun reported on the series of pictures of the McKees' home, where the driver of the camera car entered the private property. That's a no-no by Google's standards; drivers are supposed to stay on public property.
The Google car traveled up the long driveway, ending up in front of the two-story home's three-car garage. Pictures on The Smoking Gun showed the progress of the car as it left the obvious street for the unpaved gravel of the McKees' homestead.
When The Smoking Gun tipped off Janet McKee as to Google's impromptu visit, she said it was "a little bit creepy to think of someone filming our home without me knowing about it."
It isn't known why the driver of the Street View car chose to stop by the McKees' driveway. Perhaps he or she thought the driveway was some kind of connector road, and upon entering it had no way to turn around until reaching the McKees' house.
Identity Info Breaches Hitting Everywhere In 2008
Commercial businesses, colleges and universities, government offices, and medical facilities of varying sizes share the common label of being hit by identity thieves.
167 breaches revealing over 8.3 million records happened or became public in the first three months of 2008, according to the nonprofit Identity Theft Resource Center. Targets of attacks ranged from a Vermont ski resort to the University of Georgia, and plenty of points in between.
Some of the breaches happened due to internal misuse of customer data. At Bank of the West in Washington state, a loan officer used applications from customers to steal identities. Cassidy Janosky and her mother rang up $16,000 in purchases like plasma TVs and electronics from a local Sears store.
Other breaches happened due to laptop theft, like that of the Florida Department of Children and Families. Five laptops stolen from their Orlando office forced them to alert 1,200 staffers that their Social Security numbers, birth dates, and other information were at risk.
Then there was the old standby, the lost backup tape. In one particularly embarrassing case, secure storage business Iron Mountain lost one with credit card information on 650,000 customers. Names, addresses, and Social Security numbers were on it as well.
Oh, there were network breaches as well. One can essentially envision an attack vector, and something probably happened along those lines, since reported incidents for Q1 2008 more than doubled what ITRC picked up on for the same period last year.
Nick Cavalancia of ScriptLogic said in commenting on the report that security pros need near-real-time notification of sensitive file system events, especially in environments where regulatory compliance like Sarbanes-Oxley is a reality.
"Businesses must be able to provide reports indicating permission changes, highlighting what changes were made, who made them and when they were made," he said. Cavalancia also recommended administrators be able to lock down the myriad devices like iPods people bring into workplaces, to mitigate data theft.
Metasploit Loads Up DNS Attack Code
Script kiddies and sophisticated hackers gained easy access to code for exploiting a critical flaw in the domain name service (DNS) system when the Metasploit Project added two attacks to its toolkit.
Back on July 9th, an advisory to major vendors of DNS systems advised them to patch their products with all due haste. Security pros with unpatched DNS systems under their purview reading this today need to get this done fast.
The Metasploit Project updated its framework to include code aimed at testing DNS for vulnerability to exploitation. A successful attack against DNS using the method discovered by Dan Kaminsky and confirmed by Halvar Flake would result in requests to a compromised nameserver being silently directed to a different website.
Threat Level learned from Metasploit maintainer and noteworthy security researcher HD Moore about the updates to the testing tool with this code. The two exploits make it "much more effective for wide-scale hijacking," according to Moore.
Much of the threat may have been mitigated already, due to work by Kaminsky and Paul Vixie in coordinating a global response with major vendors of affected products. It won't mean much if admins of vulnerable systems do not apply the patches; one hopes any stragglers will perk up today and get this done.
Romanian Pleads Guilty In US Phishing Case
Eighteen months after being indicted by a federal court, one of a group of seven Romanian citizens pleaded guilty to involvement with phishing bank details from people.
Ovidiu-Ionut Nicola-Roman admitted to one count of conspiracy to commit fraud in connection with access devices in US District Court in Connecticut, the US Attorney's Office for the state said.
Nicola-Roman and six other Romanians had been indicted in January 2007 for their roles in a phishing scheme that sought banking information from victims. The group compromised a computer in Minnesota and published a fake site for Connecticut-based People's Bank.
The group also took on numerous other financial targets. Those institutions included Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal.
One unnamed bank claimed losses of $150,000 from the phishing scheme. Nicola-Roman faces up to five years and a $250,000 fine for his role in the program.
Such news comes as major web-based email providers like Google and Yahoo make gains by supporting DomainKeys Identified Mail (DKIM) to identify and weed out emails coming from domains other than the one they pretend to be. Broader adoption of DKIM may be what email needs these days.
DNS Flaw Details Emerge
Security pros have been urged to patch vulnerable DNS systems if they have not done so already.
A post by Halvar Flake regarding the critical but undisclosed DNS flaw being quietly patched apparently hit the mark.
Flake's hypothesis received a quickly-retracted confirmation from a security firm that had been briefed on the vulnerability. "We confirmed the severity of the problem then and, by inadvertently verifying another researcher's results today, reconfirm it today," Thomas Ptacek at Matasano Security said in an apologetic post.
Spoofing referrals to a nameserver could ultimately yield a way to bring legitimate DNS requests to a malicious system, according to Flake. Once the attacker manages to poison a DNS cache, people could be redirected from a legitimate destination to a bogus one.
"Patch. Today. Now. Yes, stay late," Dan Kaminsky, the DNS researcher who discovered the flaw and reported it to security vendors, said on his blog today.
The issue of whether or not this flaw was publicly disclosed inappropriately appears moot. A security advisory from earlier in July confirmed the existence of a problem with randomization of transaction IDs (TXID). Flake mentioned TXID as well, making it likely this flaw has been known for weeks already.
Server Theft Trumps Server Hacking
The brute force technique applied to physical goods long before it ever came up in the conversation about breaking passwords to gain access to resources.
Spend a lot of time carefully tweaking your router, your firewall, your on-board security software, and you probably feel reasonably confident about the state of security for your computer. That will last until someone kicks in the door while you're away, and carts off the hardware.
Such base crimes seem almost quaint when thinking of computer security, but a smash and grab yields as much of a device, if not more, than any software or network approach to cracking a machine.
Pingdom picked up on the theme of theft of hardware in a blog post. The solution to physical security, one might think, would be hosting with a dedicated center where physical protection comes along as part of the package.
But that thinking stops with the news of several robberies of servers from their colocation facilities. In one example in Chicago, thieves cut through a wall, tasered an employee, and walked out with at least 20 servers.
Verizon, the Financial Times, and musician Peter Gabriel all suffered at the hands of thieves who liberated servers with their content from purportedly secure facilities. Thefts at private offices also add up to a common theme: machines that have value to criminal sellers, and a market for those devices.
Regular backups and encryption help get a victimized business up and running, while keeping sensitive data safe from prying eyes when a hard drive gets stolen. There's little reason not to safeguard information on a storage device anyway; security pros ought to evaluate their options here and make encryption part of a standard hardware build in enterprises of all sizes.
Critical DNS Issue Threatens Internet
No hyperbole, no joke. People familiar with a flaw in the domain name system sounded a sobering call to administrators everywhere to fix their systems.
One might think it a ploy worthy of the Black Hat Conference. Reveal how a noted security researcher found a fundamental flaw in DNS with major ramifications, put him on the conference schedule, and watch the attention and attendees roll into Las Vegas.
Except, the problem is real. Dan Kaminsky is no Peter crying 'wolf', but a Roy Scheider who's spotted a massive great white shark near the beach. Like the mayor of Amity in Jaws, the Internet needs to listen.
Kaminsky will discuss the DNS flaw on July 24 via webcast. It will take place as admins around the globe work to update their systems.
Legendary BIND creator Paul Vixie has been coordinating the vendor response to the DNS flaw. He took time to respond to sniping from the security pro community about Kaminsky's work in disclosing the problem.
"Everything we thought we knew was wrong," Vixie said of contentions that DNS has always been known to be terribly insecure.
OpenDNS founder David Ulevitch told SecurityProNews the DNS flaw was the most serious vulnerability he's ever seen. Ulevitch said the attack necessary to exploit the problem will be easy to do, enabling anyone who understands the flaw to try and exploit it.
He also noted OpenDNS has been secure well before Kaminsky discovered the problem, so networks using OpenDNS for their services today will be protected from those potential attacks.
Mozilla Patches Firefox 3
A fix for a vulnerability reported a few hours after the Firefox 3 Download Day opened began arriving on people's computers.
Last month's effort by Mozilla to set a world's record for most downloads in a 24-hour period received a damper from a security researcher. About five hours after the start of the event, TippingPoint revealed a flaw in Firefox 3 had been reported to them and shared with Mozilla's engineers.
Mozilla revealed some additional information about the issue reported by TippingPoint, which acquired the vulnerability from its discoverer and passed it to the Firefox team. A remote code execution situation could have resulted if the flaw were exploited.
Mozilla said the vulnerability had to do with Mozilla's internal CSSValue array data structure. Too many references to a CSS object would create an overflow condition in the browser.
When the browser crashed from this, the attacker may have been able to run code on the targeted machine.
Mozilla also warned the Thunderbird mail client, which shares an engine with Firefox, could be vulnerable if JavaScript is enabled; by default JavaScript is not enabled in Thunderbird. They reasonably recommend not enabling JavaScript in the mail client in order to mitigate emailed threats.
Oracle Troubled By Web Component Security
The latest run of vulnerability fixes released by Oracle showed troubling trends with making services available with web-facing resources.
Not only were previous versions of Oracle's signature database impacted by recently discovered vulnerabilities, but the latest version of their product, 11g, also contained flaws addressed in the newest patch updates released by Oracle.
Imperva CTO Amichai Shulman told SecurityProNews that his first look at Oracle's updates turned up that disturbing revelation. Among its Internet-facing products, many web components required fixes for the usual threats like code injection or buffer overflows.
Shulman said there was "definitely a trend" toward more of these kinds of problems being revealed. On the positive side, he cited Oracle's move toward denoting security issues with a CVE code to make them uniform with how the security industry tracks flaws and their resolutions.
According to security vendor iDefense Labs, Oracle needed to fix a critical issue in its Internet Directory. A malformed LDAP request could enable an attacker to hit a vulnerable host with a denial of service attack.
Another problem highlighted by iDefense that received a fix posed a remotely exploitable threat. A buffer overflow vulnerability in the DBMS_AQELM package in Oracle's Database, due to a failure to properly validate input, might allow an attacker to execute arbitrary code as the database user.
Unpatched Systems Survive Four Minutes Online
The presence of a firewall helps, but without something blocking the path from automated probes to one's PC, its survivability declines rapidly.
Venturing onto the Internet brings along a sizable share of risks. Doing so with an unpatched system looks like the height of folly; we would be surprised if any security pro did this for a home or a production system.
SANS' Lorna Hutcheson said she gets questions on the four-minute figure for unpatched systems. People seem to disbelieve it happens this quickly.
Hutcheson said the four-minute window is accurate, modified by whatever may be between the unpatched system and external threats. For those who want to have fun testing this, Hutcheson suggested the Honeynet Project.
"Placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas," she said.
"Using a NAT router and a correctly configured personal firewall is the way to go - both these measures help a lot to improve the odds in favor of your PC."