Archive for Security

South Korean Hackers Hit The Core Of The Internet

Posted in Internet, Security, Computing by Jimmy on February 7th, 2007

While DNS access is at the centre of internet usage, it is very rare for hackers to actually hit these sites and have a major impact. 

Unfortunately, in a chilling blast from the past (a similar attack took place in 2002), South Korean hackers have managed to disable three of the thirteen servers at UltraDNS, the company which looks after DNS addresses ending in a variety of suffixes.

The main suffix hit was the “.org” tag, which has historically been used by a number of governments for both their public and secret websites. The servers were disabled by sending masses of spam data to them over a long period of time, eventually leading to three servers “falling”.

While the attack in 2002 had more widespread repercussions because there were fewer servers in the system, many internet users would not have noticed the recent attack because of the backup and additional servers in place. Even though there has been no widespread disruption or damage to the sites in question, many are starting to wonder if we will see an increase in such attacks over the coming months.

While internet security has increased dramatically over the last few years, it seems that the most basic of prolonged attacks can still have an impact.

Apple Warning Re: Vista

Posted in Software, Internet, Security, Computing by Jimmy on February 6th, 2007

While the new Windows Vista operating system is out there in the marketplace, it seems that all is not well with Microsoft’s much-awaited system. Apple have strongly recommended that iPod users refrain from upgrading to Vista ahead of compatibility “patches” required to steady the system.

It appears that one of the potential side-effects of upgrading your iPod to Windows Vista is the chance of major corruption to the device.  Apple have also issued advice about connecting iPods to a desktop port supported by Windows Vista, as there is the chance that songs downloaded via the Vista software port may not be compatible with the iPod internal software.

In general Windows Vista has been fairly well received, although there are concerns from both regulators and third parties such as Apple that the lack of discussion and co-operation in the development of the system will prevent immediate universal acceptance. Even though so-called “fix patches” are commonplace in the computing world, it is a little worrying to see the current level of concern being expressed publicly.

While there is no doubt that the Vista operating system is an improvement on all before, there are still a number of issues to address before everybody will be content with the safety and compatibility aspects.

Google Accounts Security Flaw

Posted in Security by Sane on January 1st, 2007

Garett Rogers posted about a serious security flaw in Google accounts. This sample script once proudly displayed the visitor’s contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.

Serious Gmail vulnerability fixed

What is CPL ?

Posted in Security by Sane on December 13th, 2006

CPL is a simple, near-English language for expressing cryptographic protocols. CPL lowers the barrier between abstract mathematical descriptions and working code. Potential uses include protocol design, code prototyping and functioning as a teaching aid. An accompanying compiler translates protocols expressed as CPL “code” into working Java clients. CPL is also packaged with a tool for converting protocol descriptions into LaTeX diagrams.

CPL Quick Reference

Computer Crime Investigation

Posted in Security by Sane on December 13th, 2006

This is an interesting article posted ….

Computer crimes can be separated into two categories: 1) crimes facilitated by a computer and 2) crimes where a computer or network is the target. 

When a computer is used as a tool to aid criminal activity, it may include storing records of fraud, producing false identification, reproducing and distributing copyright material, collecting and distributing child pornography, and many other crimes.

Technology has made it easier for criminals to hide information about their crimes. Because of the sophistication of the digital environment, evidence is collected and handled differently than it was in the past and often requires careful computer forensic investigation. Crimes where computers are the targets can result in damage or alteration to the computer system. Computers which have been compromised may be used to launch attacks on other computers or networks.

http://www.cert.org/tech_tips/FBI_investigates_crime.html

Dealing with Halted Firewalls

Posted in Security, Networking by Sane on December 13th, 2006

Good article by Mike Murray…

As systems administrators, it’s often funny how new and interesting information ends up in our hands. Sometimes, it’s through an intentional course of study; other times, it seems to arrive by accident. That’s exactly how the concept of using a halted Linux computer as a firewall occurred to me. I was at work, perusing an internal corporate mailing list and saw a message about something that was once present in Linux.


What is Netfilter

Posted in Security, Networking by Sane on December 13th, 2006

Authors: Scott A Crosby and Dan S Wallach

netfilter is a framework for packet mangling, outside the normal Berkeley socket interface. It has four parts. Firstly, each protocol defines “hooks” (IPv4 defines 5) which are well-defined points in a packet’s traversal of that protocol stack. At each of these points, the protocol will call the netfilter framework with the packet and the hook number.

Secondly, parts of the kernel can register to listen to the different hooks for each protocol. So when a packet is passed to the netfilter framework, it checks to see if anyone has registered for that protocol and hook; if so, they each get a chance to examine (and possibly alter) the packet in order, then discard the packet (NF_DROP), allow it to pass (NF_ACCEPT), tell netfilter to forget about the packet (NF_STOLEN), or ask netfilter to queue the packet for userspace (NF_QUEUE).

This document is a journey; some parts are well-traveled, and in other areas you will find yourself almost alone. The best advice I can give you is to grab a large, cozy mug of coffee or hot chocolate, get into a comfortable chair, and absorb the contents before venturing out into the sometimes dangerous world of network hacking.

For more understanding of the use of the infrastructure on top of the netfilter framework, I recommend reading the Packet Filtering HOWTO and the NAT HOWTO. For information on kernel programming I suggest Rusty’s Unreliable Guide to Kernel Hacking and Rusty’s Unreliable Guide to Kernel Locking.


Search for Spyware

Posted in Security by Sane on December 13th, 2006

FaceTime Security Labs provides the foundation for complete instant messaging security and spyware prevention strategy, delivering detailed information about known threats that enable organizations to:

  • Block P2P network use that could breach corporate security policy
  • Prevent spyware from being accidentally or intentionally downloaded by users
  • Secure instant messaging against worms, Trojans, malware and rootkits
  • Remain in compliance with data privacy and information security legislation

The Labs also power the patent-pending inoculation and targeted remediation capabilities that keep clients spyware-free.

FaceTime Security Labs provides the foundation for FaceTime’s Defense-in-Depth spyware prevention strategy, delivering detailed information about known threats that enable the blocking of spyware distribution sites as well as powering the patent-pending inoculation and targeted remediation capabilities that keep clients spyware-free.

http://www.spywareguide.com/index.php

Multi Layered Detection and Prevention

Posted in Security by Sane on December 13th, 2006

grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers, among many other features:

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Randomization of the stack, library, and heap bases
  • Kernel stack base randomization
  • Protection against exploitable null-pointer dereference bugs in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert


New Age Electronic Security Concerns

Posted in Technology, Security, Electronics by Sane on October 14th, 2006

Just when you thought it was safe to use all those electronic devices, out comes the newest report to scare the pants off of you. Just in time for the Halloween season, the SANS Institute has released its yearly report, and people using all types of telecommunication devices are not happy. The two newest threats are cell phones and the VOIP systems that are springing up around the country. This comes on the heels of several new viruses that have been released in the past ten months that are aimed at these devices and services. Of course, just because the institute is able to claim that these are the new security concerns for the 2007 year does not mean they know what to do about it. In truth they are just as lost as we are when it comes to the issue.

The newest thing in viruses is the cell phone worm, which attacks cell phones and uses them to harvest personal information.  How are they able to do this on a cell phone?  Well the answer is simple, because the world is now using their cell phone for just about everything in the world, including email and personal messaging.  So they are basically mobile computers that are always connected to the internet by way of the cell phone service.  Sounds like a good idea when you are the owner of the phone, but what about when you are the person who gets a virus and finds out that your identity has been stolen?  That is where the problem comes in. 


How to boost your PC’s performance

Posted in Articles, Security by John T P on April 29th, 2006

Windows XP has a lot of services, some of which are not needed for normal use. To speed up your system and increase its security, disable these services.

Gmail vulnerability discovered by 14 year old

Posted in Internet, Security by Sane on March 3rd, 2006

Anthony, a 14-year-old kid, has posted on this blog about a JavaScript Gmail vulnerability that he discovered.

“Apparently javascript will run if it is within the preview of the message,” wrote Anthony, meaning that hackers could grab email addresses or possibly steal cookies and compromise Google accounts. It’s surprising that this vulnerability existed, and who knows how long this has been a hole.

Mobile Virus targets Java Phones

Posted in Internet, Security by John T P on March 1st, 2006

Kaspersky, a security software company, is warning that a new mobile virus is targeting any mobile capable of running Java applications. The malware claims to be an application called RedBrowser, which allows mobile users to access WAP services without using a WAP connection by using a free SMS service.

The malware sends data to an SMS service which charges around $5 per message. Kaspersky’s corporate communications officer, Olga Kobzareva, says that RedBrowser is a sign that virus writers are no longer targeting only smartphones.

Source: vnunet.com

Nyxem starts countdown

Posted in Internet, Security by John T P on January 31st, 2006

Anti-virus companies are advising that everyone scan their machines before February 3, when the destructive virus known as Nyxem will delete a multitude of filetypes.

The virus is also known as Blackmal, MyWife, Kama Sutra, Grew and CME-24.

The mass mailing malware tries to entice users through social engineering efforts into opening an attached file promising pornographic material in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

The virus will wait till the 3rd of each month to wreak its havoc.

February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts.

Files of the following types will be deleted: DMP, DOC, XLS, MDB, MDE, PDF, PPS, PPT, PSD, RAR and ZIP.

Please update your Anti-virus definitions and scan your system before February 3, 2006.

Kamasutra Virus Strikes

Posted in Internet, Security by John T P on January 24th, 2006

Sex sells, and the new internet worm (Nyxem-E), nicknamed the “Kama Sutra worm” because it spreads under the guise of pornographic content, has leap-frogged lesser viruses, reaching top spot on world virus charts.

Nyxem-E aka Kama Sutra is a mass-mailing worm which attempts to disable security-related and file-sharing software and destroys files of certain types. When run on a Windows PC, the worm copies itself to shared network locations, and sends itself to e-mail addresses found on the target computer. Nyxem-E, according to F-Secure, is programmed to disable anti-virus and firewall software, and delete certain files including Office documents, on the third day of every month.

The Kama Sutra worm arrives as an e-mail attachment, with different subject lines including “School girl fantasies gone bad,” “The Best Videoclip Ever,” “A Great Video,” “give me a kiss,” “Fwd: Photo,” “Fw: Sexy,” “You Must View This Videoclip!” “Miss Lebanon 2006,” etc. The text differs; it may include references to the Kama Sutra - the ancient Sanskrit book on sex and related matters.

F-Secure has reported a steady stream of Nyxem worms from all over the world, and has said that at last call the worm showed 510,000 infected systems.

Recently even I have been receiving a lot of such mails from various Yahoo groups.

IE Flaw Exposes Google Desktop

Posted in Security by John T P on January 21st, 2006

A design flaw in Internet Explorer could give malicious hackers an easy way to use Google Desktop to hijack user information.

Matan Gillon, a hacker from Israel, discovered the vulnerability in the cross-domain protections in IE and published a proof-of-concept exploit to show how Google Desktop can be cracked.


Security Update for Windows Vista

Posted in Security by John T P on January 16th, 2006

A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it.

Download: Vista Beta 1 | x64

Download: Vista December CTP | x64

Two new Windows Metafile Bugs Found

Posted in Security by John T P on January 11th, 2006

A few days ago we posted about a metafile bug that Microsoft has just patched. Now two more metafile bugs have been found and posted by a hacker (using the name ‘cocoruder’) to the Bugtraq security mailing list.

All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts.

That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update.

Source: PC World

Update for Windows XP (KB900485)

Posted in Software, Security by John T P on January 10th, 2006

Install this update to resolve an issue in which you receive a “stop 0x7e in aec.sys” error message on a computer that is running Windows XP Service Pack 2.

The error may occur during startup, or after the system has started. AEC.SYS is the acoustic echo canceling driver. After you install this update, you may have to restart your computer.

Download: Update for Windows XP (KB900485)

Microsoft releases Patch for WMF Vulnerability

Posted in Security by John T P on January 6th, 2006

Microsoft released the WMF (Windows Meta File) patch yesterday even though they had planned to release it on Tuesday, January 10, 2006.

The patch was released as an update via MS Update and is rated critical for Windows XP, Windows 2000 and Windows Server 2003.

View: Knowledge Base

Download Patch: Windows 2000 SP4 | Windows XP | Windows XP x64 | Windows Server 2003

