Monday, 27. January 2003
DoD offering admin privileges on .mil Web sites
Care to register a .mil Web site of your own for free? The DoD has gone out of its way to make it a snap. An unbelievably badly-protected admin interface welcomes you to register whatever domain you please (http://Rotten.mil anyone?), or edit anything they've already got. The interface is so ludicrously unprotected that it's been cached by Google and fails to mention that you must be authorized to muck about with it. Incredibly, default passwords are cheerfully provided on the page.
Following an anonymous tip from an observant Reg reader, we've encountered the page in question in the Google cache, and after a bit of our own poking about have also discovered an equally unprotected (and Google-cached) admin interface encouraging us to add a new user, like ourselves, say, which requires no authentication.
All you have to do is find that page and you can set yourself up with a user account, manage your new .mil Web site, fiddle about with other people's .mil Web sites, and generally make an incredible nuisance of yourself. We are, of course, straining against every natural, journalistic impulse in our beings by neglecting to mention any useful search strings with which to find it.
Another unprotected and cached page, this one discovered by our tipster, lists traffic to a major DoD Web site by URL/IP address. This worries us because it may list .mil sites and networked DoD machines that are not public, not hotlinked anywhere, and which might contain (or be networked with other machines that contain) sensitive data. Merely knowing that all those URLs and IP addys are valid and owned by DoD would give a significant advantage to attackers by narrowing their target area dramatically.
We have e-mailed the person who manages these sites - twice in fact - but so far have not been graced with a reply. We were hoping that they might be inclined to fix this mess quickly so that we could safely include the details in our report. Unfortunately we have to withhold them until we're confident that these security snafus are under control.
[The Register - Security]
09:04 |
permanent link |
mail this
Tuesday, 10. December 2002
Feds declare open wifi hotspots a terrorist tool
WiredNews has an article describing the Homeland Security Department's dislike of wifi. My favorite quote from the article: "Homeland Security is putting people in place who will be in a position to say, 'If you're going to get broken into ... we're going to start regulating,'" said Cable and Wireless security architect Shannon Myers. This has some rather chilling implications for proponents of free community wireless networks. [infoAnarchy]
09:03
Wednesday, 04. December 2002
Holiday E-Cards: Handle With Care
Online greetings were once considered a free and relatively harmless alternative to paper cards. Now companies are charging users to send them, and recipients have to worry about fake e-cards that carry viruses. By Kendra Mayfield. [Wired News]
12:43
E-mail warning for workers
Burglars could use out of office e-mail replies to target homes when workers are on holiday, a technology industry body has warned. [BBC News Online]
10:39
Tuesday, 03. December 2002
Hacker Log: Pathway to Successful Site Attack
A few fairly simple practices would have prevented my successful attack on eWeek's OpenHack site. Application security can be attained, but it must be consistently applied and methodically checked to be effective. [Help Net Security]
14:23
Web applications are becoming the new hacker target
Most companies believe themselves safe from attacks on the corporate network behind a protective wall of firewalls and intrusion detection systems. According to security experts' observations, however, hackers are getting around these more and more often. According to Kevin Soo [ComputerWoche: Nachrichten]
07:42
Friday, 29. November 2002
Psychiatrist: Internet suicide forums not generally problematic
[heise]
14:15
Monday, 25. November 2002
The spy inside your home computer
Your home computer is a pretty dumb device that usually does what it is told. But with the right help this mute machine can become disturbingly "talkative".
So-called "parasite programs" are logging what you do online and, like a nest of busy gossips, sharing the information with anyone who will pay to listen.
Not all spies are so obvious
As concern mounts over these sneaky tactics, privacy experts, cyber watchdogs and many concerned net users have started to compile lists of these programs.
Most parasite programs divide into two categories:
- "adware" - programs on your computer that fling pop-up ads at you, install toolbars full of adverts or hijack searches and web use; and
- "spyware" - more underhand, these devices surreptitiously watch what you do, steal personal information and despatch it across the web.
What they have in common is that they quietly download onto your computer while you are online.
Sometimes they come attached to software you download from the web - the details are often included in the license agreement small print that most users click through without reading.
And sometimes they don't even need your permission to download, but just hop on your hard drive, totally unannounced, because you are browsing the wrong webpage.
[BBC News Online]
15:48
Saturday, 23. November 2002
Research Aims To Stop Battery Attackers
A team of computer scientists is working to prevent new types of denial-of-service attacks aimed at battery-powered mobile devices. Tom Martin, a professor at Virginia Tech's electrical and computer engineering department, has received a grant for more than $400,000 from the National Science Foundation to devise a way to protect battery-operated computers from security attacks that could drain their batteries.
Although the researchers concede that such kinds of attacks are extremely rare, the proliferation of notebook computers, personal digital assistants, tablet PCs, networked cell phones and other devices could make them alluring targets.
The threat could be even more menacing to businesses that use battery backup systems to protect their databases and storage systems against electrical power outages. [LinuxSecurity.com]
09:20
Thursday, 21. November 2002
Sluggish administrators
In connection with security problems, it is frequently debated how quickly a company must provide a patch, or how much time the discoverer of a security hole should grant those responsible before going public with his information. The American Eric Rescorla draws attention to another, almost more important problem: even when patches are offered, most administrators take far too long to install them.
To support this claim, Rescorla conducted a test. At the end of July, before the information about a serious security hole in OpenSSL had been published, he received a tip. He then collected a sample of 890 servers that use OpenSSL.
He observed this sample over a period of more than two months. Every day he checked whether the software had been updated or whether the administrators had installed patches. Interestingly, after a month and a half the Slapper worm appeared, which exploited exactly this OpenSSL hole. The worm not only increased the need for security measures; it also once again made the problem widely known.
Rescorla can present his results over time. After about 40 days, shortly before the virus first appeared, almost 60 percent of all machines were still unprotected. After the virus became known, and was reported on extensively in the relevant media, the share of systems no longer vulnerable rose once more. But even after more than 70 days, over 30 percent of the machines were still unprotected.
This result is not especially encouraging, particularly since one would have expected a faster reaction for this problem and for the group of administrators associated with it. After all, it concerned a serious problem in software whose very purpose is to increase security. Moreover, the overwhelming majority of OpenSSL users belong to the Unix/Linux camp. In Rescorla's opinion, these people have more experience in server administration than Windows users.
Yet despite all the factors that argued for a quick and comprehensive solution to the problem, administrators proved rather sluggish. And if this sluggishness is so pronounced among (Unix) administrators, how careless might the average user be with his Windows machine?
Study: Security Holes.. Who cares?
http://www.rtfm.com/upgrade.html
Full text of the study (PDF)
http://www.rtfm.com/upgrade.pdf
C|Net: Study: System admins slow to zap bugs
http://news.com.com/2100-1001-966398.html
[intern.de]
14:03
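As an added illustration of the measurement Rescorla describes (this is not code from the article or from the study), the following Python reconstructs a patch-uptake curve from a constructed daily log of the OpenSSL version observed on each host in a fixed sample. The host names, the observation log and the 0.9.6e "fixed" threshold are assumptions chosen for the demo, not values taken from the page.

```python
"""Patch-uptake curve in the style of Rescorla's OpenSSL study (added example)."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# Constructed sample: (day, host, observed OpenSSL version). Ten hosts all
# start on a vulnerable release on day 0; later rows are upgrades seen that day.
OBSERVATIONS = [(0, f"h{i}", "0.9.6d") for i in range(10)] + [
    (5, "h0", "0.9.6e"), (5, "h1", "0.9.6g"),
    (20, "h2", "0.9.6e"),
    (35, "h3", "0.9.7"),                          # sorts above every 0.9.6x
    (48, "h4", "0.9.6e"), (48, "h5", "0.9.6e"),   # upgrades after the worm made news
    (70, "h6", "0.9.6g"),
]
# Assumed threshold for "patched" (a demo value, not taken from the article).
FIXED = "0.9.6e"


def parse_version(version):
    """Turn '0.9.6e' into a tuple that sorts correctly: (0, 9, 6, 'e')."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_vulnerable(observed, fixed=FIXED):
    """A host counts as vulnerable while its version sorts below the fix."""
    return parse_version(observed) < parse_version(fixed)


def vulnerable_percent_by_day(observations, days, fixed=FIXED):
    """Percentage of the sample still vulnerable on each requested day.

    Each host's latest observation is carried forward, which is what a daily
    re-check of a fixed set of servers amounts to.
    """
    events = sorted(observations)          # by day, then host
    state, result, i = {}, {}, 0
    for day in sorted(days):
        while i < len(events) and events[i][0] <= day:
            _, host, version = events[i]
            state[host] = version
            i += 1
        vulnerable = sum(is_vulnerable(v, fixed) for v in state.values())
        result[day] = round(100.0 * vulnerable / len(state), 1) if state else None
    return result


if __name__ == "__main__":
    for day, pct in vulnerable_percent_by_day(OBSERVATIONS, [0, 10, 40, 48, 70]).items():
        print(f"day {day:3d}: {pct:5.1f}% of the sample still vulnerable")
```

The constructed log is shaped so that the curve mirrors the article's figures (about 60 percent unpatched at day 40, about 30 percent at day 70); swapping in a real banner log for OBSERVATIONS yields the same kind of series for one's own fleet.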
Wednesday, 20. November 2002
Latest IE Flaw Exposes Hard Drives via Web
A security hole in Microsoft's Internet Explorer allows hackers to erase or take control of a computer's hard drive through a Web site and possibly through e-mail, according to a warning posted to security mailing list Bugtraq, which is published by Symantec. The vulnerability, just the latest in a string of security holes in the IE browser, also has fanned the flames of disagreement among security experts because the Bugtraq warning included working code that exploits the flaw. [NewsFactor Cybercrime & Security]
09:51
Thursday, 14. November 2002
More Use - and Lose - PDAs
A chain is only as strong as its weakest link, and one of the weakest links in the sprawling field of information technology can be found piling up in the back seats of taxis, airport lost-and-found departments and hotel rooms. Laptops, cell phones and PDAs might make life easier for employees in the field, but short of chaining them to their owners' bodies, these labor-saving devices are being lost and stolen at an alarming rate. And there are growing amounts of sensitive information stored inside. [NewsFactor Cybercrime & Security]
13:01
Friday, 11. October 2002
Introducing the latest hacker exploit: War Phoning
Bluetooth-enabled phones and PDAs with inadequate security could become the target of the next wave of security exploits, allowing phreakers to filch confidential information or even make calls using someone else's identity.
Such War Phoning exploits, as they have been dubbed, arise because security features on Bluetooth-enabled devices are sometimes turned off by default, ZDNet reports.
Early reports of the phenomenon come from this week's RSA Security conference, in Paris.
"I have stood at the RSA booth in conferences, with my phone paging for other devices, and watched other people's devices show up," Magnus Nystrom, technical director of RSA Security, told ZDNet.
He reports that many devices permitted access without requesting a "pairing code", opening the door to all manner of abuse - stealing personal data of passers-by or even making calls on other phones - in the hands of the unscrupulous. [The Register: Security]
17:47
Wednesday, 17. July 2002
E-mail content filtering may kill the medium
E-mail filtering, in an effort to stop spam, has become insidious. Used properly -- especially by individual users -- it can be quite helpful. Used sloppily to filter for semi-arbitrary spamlike content (as it often is by server administrators and others), it risks killing e-mail as a useful form of communication.
I'd highly recommend the following articles and discussion at the TidBITS mailing list site, which cover the issue and its hazards in clear and useful detail:
Killing the Killer App
http://db.tidbits.com/getbits.acgi?tbart=06866
Content Filtering Exposed
http://db.tidbits.com/getbits.acgi?tbart=06869
Various discussion threads:
http://db.tidbits.com/getbits.acgi?tlkthrd=1679
http://db.tidbits.com/getbits.acgi?tlkthrd=1680
http://db.tidbits.com/getbits.acgi?tlkthrd=1681
http://db.tidbits.com/getbits.acgi?tlkthrd=1683
http://db.tidbits.com/getbits.acgi?tlkthrd=1684
Here's a pertinent excerpt:
- Email is increasingly being filtered for its content;
- That filtering is often being done without the knowledge or consent of affected users;
- Over time, inaccurate filtering will substantially reduce the general utility of email.
In short, we're starting to see signs that email, often hailed as the Internet's "killer app," is in danger of becoming an unreliable, arbitrarily censored medium - and there's very little we can do about it.
Derek K. Miller, Vancouver, BC, Canada dkmiller@pobox.com
http://www.penmachine.com ["Derek K. Miller" <dkmiller@pobox.com> via risks-digest Volume 22, Issue 16]
19:48
Monday, 08. July 2002
FreeBSD Scalper worm, a bad precedent...
The recent Apache "scalper" worm, targeting FreeBSD systems, represents a dangerous precedent, even if it is a rather ineffective worm: it linearly scans randomly selected class Bs, it doesn't employ a very good scanner, and it can only infect a few types of machines (Apache 1.3.20, .22-24 running on FreeBSD).
It was roughly 10 days from when Gobbles Security released an exploit for the recent Apache vulnerability (in response to ISS's statement two days earlier, announcing the vulnerability and stating that it was only exploitable on win32 and some 64 bit platforms) until the worm was seen in the wild. This compares with several months for Code Red and Nimda, between vulnerability disclosure and appearance of a worm.
We can expect this time to reduce to nearly 0 in the future, as worm authors prepare worms in advance, or borrow existing worm code, and simply drop in exploits as they are published. As we have already seen mail worm toolkits, we can expect similar active scanning worm toolkits. This means that the window of vulnerability between when an exploit or flaw is published, and when it is actively exploited, will quickly reduce to zero.
As important, this worm contained a controllable DOS and backdoor module, something directly useful to a blackhat, as did the Goner mail worm. The blackhat community has realized that worms are a great way to compromise machines with little effort and little risk.
My personal, somewhat hazy crystal ball: Over the next year, we will see a lot of "1 day" worms, where shortly after an exploit is published, a corresponding worm will be released. These worms will almost invariably carry DDoS, credit card searchers, or similar payloads optimized for blackhat goals. We probably will see toolkits!
We will also start to see worms appearing less than 2-3 days after a detailed vulnerability is reported, as slightly more sophisticated blackhats create an exploit, drop it into existing frameworks, and release worms.
Be Afraid (tm).
Scalper Worm code and first detection was at http://www.dammit.lt/apache-worm/
Nicholas C. Weaver <nweaver@cs.berkeley.edu> ["Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU> via risks-digest Volume 22, Issue 15]
22:31
Saturday, 06. July 2002
Biometric programs "more ... toys than of serious security measures"
Since the death of _Byte_, the German magazine _c't_, or _Magazin fuer Computer Technik_, is probably the best technical computer magazine in the world.
Some articles from this magazine are translated into English and made available on its WWW site at http://www.heise.de/ . One recent article of interest to comp.risks readers is "Biometric Access Protection Devices and their Programs Put to the Test", from _c't_ 11/2002, dated 22 May 2002, available at http://www.heise.de/ct/english/02/11/114/ .
The conclusion is that "the products in the versions made available to us were more of the nature of toys than of serious security measures".
One wonders whether the biometric security programs now used by corporations and governments, especially in the US, are any better.
Yves Bellefeuille <yan@storm.ca>, Ottawa, Canada
Esperanto FAQ: http://www.esperanto.net/veb/faq.html
Rec.travel.europe FAQ: http://www.faqs.org/faqs/travel/europe/faq [yan@storm.ca (Yves Bellefeuille) via risks-digest Volume 22, Issue 15]
07:05
Wednesday, 03. July 2002
MI5 hates encryption so much, they don't use it!
According to Network News (the UK rag) today, MI5, the Home Office, and others don't use PGP signing at RIPE (the European Internet registry), although it's the only really secure method for updating records. So anyway, I thought I'd look into it, and, well, it's true (edited highlights follow):
www.mi5.gov.uk. 6715 IN A 128.98.11.23
inetnum: 128.98.0.0 - 128.98.255.255
mnt-by: QINETIQ-UK-MNT
mntner: QINETIQ-UK-MNT
auth: MD5-PW $1$tSMW1DGk$GIAERGLu5BwBUXabmYjvs1
I'm sure Qinetiq haven't been so foolish as to choose a guessable password (after all, they've shown their IT expertise by the masterly handling of the 1901 Census website), but even so, their e-mail must contain the password in plain text. Of course, if anyone out there runs their password cracker on that and finds I'm wrong, I'd _love_ to hear about it.
Note: all data above is from publicly available sources.
Incidentally, the article suggests that some people are still using MAIL-FROM auth, which is, frankly, astonishing. I can't be bothered to track down who, though.
Ben http://www.apache-ssl.org/ben.html http://www.thebunker.net/
[PS. OK, I lied: I can be bothered. This is just too amazing:
www.gov.uk. 35656 IN CNAME www.ukonline.gov.uk.
www.ukonline.gov.uk. 283 IN A 195.33.102.13
inetnum: 195.33.96.0 - 195.33.127.255
mnt-by: AS12967-MNT
mntner: AS12967-MNT
auth: MAIL-FROM .*@att.nl
auth: MAIL-FROM .*@icoe.att.com
Yes, folks. The UK government's Website uses MAIL-FROM auth. And not even .uk addresses!] [Ben Laurie <ben@algroup.co.uk> via risks-digest Volume 22, Issue 14]
11:39
disLEXia, a research project by Maximillian Dornseif