The Symantec Security Response blog reports a new local privilege escalation vulnerability in Windows XP and Windows Server 2003 (fully patched, with the latest Service Packs applied). Apparently Microsoft is already aware of the issue. A driver installed by default seems to be the culprit.
Archive for the 'News' Category
You’ve probably heard: “More than half of Ubuntu’s production servers had to be pulled offline after a security breach caused those servers to actively attack other machines.”

The root causes of the intrusion and compromise are, according to an email on the Ubuntu community mailing list:
- The servers, especially zambezi were running an incredible amount of web software (over 15 packages that we recognised) and of all the ones where it’s trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.
- FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords.
- The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.
According to Maligno’s blog, the servers had been running unpatched for nine and a half months!

The probability of intrusion and/or compromise is determined by how well you manage your systems. The choice of OS just means a different set of attack vectors. What is the use of a [sarcasm]Super-Secure-Unbreakable[/sarcasm] operating system if you don’t patch and update it, practice poor configuration management, use clear-text passwords, and so on?
From a Slashdot commenter:
“Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn’t be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame: the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, and not properly maintaining the system. However, Canonical should have been well aware of what they are hosting. The question remains, if any of the files distributed to users have been compromised. A major blow for Canonical though, who are attempting to enter the business market with Ubuntu Server.”
From the International Herald Tribune:
Approval by the European Aviation Safety Agency means that, from September, passengers aboard Airbus aircraft outfitted with the OnAir system will be able to send and receive phone calls, SMS messages and e-mail messages while flying at altitudes above 3,000 meters, or 9,840 feet.
Cabin staff members will be able to turn off the system or restrict usage to text services like SMS, as they see fit.
This is a good idea. The rule against use of mobile phones in flight has to be managed like any other risk: model the threat, understand the risk and mitigate it. The rate of change of the technological and social environment means that these rules have to be reevaluated every so often. It certainly made no sense to keep early-80’s safety rules as if they were written in stone.
The provision against mobile phone usage below 3,000 meters (during take-off and landing) makes sense, although most people will continue to ignore it, as they do now.
The trouble between the Estonian government and Estonia’s ethnic Russians has taken on a new dimension in the online world.
Cyber-warfare on an unprecedented scale has hammered Estonian web sites for the last two weeks in the aftermath of the government’s controversial decision to relocate a Soviet-era war monument from the center of Tallinn to the suburbs. Two days of rioting by ethnic Russians, who saw this as an attack on their heritage and on minority rights, quickly transitioned from the real to the virtual world, as government web sites came under DDoS attacks so severe that many agencies shut off access to IP addresses outside Estonia for several days.
Since it seems clear that the attacks come from Russia (some allegedly originating from the office of Russia’s president, Putin), Estonia is raising the issue with NATO. After all, when a NATO member finds itself under attack, NATO is supposed to get involved and treat it as an attack on the whole alliance.
According to The Guardian, “NATO has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences“.
Updated (May-18): The Arbor Networks blog (“Security to the Core”) has some information about the targets of the attacks and other quantitative data.

The May 2007 issue of (IN)SECURE Magazine has been released. This issue contains articles about:
- On the security of e-passports
- Review: GFI LANguard Network Security Scanner 8
- Critical steps to secure your virtualized environment
- Interview with Howard Schmidt, President and CEO R & H Security Consulting
- Quantitative look at penetration testing
- Integrating ISO 17799 into your Software Development Lifecycle
- Public Key Infrastructure (PKI): dead or alive?
- Interview with Christen Krogh, Opera Software’s Vice President of Engineering
- Super ninja privacy techniques for web application developers
- Security economics
- iptables - an introduction to a robust firewall
- Black Hat Briefings & Training Europe 2007
- Enforcing the network security policy with digital certificates
Download the (IN)Secure Magazine Issue 11.
Did you apply the workaround suggested by Microsoft for the DNS RPC vulnerability? Do you think you’re safe because you don’t allow RPC ports at the perimeter firewall?
Do you meet these two conditions?
- I have Active Directory with the usual Windows-based DNS servers
- I have users
If so, you are in deep trouble. Exploit code for the DNS RPC vulnerability has been incorporated into the Nirbot malware, which is self-updating. So, if you were already infected, your zombie machines can now own your Domain Controllers from inside the perimeter, where the firewall never sees the RPC traffic.
Game over.
The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.
The malware connects to x.rofflewaffles.us on port tcp/8080. Block that. Also from Arbor: “Signs of infections include connections to hosts with that hostname on that port, scans on TCP port 1025 (and other exploits in the bot include SYMC06-010, MS06-040, and weak passwords)”.
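The two indicators Arbor lists (check-ins to x.rofflewaffles.us on tcp/8080, and one internal host sweeping TCP port 1025 across many neighbours) are easy to hunt for in egress flow logs. The script below is an added example written for this post; it is not Arbor’s code nor anything shipped with the bot analysis. It assumes a simple whitespace-separated flow export (timestamp, source, destination, destination port, protocol, resolved destination name or “-”), a scan threshold of five distinct targets, and a constructed sample log using documentation IP ranges; only the hostname and the two port numbers come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Indicators taken from the post above; everything else in this file is constructed.
C2_HOST = "x.rofflewaffles.us"   # bot check-in host named in the post
C2_PORT = 8080                   # tcp/8080, as in the post
SCAN_PORT = 1025                 # "scans on TCP port 1025"
SCAN_THRESHOLD = 5               # assumption: distinct targets before we call it a scan


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    dst_name: str   # resolved destination name, or "-" when the exporter had none


def parse_flow(line: str) -> Flow:
    """Parse one flow record in the assumed export format (six whitespace-separated fields)."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, dport, proto, name = fields
    return Flow(ts, src, dst, int(dport), proto.lower(), name.lower())


def load_flows(lines: Iterable[str]) -> List[Flow]:
    """Skip blank and '#' comment lines, parse the rest."""
    return [parse_flow(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def find_c2_checkins(flows: Iterable[Flow]) -> List[Flow]:
    """Flows matching the published check-in indicator: C2_HOST on tcp/C2_PORT."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport == C2_PORT and f.dst_name == C2_HOST]


def find_port_scanners(flows: Iterable[Flow], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Sources that touched at least `threshold` distinct hosts on tcp/SCAN_PORT.

    Returns {source_ip: number_of_distinct_targets}. Counting distinct targets rather
    than packets keeps a host that legitimately talks to one RPC endpoint out of the list.
    """
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == SCAN_PORT:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def suspected_bots(lines: Iterable[str]) -> List[str]:
    """Union of both indicators, as a sorted list of internal source addresses."""
    flows = load_flows(lines)
    hits = {f.src for f in find_c2_checkins(flows)}
    hits.update(find_port_scanners(flows))
    return sorted(hits)


# Constructed sample: 10.0.0.15 checks in to the C2 and sweeps port 1025 across six hosts;
# 10.0.0.50 only touches two hosts on 1025 (below threshold); 10.0.0.60 uses tcp/8080
# for an ordinary proxy, so matching on the port alone would be a false positive.
SAMPLE_LOG = """\
# ts src dst dport proto dst_name
2007-04-15T22:01:03Z 10.0.0.15 203.0.113.9 8080 tcp x.rofflewaffles.us
2007-04-15T22:01:10Z 10.0.0.15 10.0.0.20 1025 tcp -
2007-04-15T22:01:10Z 10.0.0.15 10.0.0.21 1025 tcp -
2007-04-15T22:01:11Z 10.0.0.15 10.0.0.22 1025 tcp -
2007-04-15T22:01:11Z 10.0.0.15 10.0.0.23 1025 tcp -
2007-04-15T22:01:12Z 10.0.0.15 10.0.0.24 1025 tcp -
2007-04-15T22:01:12Z 10.0.0.15 10.0.0.25 1025 tcp -
2007-04-15T22:02:00Z 10.0.0.40 198.51.100.7 443 tcp www.example.com
2007-04-15T22:02:30Z 10.0.0.50 10.0.0.20 1025 tcp -
2007-04-15T22:02:31Z 10.0.0.50 10.0.0.21 1025 tcp -
2007-04-15T22:03:00Z 10.0.0.60 192.0.2.44 8080 tcp proxy.example.com
"""

if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG.splitlines())
    for f in find_c2_checkins(flows):
        print(f"C2 check-in: {f.src} -> {f.dst_name}:{f.dport} at {f.ts}")
    for src, n in find_port_scanners(flows).items():
        print(f"port-{SCAN_PORT} sweep: {src} hit {n} distinct hosts")
    print("suspected bots:", suspected_bots(SAMPLE_LOG.splitlines()))
```

The hostname match only works if your flow exporter records the resolved destination name (or if you correlate against DNS query logs); if it does not, pivot on the DNS logs for lookups of x.rofflewaffles.us instead of the flow table. Tune the scan threshold to your network: on a flat /24 a single infected host tends to touch far more than five neighbours within seconds.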
According to Dark Reading, there is a remotely exploitable bug in the MadWiFi drivers for Linux, discovered by a France Telecom researcher:
A researcher from France Telecom has discovered the first remotely exploitable 802.11 WiFi bug on a Linux machine. The kernel stack-overflow bug, which is in the open-source MadWiFi Linux kernel device driver, lets an attacker run their malicious code remotely on an infected machine — and the infected machine doesn’t even have to be on a WiFi network to get “owned.”
Laurent Butti, senior security expert for France Telecom’s Orange R&D, says all it takes is the client machine’s NIC to be activated and perform its automated scanning feature for WiFi access points in range, and the vulnerability is triggered. The attacker initially must be in wireless range of the victim for the code to execute the exploit, he says.
You probably already heard, but Metasploit Framework 3.0 is out!

An article in Dark Reading comments on the new functionality:
Among the new features for Metasploit 3.0 that weren’t originally shown in the beta are three exploit modules that target WiFi driver vulnerabilities in the Windows kernel. The framework comes with APIs, 177 exploits, as well as modules that handle host discovery, protocol fuzzing, and denial-of-service testing. It’s aimed at researchers, network security pros for penetration testing, system administrators for verifying patch installations, and at vendors testing the security of their products. Metasploit runs across all the main operating systems and works with Unix mainframes and Nokia n800 handheld devices as well.
One feature in the new version lets you manipulate the memory of process that’s running in an exploited system, and another lets you relay attacks through the compromised machine, notes Moore. “From a penetration testing perspective, the most useful features are the combination of the new Meterpreter payload and the ability to relay connections through compromised systems.”
Download Metasploit Framework 3.0 from here.
Some comments about Microsoft’s security performance:
InternetNews quotes Symantec’s Internet Security Threat Report: “Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”
Jeff Jones releases his 90 Days Vulnerability Report on workstation operating systems, which covers Vista, XP, MacOS and several popular flavours of Linux.
And Kai from Microsoft comments (rants) about Red Hat Enterprise Linux Desktop 5 having been released with a stack of vulnerabilities already open on launch day, and about the apparent lack of media outcry over this.
From The Independent Online, how to steal €21 million worth of diamonds:
A thief has evaded one of the world’s most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds - thanks to a secret weapon rarely used on bank staff: personal charm.
In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.