March 2010

XStore web services downtime

Date: Saturday, 13th March 2010, 11.15am

Duration: 30 minutes

Updates:

  • mysql 5.0.81 -> 5.1.44
  • apache 2.2.13 -> 2.2.15
  • php 5.2.9 -> 5.2.13

Botnets take a beating

Almost a quarter of the command and control (C&C) servers related to the Zeus botnet have gone quiet after two East European providers dropped access to a downstream ISP called Troyak on Tuesday. According to ScanSafe, a web security firm, the number of active servers dropped from 249 to 191, resulting in a massive drop in botnet traffic.

This take-down comes a week after US and Spanish authorities dented the operations of another large malicious network, the Mariposa botnet. Mariposa’s primary function was the theft of online login credentials for banks, email services and the like from compromised Windows PCs. The malware infected an estimated 12.7 million computers in more than 190 countries.

The botnet was shut down on 23 December 2009 following months of collaboration between security firms Panda Security and Defence Intelligence in co-operation with the FBI and Spain’s Guardia Civil.

Half of the Fortune 1000 companies harboured machines infected by Mariposa at one time or another, according to Christopher Davis, chief exec at Canada-based Defence Intelligence, who first discovered the Mariposa botnet back in May 2009. Defence Intelligence joined with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice.

The Mariposa (Spanish for butterfly) botnet malware spread through P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, compromised machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of infected systems.

What’s important here though is that unusually, the operators of the botnet were caught. The main botmaster, nicknamed “Netkairo” and “hamlet1917”, as well as his two alleged lieutenants “Ostiator” and “Johnyloleante” have been charged with cybercrime offences. More arrests are expected to follow.

Finally, last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace. The take-down order temporarily cut off traffic to 277 Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. Besides infecting millions of Windows PCs, Waledac was responsible for 1.5 billion spam emails per day.

DEP in Windows hacked

I’m really sorry about the continuous Windows security reports but they just keep on coming so what else can I do…

Data Execution Prevention (DEP) is a security feature that Microsoft has added to all versions of Windows since XP SP2. It’s meant to address buffer overflows by working with the CPU to mark all memory pages in a process as non-executable unless they explicitly contain executable code. That way, even if there is a buffer overflow, the injected code can’t run from whatever memory it happens to land in.

Unfortunately, Berend-Jan Wever, aka “Skylined,” a Google security software engineer, has busted DEP using a variation of a hacking technique he helped perfect called heap-spraying. In classic heap-spraying, the attack code makes an educated guess at where memory it could use to execute unapproved programs will be found. In Wever’s latest trick, the attacking code instead looks for clues on where to find memory that DEP already allows to run programs. Once armed with this information, the attack code can successfully plant itself in the system.

It seems possible that this technique can be used to defeat ASLR (address space layout randomization) which is another Microsoft security improvement.
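On Windows, both DEP and ASLR are per-image opt-ins recorded by the linker in the DllCharacteristics field of the PE optional header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100 for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 for ASLR). Under the default client policy (OptIn) a process whose executable lacks the NX_COMPAT bit runs without DEP unless the system is set to AlwaysOn, and an image without DYNAMIC_BASE is loaded at its preferred base and so is never randomised. The Python below is an added example, not code from the original post or from Microsoft: it reads those two bits out of a PE header so you can check which of your own binaries actually asked for the protections. The function names (pe_mitigations, check_file, build_fake_pe) are mine, and the header that build_fake_pe produces is a constructed test fixture, not a real program.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (Microsoft PE/COFF spec)
NX_COMPAT = 0x0100     # image is DEP-compatible: its data pages may be marked non-executable
DYNAMIC_BASE = 0x0040  # image may be relocated at load time, which is what ASLR needs

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARS_OFFSET = 70   # DllCharacteristics sits at the same offset in PE32 and PE32+


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image in memory and report whether it opted into DEP and ASLR.

    Only the headers are read, so this works on an EXE or DLL without loading it.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4
    machine, _nsect, _stamp, _symtab, _nsyms, size_opt, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20  # the optional header follows the 20-byte COFF file header
    if size_opt < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHARS_OFFSET)

    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep_opt_in": bool(dll_chars & NX_COMPAT),
        "aslr_opt_in": bool(dll_chars & DYNAMIC_BASE),
        "dll_characteristics": dll_chars,
    }


def check_file(path: str) -> dict:
    """Convenience wrapper: read an image from disk and report its opt-ins."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for testing; it is not a runnable program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    size_opt = 240 if pe32plus else 224
    coff_header = struct.pack("<HHIIIHH",
                              0x8664 if pe32plus else 0x14C,   # AMD64 or i386
                              0, 0, 0, 0, size_opt, 0x0002)     # IMAGE_FILE_EXECUTABLE_IMAGE
    optional = bytearray(size_opt)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARS_OFFSET, dll_chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    targets = sys.argv[1:]
    for path in targets:
        r = check_file(path)
        print("%s: DEP=%s ASLR=%s (%s)" % (
            path, r["dep_opt_in"], r["aslr_opt_in"], "PE32+" if r["pe32plus"] else "PE32"))
    if not targets:  # no file given: demonstrate on the constructed headers
        for label, flags in (("hardened", NX_COMPAT | DYNAMIC_BASE), ("legacy", 0)):
            r = pe_mitigations(build_fake_pe(flags))
            print("%s header: DEP=%s ASLR=%s" % (label, r["dep_opt_in"], r["aslr_opt_in"]))
```

Run it with one or more .exe/.dll paths to see which images on a box opted in. The flags tell you what the image asked for, not what it got: the system-wide DEP policy (OptIn, OptOut, AlwaysOn) decides the rest, and a bypass of the kind described above does not clear the bit, it hunts for memory the process already has marked executable.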

So 2 of Microsoft’s most important security features in Windows seem to be vulnerable to attack. Makes me feel warm all over knowing I run Linux …

As an aside, I’ve just spent half the morning trying to clean 2 Windows machines for a client. These were riddled with viruses which self-replicated to all the network shares. And no, it wasn’t me who hooked them up to the network. I finally managed to get the machines clean and removed all the viruses from the Linux-based network shares using ClamAV. Of course the Linux server didn’t miss a beat.

Someone is getting an interesting invoice next week.

The Microsoft Tax

The headline phrase typically refers to buying a computer with Windows pre-installed by the OEM vendor when you don’t need or want it, i.e. you’ve paid more for the machine (because it includes Windows) even though you aren’t going to use Windows.

Unfortunately this time it refers to you, a citizen, paying extra personal tax to fix issues in Microsoft’s software!!! What?!?! World gone crazy (again)? According to Robert McMillan’s piece on ComputerWorld, Scott Charney (Microsoft’s veep for Trustworthy Computing) suggests that one way to fund fighting botnets is to tax users. “You could say it’s a public safety issue and do it with general taxation,” Charney said.

For those not in the know, a botnet is a large collection of compromised PCs/computers (typically made up of almost 100% Windows machines that have been compromised by a virus, malware or some other piece of malicious software). Most Microsoft software (not only their operating systems) has an atrocious track record when it comes to security and as a result is the subject of frequent attacks, the result of which is large botnets that generate spam email, infect websites (running Microsoft web servers) and propagate other malicious software to infect even more machines.

90%+ of all email generated last year was spam – the direct result of the poor security in the operating system you are probably using on your PC. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

Every year, millions of people are the subject of identity theft, banking account invasion, phishing and pharming scams, money loss, credit card schemes and fake software. All because of that one word – Microsoft. Billions are spent each year buying anti-virus and anti-spyware software for PCs, and these are at best only 33% effective. A complete industry of technicians and consultants grew up just to deal with Microsoft security issues.

Are you aware, as a Standard Bank client in South Africa, that every time you draw money from or use an SBIC ATM, you are working with Microsoft Windows XP – the most hacked OS ever?

To be clear, botnets are the single biggest security threat on the Internet – because of the lax security in Microsoft products.

Now you may say that because of Microsoft software’s overarching ubiquity it’s subject to more attacks, but that argument left the building a long time ago. Along with Elvis. Linux is used in everything from phones, to set-top boxes, fridges, cars, industrial applications to your common or garden PC at home. MacOS X makes up a good proportion of computer sales world wide. AIX, HPUX, Solaris, VMS and other operating systems have been running the core institutional services of the world for decades without any known security breaches.

So the questions you need to ask yourself are:

  • are you safe?
  • are you willing to bet your security, identity and money on the Windows platform?
  • are you happy to pay technicians to fix your PC when it becomes infected?
  • are you willing to pay more personal taxes so that Microsoft can continue selling you insecure software?

I switched from the Microsoft Windows platform almost 6 years ago and I’ve never looked back. I work with a simple and reliable operating system that does what I need it to, yet doesn’t put my personal and financial well-being at risk. Can you say the same? No? Perhaps it’s time for a change …

Slackware current issues

I’ve been running Slackware-current (the development version of Slackware) for probably close to 5 years now. For the most part it’s a pretty uneventful stream of upgrades; however, every once in a while things get interesting.

The March 1 update is massive, has taken a month to release and includes around 465 updated packages. There are 2 main reasons for this:

  • Xorg has been upgraded to 1.7.5
  • a new version of libpng is included, which required the rebuild of a large number of dependent packages (13?)

I had some issues as follows …

On reboot I got ‘undefined symbols’ and ‘unknown module format’ when loading some modules. My NVidia binary driver would not load with a message the same as above. I had not upgraded the kernel so this was all a bit strange.

First step was to get a new NVidia driver (195.36.08), which installed fine, but the driver still refused to load. Then I thought that a kernel package may have been installed erroneously, so I upgraded all of them. Still no go.

To the LinuxQuestions forum, where I gathered that there may have been an issue with a kernel config option (CONFIG_PREEMPT) in this particular kernel. The fix was straightforward – rebuild and install the kernel with the existing config file:

cp /boot/config-huge-2.6.33 /usr/src/linux-2.6.33/.config && \
cd /usr/src/linux-2.6.33 && make && make modules_install && \
cp arch/x86_64/boot/bzImage /boot/vmlinuz && lilo && \
echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf && telinit 6

There was also an issue with the libgmp library which was updated today and fixed those issues.

Some other upgrades/changes:

  • device-mapper is now included in the lvm2 package
  • gzip security issue
  • kernel 2.6.33
  • kde 4.3.5
  • openssl security fixes in 0.9.8m
  • bash 4.1

I’m running AlienBob’s kde 4.4.x packages and hopefully he’ll have an updated (to 4.4.1) set soon. All in all an interesting time; however this is dev so it’s to be expected. The problem is that current is generally so stable that this is actually unexpected. No problems either way.

Thanks to Pat, Eric, Robby and all the rest.

Remember that 17-year old bug in Windows …

… I spoke about in late January? Well Microsoft has finally come out and acknowledged it. Over a month later. Well actually 9 months later.

The hole, which originated with the release of Windows NT back in 1993 and is present in every 32-bit version of Windows since, including Windows 7, was discovered by Tavis Ormandy, a Google security team member in Switzerland. Ormandy said that he notified Microsoft of the hole in June 2009 but, after receiving no response other than an acknowledgment, decided to publish his discussion as well as a proof-of-concept exploit.

Compromising a machine requires physical access to the machine as well as authenticated password access, so it’s unlikely to be too serious an issue.

Another IE hole

Another flaw has been found in versions 7 and 8 of Internet Explorer running on Windows XP. There’s an unpatched bug in VBScript that hackers can use to drop malware on 32-bit Windows XP machines. Microsoft says an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.”

Furthermore, “The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types.’” Interesting that Microsoft views their own Help System as unsafe …

Microsoft says they are not aware of anyone using this exploit yet but that’s probably just them trying to tame the issue. If an exploit is available, someone will be using it. No patch is available yet so at minimum, switch to another browser; if you’re feeling a little more brave, switch to using another platform completely.

UPDATE: the list of platforms affected by this flaw, has now been expanded to include Windows 2000 and 2003, as well as any version of IE on those platforms including IE 6.

Another Windows hole

A new critical flaw has been found in all versions of Windows since Windows 2000 and affects even current releases like Windows 7 and Server 2008 R2. The vulnerability was found by 2X Software which says that the flaw can be used to create a DoS attack against any Windows systems from the last 10 years.

Privacy and freedom: World Gone Mad Part 2

The US Copyright Lobby has indicated that using FOSS equates to the undermining of intellectual property rights. Yes you read that correctly. They want the US Trade Representative to place countries like Brazil, India, and Indonesia on the Special 301 list, which is a list of countries that do not, according to mostly the Pharmaceutical Research and Manufacturers of America and the IIPA, do enough to protect intellectual property rights.

The governments of the countries the IIPA wants to add have one thing in common: they’ve used or are encouraging the adoption of Free and open source software, which, according to the IIPA, “weakens the software industry” and “fails to build respect for intellectual property rights”. Huh? No I’m not making this up – take a look for yourself.

“The Indonesian government’s policy [...] simply weakens the software industry and undermines its long-term competitiveness by creating an artificial preference for companies offering open source software and related services, even as it denies many legitimate companies access to the government market,” the IIPA states, “Rather than fostering a system that will allow users to benefit from the best solution available in the market, irrespective of the development model, it encourages a mindset that does not give due consideration to the value to intellectual creations.”

Since when has FOSS denied anyone anything, let alone legitimate companies’ access to the government market? And how is FOSS not an intellectual creation? Besides giving no proof of their statements, these murmurings are just plain fiction. Perhaps the US Copyright Lobby should stop spouting trash in the name of big business and do something for the man in the street for a change.

Privacy and freedom: World Gone Mad Part 1

Last week, a story broke in the US concerning invasion of privacy and has become a huge talking point globally. The Lower Merion School District provided Apple Mac laptops to students (no private machines were allowed) and installed remote control software on these, allowing the school to remotely activate web-cams in an apparent attempt to curb theft.

Unfortunately it appears that these web-cams have been used for a little more than that, as students with perfectly legal laptops indicated that their web-cams seemed to operate at times when not expected (check many of the comments in this link).

One of the students, Blake Robbins, and his parents, have filed a civil rights lawsuit against the school district accusing the school of turning on the web-cam in his computer while it was inside their Penn Valley home, which they allege violated wire-tap laws and his right to privacy. The suit, which seeks class-action status, alleges that Harriton vice principal Lindy Matsko on Nov. 11 cited a laptop photo in telling Blake that the school thought he was engaging in improper behaviour. He and his family have told reporters that an official mistook a piece of candy for a pill and thought he was selling drugs.

Of course the school district is claiming innocence … But things have got a lot more murky with some detailed investigation by Stryde Hax, a security consultant. Some of his findings:

  1. Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large on-line web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
  2. In a promotional web-cast, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take remote pictures through a high school laptop web-cam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable “curtain mode”, a special remote administration mode that makes remote control of a laptop invisible to the victim.
  3. Perbix discusses methods for remotely resetting the firmware lockout used to prevent jail-breaking of student laptops. A jailbreak would have allowed students to monitor their own web-cam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking web-cams were just “a glitch.”
  4. In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration.

There’s even more information coming from the students themselves:

  1. Possession of a monitored Macbook was required for classes
  2. Possession of an unmonitored personal computer was forbidden and would be confiscated
  3. Disabling the camera was impossible
  4. Jail-breaking a school laptop in order to secure it or monitor it against intrusion was an offence which merited expulsion

So there are a few questions to ask here:

  1. was the school district aware of the potential for misuse of this system and the abilities?
  2. did the school district know about Perbix’s delusions of grandeur?
  3. if not, how could they be so stupid as to not inform the students of this monitoring system?

No matter the outcome, this appears to be a simple case of invasion of privacy. Under no circumstances should anyone be allowed to remote view a machine without the user’s consent no matter whether that equipment is the user’s or not.

Perhaps it’s a matter of bravery on the school district’s part as anti-terrorist laws in the USA have increasingly encroached on citizens’ personal freedoms and civil liberties. If the government can do it, why shouldn’t we?

2009 most hacked app - Acrobat Reader

Malicious Acrobat Reader documents made up almost 80% of all exploits for 2009, according to security research company ScanSafe. Vulnerabilities in Adobe’s PDF reader have doubled year on year and Adobe seems to be having a problem keeping things under any sort of control. To keep yourself safe (well, sort of), disable JavaScript in Reader and don’t use the browser plugin. Adobe is patching several serious vulnerabilities today.
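Disabling JavaScript in Reader protects the desktop; on a mail gateway or a shared drive the complementary check is to triage PDFs before anyone opens them. The capabilities that malicious PDFs lean on are all visible as PDF name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), and the two tricks that defeat a naive grep are name hex escapes (the spec lets /J#61vaScript spell /JavaScript) and FlateDecode-compressed streams that hide the action dictionary. The Python below is an added example in the spirit of the pdfid approach, not code from the original post, from ScanSafe or from Adobe; triage_pdf, is_suspicious and build_sample_pdf are my own names, and the document build_sample_pdf produces is a constructed byte string, not a real PDF from the wild.

```python
import re
import zlib

# PDF name objects that warrant a second look before a document is opened
WATCH = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")   # a PDF name: '/' followed by non-delimiters
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Undo #hh escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates as zlib (FlateDecode) data."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode, or damaged: nothing to inspect


def triage_pdf(data: bytes) -> dict:
    """Count watched names in the raw file and inside its compressed streams."""
    counts = {name: 0 for name in WATCH}
    hex_escaped = 0      # watched names that were spelled with #hh escapes (evasion signal)
    in_streams = 0       # watched names found only after inflating a stream
    blobs = [(data, False)] + [(body, True) for body in inflate_streams(data)]
    for blob, compressed in blobs:
        for m in NAME_RE.finditer(blob):
            raw = m.group(0)
            name = normalize_name(raw)
            if name not in counts:
                continue
            counts[name] += 1
            if b"#" in raw:
                hex_escaped += 1
            if compressed:
                in_streams += 1
    return {"names": counts, "hex_escaped": hex_escaped, "in_compressed_streams": in_streams}


def is_suspicious(report: dict) -> bool:
    """Any script or launch capability is enough to quarantine the file for a closer look."""
    names = report["names"]
    return any(names[n] for n in ("/JavaScript", "/JS", "/Launch"))


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real document: an OpenAction, a hex-escaped name,
    and a JavaScript action hidden inside a FlateDecode stream."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden),
        hidden,
        b"\nendstream\nendobj\n",
        b"4 0 obj << /Type /Annot /AA << /O << /S /J#61vaScript /JS (this.print()) >> >> >> endobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for name, n in report["names"].items():
        print("%-14s %d" % (name, n))
    print("hex-escaped names:", report["hex_escaped"])
    print("found inside compressed streams:", report["in_compressed_streams"])
    print("suspicious:", is_suspicious(report))
```

The hex-escape and compressed-stream counters are the interesting output: a legitimate generator has no reason to spell /JavaScript with escapes, so a non-zero hex_escaped count is a stronger signal than the raw name count. This is a triage heuristic, not a parser: it does not follow cross-reference tables or object streams, so treat a zero result as "nothing obvious" rather than "clean".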

New Windows 7 update phones home

Apologies for the late notice on this but I only just learned of it myself: Microsoft will be releasing “Update for Microsoft Windows (KB971033)” today. This however is not an ordinary update. This one will change the current activation and anti-piracy behaviour of Windows 7 by phoning home every 90 days (for now). The purpose is to verify that you aren’t running a pirated copy of Windows and to take action by changing the behaviour of your PC if it appears that you aren’t properly authenticated and genuine. This falls under the new banner of Windows Activation Technology (WAT).

There are a few things that are worrying about this:

  1. if you have activated and authenticated your copy of Windows 7 at install or purchase time, why (and/or how) would this change over time?
  2. if your system is compromised and subsequently downgraded by WAT to non-genuine status, what will the effect on the user experience be?
  3. will a downgraded user lose access to any functionality? (Update: yes, they will not have access to certain future Windows Updates)
  4. how does someone who has been downgraded get genuine again (and how will it inconvenience them)?
  5. why should Microsoft have the power to downgrade a user’s copy when that user has legitimately purchased that copy?

The update is due for manual release today and is tagged as “important” therefore will be installed no matter the settings of Windows Update on your machine. You should set your machine to manually download and install updates, and then manually deselect this update for installation. It serves no useful purpose w.r.t. the security or stability of Windows, and in addition opens up a whole can of worms w.r.t. your privacy. If this update gets installed and you are still deemed to be genuine, then you should uninstall this update asap.

While everyone understands that Microsoft has a serious issue with pirating, I don’t think anyone would willingly agree to the unacceptable level of intrusion that Microsoft is forcing on users with this update. We’ve already had major issues with DRM-encumbered music from Microsoft and now comes their chance to not only disable your music, but your entire PC. It’s just not right and you shouldn’t let them.

New research paints grim picture for AntiVirus software

While I’ve never assumed AV software will protect you from all ills on the Internet, new research from SurfRight shows just how bad things are. A sample of just under 110k users (a very good sample, I think) shows that 32% (yes, 1/3rd) of all machines running AV software were infected. What’s even more interesting is that the percentage of infected machines among those not running AV software is only 46%. This gives one some idea of how ineffective AV software is in practice. Of the sampled machines with AV installed, 73% had up-to-date signatures and 27% did not.

The report from SurfRight also highlighted the increased coverage provided by OS-level software such as Microsoft’s Malicious Software Tool and Security Pack.

The outcome is as always: defence in depth. Run multiple point products to provide more security, e.g. AV software (with definition updates), a good anti-spam filter, keep your OS patches current and use an anti-malware/spyware tool. And use your head – if that email looks suspicious, it probably is.

XStore Services downtime

XStore services will be down this evening at 6pm for scheduled maintenance for about 15 minutes. Services affected include:

  • hosted Nagios monitoring
  • hosted email/web

Patch Tuesday

This coming Tuesday, Microsoft is releasing a slew of patch fixes, 5 of which are rated critical, 7 important and 1 moderate. All of the critical flaws result in remote code execution and 10 of these patches require a system restart. The list of operating systems affected includes everything from Win2k through to Win2k8 R2.

The 17-year old hole reported a week ago is being fixed; however, the latest IE flaw noted this week is not getting a patch yet. What is worrying, however, is that Redmond says it is still working on a patch for the SMB flaw that can be used to crash Windows 7 and Server 2008 R2 remotely. That was disclosed three months ago, so the company is lagging quite a bit with that one.