The unpatched LNK vulnerability in all versions of Windows ( from XP onwards ) is attracting a lot more attention from malicious code authors. A further 2 exploits have been detected in the wild. The first .lnk trojan, Stuxnet, was very specific about its payload, which targeted Siemens SCADA software. But the effectiveness of .lnk attacks lies in the fact that the payload can be customised and changed as required to suit the attack.
Win32/TrojanDownloader.Chymine.A contacts a server in the US and downloads the Win32/Spy.Agent.NSO key logger from there. The Win32/Autorun.VB.RP worm is now also said to have discovered the .lnk hole as a suitable means for propagation. The worm even actively produces further compromised .lnk files so it can spread faster.
The German Federal Office for Security in Information Technology (BSI) has issued a warning (German language link): until the hole has been patched, users are to follow the workaround steps described in Microsoft’s security advisory. Microsoft’s fix-it is indeed the easiest way to protect a system from impending attacks. However, it does cause a loss of convenience, as Windows will only display standard icons for all short-cuts once the fix-it has been applied.
Incidentally, Microsoft has removed the official documentation for the .lnk file format from its server without comment. Critics sneer that this was done to remove the description of the format’s security measures on page 48 (see screen-shot below).

A new malicious attack has been spreading through the internet in the last few weeks, initially using USB memory sticks to propagate. Called the LNK vulnerability, the attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited.
The exploit has now been tested as working from SMB network shares as well as Windows’ WebClient services. The nature of this attack is very serious as noted by the ISC raising its Infocon level to Yellow. Even Microsoft is worried enough about this vulnerability that the guys from Redmond said, “Anyone believed to have been affected by this issue … should contact the national law enforcement agency in their country.”
The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple and potentially dangerous. ( Question: why would anyone use Windows software for controlling industrial equipment? )
Recommended temporary solutions are to turn off icons for shortcuts and to disable the WebClient service, but these are fairly intrusive and confusing for the average user. The recent protections for AutoRun capability are useless in this case. All versions of Windows from XP/2000 and later are affected. Anti-virus vendors are so far unable to halt the spread of this attack.
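Both posts above make the same point: a shortcut is acted on as soon as Explorer renders its icon, so the icon path and the other fields inside a .lnk are worth inspecting before a file ever reaches a desktop. The following is an added example for triage, not code from either post or from Microsoft. It follows the public [MS-SHLLINK] layout ( a 76-byte ShellLinkHeader, an optional LinkTargetIDList, an optional LinkInfo block, then the StringData fields ), builds its sample shortcut in memory so it runs offline, and its review rules ( network icon paths, non-standard icon containers, arguments ) are heuristics of this example rather than anything the posts state.

```python
"""Triage parser for Windows shortcut (.lnk) files.

Added example, not code from the posts above. Layout follows the public
[MS-SHLLINK] specification; the sample shortcut is constructed in memory
and the triage rules are this example's own heuristics.
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits ([MS-SHLLINK] 2.1.1) that this parser understands
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Extensions that normally carry icon resources (heuristic, not from the spec)
ICON_CONTAINER_EXTS = (".ico", ".exe", ".dll")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, IDList item count and StringData of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    link_flags, file_attrs = struct.unpack_from("<II", data, 20)
    # offsets 28..52 hold three FILETIMEs; FileSize, IconIndex, ShowCommand follow
    file_size, icon_index, show_command = struct.unpack_from("<IiI", data, 52)

    offset = LNK_HEADER_SIZE
    id_list_items = 0
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        pos, end = offset, offset + id_list_size
        # each ItemID is a 2-byte size (including itself) plus data; 0x0000 terminates
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            id_list_items += 1
            pos += item_size
        offset = end
    if link_flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size  # skip the LinkInfo block entirely

    strings = {}
    for flag, field in STRING_FIELDS:
        if not link_flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters
        offset += 2
        if link_flags & IS_UNICODE:
            strings[field] = data[offset:offset + 2 * count].decode("utf-16-le")
            offset += 2 * count
        else:
            strings[field] = data[offset:offset + count].decode("cp1252", "replace")
            offset += count

    return {"link_flags": link_flags, "file_attributes": file_attrs,
            "file_size": file_size, "icon_index": icon_index,
            "show_command": show_command, "id_list_items": id_list_items,
            "strings": strings}


def triage(info: dict) -> list:
    """Return review notes for a parsed shortcut (heuristics of this example)."""
    notes = []
    icon = info["strings"].get("icon_location", "")
    if icon:
        low = icon.lower()
        if low.startswith("\\\\"):
            notes.append("icon loaded from a network location")
        if not low.endswith(ICON_CONTAINER_EXTS):
            notes.append("icon location is not a conventional icon container")
    if info["strings"].get("arguments"):
        notes.append("shortcut passes command-line arguments to its target")
    return notes


def build_sample_lnk(name: str, icon_location: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk with a name, optional arguments and an icon path."""
    flags = HAS_NAME | HAS_ICON_LOCATION | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20)   # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                       # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IiIH", 0, 0, 1, 0)   # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                       # Reserved1, Reserved2, Reserved3

    def ustr(s):  # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + ustr(name) + (ustr(arguments) if arguments else b"") + ustr(icon_location)


if __name__ == "__main__":
    # constructed sample: an ordinary-looking shortcut whose icon lives on a share
    parsed = parse_lnk(build_sample_lnk("Readme", r"\\fileserver\share\icons.dll"))
    print(parsed["strings"], triage(parsed))
```

Run it over a directory of shortcuts pulled from a suspect USB stick or share and the notes point you at the files worth a closer look; the parser deliberately stops at the StringData fields, so ExtraData blocks at the end of the file are ignored.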
I always find it quite amusing ( and ironic ) when security vendors eat their own dog food – and get bitten. Here are a few gems:
Earlier this year, McAfee released a definition file which flagged a Windows XP SP3 system file ( svchost.exe ) as a threat, resulting in thousands of machines not being able to boot and bringing corporate networks to their knees.
In February, a hacker gained access to the Kaspersky website as well as confidential customer information. The hacker had actually warned Kaspersky repeatedly but, after no response, decided to go ahead with the publication of the information.
An erroneous update for the BitDefender antivirus software in March, saw an unknown number of 64-bit Windows PCs crashing or unable to be rebooted. The update falsely detected several Windows and BitDefender files as infected with the Trojan.FakeAlert.5 virus and quarantined them accordingly.
In 2008, Norton Antivirus Endpoint released a virus definition update that detected the file “microsexplorer.exe” on the Micros POS system as a virus. As a result, thousands of POS terminals were broken.
In 2009, a glitch in virus definition updates for the popular AVG Anti-Virus software from Grisoft mis-identified libraries required by Apple’s iTunes software as harmful – and disabled the software.
The reason I’m bringing up all of these is that security vendors often come across as holier-than-thou and having your best interests at heart, yet they end up breaking things for many people. It all seems like a Las Vegas kind-of-shabby attempt at showing their products as being the best, in the ever-growing war over who is king of the security hill.
And the worst of these in my mind is Symantec. Not happy with bringing out a series of shocking anti-virus products for a number of years, they’ve now resorted to peddling their apparent security superiority with an online site called 2010NetThreats ( yes I know, another company trying to take advantage of the WC ).
Unfortunately, under almost every security tip published, there are comments from spammers with links for purses, T-shirts, metal parts, hotels, sport shoes, and other dubious sales offers. Distributed via comment spam, the links appear to all lead to more or less harmless online shops, but it would be easy for spammers to put in links leading to servers infected with malware.
There’s no registration required to comment, nor are there any CAPTCHA mechanisms in use. Considering that most professional CMSs have these security functions these days, this is careless at the very least. There is also no rel="nofollow" protection for posted URLs in comments.
And Symantec are punting themselves as a security company? Hmmm, yes, maybe in an alternate universe …
Then we have classic tips like the following on the site:
According to Symantec’s Con Mallon, while most South African cybercafes are legitimate businesses, experience has shown that they can be hotspots for cybercriminals, both physical and virtual.
Con has the inside track – SA cyber-criminals are vastly more proficient than others in the rest of the world, whose internet cafes are devoid of issues like this … Must have something to do with our crime issues!!!
Dan Bleaken, Senior Malware Analyst, Symantec Hosted Services: As we approach the semi-final stage of the 2010 World Cup, Symantec’s MessageLabs Intelligence has recorded a great variety of online threats relating to the event.
Sorry Dan, are you trying to tell us something new?
Everyone knows how frustrating a slow PC can be, particularly when you’re trying to stream a live match. Often, this can be a slow Internet connection or too much software clogging up your machine, but it can also be a sign that you have malware, such as viruses, worms or Trojans, sitting on your PC.
How can you fix it? A security software suite, such as Norton 360 version 3.0, goes through all of your PC’s processes to spot the problems.
Ok …
Unfortunately, this does highlight a greater issue relating to Windows PCs and online security specifically. The average man in the street is continuously bombarded with advertising for security products and is not in a position to either choose effectively or test packages in a bid to find the ‘right’ one. The other side of the coin is the high cost of operating Windows PCs in the modern internet world – a cost in both time and software.
And finally, no matter how much security you have, zero-day threats can eat through all the firewalls, anti-malware and virus apps that you have, exposing your data and potentially misappropriating your system. A no-win situation any way you look at it.
So don’t automatically trust your security vendor just because they are in the security business. Keeping your wits about you may end up being a better security application than any provided by the so-called pros.
UPDATE: ah, very interesting to note that there are no longer any comments whatsoever on the entire site – I wonder where they have gone …
I’m subscribed to a Microsoft UK email newsletter that I get once a month. The latest one started as follows:
As someone who is fully aware of the potential dangers that the internet poses to those who use it for banking, shopping and social networking, you must get a lot of people asking for your recommendations on the best anti-virus software available?
Yes I do get a lot of people asking me, and my response, apart from the usual suspects, is to recommend that they just get off the Microsoft platform completely – that’s the only way you’re going to have any semblance of safety.
It’s very interesting that the company that makes the most insecure platform on the market, offers to provide you with security products to fix that platform’s issues. How ironic. Why not just provide a secure platform to begin with?
Anyone who runs a business ( from small SMEs to large corporates ) these days, with computing facilities for their employees, faces a tough battle with network and computer security. The list of external malicious vectors is endless, including phishing attacks, spyware, viruses, DoS attacks and many others.
The Mariposa virus, shut down in March this year, was responsible for stealing credit card numbers and banking credentials from as many as 12 million PCs. This virus was spread through instant messaging links and propagated through USB flash drives and p2p file sharing networks. Reports indicated that more than half the Fortune 1000 companies and more than 40 major banks were infected. *
According to RSA, EMC’s Security Division, even at Fortune 500 companies 88% of them had systems that had been accessed by infected machines and 60 percent of them had experienced stolen email account information. Rob Jamison, Manager of Network intelligence, BT Managed Security Solutions Group, added that “some of the larger botnets are de facto controlled by Eastern European crime syndicates, but many others have botmasters in North America, Brazil, and Europe. Chinese hackers also have been extremely effective in infiltrating organizations via spear-phishing attacks and use botnet technology in their attempt to exfiltrate information. While credit card theft is on the decline as it has become more difficult to profit from a stolen credit card number outside of the country of issue, selling stolen banking information to the highest bidder in the secondary market is still the leading business model. The stolen banking information is most often used with ‘money mule’ operations to steal money from victims’ bank and credit card accounts. The botnet operators generally focus only on acquiring and selling the stolen information to separate criminal groups who operate the money mule scams.” **
While external malicious activity gets the bulk of our attention, what’s often forgotten are the employees themselves. The task for a business owner is to safeguard the information generated by the employees of the business as well as any IP, trade secrets or other valuable information. Employees often don’t understand the cost or importance of this information and therefore are prone to using the provided computer facilities without due consideration for the security of the data within the organisation. There are a number of issues which an employee may be unaware of:
- internet bandwidth costs – this is a significant business expense ( especially in the South African internet context ) and uncontrolled use of this provision can cost the business heavily
- malicious vectors – these can not only cause an inconvenience in terms of infection but can compromise data and business operations in a variety of ways
- blackmail as a result of DoS attacks
- destruction/corruption of business data on computer workstations due to virus activity
- loss or disruption of public-facing or internal computing facilities
- support costs – any computer issue requires either support from an internal IT group or external contractor
- loss of productivity as a result of computer issues
- business information exposed – inadvertent, or otherwise, exposure of critical information to outsiders
Beyond the usual security measures one may take ( firewalls, antivirus, etc. ), a certain onus lies on the computer user in terms of their activities and behaviour in their daily computer use. This would include safe internet surfing practices, being mindful and watchful of the content of email and web-sites, constantly being on the lookout for malicious activity. Of course employees are not security experts so there is a responsibility on the management to afford the user good training in this regard. Fast moving changes on the Internet landscape mean that this is a continuous process. Social networking, IM, p2p and corporate apps integrating internet technologies are a constant barrier to keeping pace with security needs.
In addition, Acceptable Use Policies ( AUP ) are a must – these guide the employee in the use of the computer facilities. There should either be a number of AUPs covering a variety of different areas or these can be incorporated into a single document. Areas of coverage should include but are not limited to:
- Email etiquette and usage
- Web surfing practices
- Instant Messaging, social networking
- Local and network document storage
- External storage such as USB and hard disks
Larger corporates typically have the infrastructure and staff to implement effective monitoring of a security policy while smaller companies need to rely on AUPs and periodic inspections to make sure that the business information and operations remain safe. In either case, technologies are available to implement and assist with security strategies that minimise the attack surface that a company has:
- proxies
- content filtering
- firewalls
- anti-spam/virus
- logging
- data loss prevention
- desktop monitoring software and key-loggers
- access control
Factors to take into account when designing a security policy include:
- regulatory compliance
- HR policy
- budget
- corporate culture
While most security incidents are due to ineffective security or a lack of employee knowledge, there is also the case for nefarious action – deliberate and wilful actions on the part of the employee to subvert the operations of the business. These cases are often the most difficult to deal with as they are typically unexpected.
Many employees may find security practices and AUPs, within a business, restrictive, but the ultimate aim is to protect business data and value. 10% of companies that suffer a catastrophic data loss will be out of business within a year, with the resulting loss of jobs – employees can help safeguard their companies against problems like this by accepting and working with security policies.
Policies and procedures need to be comprehensive and enforced – these are ineffective otherwise. Corporate monitoring and effective security strategies protect the organisation against theft, fraud, harassment, compliance violations and maximise employee productivity. Employee training aids in the enforcement of security strategies, and improves computer use and productivity. Taken altogether, these provisions can make the difference in an era where security threats are the norm and keeping control of corporate data is a moving target.
* INSECURE Magazine issue 26
** ITWorld – http://www.itworld.com/security/106428/the-botnet-business
The ether has been strangely quiet about SCO’s recent defeat at the hands of a jury, on the issue of suing IBM for copyright infringement. After 2 judges and 1 jury decision, it was found comprehensively, that Novell never sold the copyrights to UNIX as part of its sale of UnixWare to SCO in 2003. Therefore SCO could not sue anyone for copyright infringement when it did not own the copyrights.
The 1st big fact here is that SCO ( Caldera at the time ) was using GPL’d code in its Linux product, and under that license you forgo the option to sue someone for copyright infringement because any GPL source code has to be made freely available. No other license can exceed the use of GPL if GPL is applied to those works. When you use Linux or FOSS, you can’t sue for copyright infringement – period. If you adopt the GPL license, you are telling everyone that they are allowed to use your work and derive it, if you want. The only situation under which someone can sue under the GPL, is where the GPL and copyright notices are not distributed along with the code ( something that happens more often than you’d imagine – don’t people learn? ).
By selling and using a GPL’d product, SCO in effect shot itself in the foot – it would be just as guilty under this lawsuit as IBM if SCO won the suit. Which is a paradox. Which means SCO could not win the lawsuit under any circumstance.
The 2nd big fact is of course that SCO never showed any infringing code in Linux. Not a thing. In 7 years. Nada, nil, nothing!!! If they had such a watertight case, why keep the reason for suing, from everyone?
SCO has essentially wasted 7 years of time and countless millions of dollars for a lawsuit which had no foundation to begin with. In retrospect, it can only be seen as a pure money-making scheme on the back of nothing. And yes, many a stock was sold between 2003 ( when the suit was started ) and 2004. The SCO Group wanted billions of dollars from IBM for work that, assuming all of the SCO Group’s claims had been accurate, SCO only spent a few million dollars developing and were only able to realize a few million from its own products.
Finally, we have to listen to SCO shills like Paul Murphy and Maureen O’Gara espouse theories on why SCO was right and the rest of the world wrong. Huh? Are they that ignorant of the facts, or just stuck so far up SCO’s arse that the rest of the world no longer exists? Half and half, methinks. Paul says “Overall this is a case in which the next surprise has almost always seemed a red herring to those judging on the basis of the underlying issues – and red meat to those using any available means or information to attack SCO.” SCO has been attacking Linux for 7 years and wasting everyone’s time – does it expect anything less in return?
So is SCO dead? Well it should be. But somehow I think Darl and friends will be hovering in a corner trying to make a quick buck. Good luck to them in the meantime, the rest of us will get on with our lives.
Further on from my previous articles on online data storage and services ( On-line storage – safe or not?, Windows and online banking, Local insurance company loses client data, Data loss for Sidekick users Part 2 and Apple and data leakage? ), AT&T have had a massive data leak of email addresses and ICC-IDs ( unique serial numbers that identify each SIM card ). And the information could apparently be used for more than sending the users a little extra spam.
Attackers can use the information to learn the names and phone numbers of the leaked users, and can even track their position. The iPad’s SIMs are going to be used for data, rather than voice, connectivity, which does reduce the impact of the problem a bit—attackers can’t eavesdrop on phone calls that don’t even exist, and encrypted Internet traffic will remain protected—but the breach does still leave iPad users trackable, and vulnerable to hijacking or eavesdropping of any unencrypted traffic.
The FBI has previously said they are looking into how the details of approximately 114000 users were compromised. The list includes officials from the FCC, FAA, NASA and the Army, who were among the early adopters of the technology.
A new worm is spreading rapidly via Facebook. The cause is a problem disclosed weeks ago which Facebook seems unable to fix. As a result, there has been another wave of crafted status messages – this time they refer to a web page which allegedly presents the “101 hottest women in the world”. Those who click on the link are directed to a fairly neutral page with a picture of Jessica Alba and the message “Click here to continue”. At this point nothing bad has happened, however, in the background the web page has opened an iFrame which posts the link to Facebook. This works because users are already logged into Facebook when they read their messages.
The basic problem has been known for several weeks and Facebook has been hit by waves of attacks exploiting the flaw. Those who want to protect themselves can, at least in Firefox, enable the NoScript extension. This extension not only filters out JavaScript, it also detects transparent iFrames and warns of potential “clickjacking attacks”.
Those using IE unfortunately have no protection if they click through and will be compromised.
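The post above covers the user-side defence ( NoScript spotting the transparent iFrame ); the site-side defence, which the post does not discuss, is for the site to tell browsers not to render its logged-in pages inside a frame at all, via an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive ( when both are present, browsers honour the CSP directive and ignore X-Frame-Options ). The following is an added example, not code from the post or from Facebook, that evaluates those headers the way a browser would and audits a set of constructed sample responses for pages a foreign site could still frame.

```python
"""Evaluate whether a page may be shown in a frame by another site.

Added example, not code from the original post. Implements the browser
rules for X-Frame-Options and CSP frame-ancestors; sample responses are
constructed inline.
"""
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased, for same-origin comparisons."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP string, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a browser would render page_url inside a frame hosted on framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin(page_url), origin(framer_url)

    # CSP frame-ancestors takes precedence over X-Frame-Options when present
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        if "'self'" in sources and framer == page:
            return True
        # explicit origins only; scheme-only and wildcard host sources are not modelled
        return any(framer == s.rstrip("/") for s in sources if not s.startswith("'"))

    xfo = h.get("x-frame-options", "").strip()
    if xfo:
        parts = xfo.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "DENY":
            return False
        if keyword == "SAMEORIGIN":
            return framer == page
        if keyword == "ALLOW-FROM" and len(parts) == 2:
            return framer == origin(parts[1])
        # unrecognised value: browsers ignore the header, so the page stays framable
    return True


def audit(responses, framer_url="https://evil.example/"):
    """Return the URLs from (url, headers) pairs that a foreign site could frame."""
    return [url for url, hdrs in responses if framing_allowed(hdrs, url, framer_url)]


# Constructed sample responses for a site with logged-in pages
SAMPLE_RESPONSES = [
    ("https://tips.example/post/1", {"Content-Type": "text/html"}),
    ("https://tips.example/post/2", {"X-Frame-Options": "SAMEORIGIN"}),
    ("https://tips.example/post/3",
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("https://tips.example/embed",
     {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}),
]

if __name__ == "__main__":
    print("framable by a foreign site:", audit(SAMPLE_RESPONSES))
```

Only the first sample page comes back as framable; the other three carry a header that makes the browser refuse the frame, which is exactly what stops a hidden iFrame from submitting a status update with the victim’s existing session.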
It seems that Microsoft just can’t help itself. As part of its regular Patch Tuesday, Microsoft released an update for its various toolbars, and this update came with more than just documented fixes. The update also installs an add-on for Internet Explorer and an extension for Mozilla Firefox, both without the user’s permission.
The update is listed as “Update for Microsoft Search Enhancement Pack” which doesn’t have any relation to browser add-ons or extensions. In addition, the update is marked as Important instead of Optional which means that it’s likely to be installed automatically, depending on the users’ update settings.
Users started seeing this item as installed due to the fact that Firefox shows newly installed extensions on restart ( IE does not do this ). Apparently Microsoft is not even aware of the issue …
Microsoft announced a public beta of SP1 for Windows 7 and Server 2008 R2 at TechEd in New Orleans this week. Yes that’s right – the same package is used to update both platforms due to them using the same kernel. While Windows 7 doesn’t gain any new functionality from this update, Server 2008 R2 will gain RemoteFX which allows acceleration of graphics and audio for Remote Desktop sessions.
Another new feature added to Server 2008 R2 is Dynamic Memory which allows memory to be dynamically allocated to Hyper-V guests - this is equivalent to KVM’s memory ballooning feature.
It didn’t take long for someone to start exploiting zero-day vulnerabilities in Adobe’s software. In fact, having the honour of designing the most hacked software on the planet means that Adobe’s products are always going to be on the front-line of attacks. Since late Friday attackers have been exploiting a critical vulnerability in the company’s most widely-used software: Flash Player and Adobe Reader.
Adobe said that the bug affects Flash Player 10.0.45.2, the most up-to-date version of the popular media player, as well as older editions on Windows, Macintosh, Linux and Solaris. Also vulnerable: PDF viewer Adobe Reader 9.x and PDF creation software Adobe Acrobat 9.x on Windows, Macintosh and Unix.
The threat has been rated as ‘extremely critical’ by security firm Secunia and US-CERT have also posted a warning of the vulnerability. Ironically, the newest warning came just days after Brad Arkin, Adobe’s director of security and privacy, said the company is in the security spotlight, but had taken several countering steps, including emphasizing development practices that have resulted in more secure code.
Meanwhile Adobe has recommended users switch to the unfinished 10.1 RC which is available here.
UPDATE: Adobe has indicated that a fix for this issue will be made available tomorrow, Thursday 10 June.
Slackware releases are like a big shiny new birthday present for me ( in fact mine’s just around the corner, hint hint ) even though I follow -current mostly. It means that the distro is at a point where new packages have been added, others upgraded and bugs worked out. And Patrick, and the rest of the dev gang, are happy …
What’s new?
One of the views of Slackware in the past has been that it’s reliable and stable, but older versions of packages are used in a bid to combat instability in newer package releases. While that has been true in the past, I’ve found that since 13.0 especially, Slackware has been released with more up-to-date packages while retaining its stability.
The big upgrade in this new release is the move from the KDE 4.2 series to 4.4 with PolicyKit ( thanks to Eric Hameleers for all his KDE dev releases ). While some may not notice, there are performance, feature and stability improvements in this upgrade that make this ‘new’ desktop environment even better than before. Read H Online’s 4.4 review for more information.
The kernel is now at a 2.6.33.4 level, gcc at 4.4.4 and glibc at 2.11.1. X is updated to 1.7.x along with all the accompanying drivers, thanks to Robby Workman.
All the security apps have been updated with OpenVPN now being included by default and the LAMP stack is at Apache 2.2.15, PHP 5.2.13 and Mysql 5.1.46. The Cups package has had usblp support added back in, something that a number of people were looking for. Related, the hplip package has ijs support again. Firefox, Thunderbird and Seamonkey are at their latest releases – I was hoping Thunderbird 3.1 would be released before Slackware 13.1 but no matter as I’m sure it will be in -current soon.
In other news, the libv4l package has been replaced by v4l-utils, bittornado and emacsspeak are in /extra, /dev/sr0 is now searched for install media before the old IDE devices, JDK and JRE are at Update 20, Amarok 2.3.0.90 is in /testing and firmware for a number of wireless devices are added/upgraded.
In general
I won’t rehash information from my previous Interviews except to say that the stability, robustness and performance carries on from previous releases. Slackware continues to perform well in both server and desktop roles with support for most current desktop technologies ( bluetooth, wireless, etc. ) and server-side services and development. Don’t expect to find the customisations you’ll find in other mainstream distributions – Slackware is raw and to the point.
The ncurses-based installer hasn’t changed ( much ) while the newer txz package format gets support from 3rd-party solutions like Gilbert Ashley’s excellent src2pkg tool. The GSB project is tracking ( according to their website ) 13.1 closely and hopefully we can expect a release of this Gnome add-on to Slackware soon. In the meantime, a dev version of 2.28 is available from them. The Dropline Gnome and Gware projects appear to have stagnated as there is no recent news from them.
Many of the audio-video libraries I would have previously compiled manually are now included by default which makes Slackware very capable from a desktop audio point of view. These include libraw1394, libmsn, libdiscid, mpg123, libmtp, loudmouth, fftw, liblastfm and others.
64-bit support, introduced in Slackware 13.0, continues to mature in 13.1 and Eric Hameleers is tracking the mainline development effort with his MultiLib libraries very closely ( even when on holiday! ), allowing one to run a combined 32- and 64-bit system without too much extra effort.
Those who mirror the -current tree can go to sligdo for a method of generating ISOs.
Conclusion
Having built a number of 64-bit 13.0 servers in recent months, I can confirm that no issues have cropped up with the addition of the 64-bit version and these machines are running beautifully. My own 64-bit MultiLib desktop remains a pleasure to use even on slightly older hardware ( yes time to upgrade ). Slackware on the whole, retains a vibrant end-user community with many blogs, websites and forums dedicated to this venerable distribution. One of the busiest places on the ‘net is the LinuxQuestions forum where many Slackers hang out.
13.1 continues the Slackware tradition of a simple, no-frills, reliable distribution for those wanting a rock-solid Linux implementation, and also those wanting to learn the ins and outs of Linux. Thanks to Pat and everyone else involved in this wonderful project – support them through the Slackware store if possible so we can continue getting our Slackware fix.