March = Patch Office Month

The latest dose of monthly medicine from Microsoft includes 4 critical patches for Microsoft Office. You can get the Microsoft details or the SANS Internet Storm Center Handler’s Diary always provides a simplified view highlighting the most serious of the patches with their own ratings. Of this month’s releases, MS08-14 gets a SANS ISC rating of “Patch Now” due to active exploits in the wild.

If you haven’t done so, it’s highly recommended to configure Windows auto-update (for XP and Vista).

Firewire burns a hole through locked workstations

The Register, among others, reported the release of a tool that allows easy access to a locked workstation. The caveat is that it requires physical access to the Windows computer and is executed by connecting a Linux device to a Windows computer via firewire. The vulnerability has been documented since 2006, but only recently was a tool released to simplify the exploit. As El Reg notes, one wouldn’t think this would be that difficult to repair, but Microsoft has yet to address it. We can argue semantics over whether firewire or the Microsoft implementation of firewire is at fault, but that doesn’t do much for resolving the issue. Due to the need for physical access, I can’t deem this a critical vulnerability, but physical computer security is often as neglected as electronic computer security so it’s still worthy of note.

PayPal bug squashed, but is it dead?

CA has a nice writeup from last month (thanks for the tip Brian) on a jsp vulnerability recently toyed with on the PayPal site. It’s a fine example of good disclosure; identifying a vulnerability, reporting it effectively, receiving prompt resolution and then documenting how it works in an informed and easy to read way. It’s also a scary little hole. If a money changer like PayPal had it and didn’t know about it, chances are others are vulnerable too. Who built your web site and is it using jsp pages? I’ll keep my eyes peeled for any indicators as to how broad this vulnerability may be as I honestly am not sure exactly how utilized jsp pages are these days.

Mining google…

Cult of the Dead Cow (cDc, famous for the backdoor suite Back Orifice) enter the news again bringing attention this time to using Google as a tool for reconnaissance and assessment with the release of Gulag. While this hacking technique isn’t new – Google Hacking has been well documented by the likes of Johnny Long (http://johnny.ihackstuff.com) – the press is.

Some will be angry at a publicized release that simplifies a hacking technique and some will be pleased. Personally, I’m a little torn. I applaud the intent of such a tool; it draws attention to a serious security concern and provides another useful method of assessing your network. And lets face it, the bad guys are using this method already, so giving people a tool that makes it easier to see what is already known to the attackers is a good thing.

If I get around to checking it out any time soon, I’ll post an update.

Hard disk encryption not so secure?

Well, well, well. It will be interesting to see whether businesses will be backing away from desktop encryption. While the hard work of the folks at Princeton University showed nothing is impenetrable, disk based encryption methods can still provide a level of security that surpasses unencrypted filesystems. There is no silver bullet nor is there a single solution that will solve security problems. The only approach is one that involves layered technologies.

A beginning…a prediction

SANS was all over this right after Christmas. I’m glad to see it getting a bit more press and must admit that Deborah Gage’s write-up lacks the confusion we typically see in the media reporting of incidents. (Although I guess the media confusion applies to all subject matter.) If an infection subverts your anti-virus, you’re pretty much guaranteed to be screwed. In this case, you’ve been infected by some attackers that were willing to take more risks than normal in launching the attack; physical access is my greatest fear.

In short, several brands of digital picture frames were purchased in big name stores bearing an unexpected gift (read trojan horse). Simply connecting one of these fine products to your Windows computer would pretty much guarantee you a rootkit. We’ve heard this song before with hard drives and USB drives. This time, according to the article, we’re relatively lucky that the infection is only a keylogger that attempts to steal user names and passwords for select online games…for now.

Between downloaders, self-patching and self-healing malware, I won’t be surprised to see additional functionality from these infections in the coming months. And even if we don’t, we’re still looking at a source of attack that further damages the trust relationship we as consumers have with manufacturers. Lead in children’s toys? Poison in dog food? As much as they think they can, governments can’t effectively regulate everything and attack vectors like this are vulnerable. We have further proof of the need for awareness and caution.

I’m inclined to think this is a well-organized group behind this attack. The attack method is shrewd. You avoid the unreliability of social engineering and spam and eliminate the variables and risk of alluring someone to the infection. The attack is limited in that it will only initially infect consumers who purchase the tainted wares. The supply chain is fraught with opportunity to induce such an infection, from manufacturing to shipping/distribution to the reseller. But let’s imagine for a minute that the picture frame is wireless and displaying pictures of lattes and muffins at a Starbucks full of users enjoying the free wireless access. It starts to get a little scarier, doesn’t it?

So what better way to cap a new beginning than a prediction? In the not too distant future there is going to be another spate of attacks where the source of infection is a product tainted before it reaches the end-user and it will be a more malicious and effective attack than this one. Government will look to enforce some kind of regulation on any type of electronic device that interacts with another device and all the while we’ll be poisoning our animals and watching our kids chew on that shiny and colorful piece of lead.