Cisco: The Next Big Security Concern

March 8, 2008 – 6:05 PM

Which operating system, embedded in more than 80% of enterprise IT environments, represents one of the fastest-growing hacker targets and potentially the most-devastating information-security vulnerability? Hint: It ain’t Windows. Cisco Systems’ Internetwork Operating System now sits at the center of the information security vortex. Because IOS controls the routers that underpin most business networks as well as the Internet, anyone exploiting its flaws stands to wreak havoc on those networks and maybe even reach into the computer systems and databases connected to them. IOS is a highly sophisticated piece of software, but–as with Microsoft’s Windows–that’s a double-edged proposition. Software complexity can be a hacker’s best friend.

Cisco is working hard to better shield its routers and other network equipment from the risks, but there are reasons to believe Cisco security will become a bigger problem before it gets better. The sheer amount of Cisco equipment installed, the many versions of IOS involved, the difficulties of upgrading that software, and the IOS vulnerabilities already out there or yet to be discovered present a major challenge to network administrators and security professionals.

Just last week, Cisco issued a security advisory for a serious IOS “heap-overflow” vulnerability that could let hackers get control of routers and switches running certain versions of the software. Cisco said it’s not aware of any “active exploitation” of the vulnerability, which will give customers at least short-term comfort. But Cisco notes that successful exploitations of similar vulnerabilities in the past have resulted in denial of service when the exploit caused a router to crash and reload. “In the event of successful remote code execution,” Cisco warns, “device integrity will have been completely compromised.”

http://www.crn.com/sections/custom/custom.jhtml?articleId=173500374

Better Spyware Defenses Needed

March 8, 2008 – 6:02 PM

Warning: Long ramble ahead.

A lengthy discussion has popped up on the Bugtraq mailing list. It began with an observation from a user that Microsoft Antispyware missed software from Claria and a whole raft of cookies. It is not surprising that it did not detect the Claria software, since Microsoft has decided that adware will not be detected by default.

The discussion has turned into a series of suggestions for reducing the number of malware infections. New posts are arriving as I write this.

It is an interesting question; and it made me start thinking. As long as it is legal and as long as there is money to be made in doing it, people will continue to create unwanted software parasites. How do we stop those parasites from infecting the average computer?

Everyone seems to agree that computer users need to be educated about the risks. I believe that the people most at risk of becoming infected by spyware are those who have connected to the internet for the first time.

The incident that turned me into a crusader against spyware was an ActiveX driveby installation of Comet Cursor. I had been online for just a couple of days and decided that the default browser security settings were too tight – so I loosened them.

Basically, what I did was to leave the keys of a very nice car sitting in the ignition after parking it in a seedy neighborhood. It happened because I was ignorant of the risk. No one told me that the neighborhood was dangerous, so I dropped my guard. If I had known that spyware could appear on my computer just from surfing a web site, I would have been more likely to tighten the security settings, not loosen them.

Education is not the whole answer. Despite all the warnings, people still become infected. I still receive emails with the “I Love You” virus attached; and that virus is six years old!

Laws will help to a certain point. Unfortunately, the people creating the worst of the malware already realize that what they are doing is wrong. Most of them will not care about laws.

The ultimate solution will have to be technological. The software which claims to protect against spyware will have to start living up to that claim. I can think of three things that antispyware software can start doing which will prevent the majority of spyware infections.

Number One:

At the moment, the second most popular method used to install unwanted software is to exploit browser flaws. Microsoft releases patches for most of these flaws but many people do not install them. Going to the wrong web page with an unpatched browser is like leaving home with the front door wide open.

This should be the first thing examined by antispyware software. If a patch, which fixes a flaw used in the installation of malware, is available and it is not installed, the software should point that out and tell the user to install it. It should make such a pest of itself about the patch that the user installs it just to make the program shut up.

You couldn’t do that with the corporate version, because the IT department may have vetoed a patch for causing more problems than it fixes. In the home version, the antispy program should make it difficult to ignore a patch that fixes a hole used by malware.

Number Two:

The most popular way to install spyware continues to be the third-party bundle. For years, most file sharing programs have been installing spyware. The antispy programs should keep a list of those P2P programs known to bundle third-party software and pop up a strong warning if the user is trying to install any of them.

Even better, why not scan any installer package as soon as it loads into memory? Most installers are just scripts which extract archived files to predetermined locations. With most installers, given the right software, you can see what files are located inside, as if it were a regular Zip file. If the files for Gator or SaveNow are located within an installer, force the installer out of memory and pop up a warning.

Number Three:

After browser flaws and third-party bundles, the next most common source of malware infestation probably is the ActiveX installer. There is a common misconception about ActiveX. People believe that, if ActiveX has a signed digital certificate, it can be trusted. It is the unsigned ActiveX that is the problem, or so people are told.

The fact that an ActiveX program is signed means exactly NOTHING. Every single piece of ActiveX malware that I have seen has been signed. Every single one of them. Even the porn dialers are signed.

In theory, the certificate issuer will revoke a signature if the software is used for malicious purposes. X-Block once tried to convince Verisign to do just that. Verisign would not do it, despite clear evidence that the program was malicious. The digital signature system is nothing but a scam, since the issuers will do nothing about the malicious use of the signed files.

However, since those programs ARE signed, that makes things a little easier. The Antispy program should install a Browser Helper Object that reads each ActiveX certificate as Internet Explorer downloads it. If the ActiveX is signed by a company associated with malware, block it and pop up a warning.

This presents the malware creator with a cruel choice. They can leave their malicious creation unsigned and risk having the browser block it. Or they can choose to sign the files, making it easier to identify them. They can randomize the file names all they want and it will not matter. Not even the wealthiest of adware companies can afford to buy multiple digital signatures in order to avoid this sort of detection.

I know most of the antispyware developers are reading this. I am suggesting very strongly that they look into seeing if these things are possible. If the antispy programs start doing this, I believe it will put up a roadblock to the three main avenues of spyware infection. With those roads blocked and guarded by armed sentries, the neighborhood will become a little safer for everyone.

http://www.spywareinfo.net/oct27,2005#betterdefenses

A Peek at IE7’s New Security

March 8, 2008 – 6:01 PM

Microsoft has revealed some of the security changes to the upcoming Internet Explorer 7 and Windows Vista–changes that could cause trouble for some Web sites.

One key change is that Explorer will disable SSLv2, an older version of the Secure Sockets Layer (SSL) protocol. SSL is used to carry out secure Web transactions. In its place, Explorer 7 will continue to support SSLv3 and will enable Transport Layer Security (TLS) v1, a newer protocol.

The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1, Microsoft said on its Internet Explorer Weblog, part of the Microsoft Developer Network.

Some Sites Need Updates

Microsoft downplayed the possible disruption caused by the change.

“It’s a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2,” writes IE program manager Eric Lawrence on the blog. “Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.”

The company said security is a priority for the Explorer update, and has been soliciting suggestions for improvement–even from hackers.

SSLv2 was the first public version of SSL, and suffers from several well-known weaknesses–for example, it doesn’t provide any protection against man-in-the-middle attacks during the handshake, and it uses the same cryptographic keys for message authentication and for encryption. These and other problems have been fixed in SSLv3, but the older version is still supported by most browsers and is in use on some systems.

IE 7 will introduce some changes to the user experience, including blocking navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL’s hostname–for example, secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.

Instead of giving the user a dialog box asking how to resolve these problems, as IE currently does, the browser will present an error page explaining the problem. The user can, however, choose to continue browsing the site, unless the certificate has been revoked, Lawrence said. If the user continues on, the address bar will be colored red as a reminder of the problem.

“Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate,” Lawrence advised.
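As an added illustration of the certificate checks described above (this is not IE7’s code and not from the article), a small Python routine that classifies a certificate into the problem cases the post names and applies the continue-unless-revoked rule. The hostname check also accepts a single-label wildcard, which goes beyond the exact match Lawrence advises; the certificate fields, host names and trusted-root set are constructed sample data.

```python
from datetime import datetime, timezone

def hostname_matches(url_host, cert_names):
    """Case-insensitive exact match of the URL host against the names in the
    certificate, plus the single-label wildcard form ("*.example.com" covers
    "www.example.com" but not "example.com" or "a.b.example.com")."""
    host = url_host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def classify_certificate(url_host, cert, trusted_roots, now):
    """Return (problems, action): 'allow', 'warn' (error page, the user may
    continue and gets a red address bar) or 'block' (revoked, no continue)."""
    problems = []
    if not hostname_matches(url_host, cert["names"]):
        problems.append("hostname mismatch")
    if cert["issuer"] not in trusted_roots:
        problems.append("untrusted root")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("expired or not yet valid")
    if cert["revoked"]:
        problems.append("revoked")
    if not problems:
        return problems, "allow"
    return problems, ("block" if cert["revoked"] else "warn")

# Constructed sample data (hypothetical names, not taken from the article).
NOW = datetime(2005, 10, 27, tzinfo=timezone.utc)
TRUSTED_ROOTS = {"Example Root CA"}
CERT_MISMATCH = {"names": ["secure.example.com"], "issuer": "Example Root CA",
                 "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
                 "not_after": datetime(2006, 1, 1, tzinfo=timezone.utc),
                 "revoked": False}
CERT_REVOKED = dict(CERT_MISMATCH, names=["www.example.com"], revoked=True)
CERT_OK = dict(CERT_MISMATCH, names=["*.example.com"])
CERT_SELF_SIGNED = dict(CERT_OK, issuer="www.example.com")

if __name__ == "__main__":
    for label, cert in [("mismatch", CERT_MISMATCH), ("revoked", CERT_REVOKED),
                        ("ok", CERT_OK), ("self-signed", CERT_SELF_SIGNED)]:
        print(label, classify_certificate("www.example.com", cert, TRUSTED_ROOTS, NOW))
```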

Other Security Changes

If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the non-secure items be rendered.

Lawrence said this could head off future types of attacks. “Very few users (or Web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page,” he wrote.
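An added example, not from the article or from Microsoft: a scanner that lists the HTTP-delivered subresources an HTTPS page would render, which is the mixed-content condition IE7 stops displaying by default. It flags only elements the browser fetches and renders (scripts, stylesheets, images, frames), not plain links; the page URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches and renders as part of the page.
_FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "object": ("data",), "audio": ("src",), "video": ("src",),
    "source": ("src",), "link": ("href",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []          # (tag, absolute URL) for each HTTP subresource

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # <link> only loads something when it is a stylesheet or icon.
        if tag == "link":
            rel = (attr_map.get("rel") or "").lower().split()
            if not ({"stylesheet", "icon"} & set(rel)):
                return
        for attr in _FETCH_ATTRS.get(tag, ()):
            value = attr_map.get(attr)
            if value:
                # Relative and scheme-relative references inherit https from the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return the HTTP subresources an HTTPS page references; [] for HTTP pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure

# Constructed sample page (hypothetical hosts).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://tracker.example.net/pixel.gif">
<a href="http://www.example.com/help">help</a>
<iframe src="https://pay.example.com/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/account", SAMPLE_HTML):
        print(f"insecure <{tag}> loads {url}")
```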

Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.

A change to Vista’s Transport Layer Security (TLS) implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.

“If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present,” he wrote.

http://www.pcworld.com/news/article/0,aid,123215,tk,dn102605X,00.asp

Exploit unleashed for Windows plug-and-play flaw

March 8, 2008 – 6:00 PM

Exploit code was published on Friday for a Windows flaw similar to the vulnerability that led to the Zotob worm that wreaked havoc in August.

The code takes advantage of a bug related to plug-and-play technology in Windows 2000 and Windows XP. Microsoft provided a patch for the flaw on 11 October in security bulletin MS05-047, along with fixes for 13 other Windows flaws. The software maker rated the issue “important”.

The plug-and-play exploit code is not the first to surface for a flaw that was fixed in Microsoft’s October patch cycle. Other exploits have been published on the internet or reported privately. Release of such code is typically a prelude to an attack. However, while some experts have raised the worm alarm, attacks have yet to appear.

The exploit causes a vulnerable system to crash but it’s unlikely to be used for a worm, a Symantec representative said. “It does not gain local access to machines,” the representative said.

A Microsoft representative said on Friday the company is aware of the latest exploit code but noted that no attacks were reported. “Microsoft is actively monitoring this situation to keep customers informed,” the representative said in an emailed statement.

The vulnerability lies in the same Windows component that Microsoft provided a patch for two months ago. That flaw led to the spread of the Zotob worm, which took down systems across the US, including at television network ABC, cable news station CNN and The New York Times.

Microsoft urges users to apply the MS05-047 patch. Users who updated their system with the MS05-039 fix delivered in August are somewhat protected against this flaw as well, the company said. However, if that patch is not installed, the latest flaw could be exploited remotely by an anonymous user on Windows 2000 systems, the company said.

http://software.silicon.com/malware/0,3800003100,39153583,00.htm

Threat Alert: Spear Phishing

March 8, 2008 – 6:00 PM

“After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: …” Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?

Today’s phishers hope so. In fact, the excerpt above didn’t appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or “spear-phishing,” attack against the small, 33,000-member university credit union this May. Another widely reported incident involved an Israeli company that used spear-phishing techniques to install spyware on PCs at the office of one of its competitors.

According to Peter Cassidy, secretary general of the Anti-Phishing Working Group, spear phishers act much like marketers, crafting a message and then directing it to just the right people.

These targeted attacks make better use of social engineering to trick people who are tuning out the widespread spam of typical phishing attacks, Cassidy says, but who might not expect an e-mail aimed at a smaller company or organization.

Expect it: According to IBM’s Global Security Index report, intercepted spear-phishing attempts exploded from a mere 56 instances in January to more than 600,000 cases in June.

http://www.pcworld.com/news/article/0,aid,122497,tk,spx,00.asp