Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:Microsoft Security
Microsoft Security. What's it all about? Is it good, or is it whack?
I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.
Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).
-
Yeah, right... If Microsoft were really taking security seriously, why would they not yet fix the IE phishing (URL obfuscation) bug? This is such a simple thing to fix, and it has been public knowledge since at least December 9.
For an indication of just how seriously Microsoft is taking security, rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chunk of javascript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users into disclosing sensitive info). Microsoft also suggests viewing email as text-only... effectively reading all the html source, and changing to the high security profile (turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.
All because they couldn't fix this simple problem quickly.
Yeah, that's taking security seriously!
-
Re:Freedom.
Frankly, I find the lines between the two becoming a bit blurry, hence my "just" linking.
Were you aware that the US is placing customs officials in European ports? Requiring all airlines flying to the US to submit passenger data within x minutes of taking off? Is mandating (at least on Qantas flights to .au) that you're not allowed to stand in line in front of airline toilets? Is attempting to prosecute foreign nationals for breaking (insipid) US laws by proxy? Is sending foreign travellers suspected (incorrectly) of terrorist affiliations to be tortured by third world secret police?
Seemingly unrelated, right?
I'm an American citizen living abroad, who is proud of the values that my country stands for, at least in theory. I want to be able to stand up and use "us" as a shining example to others--I actually believe all that "poor, huddled unwashed bell-bottom-clad masses crap", and bits about freedom of speech and assembly and religion and and and.
It just pains me right now to see the US setting such a shitty example to the rest of the world, both by childish, idiotic policies at home, and ham-handed attempts to bring a lot of aspects of international politics in line with the government's way of thinking; it sets a bad precedent, and doesn't present my country in the enlightened manner in which I think it could.
That's all. -
Re:My Experience with the Linux
-
How much time on Linux?
Let's see...
For this month...
$top
13:04:33 up 30 days, 8:58, 0 users, load average: 0.36, 0.96, 0.60
Tasks: 131 total, 2 running, 129 sleeping, 0 stopped, 0 zombie
About the only time wasted this month is getting OpenOffice.org to start. But that's when I go get something to drink, and it is usually running by the time I come back. And that should change for the better when I upgrade to the latest release whenever I decide to do that. I generally leave it running in the background when I'm using it frequently.
In fact, prior to the Microsoft blackout in the Northeast last summer, the uptime on my desktop was over 100 days. And I'm averaging about a month uptime now because I'm adjusting my configuration for other reasons and need to shut down about once a month.
How much time are you wasting solely on booting? Virus scanning? How much time virus scanning for the year? How much of your computer's resources are being used to run that virus scanner in the background? I've seen a few friends' and former co-workers' computers running virus scanning in the background. It isn't pretty. How much time cleaning out other computers in the family for viruses? How much $ are you wasting on the anti-virus protection racket every year?
-
Re:can't view link
I guess you don't mind having a compromised system. Or haven't you heard? That's right, along with Debian and GNU, Mozilla's servers had the recent misfortune of being rooted. One more security failure for the open sores community.
-
Re:Spammers are beginning to organise
Your post reminded me of an article I read a few weeks ago (probably posted on /.), where a distributed spamming technique was exposed. The method was exploiting a php weakness (register_globals) to upload and run a script that installs a binary file in /tmp, its purpose being to send spam from several (hard to evaluate how many servers could be infected by that kind of weakness) web servers.
This very interesting article can be found here: http://www.securityfocus.com/guest/24043 -
Re:why is MS always the target?
AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...
There are worms for ICQ, AIM and MSN. Yahoo IM is the only one that doesn't have a worm right now.
MSN worms have been around for a while now. This isn't news in any way. The worm relied on a website that is now shut, so the worm is effectively disabled.
If you want to know about IM spreading worms, read this or this -
who cares about privacy
Will VoIP be Wiretap Ready?
"according to FCC filings, FBI officials had a more private meeting with half-a-dozen FCC staffers to reiterate the Bureau's view on the matter: VoIP should be regulated -- at least enough to ensure that the FBI can listen in."
-
Re:Electrons in universe
What you describe is called a "salt". It's standard for storing hashed passwords and protecting against dictionary attacks, or comparing a user's passwords on two different systems. Maybe you know that already.
Here's a pretty good recent thread on the subject from SecurityFocus' secprog list.
-
Not OnStar
I got an impression that it was exactly OnStar technology
Minor quibble. Same technology, but not the same company. It was Tele Aid (from ATX, used by Mercedes Benz), not OnStar, that was involved in this case. This is covered by Kevin Poulsen in this SecurityFocus article. -
before using ipsec...
..make sure that you have read this
Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example, did you know that the ike implementation in 2000/XP simply checks the signer of the server's certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.
The article is very lengthy, I know, but definitely worth your time. -
Re:Nice idea (?)
Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in IT security.
That's not even a good troll. Actually, SecurityFocus is owned by Symantec Corporation:
SecurityFocus was acquired by Symantec Corporation in the fall of 2002, and Symantec has since incorporated the SecurityFocus commercial products DeepSight Threat Management System and Alert Services into its product line. Part of the purchase agreement was to keep SecurityFocus as an independent Website that is not influenced by Symantec corporate policies or products. The SecurityFocus Website retains full editorial discretion for all content and remains a vendor-neutral voice for the security community.
Now, it can be argued that Symantec is Microsoft's little bitch, but that's another flamewar entirely... -
8.5 years.
This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years. From one computer, if I understood correctly. Quite worthless, considering recent Security Focus spam column.
-
Patch didn't work for me
Hey guys, I'm here at my office running on a Win2k machine, with IE 6.0.2800.1106. I just installed the patch then tested it against the proof of concept code at this location and the exploit still worked for me. The code went through, and did display www.microsoft.com in the address bar as it should have.
I'm not sure if anyone else is having luck with this patch working or not. Maybe I did something wrong? But for my initial test, it failed for me. Proof of concept code was located through Bugtraq -
Mac OS X buffer overflow/privilege escalation
Well, if default settings in OS X made Lance Ulanoff excited, this is going to give him wet dreams... SecurityFocus's Bugtraq mailing list just posted this. The message seems to indicate other exploits exist but were not mentioned. The exploit in question appears to deal with Apple's ISO 9660 file system implementation. No word on whether "Max" alerted Apple or anyone outside of the Bugtraq mailing list though.
-
New Mac OS X vulnerability... Buffer overflow/priv
Sorry if this is redundant... new vulnerability posted to bugtraq... and you got to love the banter ("It appears that parts of MacOSX that didn't come from BSD are not very well written and have significant security issues."):
-
My shopping list
I considered a USB coffee cup warmer for my husband until I read that it only keeps coffee lukewarm. I also considered the WFS-1 wifi detector, which is far superior to the Kensington model, but I nixed that because it doesn't distinguish between open and closed networks.
If we were filling stockings for grown-ups, I'd have gotten a bunch of Cyberguy Power Strip Liberators, which double your outlet access and are only $2.39 each. I have some and love them.
I was going to get my puzzle-loving brother-in-law a Shmuzzle Puzzle, but the U.S. rerelease, which had been scheduled for Dec. 3 on QVC has been postponed indefinitely. Canadians can buy them over the counter.
Some of the geekier presents I ordered for my nieces and nephews, all of whom are of course brilliant:
- Harry Potter Wizard Chess and Chess for Juniors for 8 year old.
- Skyrail Suspension Marble Run for artistic 9yo and engineering 5yo.
- Smart the Dog LEGO set for 9yo (also considered Motor the Monkey set).
- Techno Blocks, "the world's only preschool remote-control construction toy", for my 5yo engineer.
- Terry Pratchett's delightful Bromeliad (fun for ages 5 to adult) to begin reading aloud and then leave behind.
- Grow-a-Frog kit for 8yo naturalist.
- Geometric and creative Images coloring kit for artistic 6yo.
- Cattus Petasatus [Cat in the Hat] and a Latin dictionary for a sister-in-law.
- 500-in-1 electronic project lab for grown sister-in-law because you're never too old to learn. (Note the large discount over the Amazon price.)
- Disney's Princess Magical Dress Up software to encourage my 6yo niece to wrest the family computer from her 8yo brother (although that may be futile, since we're also giving him a Real One Arcade subscription).
Slightly less geeky gifts:
- Family Classics 50 Movie Mega Pack 12-DVDs at only $29.99
-
If true, then SCO admins are utterly incompetent
Information on how to stop SYN attacks has been available for ages.
-
Re:Nokia 6310i
Agreed, I've got a 6310i myself and it's great. Definitely rock solid. You also forgot to mention the great battery it has.
;-) Unfortunately though, Nokia kind of fell through on their bluetooth implementation. (i.e. don't go walking around with bluetooth enabled on it. Think wardriving for cell phones, kind of). Another poster also mentioned that it doesn't support iSync. Shame for both of those.
-
Re:Threat...
As with some of the other posters in this thread, you seem to have misunderstood my original post... I do not argue that spam is a problem, but I would also argue that it is also not a threat to the infrastructure of the network...
I would (perhaps) have been more inclined to agree with you before I read this.
The problem is that we shouldn't blow this out of proportion. We need to look at this from both a social and technical angle.
Quite true. I agree wholeheartedly.
From what I've seen in the past, many companies have not even taken some of the most basic counter-measures against spam.
I'm not sure on which end you mean. Unsecured "open relay" mailservers are not a major source of spam these days; the spammers have moved on to exploiting vulnerabilities and installing zombie networks for that. It's true that adoption of filtering technology has taken a long time to reach the end user, but for the most part I attribute that to the bizarre and complex nature of spam filtering. It's one of the more complex parsers you'll ever see, for sure. It's not every day something that complex becomes a "killer-app".
Spam filters and block lists should be standard for almost any mail server installation.
Hear hear! -
Supply a link, this article says IE only.
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
-
Re:Do-it-yourself blacklist?
Don't drop the connection. Tarpit.
Also, if spammers are using distributed networks of hijacked computers, you might get the same spam from two different systems. It might be worthwhile to collect the full text of the spam you get on your tarpit machine so that you can use the hashes to identify spam sent via other methods.
(None of these are new ideas of course.) -
This is nothing new...
Google for 'honeypot' or 'proxypot.' In fact, Security Focus ran a series of comprehensive articles on honeypots, one of which is here. There's also a huge web site devoted to nothing but honeypots at this link.
Proxypots are a variation of the honeypot idea. A proxypot pretends to be an open proxy server which, instead of actually passing traffic sent to it, simply logs what's going on and sends the actual traffic to a specific destination specified by the proxypot operator. This can be Dave Null's in-box or anywhere else said operator wants.
Details of proxypots may be found here, and here, just to name a couple.
Keep the peace(es).
-
Re:linksys box?
-
Re:Treating the symptom, not the problem
that, but really isn't the problem that their software was riddled with design and security problems?
That's a pretty common problem with Diebold systems though - they give a very good impression of having no understanding at all of any computer security concepts... pop quiz, would you rather trust them with your votes or your money?
Fuckwits can't even make their ATMs safe from Windoze RPC DCOM worms after M$ put out the patch. Though what we're doing allowing cash machines to run M$OS (with RPC turned on!) is beyond me. -
Re:it wouldn't change anything
Did you just make those times up, or is there some sort of software development timeline that I don't know about involving bugfixes?
BugTraq FAQ, 0.1.8 What is the proper protocol to report a security vulnerability?
Quoting:
A sensible protocol to follow while reporting a security vulnerability is as follows:
- Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
- If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time post to the list.
- If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.
While this text says "appropriate time to fix the vulnerability", I've seen the 1 month estimate thrown around many times. I did not make it up either, but it's not as trivial to find as the 1 week guideline. It is true that some types of bugs should be fixed (and tested) more rapidly while others may take longer, so perhaps this bugtraq guideline is best. But "right now or else" and "within hours" are certainly unreasonable.
Witness the recent openssh bug, which was fixed within a day (possibly several hours). Then, only a day or two later, yet another patch was issued because another instance of essentially the same problem was discovered in the course of testing the first fix. At least it didn't break anything... but there have been plenty of examples of quickly-released patches that did break something because there was not enough time for testing. My point is that it IS reasonable for the fix to take a bit of time, in the interest of getting it done correctly and testing it well, especially if the bug isn't currently being exploited and exploits aren't imminent because of public disclosure.
-
Re:Immediate full disclosure is best security prac
-
A little slow...
This was first posted on Bugtraq several days ago, five days ago to be precise... Looks like Yahoo and the rest of the media are just starting to catch on now...
It is a *new* security exploit, based on several new security holes that Li Die Yu found. Given Microsoft's history of rapid responses, I guess one could be forgiven for not even attempting a notification. Has anyone seen a patch from Microsoft yet?
;) Oh, and the way to avoid potential future exploits: disable scripting within the Internet zone... (or use another browser!)
-
Re:Umm
I don't believe that comment is correct. The same security researcher, Li Die Yu, released a number of advisories a few weeks back, that combined a number of unpatched security holes to yield some major security issues.
This time around however, Li Die Yu has released an exploit which is based on new unreleased security issues with Internet Explorer. See the original posting on Bugtraq for the full details.
-
actually, this is old
hey folks, this was posted to bugtraq some two months ago.
-
Sometimes it's all about timing
While my firm is a strong supporter of full disclosure, this is rather over the top.
What makes it worse is the timing, over a holiday weekend (Stateside), where most systems staff will be unable to apply patches or mitigate risks.
Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.
We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.
Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq.
Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.
-
Submit to Trusted Computing or be DENIED internet!
Customers using Cisco's network admission control system can permit network access only to compliant and trusted endpoint devices (for example, PCs, servers, personal digital assistants) and restrict the access of non-compliant devices.
ISP's can install these new Cisco routers and you will be denied internet access unless you submit to Trusted Computing.
The routers are advertised as fighting "viruses", but they do not in fact scan for or block viruses. What they do is first check if you are running Trusted Computing. If not, they deny you a connection. They can then be configured to verify that you are running specific software such as up to date anti-virus software.
-
I wish the world worked like that
Wouldn't it be great if the people with power believed as you do?
They don't, in case you didn't realize... at least not in the US where there is plenty of precedent for organizations being able to hurt those who develop technology that merely has potential for "badness". For example, DirecTV. See also RIAA v. ChewPlastic.com.
There is hope, however. DirecTV is facing racketeering charges for their efforts.
-
Another good article...
at http://www.securityfocus.com/columnists/198
Electronic Voting Debacle
Grave concerns over the security of electronic voting machines in the United States means the heart of American democracy is at risk.
[snip]
"...The Big Issue: Security
So, how do you know that the machine actually counted your vote? You don't! Oh sure, you may see a screen at the end of the process that shows you what you selected ... but how do you know that those choices are actually tabulated? The answer: trust the companies that make the machines. But that attitude, if it ever made sense, has been shown to be not just wrong but foolhardy in the past several months... " -
3rd Party Fix
This BugTraq post links to a Japanese page with a fix (English text at the bottom).
I was a bit dubious at first, but the patch includes source code. I did install the supplied binary, though...
What I'm really surprised about however is the fact that a) a third-party developer can fix a problem like this at all, and b) how easily the fix can be hooked into Safari. It appears that this OpenStep/Cocoa framework stuff is really flexible...
Oh and yes, it does work!
-
Re:Common sense snippets
Hi
Being labelled arrogant is maybe the worst thing someone can say to me. You hit a loaded point here. Whatever. But I maintain my point: Linux is more secure than Windows.
For viruses: go there
For vulnerabilities: go there, or there.
Again, crude attack figures do not mean anything. And vulnerabilities, in my opinion, do not mean much, for they cater to local overcomes. Maybe a more interesting comparison would be to know how much money the OSS and proprietary software worlds lost as a result of viruses and vulnerabilities.
Regards,
Jdif -
temporary patch
-
Re:Nothing new...
You must work at Lowe's!
-
Re:Hey! Shortsighted people!
This patent describes the simple use of hash-busting characters in email messages.
System and method for counteracting message filtering
Abstract
A system and method for circumventing schemes that use duplication detection to detect and block unsolicited e-mail (spam). An address on a list is assigned to one of m sublists, where m is an integer that is greater than one. A set of m different messages are created. A different message from the set of m different messages is sent to the addresses on each sublist. In this way, spam countermeasures based upon duplicate detection schemes are foiled.
This isn't "providing slimeball spammers with yet a bigger hammer". It's a bread-and-butter spamming technique. Almost all the spam I get is salted with random letters or dictionary words in the address or message body to change the hash (and is therefore infringing on AT&T's new patent). We just saw a story a few days ago where spammers were sprinkling fraudulent scam emails with hash-busting characters to get past filters.
One of the nice things about spammers is that (unlike their opponents) they rarely patent the circumvention mechanisms they use, leaving their bag of tricks open for intellectual property land grabs like this one. Compared to laws against spam, which for the most part hardly exist, patent law rests on sound international footing and gives AT&T much greater leverage against spammers who are now patent infringers. Good for AT&T. I wish I'd thought of it first.
It's lunacy to assume that AT&T secured this patent for any other reason, like productizing this stupid patent. Are they going to sell a new software suite for spamming? Spammers aren't an ideal software market by any reasonable standard. There's only 180 of them. AT&T would sell one copy, it would get pirated 179 times, everyone with a copy would start spamming warez versions of it, and that would be the end of it. Assuming that spammers cared about using patent-encumbered software at all, which they don't. And AT&T would alienate its customers in all the other markets they're in. It would be like a Christian bookstore opening a bondage videos section. It makes no sense. I can't understand how anyone could possibly take the outrage in this article at face value.
What is really amazing about this patent is what it says about the research done by the USPTO. I bet the USPTO examiner received a dozen examples of prior art in his own inbox the very day he approved this patent, and he approved it anyway!
-
Re:Yet more proof...
most hackers are just out to do good
Meantime, somewhere else on SecurityFocus: Wireless hacking bust in Michigan.
And as this is a duo, the statistics for today total: 1 team of good hackers and 1 duo of bad hackers.
What would happen if people didn't draw conclusions based on nothing?
-
Scary and sad
When someone sent out spams attempting to scam people with accounts with Sony Financial Services, I contacted them about it and they promised they'd have someone call me first thing next day. They never did.
Sadly, the only thing that corporations care about today is the bottom line. (This is the reason the Microsoft antitrust case was such a farce, by the way.) This story reminds me of the story about Kevin Mitnick testifying against Sprint in the Vice Hack Case:
[...] "to my knowledge there's no way that a computer hacker could get into our systems." [...] to the company's knowledge Sprint's network had "never been penetrated or compromised by so-called computer hackers." [...] Two hours later, Mitnick returned to the hearing room clutching a crumpled, dog-eared and torn sheet of paper, and a small stack of copies for the commissioner, lawyers, and staff. At the top of the paper was printed "3703-03 Remote Access Password List." A column listed 100 "seeds", numbered "00" through "99," corresponding to a column of four digit hexadecimal "passwords," like "d4d5" and "1554."
Truly scary. Scary and sad.
-
One Day? With a single computer?
A somewhat similar project, i.e. the semi-private Internet Auditing Project by Liraz Siri (for which BASS was written) five years ago (only 36,431,374 hosts, mind you), took twenty days with five scanning nodes. I highly doubt today's Internet could be scanned in one day with a single host. Remember that this single host will be attacked, like Liraz Siri's hosts were:
"Wednesday, our Russian scanner runs into trouble. A denial of service attack, 512kbps stream of packets amplified 120 times strong over an unsuspecting Canadian broadcast amplifier. Half a world away, the packet storm brings a large Russian ISP to its knees, overwhelming its available bandwidth. Ouch.
Apparently, we stepped on someone's toes. At first, we assumed this was somehow connected to yesterday's *.mil scan, but no, it was just some ill-tempered English fellow who didn't appreciate getting probed last Monday. [...]
The attack lasted 16 hours straight [...] Anyway, one of our backups (also in Russia) quickly substituted for the lost computer as soon as we noticed the attack 6 hours later at 255 JPM, with no other significant setbacks to our week's schedule." [emphasis added]
The keyword here is "backups." Remember that when scanning the entire Internet you will step on someone's toes.
(By the way, it's good that this story was posted on Slashdot, since I could be the one counterattacking them and making an idiot out of myself --- not that it has ever happened before...)
-
Even Scarier
...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!
Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=mainstry (Link). But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".
Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.
For those who aren't too quick on the mouse, part of the text of the "expired" article is here:
Citibank, a division of Citigroup, said "numerous" people received the e-mail, which purported to advise them of conditions affecting their accounts.
SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.
It said the e-mail linked to a Web site that looks like Citibank's, and asked customers for their Social Security numbers, a form of identification. Scammers can use such data to obtain credit cards or access to bank and other accounts.
The bank urged recipients to delete the e-mail and call the customer service number on their automatic teller machine cards. It said that the company is working with law enforcement and that its systems have not been compromised.
-
FYI on the link provided...
From the bottom of the page: Want to link to this message? Use this URL:
Simple enough, eh? The link in the story is currently not the recommended link...
http://www.securityfocus.com/archive/1/344214 -
Re:Remotely vs. locally exploitable
Just have a look at bugtraq to get a feeling about how many bugs are Windows only, how many Linux/Unix related and how many cross site scripting (XSS).
We shouldn't fear biased comparisons which are made only to spread FUD.
-
Re:Apple DID NOT initially plan to patch Jaguar
According to this message that I read on Bugtraq, http://securityfocus.com/archive/1/342825/2003-10-30/2003-11-05/2, Chris Wysopal from @stake says "When we reported these issues to Apple they told us that they would have them fixed in the Panther release timeframe. To be honest, I assumed there would also be a patch for 10.2. We certainly didn't dictate any specific way of releasing the fixes." -
Re:This happened thrice before...
Yes, it happened a few times...
...with a Carnivore review team...
...with a justice department document...
...and a CIA document containing agent's names
W -
(please ignore my nick)
This is one of those common trolls. You'll see it every other linux story if you browse at -1.
It even ends up on other sites.
Doesn't change the fact that it's rather amusing. But when you get this many replies... ugghh... my fag-senses get tingly.