Service@amazon.com

I review books.

I submit these book reviews to various mailing lists, where the topic is appropriate.

I also run mailing lists (on Yahoo, Topica, and now Google) that carry the full set of reviews.

Somebody keeps on subscribing “service@amazon.com” to my lists.

service@amazon.com bounces any traffic to it. It tells you to contact Amazon’s help Web site.

As anyone who has tried it knows, Amazon’s help pages are massively unhelpful. (They may be of some marginal assistance if you have placed an order that hasn’t come: not ever having purchased anything through Amazon I wouldn’t know.)

I keep removing and banning service@amazon.com from my lists. It keeps coming back.

I have tried contacting Amazon.com. It is impossible to get past the first level of what is laughingly known as “support.” Their position is that Amazon doesn’t do that. (It is not entirely clear that they have a firm idea of what “that” is.)

It is possible that someone has been spamming out messages using service@amazon.com as a return address. If that were the case, why wouldn’t the address show up on my (many) other mailing lists that are not directly related to books?

It is possible that someone has been trying to set up Amazon by trying to subscribe this address to my book review list. However, if that person were not associated with Amazon, how would they obtain the response that Yahoo (and other mailing list systems) sends back to confirm that the address is good?

It is possible that someone at Amazon, buried deeply enough in the IT area that they have access to the service@amazon.com account, is so technically incompetent that they neither know nor care how annoying this is. At the moment, that seems the most likely option …


Ginwui/Oscor/Gusi… - working CME is needed

The Common Malware Enumeration (CME) initiative aims to provide single, common identifiers to new virus threats (i.e., malware) for the benefit of the public.

says the FAQ section of Mitre’s project site.

But are there ‘common identifiers’ for recently spreading malware? Some examples of the different names assigned to the new Word Trojan and its dropper component:

BackDoor-CKB (McAfee)
Backdoor.Ginwui (Symantec)
BDS/Ginwui.A.4 (Avira)
Ginwui.A (F-Secure)
Gusi.A (Panda)
Trojan-Dropper.MSWord.1Table.bd, Backdoor.Win32.Gusi.a (Kaspersky)
Troj/Oscor-B (Sophos)
Win32/Ginwui (CA)
Win32/Ginwui.A, BKDR_GINWUI.A (Trend Micro)
W32/Ginwui.A (Norman)
etc.

BTW: why was it named Ginwui, when the DLL it uses is Winguis.dll? Maybe the reason is the same as in the Bagle/W32/Beagle case: some vendors just add an ‘e’ to the name… If you are interested, check the CME-328 entry at cme.mitre.org/data/list.html#328.
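The naming confusion in the list above can be shown mechanically. The following is an added example (not part of the original post, and not a CME or MITRE tool): it strips the type and platform words vendors commonly prefix, keeps the token that remains as the "family", and groups the names quoted above by it. The separator set and the list of generic words are this example's own assumptions.

```python
"""Group vendor detection names by the family token they share.

Added example, not part of the original post and not a CME/MITRE tool.
The names are the ones quoted in the post; the separator set and the list
of generic type/platform words are assumptions of this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Detection names quoted in the post, keyed by vendor.
VENDOR_NAMES: Dict[str, List[str]] = {
    "McAfee": ["BackDoor-CKB"],
    "Symantec": ["Backdoor.Ginwui"],
    "Avira": ["BDS/Ginwui.A.4"],
    "F-Secure": ["Ginwui.A"],
    "Panda": ["Gusi.A"],
    "Kaspersky": ["Trojan-Dropper.MSWord.1Table.bd", "Backdoor.Win32.Gusi.a"],
    "Sophos": ["Troj/Oscor-B"],
    "CA": ["Win32/Ginwui"],
    "Trend Micro": ["Win32/Ginwui.A", "BKDR_GINWUI.A"],
    "Norman": ["W32/Ginwui.A"],
}

# Words that describe malware type or platform rather than a family
# (assumed list; real vendor vocabularies are much larger).
GENERIC_TOKENS: Set[str] = {
    "backdoor", "bds", "bkdr", "troj", "trojan", "dropper",
    "win32", "w32", "msword", "1table",
}

# Separators vendors commonly use between name components (assumed).
SEPARATORS = re.compile(r"[./_\-:!]+")


def family_token(name: str) -> Optional[str]:
    """Return the family token of one vendor detection name, or None.

    Generic words, all-digit tokens and short variant suffixes (A, B, bd)
    are dropped; the first surviving token, lower-cased, is the family.
    A name made only of type/platform words (Kaspersky's dropper name)
    yields None. A vendor serial such as McAfee's 'CKB' survives because it
    is not a known generic word, which is exactly the ambiguity the post
    complains about.
    """
    tokens = SEPARATORS.split(name)
    candidates = [
        t for t in tokens
        if len(t) > 2 and not t.isdigit() and t.lower() not in GENERIC_TOKENS
    ]
    return candidates[0].lower() if candidates else None


def cluster_by_family(vendor_names: Dict[str, List[str]]) -> Dict[Optional[str], Set[str]]:
    """Map each family token to the set of vendors whose names reduce to it."""
    clusters: Dict[Optional[str], Set[str]] = defaultdict(set)
    for vendor, names in vendor_names.items():
        for name in names:
            clusters[family_token(name)].add(vendor)
    return dict(clusters)


def agreement_ratio(clusters: Dict[Optional[str], Set[str]]) -> float:
    """Fraction of all vendors whose name reduces to the most common family."""
    vendors = set().union(*clusters.values())
    largest = max(len(v) for v in clusters.values())
    return largest / len(vendors)


if __name__ == "__main__":
    result = cluster_by_family(VENDOR_NAMES)
    for fam, vendors in sorted(result.items(), key=lambda kv: -len(kv[1])):
        print(f"{fam or '(no family token)':>18}: {', '.join(sorted(vendors))}")
    print(f"agreement on the largest family: {agreement_ratio(result):.0%}")
```

Run as is, the ten vendors fall into four family tokens plus one name with no family at all; only six of ten agree on "ginwui", which is the gap a working CME entry is supposed to close.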

Some statistics from the CME list:

May: no CMEs
April: none
March: 1
February: 2
January: 1

And back to 2005:

December: none (yes, zero CMEs)
November: 3
October: 1
September: none

Conclusion:
The only notable CME name that was mentioned in the news and used in the security community is CME-24. If I say Nyxem.E, Blackmal.E, Blackworm or Kama Sutra, you’ll probably remember it ;-)

BTW: CME is sponsored by the US-CERT, part of DHS. I believe that money is not the problem…

Some related links:
CERT/CC: Computer Virus Resources
(old, but updated frequently)
www.cert.org/other_sources/viruses.html

AV-Test.org -> News
Cross Reference List of Virus Names
(not widely discussed yet)
www.av-test.org/index.php3?lang=en

“To provide a candle in the dark and diminish the current confusion, we created a cross-reference list of all virus names (.ZIP file 139 KB), based on the WildList 02/2006.”


My IRC chat with okopipi (a.k.a. Black Frog)

Well, I went to visit pipikaki, the project known as Black Frog. Actually, it’s okopipi; Black Frog merged with them. They mean well and they will send a response to this blog soon with what they are up to. This is a chat and shouldn’t be taken as more than that.

Obviously, this guy has no intentions to destroy the Internet, but it’s an interesting look at how people view the project.

Here is a chat I had on their IRC channel:

<Arancaytar> hello
<tortanick> intrestingly no one seems to know the fact black frog is not
being used as a name
<Arancaytar> Who calls it black frog?
<tortanick> Cnet mainly, and everyone’s copying them
<ge-> well, red frog will soon show up. don’t feel special. :)
<Arancaytar> red frog?
<ge-> and 10 other such frogs…
<tortanick> yep :)
<tortanick> but here, and now, there is only okopipi
<Arancaytar> anyway, I think cnet also mentioned the name Okopipi - not
for the product, only the project though.
<tortanick> they did
<ge-> they did
<ge-> i personally believe the project is doomed to failure, much like
blue security was a complete idiocy to begin with… but who am i to not
let people try?
<tortanick> I posted in the comments a few corrections, but I’m not sure
who to E-mail
<tortanick> well ge-, why do you think so?
<ge-> hmm
<ge-> okay, let me put it this way
<Arancaytar> Anyway, what is redmond magazine on - “after spammers cracked
the Blue Security code, the company decided to shut it down.” (
http://www.redmondmag.com/reports/article.asp?EditorialsID=296)
<tortanick> drugs J/K ;)
<ge-> even if DDoS by itself wasn’t hurting the Internet badly
<Arancaytar> I don’t remember the spammers “cracking” anything in the
client though.
<ge-> even if DDoS didn’t attack the server and whoever is on it, not just
the spammer (in the rare case it’s the spammers server and that they
didn’t move on by the time you attack them)
<ge-> even if it doesn’t affect the ISP
<ge-> or the Internet
<ge-> you nearly never attack the spammers
<ge-> they buy 5K domains a day, use one for spam, and throw it away
<ge-> same goes for IP’s
<ge-> (servers)
<ge-> so who do you attack?
<ge-> further, P2P is just as vulnerable to attack
<tortanick> we don’t go after spammers, far to hard a target. But there
are statioary websites, the ones who advertise by contracting out to
spammers
<ge-> that’s my 2 cents
<tortanick> we go for them
<tortanick> and blue frog proved it works
<ge-> these change even faster
<ge-> nope, they really didn’t
<tortanick> obviously not
<tortanick> they got 6 out of the 10 biggest spammers to scrub their lists
<ge-> why do every anti spam guy out there say blue security is wrong?
<ge-> you really believe that?
<tortanick> yep
<ge-> i will give you a very good reason why they didn’t
<ge-> they said they “protect their users”, correct?
<tortanick> why did all their customers reporting a drop in spam?
<ge-> do you honestly believe that?
<tortanick> yes
<frip> well, that really happened to me, for instance
<ge-> first, a list of known anti-spam people is always good for
spammers. second, a list of confirmed addresses is even better. this has
been attempted before
<tortanick> and if it didn’t work who would be willing to work on Okopipi
<ge-> plus, blue security claimed their users are safe, yet they gave
their lists to spammers
<tortanick> they gave encrypited lists
<ge-> people like you, who want to do good, know their stuff, but don’t
understand the mafia world of spam and the current technology
<ge-> no, they didnt
<ge-> see, let me ask you a question
<omry|work> ge-, they didn’t give them the list. they gave list of
hashes. its not the same.
<ge-> if you are a spammer, and you run a tool that removed addresses from
your list, can’t you see what addresses were removed?
<tortanick> You can
<ge-> okay, you run the hashes against their hashes, same difference
<tortanick> thats how the spammers got the addresses
<ge-> yep
<tortanick> but they had those addresses allready
<omry|work> ge-, of course. it was very clear to me that this is what they
did.
<omry|work> (spammers)
<ge-> further, they said that they remove random addresses
<ge-> and that way are safe from being found out (their users), right?
<tortanick> add random addresses
<ge-> exactly
<ge-> now, answer me this
<ge-> if you are a spammer, and you know that every time you run their
tool, you lose random addresses that may want to get your spam.. would you
run it?
<ge-> every time you lose more potential customers
<tortanick> if you don’t run it your clients refuse to deal with you
<tortanick> so yes I’d run it
<ge-> spam is good business
<ge-> they have clients
<ge-> those who buy from spammers obviously don’t care about blue security
<ge-> so why should they?
<tortanick> All the more reason to clean the lists
<tortanick> remove antis and you’ve only got customers left
<omry|work> because bsec put presured their clients. (advertisers)
<ge-> so: 1. they never attacked real spammers, just the INternet and
innocent bystanders, and 2. their lists were always compromised to begin
with, and no spammer would use them
<tortanick> in a word, wrong
<ge-> why is that wrong?
<tortanick> people who pay spammers to advertise are not “innocent
bystanders”
<ge-> ahh, but these people are the spammers and the mafia. further, their
sites move IP’s even every 10 minutes and a domain every time they make a
spam run. so you never attack spammers, just innocent bystanders and the
Internet
<ge-> maybe you get lucky, sometimes, but the spammer already moved on
<tortanick> thats not true ge-
<ge-> yes, it is
<tortanick> those sites are stationary
<ge-> which? where?
<tortanick> or at least, enough of them are for BS to make an impact
<ge-> i can show moving sites
* NewOkopipiUser (n=NewOkopi at 82-70-238-82.dsl.in-addr.zen.co.uk) has
joined #okopipi
<ge-> can you or BS show stationary sites?
<tortanick> I’m sure spam experts can show static
<ge-> exactly
<tortanick> I can’t though, I don’t get spam
<ge-> spam experts - ALL OF THEM, show BS was wrong
<tortanick> well mailwasher didn’t for one.
<ge-> show me a second one, and you will get 2 out of 10,000
<ge-> and the clueless ones at that
<ge-> all i am saying is
<ge-> don’t take my word for it
<ge-> check the facts on your own
<tortanick> I did
<ge-> and?
<tortanick> Blue security was the target of a DDoS, its important enough
to be a target
<ge-> of course
<ge-> the spammers got pissed and attacked
<tortanick> Download.com gave it a good rateing
<ge-> is your purpose to get attacked?
<ge-> okay, so you do this for a good download rating, making people
believe they are fighting spammers when they are not?
<tortanick> nope, but you said BS would just be going for sites that
vanish to quickly to do anything
<ge-> or sites that the spammers don’t care about or own
<ge-> yes
<tortanick> Download.com is very hard to rig
<ge-> download.com is not a spammer nor was spammed that i know of
<ge-> they offered them for download
<tortanick> if the spammers didn’t care about those sites, why did they
launch a DDoS?
<ge-> do they need a reason?
<tortanick> yes
<ge-> first, we can’t prove it was the spammers, second, I believe it was
them
<ge-> they got pissed
<tortanick> DDoS uses botnets that can’t be used for making money at the
same time
<ge-> so they got BS down
<ge-> i happen to know a thing or two about botnets
<tortanick> proving BS was effective enough to piss spammers
<ge-> and you can use them for whatever you want
<ge-> ahh, so your goal is to piss spammers off and get them to ddos the
internet?
<tortanick> nope, thats just proof that BS worked
<ge-> i am not trying to attack you, i am trying to show you that maybe
you didn’t think this though
<ge-> through
<tortanick> we did though
<ge-> so, because you piss someone off you were successful?
<ge-> apparently not enough, no offence. :)
<tortanick> yep
<tortanick> piss someone off and you’ve obviously found a way to affect
them
<ge-> okay, so if spamhaus goes and says spammers suck, they won’t get
attacked too? :)
<ge-> it’s about who mouths off more.
<tortanick> spammers are secrative, they ignore “mouthing off”
<ge-> okay, so let’s start a war. we will piss spammers off without
affecting their business, and cause a network wide ddos attack
<tortanick> you have to hit them in the wallet
<ge-> you obviously don’t know much about spam or anti spam
<tortanick> and even if that were true
<ge-> no offense, but i’d suggest cluing up
<ge-> as others less nice than me will ask you these same questions
<tortanick> causing them to rampage across the net would finally wake the
governments up
<ge-> ahh, so it’s a Scortched Earth strategy
<ge-> your goal in this project is to cause the Internet to die so that
the Government gets involved?
<ge> having irc client trouble here. :)
<tortanick> that explains your silence
<ge> <ge-> ahh, so it’s a Scortched Earth strategy
<ge> <ge-> your goal in this project is to cause the Internet to die so that the Government gets involved?
<ge> that’s what i last sent
<ge> but i have to go very soon
<ge> i wish you guys luck in fighting spammers
<tortanick> thats not the plan
<ge> i’m sure you have no wish to destroy the world
<tortanick> its just silver lining on the possible failure of the real plan
<Ehm> Hopefully the spammers will utilise the 2 braincells they have collectively and just clean their lists
<ge> :)
<tortanick> hit the spammers in the wallet like blue frog did and make them clean their lists
<ge> i sent this log to the botnets@ mailing list, let’s see what people think and who they agree with
<ge> time to discuss this once and for all.
<ge> actually, that’s the one thing i agree on this far
<tortanick> you seem quite in with the spammers crowd
<ge> it’s an economic problem, hit them economically
<ge> not really
<ge> you can google me, my name is in my /whois
<ge-> as others less nice than me will ask you these same questions
<ge-> ahh, so it’s a Scortched Earth strategy
<ge-> your goal in this project is to cause the Internet to die so that the Government gets involved?
* ge- has quit (Read error: 104 (Connection reset by peer))
<ge> erm, damn, that client was lagged
<tortanick> yep
* Entvex (n=Entvex@194.192.108.108) has joined #okopipi
<ge> and by the way, repeating something doesn’t make it right. :)
<Entvex> HI :D
<Ehm> lol
<Ehm> hi Entvex
<tortanick> no, but it was the awnser to sevral diffrent questions
<tortanick> hi Entvex
<tortanick> btw ge, this you? http://blogs.securiteam.com/?author=6
<ge> yes
* tortanick looks for comment button
* Flinty (n=Flinty@84.12.79.104) has joined #okopipi
<ge> :)
<ge> what’s your job with the project?
<Entvex> i been looking at the google grops but i can relly get an ider where the projeket is atm do any one know
<tortanick> Public relations
<tortanick> still planning Entvex
<Entvex> ok
<ge> well than, how would you like to write a response to my blog entry?
<tortanick> you know ge, its normally the job of the one making accusations to prove it
<tortanick> I’d be happy to write one but I think we’ll do it collaboratively :)
<ge> tortanick: everyone can make accusations
<ge> *shrug*
<Ehm> wow ge, couldn’t get it more wrong (@ that blog)
<ge> iehm, did you read my conversation with tortanick ?
<tortanick> lible laws, slander laws, its illegal to make reputation dammaging accusations without proof
<tortanick> we were both talking past eachother, quite an itresting log ;)
<ge> it’s not about your reputation. it’s about what you do
<ge> what you do, in simple terms..
<ge> erm
<Ehm> no I didn’t
<ge> and without trying to hurt you, as you guys are trying to also fight the good fight
<ge> is stupid and proven wrong
<ge> ehm: try reading it, maybe you can prove me wrong
<tortanick> As the accusor though, the legal system says you have to prove it
<Ehm> okopipi will throttle the opt-outs… to make sure we don’t DoS the spamvertised
<tortanick> but we’ll try and prove you wrong anyway :)
<ge> deal
<tortanick> lets get to work Ehm
<kork> good morning *cough*
<tortanick> morning :)
<ge> :)
<Ehm> afternoon kork ;)
<kork> that’s what you get for going to bed at 8am
<ge> i will post this log, and let’s see what people think. i will mention you guys will send something in to prove me wrong.
<Ehm> lol
<ge> 5 am? that’s it? geek! :)
<tortanick> Ok, but this log isn’t what I’d call a resonable discussion
<tortanick> we were both to sure we were right for one
<ge> agreed!
<Ehm> ge: What we’re doign is perfectly legal: One opt-out per spam recieved…
<ge> ehm: times how many?
<ge> let’s stop now, and contrinue this with your response to my blog?
<tortanick> of course
<ge> actually, it’s not my blog really, but the author 6 is mine
<tortanick> btw, want to change the news link from black frog to okopipi
<tortanick> or will you leave that for us to point out in our response
<ge> i think black frog is your name from now on

And I must be wrong, we will hear their response soon.

Gadi Evron,
ge@linuxbox.org.


Hoosmi - a new Word Trojan again? [UPDATED]

Information about a new trojan, Trojan.Hoosmi, is available. When executed, it opens a Word document using the current file name (possibly the file most recently opened in Word at the time of infection).

Like Ginwui, it reportedly hides all its files, registry keys etc. using rootkit technologies. It has keylogger features and attempts to download a file from a 3322.org site (SANS ISC summary here). The same domain was used in the Ginwui threat as well.
The newly generated service named “sdqgvqcm” is something totally new.
At the time of writing there is no information on whether this malware exploits undocumented MS Word vulnerabilities like this one.
Information about delivery methods will be added to this post too.

Direct link to Symantec’s write-up:
securityresponse.symantec.com/avcenter/venc/data/trojan.hoosmi.html


UPDATE:
This trojan generates files named sdqgvqcm (including saved keystrokes in a .log file) in the System folder.

# May 26th:
New Trojan.Agentdoc.B uses site 3322.org too.
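As an added example (not Symantec’s or SANS ISC’s code), the checks below look for the three indicators this post names: the sdqgvqcm service, files named sdqgvqcm in the System folder, and connections to 3322.org hosts, which the May 26th update says Trojan.Agentdoc.B shares. The proxy-log format, the service and file listings, and the prefix-matching rule for the file names are constructed for this example.

```python
"""Check host and proxy data for the Trojan.Hoosmi indicators in the post.

Added example; not Symantec's or SANS ISC's code. The indicators come from
the post; the proxy-log format, the sample listings and the prefix rule for
the file names are constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

# Indicators named in the post. A family-level starting point only:
# later variants may use other service names and domains.
SUSPICIOUS_SERVICES = {"sdqgvqcm"}
SUSPICIOUS_FILE_PREFIXES = ("sdqgvqcm",)
SUSPICIOUS_DOMAINS = ("3322.org",)

# Constructed proxy log: "<timestamp> <client_ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
2006-05-25T09:12:01 10.0.0.12 GET http://www.example.com/index.html
2006-05-25T09:12:44 10.0.0.12 GET http://updates.example.net/patch.exe
2006-05-25T09:13:05 10.0.0.31 GET http://abc123.3322.org/x.exe
2006-05-25T09:13:09 10.0.0.31 GET http://not3322.org/ok.html
2006-05-25T09:13:20 10.0.0.31 GET http://3322.ORG:8080/y.exe
"""

# Constructed service and System-folder listings.
SAMPLE_SERVICES = ["Dnscache", "sdqgvqcm", "Spooler"]
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "sdqgvqcm.dll", "SDQGVQCM.log", "sdq.dll"]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)


def host_matches(host: str, domains: Iterable[str] = SUSPICIOUS_DOMAINS) -> bool:
    """True if host equals one of the domains or is a subdomain of one.

    Matching on the label boundary avoids flagging look-alikes such as
    'not3322.org', which a plain substring check would catch.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_proxy_lines(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, host) for every request to a suspicious domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        h = HOST_RE.match(m.group("url"))
        if h and host_matches(h.group("host")):
            hits.append((m.group("ip"), h.group("host").lower()))
    return hits


def flag_services(service_names: Iterable[str]) -> List[str]:
    """Service names that match the indicator, case-insensitively."""
    return sorted(s for s in service_names if s.lower() in SUSPICIOUS_SERVICES)


def flag_system_files(file_names: Iterable[str]) -> List[str]:
    """File names in the System folder that start with an indicator prefix."""
    return sorted(f for f in file_names if f.lower().startswith(SUSPICIOUS_FILE_PREFIXES))


if __name__ == "__main__":
    print("proxy hits:   ", flag_proxy_lines(SAMPLE_PROXY_LOG))
    print("services:     ", flag_services(SAMPLE_SERVICES))
    print("system files: ", flag_system_files(SAMPLE_SYSTEM_FILES))
```

The domain check matches on the label boundary on purpose: a substring test for "3322.org" would also hit unrelated hosts, while the boundary test still catches any subdomain of the dynamic-DNS provider, which is where these downloads are hosted.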


Black Frog (okopipi): next generation botnet. No generation spam fighting.

Black Frog – a new effort to continue the SO-CALLED Blue Security fight against spammers. A botnet, a crime, a stupid idea that I wish would have worked.

News items on Black Frog.

Blue Frog by Blue Security was a good effort. Why? Because they wanted to “get spammers back”.

They withstood tremendous Distributed Denial of Service (DDoS) attacks and abuse reports, getting kicked from ISP after ISP.
They withstood the entire anti-spam and security community and industry saying they are bad.

The road to heaven is filled with good intentions. Theirs was golden, but they got to hell, quite literally, nonetheless.

They did not hurt any spammer (okay, maybe one), as their attacks reached servers the spammers had already moved from, domains the spammers had already dumped for the sake of thousands of other bulk-registered throw-away domains, and so on.

Their attacks did reach hacked machines which hosted other sites. Their attacks reached ISPs with other users, and their attacks hurt the Internet as well as these other legitimate targets.

Blue Security also got a lot of PR, good and bad, but they were not here first. Lycos Europe with their “make love not spam” effort was. ISPs globally null-routed that service, as it was indeed, much like Blue Security’s, a DDoS tool built on a botnet. A botnet in this case being numerous computers controlled from a centralized point to launch, say, an attack.

Lycos Europe soon realized their mistake and took their service off the air. Blue Security had 5 million USD of VC money to burn, so they stayed.

Even if they did reach spammers with their attacks (which they didn’t), they would still hurt so many others with the attacks, and the Internet itself. When Blue Security came under attack they themselves said how DDoS attacks are bad, and their fallout hurts so much more than just their designated target.

That said, who is to determine said target?

When Blue Security went down, some of us made a bet as to when two bored guys sitting and planning their millions in some café would show up with Blue Security’s business plan minus the DDoS factor. Well - they just did.

Thing is, a P2P network is just as easy to DDoS. It has centralized points.

It is, indeed, a botnet.

I want to kick spammer behind too, but all I would accomplish by helping these guys is performing illegal attacks and hurting the Internet as well as innocent bystanders.

This business model will not last. It will get PR, but it will not be alone. Ten other efforts just like this one will follow. Now that Black Frog has made its appearance - sooner rather than later.

How long is this journey of folly going to continue? Any service provider which hosts them is as guilty of the illegal DDoS attacks as anyone who signs up with them.

The way to kick spammer behinds is to, plain and simple, put them in jail. I.e., change the economics. Make it riskier and less cost-effective for the Bad Guys to spam.

Stop Black Frog Now.

I will keep updating about this latest useless harmful project on the blog where this is written, http://blogs.securiteam.com.

Gadi Evron,
ge@linuxbox.org.


Fiber-Optics Wiretaps: ISP Logistics, Technology and Security Analysis of the NSA’s Operation

US based folks may be more interested in the privacy implications of the recent AT&T/NSA “gate”. I am too, but what interests me even more is the detailed technology disclosed on how AT&T implemented sniffing on fiber optics, how ISP’s handle the logistics of answering the legal call of wiretap needs, as well as analyzing possible security fail points in the NSA’s operation (if indeed it was theirs).

Why the NSA did good
It’s been known for years that listening to optical lines is possible. It has been known for years the NSA listens to the Internet. It has been known for years that much of the Internet’s backbone sits in the US and AT&T is a big part of that. It’s been known that US citizens also use the Internet.

No one really wrote until now about how listening to optical lines is possible, but my most serious reply to that is carbon-copied from a friend: DUH.

How else did the American citizens expect the NSA to do this? There are naturally other ways which we will not discuss today, but the backbone sits on American soil, are you telling me the NSA should not use it? That is just plain silly.

The NSA’s mandate as far as I understand it, especially after the 70’s fiasco’s, is SIGINT on everything except US citizens/companies/etc. I bet it is very difficult to filter out such possible domestic communication, but that is why they have such brilliant minds working for them. Which brings us to the FBI and Carnivore -

Why the FBI f*cked up working with ISP’s
I should probably point out that if I was a major ISP often asked to answer the call of law enforcement with legal wiretaps, this could be very annoying as well as technologically a killer to my network architecture.
Just sticking some hub somewhere in my network may not cut it, and will certainly not cover all of the communication. What about different lines and locations?

As a large provider, AT&T probably had to find better solutions to the call of the law, or rely on the law’s technology not killing their business.

This indeed happened before. According to one NANOGer at the FBI’s Carnivore presentation a few years ago, “sticking” just such a hub in is what caused his network to break down.

Creating a centralized wiretapping point under strict security may be just the thing to both comply and save costs, not to mention staying on the air.

The technology
Unlike copper lines, where you can use the EM emissions to “listen in”, or even cut them in half and connect them to a sniffer, with fiber optics you simply can’t. As you are surely aware, optical lines work by “transmitting” light. In order to listen in on that communication one must somehow see some of that light.
Without going too much into how this actually works, the protocols using this layer-1 and layer-2 optical hardware beam a lot of redundant light, which bounces off the “walls” of the tube in different directions until at least one of the beams in the data stream reaches the next repeater/switching point/routing point. A single sustained beam of light is often used in bigger pipes, but these also have a lot of redundancy.

Being able to use one photon for each bit of data is what everyone wants to do, but isn’t happening quite yet outside the lab. This would get even more interesting in the future with Quantum Cryptography.

In this paper released by Wired detailing the spying operation from the perspective of an AT&T employee, there are also a couple of other papers attached which detail the network architecture AT&T used to enable sniffing of the information, as well as some interesting information from a related “legal wiretapping” technology conference, ISS World.

Operational f*k-ups?
Ignoring the privacy and US legal issues for a moment, the NSA does not seem stupid enough to me to trust the operation and technology to be developed by a third-party, local organization.
My guess is that AT&T was asked to prepare the infrastructure from which the NSA could use their own gear. Perhaps even under certain guidelines, conditions and rules (such as security clearance for employees and key-pad combination locks, as the paper mentions).

Writing a paper about it so that it can be recreated seems like a good idea.

A security issue which comes to mind here is how the information was handled. This reminds me of an incident in Israel where IBM was contracted to do a certain job with The Arrow anti-missile project, and some of the code in the system was legacy code which was originally developed in the Egypt IBM office. This was a serious security concern in the Israeli military industry, and was the result of lack of supervision over third-party contractors.

I don’t see “TOP SECRET” on the AT&T document, which would at least mean this was meant to stay quiet. If it was, then AT&T obviously wasn’t following the NSA’s wishes on security very closely. We do see on some of the pages “AT&T Proprietary” and “Use Pursuant to Company Instructions”.

On the physical security level the “secret” room used for the spying seems to be in a somewhat paranoid security mode, with quite a few physical security measures, probably by NSA decree… therefore I don’t know where the security breach occurred, but was this document supposed to be released? If not, who is at fault? AT&T, the NSA or a traitor?

Maybe none of the above. This doesn’t seem like a security breach to me.

I tend to believe this information was not a secret, but just a technical solution to a business problem: complying with a potentially hazardous technical requirement of the law.

It is possible although unlikely that the NSA decided the existence of the physical wiretap was not a secret (hey, congressional hearing?), nor was the fact that fiber optics can be sniffed. If that is the case I see no security implications here either.
However, if everything but the existence of the room was to be a secret, from what happens there (physical wiretapping for SIGINT purposes) to how (breaking the optical line), security was indeed breached.

Was this breach critical? Not in the slightest.

I doubt the NSA, as a serious and secretive western intelligence organization, would want even that known. Still, we don’t know what their technology to gather the data was, how the information was processed, how and where it was saved and where it was relayed to. Then we don’t know which of it was actually seen by a human. We don’t know what their interest was, except a vague indication of “terrorism”.

Seems like this was run smoothly after all, and we, for lack of information, rush to the wrong conclusions.

My opinion
Privacy implications… what exactly was done with the wiretap, etc., we don’t know. It is far from me to even guess. It is well within the realm of possibility it was all used legally, but the infrastructure needed to exist for that. I am sure the different investigation bodies who will look into it will come to some sort of conclusions and find some scapegoats if indeed something evil was done.
They will probably even look into better monitoring of what the NSA does (i.e. more people in the know).

I don’t know much about the particulars of this case, nor what President Bush instructed. That is for the high-paranoia privacy guys in the US to find out.

I doubt the NSA, FBI and others on their own have any reason to spy on or allow spying on US citizens and/or businesses. Then again, I am not a US citizen, what do I know?

I know about logistics with network service providers, the business need to stay on the air and the problems of complying with such requests. I also know such wiretapping is possible and I know that the backbone sits on US soil.

What else do I need to know except that every other country in the world tries the same thing? Well, that the Internet is not a secure medium and people need to secure themselves. The surprise people sometimes show shocks me.

Gadi Evron,
ge@linuxbox.org.


Reporting Vulnerabilities is for the Brave

I came across this nice article: Reporting Vulnerabilities is for the Brave by Pascal Meunier. The article speaks about how frequently vulnerability researchers come face to face with the ugly side of disclosing vulnerabilities, such as in the case of Eric McCarty.

In my opinion this post is worth reading; however, I don’t agree with his conclusion that it is better to keep quiet than to tell anyone, as this is the same problem that allows (for example, though not with the same outcome) organized crime to keep existing, or, even more so, that leaves security issues “previously unknown” - or, as in the case of this article, unpublished for fear of being sued by the vendor.


Mitigating Newly-Reported Word Vulnerability

A new vulnerability has been uncovered in Microsoft Word that appears to permit the execution of arbitrary code when an unsuspecting victim opens a malicious Word document. The vulnerability is known to affect Office XP and Office 2003, but I would not rule out other versions being affected as well.

The vulnerability was first used in what appears to be a highly-targeted attack. As such, the number of compromises attributed to this vulnerability is low, and I’d expect that we’ll have at least a few days before that number climbs significantly. It is of note that the payloads of the known in-the-wild exploits require the user to be running Microsoft Word with the privileges of an administrative user. As such, organizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege.

Windows XP users have a little-used weapon that they can use to blunt the effect of the in-the-wild malicious code targeting this vulnerability: software restriction policies. By using the “Basic User” SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to. This is a stop-gap measure based on the threat profile of the in-the-wild malware at this time and is only necessary if you’re still running interactively as an administrator. If you are, it should be a priority to change that if at all possible.

I’ve produced a simple registry script that sets a Software Restriction Policy that runs any instance of ‘winword.exe’ with the ‘Basic User’ policy. Once the registry script has been imported, the SRP can be rolled back (if desired) via the Security Policy snap-in.
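The same Software Restriction Policy rule, written here as an added PowerShell example rather than the author’s own .reg script. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the Basic User level id 0x20000; the rule GUID and description text are constructed.

```powershell
# Added example (not the post's registry script): create an SRP path rule
# that starts any file named winword.exe at the "Basic User" level, so Word
# runs without administrative rights even when the logged-on user has them.
# Must be run from an elevated (administrator) PowerShell session.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP level identifiers (assumed from the Safer API): 0x40000 Unrestricted,
# 0x20000 Basic User, 0x10000 Constrained, 0x1000 Untrusted, 0 Disallowed.
$basicUser = 0x20000

# Ensure the policy container exists with an Unrestricted default, so every
# program other than Word keeps running exactly as before.
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel -PropertyType DWord -Value 0x40000 -Force | Out-Null
New-ItemProperty -Path $safer -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $safer -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
# 0x71000 makes the Basic User level visible in the Security Policy snap-in.
New-ItemProperty -Path $safer -Name Levels -PropertyType DWord -Value 0x71000 -Force | Out-Null

# Each additional rule lives under <level in decimal>\Paths\{GUID}. A fresh
# GUID is generated (constructed value), so re-running adds a second copy.
$ruleGuid = '{' + [guid]::NewGuid().ToString() + '}'
$rule = Join-Path $safer ('{0}\Paths\{1}' -f $basicUser, $ruleGuid)
New-Item -Path $rule -Force | Out-Null
# A bare file name matches winword.exe wherever it is installed.
New-ItemProperty -Path $rule -Name ItemData -PropertyType ExpandString -Value 'winword.exe' -Force | Out-Null
New-ItemProperty -Path $rule -Name Description -PropertyType String -Value 'Run Microsoft Word as Basic User (Word 0-day stop-gap)' -Force | Out-Null
New-ItemProperty -Path $rule -Name SaferFlags -PropertyType DWord -Value 0 -Force | Out-Null

# The rule applies to newly started processes; Word instances already
# running keep their current token until restarted. To roll back, delete
# the rule under Additional Rules in the snap-in, or run:
#   Remove-Item -Path $rule -Recurse
Write-Output "SRP rule $ruleGuid installed: winword.exe will start as Basic User."
```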

The registry script is available here. It is PGP signed with my new (as of May 15th) RSA key. For reference, I have signed this new key with the (shorter, older) DSA key. However, the DSA key is deprecated and will be allowed to expire, due to the reliance of DSS on the weakened SHA-1 hash and the shorter lengths of DSA signing keys.

In addition to the standard disclaimer that you assume any and all risk associated with applying this change, I should also note that the effectiveness of this registry fix is entirely based on known characteristics of the payload, rather than the exploit itself. As such, it is possible that future variants of the in-the-wild exploits (which target the same underlying vulnerability) will eliminate the dependence on administrative privileges and thus reduce the effectiveness of this workaround.


New Word 0-day - reminding about the benefits of non-DOC file formats

SANS ISC (Internet Storm Center) has a Diary entry covering recommended defenses for this case.

. . . .

* consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF. Consider using the free wvWare library. You will lose formatting but that might be an acceptable bargain for e-mail incoming from outside your organisation.

* consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.

Some related references:
MSRC - Reports of a new vulnerability in Microsoft Word
Another ISC entry - Targeted attack: Word exploit
Original ISC report from Thursday - Targeted attack: experience from the trenches
US-CERT VU#446012 - Microsoft Word buffer overflow Vulnerability Note
CVE entry - CVE-2006-2492
Summary-type ISC entry - Microsoft Word Vulnerability
Microsoft Security Advisory #919637 - Vulnerability in Word Could Allow Remote Code Execution

US-CERT, in turn, points to its Cyber Security Tip document Using Caution with Email Attachments.

UPDATE: Added CVE name reference and link to ISC’s summary-type story.
UPDATE #2: Added link to Microsoft Security Advisory.


Plane crashes due to Bluetooth Snooping

When I read this article, posted earlier: ‘Fly-by-wireless’ plane takes to the air, I couldn’t stop imagining what would happen if someone tried to play with his laptop’s Bluetooth sniffer/snooper/flooder/etc. while this plane was in the air, or even during take-off.

What disturbs me even more is this line: But Santos and colleagues are working on this. She says Bluetooth is already fairly resistant to disruption as it is designed to guarantee a certain minimum data stream will always get through. “It has mechanisms for dealing with interference,” she says. Ha? What? If I am jamming or blocking the channel, there is no way for you to get ANY data through; that is what jamming means. Further, can you navigate a plane with a MINIMUM of wires? No, you need them all. You have redundancy, but you can’t cope with a MINIMUM of wires; they are either there, or not.

I hope they sort out this fiasco before anyone decides to prove that Bluetooth jamming on an airplane is just as lethal as placing a bomb on the plane.


Hacked #10 (comic strip)

Hacked, the tenth strip of this new comic series.

Hacked #10

Click on the image for full size.


Some thoughts about delay in Bugtraq moderating

It appears that the reply from Mr. Paul Laudanski to the phpBB 2.0.20 Full Path Disclosure and SQL Errors posting from cxib at securityreason com arrived in my Inbox early this morning.

My mail client says:

Sent: 10.5.2006 3:25:59

Checking the headers gives this exact information about the Bugtraq mailing list posting:

Date: Tue, 9 May 2006 20:25:59 -0400 (EDT)
From: Paul Laudanski zx at castlecops dot com

The exact Received time stamp is the following:

Received: from outgoing.securityfocus.com (outgoing.securityfocus.com [205.206.231.26]) by fe11.mail.saunalahti.fi (Postfix) .....; Sat, 13 May 2006 04:06:05 +0300 (EEST)

That is more than three days later.

The date shown in the title field of the Bugtraq archive is the following:

May 08 2006 02:49AM

This case is at ‘Page 5 of 600’ at www.securityfocus.com/archive/1.

Do you have any comments?


Time to apply OS X patch 2006-003 [UPDATED]

The third ‘06 security update for Mac OS X has been released.

This update fixes 25 separate vulnerabilities, including several issues related to zipped files and image files, which were also reported by Tom Ferris.

The original security advisory from Apple is located at
docs.info.apple.com/article.html?artnum=303737.
Exploitation of many of these issues may lead to arbitrary code execution.

Some statistics:

Security Update 2006-001 - 15 issues
Security Update 2006-002 - 3 issues
Security Update 2006-003 - 25 issues

From the SANS Top 20 Spring Update:

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X

It’s time to visit Apple Downloads site or use your Software Update feature.

UPDATE: I missed including a link to McAfee’s new white paper The New Apple of Malware’s Eye: Is Mac OS X the Next Windows? [PDF document, 6 p.]
UPDATE #2: According to Ferris’s new posting, ‘All of the Safari flaws within the Apple OS X Safari 2.0.3 Multiple Vulnerabilities advisory are still unpatched.’ Additionally, ‘The core issue “ReadBMP ()” .bmp Heap Overflow has not been fixed’.


A Review of Headlines in Security

How do you tell that news in security has gone downhill? Well, if today is any indication, you tell when the headlines are: Microsoft Releases Flash Player Patch and TippingPoint Buys Vulnerability Information on its Own Code.

Here at SecuriTeam, we often read that vulnerability researchers provide free quality-assurance for vendors. Unless, of course, that vendor is Tipping Point. Yesterday’s ZDI disclosure avoided the “patch or run for the bunkers” theme of major vulnerabilities in widely-used software:

ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability

I don’t know about you, but if I have a choice between two IPS vendors with good products and one is willing to pay researchers who report even minor vulnerabilities in the code, I know where my money’s going.

One place your money probably didn’t go was on this:

MS06-020: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution

Yes, that’s right folks, a Microsoft patch for Flash Player. I had to check my eyes, too. This patch, for many desktop users, will be the only significant one from May.


New MSIE 0-day is related to CSS attribute

Exploit code for the Internet Explorer CSS Attribute Denial of Service Vulnerability was released yesterday. The behavior of the code is interesting:

When the “position” CSS attribute is set on an HTML table, merely hovering the cursor over the malformed table triggers the flaw.
I’m not linking to the code. Reportedly MSIE 6.0.2900 SP2 is affected. Microsoft is aware of the issue.
If security advisories arrive via the mailing lists, I will update this entry.

But the most interesting point is the future severity level. According to Microsoft, a vulnerability is Critical if no user interaction is needed to exploit the flaw. Is moving the mouse pointer user activity?


Riemann, an engineer, and Van Gogh walk into a bar…

I was building some chicken and rabbit coops the other day. The object of the endeavor was to keep the snakes, rats, foxes, raccoons, etc. away from:

1) my animals’ food supply (my money)
2) my animals (my food), and
3) the by-products of my animals (again, my food).

Building the coops was like building a defensible network. This got me thinking about the differences between a mathematician (a theorist - aka me), an engineer (an applied theorist), and an artist.

My finished work looked like what a blind man would create given a chainsaw, plywood, a stack of 2×4’s and a nail gun. Nothing was plumb, only the internal flooring was level, liberal use of poultry netting was required in order to shore up gaps, etc. That’s what you get when a math guy builds something. Production ceases when functionality is addressed. Period.

My brother is an engineer. His chicken coops, dog pens, horse fences, etc. are all optimal. “Optimal” being the key word. If he needed to, he could expand any one of his habitats. I, on the other hand, would have to rebuild mine from scratch if I ever needed more space.

My other brother is an artist. If he built a chicken coop, it would be a beautiful thing to behold but wouldn’t contain any tar because it didn’t go with his color schemes. It wouldn’t have front steps because that would detract from the ornate design of the front door. Poultry netting would be verboten… In short, his animals would all die horrible deaths in beautiful surroundings…and then, he would write a poem or short story about it while crying over a bottle of wine.

Lessons learned.

1) Theorists can be used in a limited capacity when building a defensible network…they should not be depended upon to deliver scalable, optimal products, however. Idea guys shouldn’t be implementing their ideas.

2) Engineers design and implement solutions which the idea guys throw at them.

3) Artists should never be used until the engineer is done. Sorry. Artists take the well-engineered framework and make it look like the Taj Mahal.

So, when creating defensible networks (or software that protects defensible networks) you should plan on dividing your labour into at least 3 categories:

A) Idea guys come up with the great ideas. These guys could be mathematicians, philosophers, jazz history majors, marketers, whatever. The net result of the idea guys is…(wait, here it comes)…unique ideas.

B) Engineers validate that the ideas can be implemented and then build it.

C) The artists come in and make the engineers’ work look a lot better. The Marketing guys will appreciate this.

With only A & B, you get products that the ‘techies’ will love, but will never get approved through a Corporate budget committee (think CANVAS). This product won’t sell very well…sadly.

With only A & C, you get products that the ‘techies’ will love initially and that the Corporate budget committee will approve. However, the techies will quickly learn to abhor the product as it doesn’t scale…and then, some artist will find a buffer overflow in the security product and that’s that (think ISS). This product will sell (sadly). However, the company will often have to ‘reinvent’ themselves…And, by ‘reinventing themselves’ they actually mean ‘We screwed up initially so we’re just scrapping the whole thing and starting over but please keep paying on that support contract because you’re gonna *love* our next version’

With only B & C, you don’t have an ‘idea’ to begin with…so, you end up with well-engineered, snazzy products that don’t really do anyone any good (think IPS). Don’t underestimate the persuasive powers of marketing artists…this product will sell ;)

Peace be unto ye,

!Dmitry


Vulnerability Scanner