January 2007

Apple: We have a fix for MOAB-01-01-2007!

Apple has released a fix for QuickTime rtsp:// URL Handler Stack-based Buffer Overflow – aka MOAB-01-01-2007.

There is no any other fixes included to Security Update 2007-001, link here:

docs.info.apple.com/article.html?artnum=304989

As we can see the ‘MOAB-01-01-2007′ was disclosed on 1st Jan as the very first Month of Apple Bugs advisory.

It is worth of noticing that Windows versions 7.1.3.100 and below are affected too.

Best,
Juha-Matti Laurio

Distributing malware over ed2k network

While searching for some legitimate content on e2dk p2p network I’ve stumbled into some strange search results. Those results were looks like forged from the search query. I’ve searched then for surely non existing files and got same forged results.

Quick check of the files shows that at least one of them contains malware.

Malicious server forge ed2k link for every query, by only changing the name of the file, while MD5 remains the same. The malicious server then connects to one of the biggest ones in the network. Users that will use Global search (trans-server) will receive the link on mostly every search and the result may look very legitimate due to good availability of the file. Malicious files are very well shared and will be downloaded in the matter of seconds.

Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:
> http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
>
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than work with them, citing as we have seen above that today, a very small percentage of internet users account for about 50% of all internet traffic. that of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
>
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomonon is part protocol and part social.
>
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to winging and warring against it.
>
> if we do, then the authors of the 2p2 protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts. stuff to live by.
. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistence until it becomes mainstream a few years down the road.
. not connected with what can currently happen to affect change, but rather how things really are which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to affect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this change or shown to be wrong?

some examples may be:
. working with network gear vendors to create better equipment built to handle this and lighten the load.
. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks who in most cases are not eveel “internet pirates”, are mostly allied whether in name or in practice with illegal activities. the technology isn’t illegal and can be quite good for all of us to save quite a bit of bandwidth rather than waste it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of

, why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is affected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the road rather than adapt after the avalanche has already fallen.

gadi evron,
ge@beyondsecurity.com.

What’s the deal?

in the past week or two, the anti phishing community has been buzzing with this. now it is public and i can finally shout my frustration:
so, we have phishing sites which are doing man-in-the-middle in real time, between the phished site and the phished user.
how is that news?

regular phishing works like so:
victim >> fake site >> real site

middle, see?

now, in most cases in the past, this process was not automatic, and in most cases – it won’t be. distribution across ip addresses, choosing what accounts are worth it to steal from, choosing money mules, etc. is far easier to do off-line.
that said, this isn’t new, it’s just… yet another kit. am i excited about a new kit? kinda. is this big news? no.

why you ask? as this real-time phishing using mitm attacks has been happening for years now using phishing or banking trojan horses. the best we can describe happened is that the technique was now incorporated into older email-based phishing, as well.

new? okay, maybe if we push it. exciting? so-so.

gadi evron,
ge@beyondsecurity.com.