Edit: How about we change the title here to "How a 'Catch-22' Revealed Behavioral Differences in Web Browsers".  I have add some updates at the bottom of the story based on feedback from some of our users and further research into SSL validation.

============================

We received a submission yesterday from a user who was complaining about a Catch-22 that Microsoft had set up.  Microsoft Security Advisory (917077) addresses a vulnerability in Internet Explorer and how it handles HTML objects.  The workaround is to change the security setting for ActiveScripting, to either disable it completely or to set it to prompt the user before running each script.  On the advisory's web page, there is a link to this feedback page. The potential issue here is that the feedback page is using ActiveScripting.  Oops  ;-)

Now its not actually that bad for two reasons.  First, if you have changed your ActiveScripting setting to "Prompt", you can enable the scripts for this page.  Second, even if you have disabled ActiveScripting or choose to not allow it for this page, you will see the error message about needing JavaScript for this page and a link to a page with a non-JavaScript form and you will be redirected to the non-JavaScript page.  So while this may be a little annoying, its not a total show stopper.

So after figuring this out in Internet Explorer, I decided to try viewing the page in Firefox.  Pulled up the page and whoops, I got a popup about an error with the SSL certificate verification.



That's odd. It came up ok in Internet Explorer. Let's click on 'Examine Certificate...' and take a look at the details.  Hmm, this certificate is signed by the 'Microsoft Secure Server Authority'.  I bet we don't know who they are.



Let's go click on Tools->Options..., Advanced, View Certificates, Authorities and see what is there.
Nope, don't see any entries for Microsoft certificate authorities.



Let's go back to Internet Explorer and take a look at the certificate information.  Click on the yellow lock icon and we see that the certificate was issued by the 'Microsoft Secure Server Authority'.  Click on the 'Certification Path' tab



So now we see that this certificate was issued by the 'Microsoft Secure Server Authority' which in turn is trusted by the 'Microsoft Internet Authority' which in turn is trusted by a GTE Root CA.



Ok, now let's go look at Internet Explorer's built-in certificates.  Click on Tools->Internet Options..., Content, Certificates..., Intermediate Certification Authorities.  Ah hah!!  Here we see both the 'Microsoft Internet Authority' and the 'Microsoft Secure Server Authority' CA certificates.



So why is this bad?  Microsoft is using an internal CA to issue the SSL certificate for their web site.  Only folks using Internet Explorer to view the page will not get complaints about the certificate.  Anyone using any other browser will get an alert.

Now since this page deals with security (specifically web browser) security, it is counterproductive to the mindset we are trying to train people to have to use an SSL certificate that they can't verify.  If folks just think to them self "Hey this came from Microsoft's security folks, it should be ok" it sets up reinforcement of ignoring SSL certificate errors.

The solution is for Microsoft to either use a certificate from a publicly trusted CA or to have their CA certificates included in other browsers.  Since there are so many alternative browsers, using a publicly trusted CA is probably the best option.

You can export the Microsoft CA certificates from Internet Explorer and import them into Firefox (or another browser) and then you will not see the popup about the server's SSL certificate not being verified.

Update 1:

We received an email from Cesar pointing us to a blog entry here from June 2004 that talks about this issue on another Microsoft web site.  Apparently RFC2459 defines how the Authority Information Access (AIA) 48.2 id-ad-caIssuers OID can be used to included a URL reference where to retrieve information about the certificate.  Internet Explorer uses this information to retrieve the intermediate CA certificates needed to verify the host-specific certifcate.

I happened to have a brand-new laptop here with Windows XP that had not been connected to the network.  I checked it's certificate store and did not see the two intermediate Microsoft certificates.  I then connected to the network and went to the same SSL page on Microsoft's site.  Then I checked the certificate store again and found the two intermediate Microsoft CA certificates were now installed.

So according to the above RFC, Internet Explorer is following a document that is on the Standards Track.  Other browsers such as Mozilla have chosen not to implement this option due to some ambiguity in the RFC.  You can see more discussion about this here in the Bugzilla entry created on this topic. 

It is not clear as to what can be provided through this reference URL and so the Mozilla developers have chosen not to implement it. Apparently Opera, Safari and Konqueror also ignore the AIA data included in a server certificate.

A few weeks ago, uber-handler Tom "I-Write-Spyware" Liston and I were working on some tests of anti-spyware applications.  One of the experiments we performed was to take an ultra-infected box and run various anti-spyware tools to see if any of them could clean up the mess.  The Windows machine we had was so thoroughly laced with spyware that IE couldn't run, Task Manager couldn't start, and the services control panel was kaput.  Pretty much every GUI-based management and analysis tool on the box was hosed.  Ouch!  And, no, booting into Safe Mode didn't help at all (we tried it of course), because the system was so corrupted.  You see, the spyware altered various crucial reg keys and used the SafeBoot reg key for auto-startup, as Tommy-boy described briefly here.

So, how could we do analysis on this machine without resorting to these GUI tools?  Of course, there is the stunning arsenal of handy investigating tools from www.sysinternals.com (Process Explorer, TCPView, et al), but we wanted to go with tools built-in to Windows, preferably command line.  We didn't even want to use the Resource Kits.

So, what did we resort to?  In large measure, we relied on the immense power of the WMIC tool, built into WinXP Pro and Win2003.  Sorry, but WinXP Home isn't a professional-class operating system, and it lacks many useful management tools like WMIC.  But, for WinXP Pro and Win2003, WMIC is a command-line console to access Windows machines via Windows Management Instrumentation, a framework established by everyone's favorite software vendor for locally and remotely managing Windows boxes (although installed on XP Pro and 2003, it can be used to manage Win2K, WinXP, and Win2003 systems remotely with admin credentials).  Before WMIC, you had to write scripts or get a specialized tool to pull data via WMI.  But no more…  WMIC gives us command console access to the powerful framework of WMI.

WMIC is a world unto itself, immensely complex, able to read several thousands of settings on a Windows box, and update hundreds, again both locally and remotely.  It includes its own query language, called WQL, for WMI Query Language, a subset of ANSI SQL.

But enough pontificating!  Let's get hands-on.  Here are some fun things you can do with WMIC that served us very well in our anti-spyware research:

C:\> wmic process [pid] delete

That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".

Or, better yet, try this one on for size:

C:\> wmic process where name='cmd.exe' delete

I love that one!  It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.

And, check this out:

C:\> wmic process list brief /every:1

Sort of like (but not exactly) the Linux/UNIX top command.

But, wait!  There's more...

C:\> wmic useraccount

This one gives a lot more detail than the old "net user" command.  With "wmic useraccount" you get user names, SIDs, and various security settings.

Fun, fun, fun!  Here's another:

C:\> wmic qfe

This one shows all hotfixes and service packs.  For you old-school Sun-heads out there (both of you! -- Just Kidding), qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.

For a list of some of the items WMIC can touch, run this:

C:\> wmic /?

Now, here's a request.  Do you guys have any other fun WMIC tricks?   Specifically, have you used WMIC in an investigation or in sysadmin duties to pull some vital data that other readers of the Internet Storm Center can benefit from?  Please note that we do not want WMI scripts…  We want WMIC command-lines that do cool things of interest to Incident Handlers.  Send in your suggestions, and I'll post them throughout the day, giving you full credit (if you want it) for your elite WMIC kung-fu.

What's your favorite thing to do with WMIC?

We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio.  According to Microsoft:

"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

That's not the end of the world, but it is worth noting.

What does this mean to you?  On April 11, some of your ActiveX controls may stop working.  You can test this new IE voodoo by downloading an optional patch for IE from Windows Update.  Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue.  The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

--Ed Skoudis.
Intelguardians

1. You can't secure something you don't know or understand.  If you don't understand what you are dealing with then you won't know what you need to do.  Do you want a surgeon operating on your brain when they specialize in orthopedic surgery?  I mean he/she could follow a manual and might get it 80% correct.  The same care should be taken with our network.  When you start installing things you don't understand or know how they work ... you might get it 80% correct. But can you afford that?  From John:  "Let's all remember today that no matter how tight your security, if you can't actually run your box you're owned."
   
   
2. Let's say you know your system and your applications. Now you can't secure something and forget about it.  All applications need TLC.   There's bound to be a patch or upgrade that needs to happen. Many times its the small things such as a default password that get forgotten (or a weak one that doesn't get changed) or a service that doesn't get turned off.  All a hacker needs is just a small hand hold and then go from there.  Its easy to overlook the small stuff.  Constantly watching networks and checking things are a must.  
   
   
3. The unknown.  What do I mean by this?  Well, one night Mr. Helpful SysAdmin installs something on the network that someone claimed they needed and you didn't know they put it there.  Someone installs something, makes a change etc and it doesn't get documented and/or approved.  This is something that I know has happened to everyone at some point in time.  Now good policy and procedures can help alleviate that, but we'll talk about that in a minute.  If you don't know something is there, you can't secure it and you don't know what kind of security risk its created on your network.

• The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
  
• We have not been able to vet the patch. However, source code is available for the eEye and the Detmina  patch (for Determina: the source is part of the MSI file. for eEye: The source code is available as a seperate file)
  
• Exploit attempts are so far limited. But this could change at any time.

Reactive or Pro-Active Security Planning?

Looks like that with few exceptions, the most correct answer for my last question about when you started to think seriously about security is: Reactive!

Why? The answer is that most of people/companies started to think about security after a bad security experience. From gvmt to .edus and private companies...almost the same, which I thought was kind of funny...:)

Another point that should be noticed is that some companies started to think about a security team/specialist only for marketing and not for real security jobs, which was kind of sad...:(

If I could chose an average year, I would say 2001/2002, according most of the answers, and there is a reason for that, if you remember well, that was the year of most new generation worms (remember Code Red ?)

What follows below is a list of some testimonials that I think that is very informative...:)

Thanks for all the answers!

----------------------------------------------------------------------------------------------------------

Various steps:
1995 - preparation for y2k and acquisition of new enterprise accounting and payroll systems
Summer of '98 - connected to the Internet
2002 - preparation for HIPAA Privacy Rule and Security Rule

It's a company that refuses to think that threats can originate from inside the firewall (users). IT
computers are out in the open with the "normal" users computers. We have a long way to go before we are "secure".

To answer your question more directly, its been maybe the past year and a bit that we had started to think about security in a serious way.

I work for a County government, and except for what I do because I feel SECURITY is a BIG issue, we do nothing.
I have a firewall(linux box with iptables) in place and try to institute what I feel will do the
best for the County, but I have NO budget.

In 1994-1997 I worked as an employee at Company X.  Like Company Y this was an  organization that could incorporate security deeply into the ways things  were done (in many divisions)  There were some places where
security was lax and some where (in a post Mitnick world) very tight.

I would trace our thinking seriously about security to November 5, 2002, the day that we changed our primary firewall from a default-allow to a default-deny configuration.  Shortly thereafter, we started managing patch status on our 5000 (no 9000+) Microsoft workstations using SMS.

* In November 2002, I got a DSL line.  After I configured up ipchains on the box that would be my firewall/file server/domain controller/etc., I went to Steve Gibson's site to test my configuration.  It said I had everything open.  Well, I didn't believe it, and I just left it.  It wasn't two days before my box was hacked through a telnetd vulnerability.  So that got me thinking seriously about security at home.

* In March of 2003, the place I worked had someone (in the same office where I worked) that was bypassing security measures by running programs like MyIE2 and trying to hack our boxes.  It came to a head in September when he took down one of our machines.  I became the computer tech for the department in October and started locking down our machines as tightly as possible.  We haven't had an incident since.  This is also what got me interested in computer forensics.  I received training in the field and am pursuing volunteering for my local police department to get some experience in the field.

Well my company has been thinking (and doing) seriously about security since 2001, so 5 years.  I have been since 2000.

It was in April of 1999 when we got hit with the Melissa worm and we realized that user education was lacking, and even where sufficient, the antivirus software could only be trusted so far... so we had to invest time in locking down workstations and generally paying attention to internal security.

Server security happened first, following the need for external security in 1996 when we put up a website (a year after getting a domain name registered so that we had email).  This is because we were hard on the outside from the outset; even though we're a Windows shop, we never had issues with hanging Windows boxes on the Internet and having issues with CodeRed, Nimda or Windows Message spim.

When we first went from paper to a computer, back about 1989 or so, the 'server' had access through 'terminals'.  Security at this time meant, as perhaps some of your readers will remember, limiting access to the system through a variety of ways, running a specific 'shell' .profile and .login to prevent access to the command line, limiting rwx rights, and limiting 'server' functions according to needs.

By this time, several free standing personal computers were beginning to show up in the workplace, data on 5 ¼ floppies was making rounds.  Our server data was backed up daily and stored off site.  The server security was pretty good, no access other than dumb terminals inside the complex.  It was about this time we discovered the term 'virus' and a program called f-prot.  A small outbreak of a boot virus actually started the business of limiting access to data which had been 'screened' before loading on our internal machines.

Time went on, we started a WIN3.1 network and did away with many of the terminals.  The internet started in earnest about this time, and dial up and dial in on dedicated lines was established to reach the internal network from remote locations.  That's were the 'profession' of security probably really started.  Security issues, sure, but that's it, 'issues' handled by a few individuals with some sage advice and implementing innovative techniques. 

I started thinking about security in a serious way about 8 years ago, when my company began installing web servers in data centers. I knew publicly accessible servers could be trouble. It occurred to me then that securing the public servers was not enough, and that all of our systems had to be secured lest we become a vector for our own demise.
Since then we've been trying to keep up with vulnerabilities and exploits.

So far we have only been affected once, by the original Code Red worm. Our security budget is now our second highest IT expenditure, just behind hardware. I always chuckle when I hear media reports of this year being the
year of infosec. To me, every year is the year of infosec.

This is an easy one -- never. My employer at $DAY_JOB had to be dragged kicking and screaming into at least SOME form of security policy. I was continually being second-guessed by silly buggers from "executive row", for example, about why we required a VPN to access the internal mailserver when their friend, sibling, Mom, or dog didn't have to at THEIR company. (sigh)

It's usually only some form of object lesson (usually painful) that convinces executives to pay attention to security. Education doesn't seem to help -- too many of them think that since they were able to set up a WiFi router at their house they're qualified to make decisions about IT Infrastructure. (sigh)

Until Sasser, even computers at the help desk had public IPs and every folders and printers were shared with the rest of the world...
We were told by our administrators and our senior technicians to say to our clients to remove the Windows XP firewall because it can blocked several softwares using Internet.
This thing changed with the arrival of Blaster (Maybe the half of our clients - dialup and broadband - were infected) and then, I began to analyse my firewall logs and to read your daily news on ISC.SANS.ORG .
I had to put pressure on our administrators to block or to restrict NetBIOS and SMB ports but they denied my requests... maybe because they weren't able to create ACL on Cisco equipments...
The arrival of Sasser finally forced them to go in my way... because our own Internet provider told to the admins how to block incoming and outgoing NetBIOS and SMB traffic.

I began to think/learn about security five years ago and it all started with a security incident of course: we had our broadband link shut down because of a misconfigured proxy (mind you).Here at this company there's been some talk about a written policy of use and to train personnel on security (me for the case), but nothing serious yet. As long as nobody get her documents lost everyone is confident everything is ok.

I've been taking it seriously since I got my internet connection and learned about all the rubbish that's out there.I've burried myself in book on security since then.
From firewalls to vpn's to all the spy,virus,adware scanners we need these days.
I'm currently working for a large Telecom multinational in a network control centre.
They take network security extremely serious.
I was amazed by the tightness of their internal network.

Two years ago we ran exclusively windows software (mainly XP) on all the units
and I found (in spite of having firewall/anti-virus/spy-sweeper software
installed) that I was spending about 2 hours of every day, 7 days a week,
doing nothing but checking, scanning and updating, and of course worrying !
One year ago we migrated to running OpenOffice, FireFox and Thunderbird on the
windows box's in an effort to mitigate some of the risks that were apparently
inherent in the windows software.
We made the decision in November of 2005 to migrate ALL of our systems onto
linux using XXXXX for the in house server and FC4 for all the workstations.
The change went without (too many) headaches and, from 1st January 2006, we
are now 100% linux/open source  - the result is that the time I need to spend
on the security/upgrades has dropped from nearly 2 full working days a week
to about 4 hours a week - a considerable saving and relational increase in
productivity - not to mention the savings in software costs associated with
this route. Incidentally, the overall stability of the new systems and the
speed that it runs at would make the change worth while even if one didn't
take the security aspects into account !!!
I was gratified to read one of your handlers articles detailing what security
measures he had put into place on his business systems and realise that I was
running an identical security infrastructure on our new linux network.

In 2000, my company, a large healthcare system in XXXXX, hired their first security specialist - someone devoted entirely to security.  That was only 5 years ago.  He left because the company didn't take security seriously, even though they had hired him under the pretense of being "security conscious".  They thought just having someone on staff labeled, "Security Specialist" was enough.  I took his position a little over a year ago and now I've found a new job in Information Security because I had the same frustrations as the previous security specialist.  It seems the company wants to be compliant (especially to HIPAA), but doesn't want to do what it needs to do to get there.

The company that I'm at now didn't start thinking about security until late 2004, which is when they hired me, and
it wasn't until the middle of last year that real security initiatives started happening.  This is contrast to the trading firm where I started my security career in 1996.  They already had a full security plan in place.  The insurance firm that I went to work for after that implemented a full security architecture around 2000.

XXX.edu has been thinking about security in a comprehensive and org.-wide way since approximately 1992.  Our current security plan was written in 1996, and has stood the test of time very well since.  The revisions of it in progress are mostly to translate it into the language that funding agencies say they'll begin expecting for initial security plans in 2007.

Microsoft Updated Security Advisory (917077) (Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution) and says "Advisory updated with indication of limited attacks." In this instance, "attacks" = malicious websites. And speaking of attacks/malicious websites, the APWG January Phishing Trends Report (APWG Report graph below) was released and reports "The number of unique phishing websites detected by APWG was 9715 in January 2006, a huge increase in unique phishing sites from the previous two months.". I wonder if the authors of trojans that steal banking information are capable of deploying 9,715 "attack" websites a month with exploits for unpatched IE vulnerabilities? Handler Donald Smith mentioned how easy it'd be to spam links to the world. What's your IE threat analysis folks? Drop me a line!
Update - McAfee calls malware used with an exploit for this vulnerability PWS-PartyPooper.

Workarounds/mitigation

References

echo "this works if \"phpicalendar_publishing\" is set to 1 in config.inc.php\r\n\r\n";

• rsync: by default rsync does not run as a server on OS X, so you should be ok with respect to simple remote exploits. Recent rsync vulnerabilities required the user to be logged in.
  
• php: only an issue if you have Apache with php default enabled. By default, apache is not enabled, and Apple does not load php in its default httpd.conf. Recent vulnerabilities in php, which are likely addressed in this update, protect against local users overstepping restrictions provided by php safe_mode. This is likely a "must apply" patch if you provide shared web hosting with php support. Of course, validating the patch is in particular tricky in such an environment.
• "Safe file execution": You should keep this option disabled in Safari. Keeping a wrapper around 'terminal' or protecting terminal from execution by untrusted users via the parental controls is another appropriate workarround if it does not restrict your users too much.

Phishing messages are becoming increasingly personalized in attempts to convince the recipients to trust originators of the messages. A phishing email recently submitted to us illustrates this trend. In this case, the message that arrived in the victim's inbox included the person's full name and postal address:

We reported this phishing attempt to Anti-Phishing Working Group and Citibank. If you have witnessed highly-personalized phishing scams of this nature as well, please send us the details.

This note incorporates comments from several ISC handlers. I am very grateful for their contributions.

Lenny Zeltser
ISC Handler
www.zeltser.com

MS06-011: Priviledge Escalation in Windows (Important)

• CoreTypes: CVE-2006-0400
  

• Mail: CVE-2006-0396
  

• Safari, LaunchServices, CoreTypes: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399
  

• Various non security rated regression fixes in a.o.  apache_mod_php (still based on PHP 4.4.1, not on the latest 4.4.2) and rsync.

$ rsync --version
rsync  version 2.5.5  protocol version 26
Copyright (C) 1996-2002 by Andrew Tridgell and others
«http://rsync.samba.org/»
Capabilities: 64-bit files, socketpairs, hard links, symlinks, batchfiles, 
              no IPv6, 32-bit system inums, 64-bit internal inums

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.

In the beginning

Now maybe we're getting somewhere

So, can we look upstream?

So how do we finally solve it

Well, my cursory reading of RFC 2474, suggests that we shouldn't be calling this the TOS byte anymore.  That usage has been superseded.  Further, it appears that the DSCP value shouldn't really be propagated beyond the bounds of a single organization's administrative control.  Cisco has a couple of documents for service providers that recommends that the DSCP values be re-marked (the term used in RFC 2474) at administrative boundaries (lest someone try to run their traffic through the service provider's network with an artificially high priority).  So, one conclusion is that we should be sure we are clearing these bits when they leave or enter our administrative control.  The client is waiting on change control approval and debating whether to remove the policy-map completely or change the DSCP value to 3 (which is also undefined in the IANA registry mentioned above and doesn't conflict with any old TOS uses of that byte).  I'm sure there are lots of other conclusions that could be drawn from this, but for the moment, I'm not going to draw anymore.  I'll leave that to you, our faithful readers.

----------------------------

Jim Clausing, jclausing --at-- isc.sans.org

  * Tidy up after Malone bug #34606, which left passwords exposed in
    /var/log/installer/cdebconf/questions.dat, by removing those passwords;
    for good measure, make /var/log/installer/cdebconf/* world-unreadable if
    this bug is detected.

Cheers,

Adrien 

ISC participants report excerpts;

Arms Race ?

As with anything the bad guys do, they react to anything we do to try to prevent them from having success. One of the things we told our users was to ignore alerting messages that their bank (and any other bank they are not a customer of) seems to send them and tells them their account has been abused. It seems that it is finally having it's effect as the phishers are changing tactics.

These kind of arms races require us to increase awareness constantly and to make users more resilient all the time. If we fail this our users, customers, ... will fall prey and we will have failed our users and/or customers in the end.

Example of one of these new phishing attempts

From: Chase Manhattan Bank  
To: victim@example.com
Subject: [ $20 Reward Survey ]

Dear Chase Bank Customer,

CONGRATULATIONS! 

You have been chosen by the Chase Manhattan Bank online department
to take part in our quick and easy 5 question survey.
In return we will credit $20 to your account - Just for your time!
Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of
changes to improve and expand our online service.
We kindly ask you to spare two minutes of your time
in taking part with this unique offer!

SERVICE: Chase Online? $20 Reward Survey

EXPIRATION: March -  13 - 2006

Confirm Now your $20 Reward Survey with Chase Online? Reward
services. 

The information you provide us is all non-sensitive and anonymous
No part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days
while we process the results of this nationwide survey.

Please do not reply to this message. For any inquiries, contact
Customer Service.

Document Reference: (87051203)
Copyright 1996 - 2006 Chase Bank, N.A. Member FDIC Copyright © 2006

It was formatted much more fancy in html, but I chose not to show that here.

Of course the link in there doesn't go to anything owned by JPMorgan Chase & Co.

Now let's have a look at that website collecting so called "non-sensitive and anonymous" information.

It starts out all rather innocent

but then it goes on to ask you more details. Details that are far from non-sensitive and anonymous. But remember the psychology: the user just has answered a whopping 5 questions and is now going to get his 20 bucks. He'll even sell his mother for it, or at least tell them her name along with what is going to cost him much more than that 20 bucks he'll never get.

The details they want to know:

New tactic: better servers

• "premium" service from a well known name on the Internet
• very redundant DNS service
  
• lots of servers
  

chaseonline.new-reward-survey.us. 600 IN CNAME  premium.geo.yahoo.akadns.net.
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.174
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.175
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.177
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.184
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.185
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.186
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.188
premium.geo.yahoo.akadns.net. 300 IN    A       66.218.79.173

The not so good news goes on:

A Security Update: version v0.1217  has been released for peercast it addresses a serious vulnerability.

= = =

Hi there lovely,I was searching the net few days ago and 
saw your profile. I decided to email you cause I found you 
attractive. I might come down to your city infew weeks. 
Let me know if we can meet each other in person.I am 
attractive girl. I am sure you won't regret it. Reply to 
my personal email at ***.

= = =

= = =

Hello my lonely boy,I am so happy to see that you have 
decided to reply. I don't want to live in Russia because 
I have not any chances here. My best friend last year met 
the man from the USA when she worked there for three months, 
too. She had two jobs. From morning till 4 pm she worked in 
amusement park and after it she worked as a waitress in some 
bar till midnight. I will leave Russia in two weeks or so 
(I can't tell you everything exactly right now) and I would 
like to be sure that I have the man who waits for me there. 
I will work all day and I want to find a man to spend all 
free time together to get to know each other better. If you 
have any interest to meet me I will be more than happy to 
meet you too. Please send picture of you too!!! Now I write 
you from my personal mailbox(***), please write me back here 
and here only. I will be checking it often. 

Kiss you your Elena, (this is my name)

= = =

• How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak" ?
• Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming ?  Where exactly do these patterns come from ?  Is the previous pattern version available there as well ?
  

This one is for our readers in Europe... If one of your users should be searching for a "currency" or "exchange rate" conversion tool with one of the more popular search engines, chances are he/she will end up on a link or site like this one



Maybe it's best if you don't go there now - we can't vouch for what the page does once they become aware that their "tool" is mentioned in our diary. What the page used to do as of 10min ago is present the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to. All for free. The only catch being, the user gets the "result" of his calculation as ... an EXE download



The download contains what some of the AV vendors refer to as Dropped:Trojan.Downloader and Trojan.Muldrop.  If you are using any sort of URL filter, web-url.de and wechselkursrechner.de should maybe be part of your filter list if exe downloads make it past your perimeter otherwise.

apache_mod_php patch

automount

BOM

Directory Services (passwd)

File Vault

IPSEC

Libsystem

Mail

Perl

rsync

Safari (multiple)

Before going into the detailed bugs: The #1 issue here is the "Launch Services" bug. This is a classic case where a secure-by-default configuration would reduce exposure.  Other browsers exist for OS X (Opera, Firefox). It is not clear which one should be recommended for OS X users. Either way, you may want to review your configuration.

Heap Overflow in WebKit

Javascript Stack Overflow

Launch Services

Syndication

iChat

Summary

Personalized portal start pages have been around for some time, represented by sites such as My Yahoo! and My Excite. Encouraging users to use these sites as browser start pages, such personalized pages offer the convenience of fitting lots of data, such as news, weather, and stocks, on a single web page.

The new generation of portal sites, such as Netvibes and Google Personal Homepage, offers rich functionality that allows the users to include interactive modules in the start page. Before embedding your email or del.icio.us accounts in one of these pages, be mindful the potential risks of using such sites to process sensitive data.

I'd like to bring up two such risks for your consideration:

1. Providing such portal sites with login credentials to your other accounts threatens confidentiality of your username and password.
2. Using portlet modules created by a third party may allow unauthorized access to the web session and other information.

From some years already, every year you hear that this will be the 'Security Year', that companies will invest lots of money in security, that will be the 'Security Boom', etc,etc...but still, thing are happening slowly.

Today I was talking with some friends about security in companies...and thinking some years back, we were trying to figure out when we started to think about security in a serious way, that would cover all company, from security policy, hardening, security monitoring, access control,etc,etc...and we realized that there are not even 10-15 years...

Then I thought, why not ask our fellow readers about this, as a personal poll? So the question is , when did you/your company start to think about security in a serious way?

I know that some technologies and concepts are new, and that Gov't agencies are usually exception on this, but anyway, it would be interesting to know.

So, trying to not flood tomorrow's handler on duty, please answer directly to me. I will try to consolidate the answers and put in my next shift.

1. This is a civil, not a criminal case.  For those of you who keep claiming that this case proves that port scanning is legal, here is a dime. Take it, call your mother, and tell her there is serious doubt about you ever becoming a lawyer. (...with apologies to Prof. Charles Kingsfield.)
   
2. While there was a criminal investigation that preceeded the whole Moulton v VC3 (and VC3 v Moulton) hoopla, all it spoke to was that the costs of investigating a port scan could not be used to push the case beyond the damage limit for criminal prosecution.  The judge stated that the statute required "that the damage must be an impairment to the integrity and availability of the network", and that this particular case did not meet that criteria.
   
3. Remember: Most computer crime cases are about damages, and damages are all about interpretation.  This particular damage interpretation took place in the year 2000.  The "cost" of a security incident is a very slippery subject.  Care to be a 2006 test case?
   

Apple released a security update called "2006-001".  It is claiming to update following components:

• apache_mod_php
  CVE-2005-3319, CVE-2005-3353, CVE-2005-3391, CVE-2005-3392
• automount
  CVE-2006-0384
• Bom
  CVE-2006-0391
• Directory Services
  CVE-2005-2713, CVE-2005-2714
• iChat
  
• IPSec
  CVE-2006-0383
• LaunchServices
  CVE-2006-0394
• LibSystem
  CVE-2005-3706
• loginwindow
• Mail
  CVE-2006-0395
• rsync
  CVE-2005-3712
• Safari
  CVE-2006-0390/CVE-2005-4504, CVE-2006-0387, CVE-2006-0388, CVE-2006-0394
• Syndication
  CVE-2006-0389

• filevault
  CVE-2006-0386
• perl
  CVE-2005-4217

For detailed information on this update, we'll refer you to apple's article 303382.

This update is very critical to install on your Mac OS X machines:

• safari gets fixes for 4 separate issues: one of them with the public PoC; 3 of them result in arbitrary code execution and one looks like it allows javascript access to local resources.
  At this point it's unclear how effective the patch against the PoC is. To quote Apple: "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)". We know from experience that warning users is hardly enough in real life. Still it's better than nothing.
  
• ichat, mail get file type protection warnings in an effort to help twarth the worm threat (as exposed by the PoC virus Leap.A)
• many more ... but you get those for free anyway
  

On the not so good side: (before I get every Apple fan on my case: I love my powerbook, but it does not mean Apple should not clean up their act a bit)

• Nice to get an update to PHP 4.4.1, but do note that a quick visit to php.net learns that it released PHP 4.4.1 on October 31st, 2005. That's 4 months!  Add to that that PHP 4.4.2 has been released on January 13th, 2006.  For a open source package this isn't cutting it I'm afraid. Apple really needs to speed up it's testing and dramatically reduce the window of exposure (even if it's not enabled by default).
• Apple references article 108009 but it's putting all responsability with the end user. Can't we please have it promote using things like anti-virus and other malware preventing software? Sure users should not accept everything and click on anything. But the windows world has proven this approach doesn't work well enough once the OS gets targeted by malware.

--
Swa Frantzen

1. Avoid the use of public networks if possible. Its just too easy to 'fat finger' an IP address. It is all too easy to unintenionally shut down a critical system using an attack as simple as a portscan.
2. If you have to use a public network, try to setup a VPN to isolate the sources and targets involved.
3. Ask participants to remove or turn off additional network interfaces (in particular wireless interfaces).

Update #1

We have received an overwhelming number of emails as a result of this diary.  This is to clarify a couple of things.  Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately.

We have also received several emails asking us to release the name of the institution that this refers to.  We won't do that as we were asked not to in the diary.  It is our policy at the ISC to provide confidentiality when requested.  That is what allows us to cover such controversial subjects as we do.  Yes what is being done by this Institution of Higher Education is incorrect. We are pursuing a satisfactory resolution to this as best we can. We also have not and will not publish the entire document. 

John Bambenek one of our handlers that works at University of Illinois had this to say on the subject:

It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.

We also have received a number of emails suggesting that we have a legal obligation to report this.  We are aware that this maybe a possibility.  We will assure all of our readers that we will indeed do what is right. We may not talk about what we did but we will do our best to make sure that this type of activity does not continue to go on.  We truly want the Internet to be a safe place for all to work and play. 

Hopefully this will answer some of the questions and concerns that are arising from this article.

Update #2

We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.

If he does contact us with a statement we will update the diary again.  Again thanks to all who  did contact us concerning this. Both the good and the bad. We have responded to as many as we could (of course not to the ones that gave us phony email addresses).  We at the ISC appreciate the participation of everyone, whether you agree with us or not. We learn a lot from the pro's and the con's and enjoy the interaction.

Update #3

We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.

So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.

Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.

Ok so now what must the students submit in writing to Professor Packetslinger?

Let's see what he wants:

What the student must submit

The note to the students:

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class and not counted absent.

Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:

"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:

Illegal, unethical, immoral.
How about just plain stupid and ignorant.

And handler Swa had this to say:

Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should not even consider it.  Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.

This from our resident comedian Tom:

Spamming for Fun and Profit.

It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it

Wonder how the school would feel about a law suit launched against THEM because of this assignment!

The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.