April 28, 2008 12:38 PM PDT

Progress was made Monday in mitigating thousands of SQL-based Web sites injected with malicious Javascript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by injecting executable code. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

On Monday, CNET found a few sites still infected with the latest SQL-injection attack.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a generic way to blast the Internet, and they've chosen to attack sites running MS-SQL.

On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.

Grossman agreed it's not Microsoft's fault, and said the attacks could have easily targeted another vendor's software. If users surf to an SQL-injected site, their browser will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins.

Grossman said that just ... Read more

April 25, 2008 11:56 AM PDT

A new contest to be held at this year's DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading antivirus researcher says is "not a good idea."

The goal of the Race to Zero is simple: obfuscate a malicious code so that it evades well-known antivirus engines.

Contestants will be given a sample set of viruses and malicious code that they must modify and then upload through the contest portal. Once accepted, the sample will be sent through a number of leading antivirus engines (perhaps using VirusTotal.com to provide real-time test results). The first team or individual who manages to evade all the antivirus engines wins that round. The organizers promise that each round will increase in complexity.

On the contest site, organizers list six reasons for hosting this event:

  1. Reverse engineering and code analysis is fun.
  2. Not all antivirus is equal and poorly performing antivirus vendors should be called out.
  3. Signature-based antivirus products can be easily circumvented.
  4. It's easier to modify malicious software than it is to write signature protection for it.
  5. Signature-based antivirus is dead.
  6. Antivirus is just part of the larger picture; you need patching, firewalling and sound security policies to remain virus free.

But Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will ... Read more

April 23, 2008 11:26 AM PDT

Users of Microsoft Windows Live OneCare may have found their antivirus protection a little too proactive. Over the weekend, OneCare informed some Skype users that the popular voice-over-IP application was infected with the Trojan Win32/Vundo.gen!D.

Not true, says Skype, which noted that Microsoft has since repaired its overzealous signature file.

On Friday, OneCare subscribers started seeing their access to Skype blocked. Microsoft says it was trying to block a multiple-component family of programs that deliver "out of context" pop-up advertisements, and mistakenly included Skype.

On Tuesday, four days later, it sent out a revised signature file for Win32/Vundo.gen!D that did not include Skype.

April 23, 2008 11:12 AM PDT

Once again, criminal hackers are targeting a worldwide event to deposit their malicious software on victims' PCs, according to one security vendor.

Within the last six months, MessageLabs has found at least 13 new Trojan horse programs associated with e-mails bearing subjects such as "The Beijing 2008 Torch Relay" and "National Olympic Committee and Ticket Sales Agents."

The problem, according to a MessageLabs representative, is that the hackers' e-mail messages carry an embedded Microsoft Office database file inside the zipped attachment. Microsoft said in a recent security advisory that customers not running Windows Vista or Windows Server 2003 are vulnerable, and that remote attackers could gain full access to a compromised machine.

Once the malicious code is installed, an attacker could steal personal data. MessageLabs further predicts that malicious-code writers will change formats by using 1 Byte XOR Key, Multiple XOR keys, and ROR, ROL, ADD, and SUB formats.

The e-mails, however, are not random. MessageLabs says the Trojan horses are often targeted to individuals within a specific organization in an attempt to gain access to the corporate network. This practice is known as "spear phishing."

So far, such attacks appear to be a corporate threat, as opposed to an individual threat.

Research from MessageLabs shows that while the e-mails state that they come from the International Olympic Committee in Switzerland, most originate from IP addresses based in Asia.

April 23, 2008 10:36 AM PDT

Two toolkits designed to help ordinary people participate in denial-of-service attacks against Western media have surfaced on the Internet, according to one researcher.

In a blog post Tuesday, Jose Nazario of Arbor Networks says one of the toolkits is easier to use than the other, though both are designed for "the masses." This isn't new; toolkits such as these have been created for other political protests in the past.

AntiCNN.exe was the first of the two tools found on the Internet. Nazario reports that it opens a flood of HTTP connections and attempts to hurt the servers with volume.

Sdos.exe is the second tool. According to Nazario, "This one lets you specify a target server and a port, uses a simple connect() loop for the TCP flood."

Nazario says there is a third toolkit out, but it includes a backdoor back to its authors and could be used for other purposes.

April 23, 2008 10:01 AM PDT

Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on BugTraq.

Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.

Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content contained in the address bar. A full write-up can be found here.

In a separate mailing to Bugtraq, Juan Pablo Lopez Yacubian says he was also able to use a similar exploit to crash Mozilla Firefox 3 beta 5.

That said, the general workaround is not to use Safari 3.1.1 for Windows until Apple issues a fix. Versions of Firefox 2.x and Opera are recommended.

April 22, 2008 12:01 PM PDT

A CNET Google search reveals sites still infected as of Tuesday noon.

Comparisons between two mass Javascript injection attacks suggest they may be related, according to a security company. The latest attack has compromised various sites, including a United Nations site and several UK government sites, with links to malicious servers.

On Tuesday Websense reported seeing distinct similarities between attacks staged earlier this month and over the weekend. Specifically, it cites the presence of the same attack tool on the malicious server in both cases. Last summer various groups used the MPACK toolkit to propagate a similar series of Javascript injections.

Javascript injections are browser attacks and require no more effort than appending a script tag to the end of the URL. If a legitimate site is vulnerable to script injection, an attacker can add a script tag to the Web-facing page of the site so that subsequent views will automatically download whatever content is within the script tag. Often the script tag contains calls out to a malicious server.

A user need only stumble upon a compromised site to become infected. In this case, when viewing a compromised site, the injected Javascript loads a file named 1,js. The file is located on a malicious server, which then attempts to execute eight different exploits targeting Microsoft applications.

As of Tuesday, two other files named McAfee.htm and Yahoo,php were no longer active.
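As an added illustration of the best practices Microsoft cites in the April 28 post (type-safe SQL parameters) and of the script-tag injection described here, not code from the page or from any vendor: a string-built UPDATE beside its parameterized form, plus a defender check that scans stored text for injected script tags. The table, rows and script host are constructed placeholders, and sqlite3 stands in for MS-SQL.

```python
import re
import sqlite3

# Constructed sample; the script host is a placeholder, not a real indicator.
INJECTED_TAG = '<script src="http://malicious.example/1.js"></script>'
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def setup_db():
    """In-memory table standing in for an MS-SQL content table; row 3 is
    constructed to look like a row already hit by the mass injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany("INSERT INTO products (name, descr) VALUES (?, ?)", [
        ("widget", "A clean description"),
        ("gadget", "Also clean"),
        ("gizmo", "Great value" + INJECTED_TAG),
    ])
    return conn


def update_descr_vulnerable(conn, product_id, descr):
    """The 'before': SQL built by string formatting, so caller text is parsed as
    SQL. A stray quote breaks the statement; a crafted value could do worse."""
    conn.execute("UPDATE products SET descr = '%s' WHERE id = %s" % (descr, product_id))


def update_descr_safe(conn, product_id, descr):
    """The recommended fix: type-safe parameters, so the text travels as data."""
    conn.execute("UPDATE products SET descr = ? WHERE id = ?", (descr, int(product_id)))


def get_descr(conn, product_id):
    return conn.execute("SELECT descr FROM products WHERE id = ?",
                        (product_id,)).fetchone()[0]


def find_injected_rows(conn):
    """Defender check: (id, column) pairs whose stored text carries a script tag."""
    return [(rid, col)
            for rid, name, descr in conn.execute("SELECT id, name, descr FROM products")
            for col, val in (("name", name), ("descr", descr))
            if val and SCRIPT_RE.search(val)]


def demo():
    """Returns (vulnerable path survived a quote, safe path stored verbatim, hits)."""
    conn = setup_db()
    text = "O'Reilly's widget"
    try:
        update_descr_vulnerable(conn, 1, text)
        survived = True
    except sqlite3.OperationalError:
        survived = False               # the apostrophe in the data broke the SQL
    update_descr_safe(conn, 1, text)   # same text, stored exactly as given
    return survived, get_descr(conn, 1) == text, find_injected_rows(conn)
```

The same scan over every text column is how an administrator confirms whether a site was hit; the parameterized form is what keeps it from being hit again.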

A quick review by CNET News.com found that travel and academic sites continue to

... Read more
April 22, 2008 9:47 AM PDT

Although CNN escaped a distributed denial-of-service (DDoS) attack planned for Saturday, the site has experienced either random outages or inflated response times over the last 72 hours, according to one Internet research company.

Netcraft reported Tuesday that during a three-hour period on Sunday morning, the CNN.com site was unavailable from its listening post in Pennsylvania. And on Monday, the site experienced inflated response times. CNN.com did suffer a minor DDoS last Thursday, but recovered by limiting access from certain geographic areas, mainly Asia.

Also on Tuesday, The Dark Visitor, a site that tracks Chinese hackers, said a downloadable tool is now available for those wanting to participate in future attacks. Over the weekend, The Dark Visitor reported on the structure in place for launching attacks on Western media. The individuals, loosely calling themselves "Revenge for the Flame" and "HackCNN," feel that Western media have not presented a balanced view in reporting on the protests in Tibet and the Olympic torch runs through major world cities.

For the most part, CNN appears to have avoided the brunt of the Chinese DDoS attacks.

That wasn't the case with The Sports Network. On Monday morning, the site (not affiliated with CNN) was down due to a "political entity in China." Blogger Christine Lu has screenshots of the message and the defaced Sports Network page (scroll down). The group HackCNN has claimed responsibility for The Sports Network attack.

April 21, 2008 12:12 PM PDT

On Monday, Microsoft released to manufacturers (RTM) the final code for Windows XP SP3. The upgrade provides support for WPA2 and the Peer Name Resolution Protocol (PNRP) used in Windows Vista, among other things. The public version will be available for download via the Web on April 29. Based on our initial installation, the upgrade will be effortless for most Windows XP users.

The last Service Pack for Windows XP, SP2, was released in August 2004. The initial release took some users all night to download and install. Microsoft had originally planned the public release for June 2004 but pushed it back. Despite numerous glitches still present in the code, Windows XP SP2 was formally made public on August 20, 2004, and Microsoft had to work hard to convince users to upgrade.

Windows XP SP2 featured a new Security Center, an improved firewall, and other tweaks.

That's not the case with SP3, which was delayed several years while Microsoft worked on Windows Vista.

Microsoft says the service pack includes functionality previously released as updates. Perhaps that's why the download and installation for SP3 was effortless on our test system. XP SP3 took only 30 minutes to download, and 10 minutes to install.

Some updates relevant to the home user include:

  • Support for WPA2, the latest standards-based wireless security solution derived from the IEEE 802.11i standard.

  • Improvements to black-hole router detection (detecting routers that are silently discarding packets). Windows XP SP3 turns this protection on by default.

  • BITS 2.

... Read more

April 21, 2008 10:35 AM PDT

On Monday, Fujitsu Computer Products of America announced the Fujitsu MHZ2 CJ series for business notebooks that features full disk encryption. The new 2.5" 7,200RPM SATA hard disk drive (HDD) incorporates the AES-256 encryption standard at the hardware level without the need for additional software.

Unlike encryption with Windows Vista BitLocker, which requires the operating system to be present, the new Fujitsu drive performs its encryption entirely within the BIOS during power on. Encryption performed within the BIOS prevents the keys from being stored in the clear anywhere on the drive.

According to Fujitsu, "the key used to encrypt and decrypt data is cryptographically regenerated at power-on, and is not known even to the HDD when the system is powered off."

Also, since all the encryption generation is done as the laptop is being powered up, there is virtually no performance hit whenever the 256-bit password key is generated.

Fujitsu plans to ship the MHZ2 CJ series starting this summer.

  • About Defense in Depth

  • With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news as well as offering the hands-on, non-technical advice you'll need to stay safe online.
