[ISN] Is the "Drive-by Pharming" Attack Misnamed?

From: InfoSec News (alerts@infosecnews.org)
Date: Thu Feb 22 2007 - 01:10:06 CST


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ontrack Data Recovery: Data loss prevention tips
   http://list.windowsitpro.com/t?ctl=4B3D3:57B62BBB09A6927915328BC315BA14AA

Free White Paper: Address the Insider Threat
   http://list.windowsitpro.com/t?ctl=4B3DB:57B62BBB09A6927915328BC315BA14AA

Hosted Security: A solution for small and medium-sized businesses
   http://list.windowsitpro.com/t?ctl=4B3C7:57B62BBB09A6927915328BC315BA14AA

=== CONTENTS ===================================================

IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed?

NEWS AND FEATURES
   - Master AACS Key Found
   - 12 Microsoft Security Bulletins for February 2007
   - Checking Audit Logs for Tampering
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Schneier on DRM
   - FAQ: Administrative Templates for Windows Vista
   - From the Forum: Chroot/Jail Implementation for Windows
   - Share Your Security Tips

PRODUCTS
   - IP Storage Appliances Add Encryption
   - Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Ontrack Data Recovery =============================

Ontrack Data Recovery: Data loss prevention tips

Snow storms, extreme heat, hurricanes... they all have the potential to
interrupt your business and damage your data storage systems. While
your business might never be directly impacted by a natural disaster,
data loss can strike companies anytime and anywhere.

Be prepared by learning how to prevent data loss and what to do when
data loss affects your business.

Ontrack Data Recovery, the world leader in data recovery services and
software, is pleased to offer a FREE e-newsletter that addresses data
loss prevention and response.

Recent topics discussed in Ontrack's Data Recovery News include:
- Seven things to avoid when your drive crashes
- Data recovery options for flash media
- Do-it-yourself data recovery software products

Sign up for the FREE Ontrack Data Recovery Newsletter today:
http://list.windowsitpro.com/t?ctl=4B3D3:57B62BBB09A6927915328BC315BA14AA

=== IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed? ======
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Any wireless Access Point (AP) that uses a default password is
vulnerable to manipulation by anyone that can gain some form of
connectivity to it. If the wireless AP's management interface is Web-
based, it can be mimicked, and therein resides a problem waiting to
happen.

If an intruder can craft a special Web page that mimics the
functionality of an AP management interface, that Web page could take
any action against an AP that's allowed by the management interface. So
what's to stop an attacker from developing a Web page that, when
viewed, changes any of the available AP settings? Not much, apparently.

Symantec researchers recently blogged about this very scenario, and
they point out how an attacker might use this attack method to change
DNS settings, which could lead to phishing scams. In the blog article,
they wrote, "The attackers create a Web page that includes malicious
JavaScript code. When the Web page is viewed, this code, running in the
context of your Web browser, uses a technique known as 'Cross Site
Request Forgery' and logs into your local home broadband router.... One
simple, but devastating, change is to the user's DNS server settings."
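The scenario above works only because the router's management interface trusts whatever the browser sends along with the session (the saved or default credentials) and nothing else. As an added example, not code from the newsletter or from Symantec, the Python below models the three server-side checks a router's Web management interface needs so that a page loaded in the visitor's browser cannot silently apply a change such as new DNS servers: refuse changes while the factory password is still set, accept state-changing requests only from the device's own origin, and require a per-session token that a foreign page cannot read. The management address, endpoint path, header values and requests are all constructed for the demonstration.

```python
"""Added example: server-side checks for a router's Web management interface.
Everything here (device origin, endpoint path, requests) is constructed."""

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"   # assumed LAN-side management address


@dataclass
class Session:
    """Server-side state for one logged-in administrator browser session."""
    password_changed: bool                      # False while the factory password is in use
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]   # e.g. {"Origin": "...", "Referer": "..."}
    form: Dict[str, str]      # POST body fields


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so it can be compared to DEVICE_ORIGIN."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_settings_change(req: Request, session: Session) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Only POST is treated as state-changing: a GET must never alter configuration,
    otherwise an <img> or <script> tag on any page could trigger the change."""
    if req.method != "POST":
        return False, "settings changes must use POST"

    # 1. No configuration changes while the factory default password is still set.
    #    This is the root cause the article names; force the owner to change it first.
    if not session.password_changed:
        return False, "default password still set; change it first"

    # 2. Origin/Referer check. The browser adds these headers itself and a page on
    #    another site cannot forge them, so a foreign origin identifies a forged request.
    #    Reject when neither header is present rather than trusting the request.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None:
        return False, "missing Origin/Referer"
    if origin_of(src) != DEVICE_ORIGIN:
        return False, f"cross-origin request from {origin_of(src)}"

    # 3. Synchronizer token. The form must carry the secret bound to this session;
    #    the same-origin policy keeps a foreign page from reading it, so it cannot
    #    include it. Constant-time comparison avoids leaking the token by timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or wrong CSRF token"

    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed requests and return the decision for each."""
    session = Session(password_changed=True)
    dns_change = {"dns1": "192.0.2.53"}   # documentation-range address, constructed

    # The owner submits the router's own DNS form: same origin, token present.
    legit = Request("POST", "/apply_dns.cgi", {"Origin": DEVICE_ORIGIN},
                    {**dns_change, "csrf_token": session.csrf_token})
    # The drive-by case from the article: a form auto-submitted by a page on another
    # site. The browser attaches the router session, but Origin names the other site
    # and the page cannot know the token.
    foreign = Request("POST", "/apply_dns.cgi",
                      {"Origin": "http://example.test",
                       "Referer": "http://example.test/page.html"},
                      dict(dns_change))
    # Same origin, but the token is absent (a replayed request without the page).
    no_token = Request("POST", "/apply_dns.cgi", {"Origin": DEVICE_ORIGIN}, dict(dns_change))
    # A device still on its factory password: refused even with a valid token.
    fresh = Session(password_changed=False)
    default_pw = Request("POST", "/apply_dns.cgi", {"Origin": DEVICE_ORIGIN},
                         {**dns_change, "csrf_token": fresh.csrf_token})
    # A GET that tries to change settings through the query string.
    get = Request("GET", "/apply_dns.cgi?dns1=192.0.2.53", {}, {})

    return {
        "legit": check_settings_change(legit, session),
        "foreign": check_settings_change(foreign, session),
        "no_token": check_settings_change(no_token, session),
        "default_pw": check_settings_change(default_pw, fresh),
        "get": check_settings_change(get, session),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:>10}: {'allowed' if allowed else 'refused'} ({reason})")
```

Of the three checks, the token is the one that holds up on its own: an Origin or Referer header can be absent in some browsers and proxies, and the password check only closes the default-credential case. Interfaces that authenticate with HTTP Basic auth (common on home routers of this era) get no help from the browser here, since it resends the cached credentials with every request, which is exactly why a per-session secret the foreign page cannot read is needed on top of the login.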

Symantec chose to call this attack "drive-by pharming," and that
bothers me. I saw several headlines about this attack type on the
Internet before I read the Symantec blog, and I thought, "Oh great,
another way to get in your car, drive around, find unprotected APs, and
steal people's information." But this attack has absolutely nothing in
common with war-driving. So Symantec introduced confusion with the
attack name, and some media reports spread the confusion further.

Symantec would do well to stop confusing us about security problems
with its use of misleading attack-type names. In the case of "drive-by
pharming," the attack has nothing to do with being in close proximity
to an AP (as is the case with war-driving) and is related to "pharming"
only in that attackers could use the management interface vector to
manipulate DNS to point to the DNS servers of their choice, which in
turn could resolve certain host names to IPs that point to pharming
sites.

The ability to attack someone's DNS settings could be exploited in a
variety of ways, none of which Symantec bothered to mention. For
example, an attack could install botnet software or other malware, spy
on Web usage habits, intercept email, or intercept sensitive files for
corporate espionage; the list goes on and on. It seems to me that
misnaming attacks is itself a security problem because it misinforms
people who might not have the time to delve deeper into the nuts and
bolts behind a given title. I think Symantec should consider patching
its naming methods. What do you think? Send me an email with your
thoughts on this issue.

If you're interested in the Symantec report, you can read it at:
   http://list.windowsitpro.com/t?ctl=4B3C5:57B62BBB09A6927915328BC315BA14AA

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat
   Learn how to develop a comprehensive management system that
virtually eliminates the risk of an insider threat. Co-authored by
NetIQ and Dr. Eric Cole, this informative white paper identifies the
key business processes that must be secured and ready to build a
solution to contain the insider threat.
   http://list.windowsitpro.com/t?ctl=4B3DB:57B62BBB09A6927915328BC315BA14AA

=== SECURITY NEWS AND FEATURES =================================

Master AACS Key Found
   The Advanced Access Content System (AACS) protection used in HD DVD
and Blu-ray Disc systems sustained another attack--this one more
devastating than the last.
   http://list.windowsitpro.com/t?ctl=4B3D5:57B62BBB09A6927915328BC315BA14AA

12 Microsoft Security Bulletins for February 2007
   Microsoft released 12 security updates for February, rating 6 of
them as critical, including a critical update for the company's malware
protection engine. The engine is used by several Microsoft products,
including Windows Defender--a core component of Windows Vista.
   http://list.windowsitpro.com/t?ctl=4B3D4:57B62BBB09A6927915328BC315BA14AA

Checking Audit Logs for Tampering
   Many administrators wonder if there is anything built into Windows
that can verify that the Security event log hasn't been tampered with
in some way. Randy Franklin Smith gives you the answer and explains how
to look for signs of tampering.
   http://list.windowsitpro.com/t?ctl=4B3D0:57B62BBB09A6927915328BC315BA14AA

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
   http://list.windowsitpro.com/t?ctl=4B3CB:57B62BBB09A6927915328BC315BA14AA

=== SPONSOR: St. Bernard Software ==============================

Hosted Security: A solution for small and medium-sized businesses
   Is effective security out of reach for your small or medium-sized
business? Imagine having a team of IT experts who only focus on
security as part of your staff. Download this free must-have white
paper today and find out how you can eliminate your company's security
risks.
   http://list.windowsitpro.com/t?ctl=4B3C7:57B62BBB09A6927915328BC315BA14AA

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Schneier on DRM
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4B3D9:57B62BBB09A6927915328BC315BA14AA

You've probably heard of Bruce Schneier. Have you heard what he has to
say about DRM? Learn more about my opinion on DRM and get a link to
what Schneier says in this blog article on our Web site.
   http://list.windowsitpro.com/t?ctl=4B3D1:57B62BBB09A6927915328BC315BA14AA

FAQ: Administrative Templates for Windows Vista
   by John Savill, http://list.windowsitpro.com/t?ctl=4B3D7:57B62BBB09A6927915328BC315BA14AA

Q: Where are the Windows Vista administrative template (i.e., ADMX)
files stored?

Find the answer at
   http://list.windowsitpro.com/t?ctl=4B3D2:57B62BBB09A6927915328BC315BA14AA

FROM THE FORUM: Chroot/Jail Implementation for Windows
   A forum participant writes that he's aware of WinQuota's WinJail
Desktop software, which implements a type of sandbox/chroot/jail
environment similar to the one found on UNIX and Linux systems. He
wonders if other similar tools are available for Windows and whether
such an approach is useful. Join the conversation at the URL below.
   http://list.windowsitpro.com/t?ctl=4B3C6:57B62BBB09A6927915328BC315BA14AA

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@windowsitpro.com

IP Storage Appliances Add Encryption
   Siafu Software announced that hardware data encryption is now
standard on all Siafu Swarm IP SAN appliances. Siafu Swarm appliances
are available in 1U, 2U, 3U, and 6U configurations, can store from 1TB
to 7.5TB, use iSCSI, and feature RAID 51/61 active/active failover
technology. Siafu Swarm IP encrypted SAN solutions are available
starting at $8,995. For more information, go to
   http://list.windowsitpro.com/t?ctl=4B3DE:57B62BBB09A6927915328BC315BA14AA

WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@windowsitpro.com and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=4B3D6:57B62BBB09A6927915328BC315BA14AA

Deploy Exchange Server 2007 Without a Hitch!
   This one-day technical training event teaches you how to preempt
pitfalls and avoid corrupting your infrastructure. You'll learn how to
effectively install, manage, and secure Exchange Server 2007 in a 64-
bit environment. You'll also get a peek into the integration of
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register
today!
   http://list.windowsitpro.com/t?ctl=4B3CA:57B62BBB09A6927915328BC315BA14AA

Get Ready for the Windows Server Longhorn Roadshow!
   Seize control of your Windows infrastructure with Microsoft's
biggest server release since Windows 2003. Get a live, under-the-hood
look at Longhorn virtualization, deployment, Web services, and
breakthroughs in core reliability. This one-day event is filled with
demonstrations and in-depth discussions designed for IT pros who want a
deep understanding of Windows Server Longhorn.
   http://list.windowsitpro.com/t?ctl=4B3CE:57B62BBB09A6927915328BC315BA14AA

Tired of outdated and incomplete data modeling solutions? Build or re-
engineer your business applications quickly, cost-effectively, and
consistently with Sybase PowerDesigner 12. Download this free white
paper today and learn how you can easily transfer your ERwin skills and
start taking advantage of all of PowerDesigner's features.
   http://list.windowsitpro.com/t?ctl=4B3C9:57B62BBB09A6927915328BC315BA14AA

=== FEATURED WHITE PAPER =======================================

Prevent installation and execution of unauthorized software on the
computers on your network. Download this free white paper today for a
comparison of different techniques for detecting and preventing
unauthorized code. Protect against emerging risks today!
   http://list.windowsitpro.com/t?ctl=4B3C8:57B62BBB09A6927915328BC315BA14AA

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
   Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
   http://list.windowsitpro.com/t?ctl=4B3CC:57B62BBB09A6927915328BC315BA14AA

Grab Your Share of the Spotlight!
   Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting April nominations now, but only for a limited
time! Submit your nomination today:
   http://list.windowsitpro.com/t?ctl=4B3DA:57B62BBB09A6927915328BC315BA14AA

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
   http://list.windowsitpro.com/t?ctl=4B3D8:57B62BBB09A6927915328BC315BA14AA
   http://list.windowsitpro.com/t?ctl=4B3DD:57B62BBB09A6927915328BC315BA14AA

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=4B3CF:57B62BBB09A6927915328BC315BA14AA

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
   About Security UPDATE content -- letters@windowsitpro.com
   About technical questions -- http://list.windowsitpro.com/t?ctl=4B3DC:57B62BBB09A6927915328BC315BA14AA
   About your product news -- products@windowsitpro.com
   About your subscription -- windowsitproupdate@windowsitpro.com
   About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=4B3CD:57B62BBB09A6927915328BC315BA14AA

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss