ABXZone Computer  Forums



Old 06-12-2004, 05:08 PM   #196
Registered User
 
Join Date: Nov 2003
Posts: 13,497

Well, I replaced a dead DLink with the Netgear Access Point. I find the interface much better than the one the DLink had (admittedly that probably has changed in the last year or so), the range to be superior, and that it was much more compatible with other brands' adaptors. Other than that, and that the DLink died about two weeks after the warranty ran out, and DLink Customer Service told me to get lost when I called them, why, I liked it just fine.

But, everyone's brand experience and preference is different, and the point of this thread isn't brand likes or dislikes, but protecting yourself properly. So, if your DLink has SPI and port stealthing, then fine, it is protecting you. Use it and browse safely, that's the important thing. And, thanks for the link on the specs showing that it has SPI.

(Offline)   Reply With Quote
Old 06-12-2004, 08:57 PM   #197
ABXpert
 
wonderwrench's Avatar
 
Join Date: Mar 2003
Location: Mpls MN
Posts: 1,606
Quote:
Originally Posted by PCBruiser
Well, I replaced a dead DLink with the Netgear Access Point. I find the interface much better than the one the DLink had (admittedly that probably has changed in the last year or so), the range to be superior, and that it was much more compatible with other brands' adaptors. Other than that, and that the DLink died about two weeks after the warranty ran out, and DLink Customer Service told me to get lost when I called them, why, I liked it just fine.

But, everyone's brand experience and preference is different, and the point of this thread isn't brand likes or dislikes, but protecting yourself properly. So, if your DLink has SPI and port stealthing, then fine, it is protecting you. Use it and browse safely, that's the important thing. And, thanks for the link on the specs showing that it has SPI.
You are correct, sorry about jumping you. I should have just posted a link to the SPI info and left it at that.
__________________
C2D E6400 @ 3 Ghz*MSI P35 Neo2-FR bios 1.8*4X 2 gigs DDR2 800 ram*Evga 8800GT SSC *SATA HD's 1 Seagate 320 gig, 1 Samsung 320 gig *LiteOn sohw-1693s*Plextor PX 716a*Teac Floppy*FSP AX450-PN PSU* Rosewill R6AR6-BK case*XP pro sp3 32 bit\Vista Ultimate 64 bit

Good judgment comes from experience, and often experience comes from bad judgment.
(Offline)   Reply With Quote
Old 06-12-2004, 09:19 PM   #198
Registered User
 
Join Date: Nov 2003
Posts: 13,497
No problem, wonderwrench, we each have our favorite brands and tend to both migrate and defend our choices. It's good to have altering opinions here, it adds diversity and provides alternatives and choices for everyone.
(Offline)   Reply With Quote
Old 06-23-2004, 07:09 PM   #199
Registered User
 
Join Date: May 2004
Posts: 2
"Real men" build their own Linux box that does routing & firewall. Snort + Demarc's PureSecure, for example, is kinda nice to have running :P

Snort:
http://www.snort.org/about.html

PureSecure:
http://www.demarc.com/products/puresecure/features/
(Offline)   Reply With Quote
Old 06-23-2004, 09:04 PM   #200
Never Ending
 
wayne_abx's Avatar
 
Join Date: Jul 2002
Location: Vancouver, Washington (State)
Posts: 4,188
Quote:
Originally Posted by johto
"Real men"
__________________
System-1 (primary)
Intel D875PBZLK FMB 1.5 > Pentium 4/ 3.0E (D0) > Crucial Ballistix 512mb PC4000 (Dual Channel) > ATI Radeon 9500 Pro (128) > Audigy 2 Platinum > Thermaltake P4 Spark 7+ (Xaser Edition) - Antec 80x80mm x5 > 1x 80GB WD SE - 2x Seagate 200GB 7200RPM Barracuda 7200.7 Plus SATA > Lite-On LDW811s dvd +/- Tashiba SDM1712 DvD > Antec 430 TP > WinXP W/SP-2

Gigabit Network, Linksys WRT54GS, Linksys EG008W 8-port gigabit switch, ximeta network storage, Motorola SB4200
(Offline)   Reply With Quote
Old 06-23-2004, 09:12 PM   #201
Palm Rat
 
Wingit's Avatar
 
Join Date: Oct 2002
Location: Southwest Florida, USA
Posts: 4,740
Quote:
Originally Posted by wayne
you know, wayne.....penguins on steroids!
__________________
(Online)   Reply With Quote
Old 06-23-2004, 09:29 PM   #202
Never Ending
 
wayne_abx's Avatar
 
Join Date: Jul 2002
Location: Vancouver, Washington (State)
Posts: 4,188
__________________
System-1 (primary)
Intel D875PBZLK FMB 1.5 > Pentium 4/ 3.0E (D0) > Crucial Ballistix 512mb PC4000 (Dual Channel) > ATI Radeon 9500 Pro (128) > Audigy 2 Platinum > Thermaltake P4 Spark 7+ (Xaser Edition) - Antec 80x80mm x5 > 1x 80GB WD SE - 2x Seagate 200GB 7200RPM Barracuda 7200.7 Plus SATA > Lite-On LDW811s dvd +/- Tashiba SDM1712 DvD > Antec 430 TP > WinXP W/SP-2

Gigabit Network, Linksys WRT54GS, Linksys EG008W 8-port gigabit switch, ximeta network storage, Motorola SB4200
(Offline)   Reply With Quote
Old 06-27-2004, 10:22 PM   #203
Registered User
 
Join Date: Oct 2003
Posts: 277
Older Linksys

Ok.
Dumb question.
Using older Linksys router 4 port BEFSR41
Don't think it has SPI.
BUT at GRC all is stealth.
So should I worry about no SPI?
Confusing.

thx.

mktsurf
(Offline)   Reply With Quote
Old 06-27-2004, 10:38 PM   #204
Registered User
 
Join Date: Oct 2003
Posts: 277
Currports

Is there a safe website for downloading currports
so I don't have to unzip?
No utility for that here.
I know behind the times.
Thx.

mktsurf
(Offline)   Reply With Quote
Old 06-28-2004, 12:35 AM   #205
Registered User
 
Join Date: Nov 2003
Posts: 13,497
If you have XP it has zip file handling built in, otherwise you can download the evaluation version of winzip from their site and use that. Unfortunately we can't post .exe files here, and there is no place to download the non-zip version AFAIK, unless you find one with a google. If you can't find an .exe file that way, send me a PM with an email address I can use, and I will email you the .exe file. It's small, and as long as your ISP doesn't block .exe attachment containing email, I can get it to you that way.

Regarding SPI and stealth mode, they are two very different things. Even if your port is in stealth mode, SPI still serves as a "one way door" for outbound packet requests, forbidding any inbound packets which might enter at the time of a request from entering if they are not specifically in answer to an outbound request. Really stealth and SPI are two different things. Eventually, consider replacing your current older model which doesn't have SPI, with a newer one that does have it. A worthwhile investment. Being in full stealth does, however, help considerably, and will help protect you until you can make the investment.

Last edited by PCBruiser : 06-28-2004 at 12:45 AM.
(Offline)   Reply With Quote
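The difference between stealth and SPI described in the post above, as an added example that is not part of the original thread: a simplified Python model (not any router's actual firmware) that replays the same constructed inbound packets through a port-only "stealth" filter and a connection-tracking filter. The class names, addresses and ports are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

class StealthOnlyFilter:
    """Port-based model: silently drops traffic to ports nothing is using,
    but trusts any sender on a port that has carried outbound traffic."""
    def __init__(self):
        self.ports_in_use = set()

    def outbound(self, pkt):
        self.ports_in_use.add(pkt.src_port)

    def inbound(self, pkt):
        return "ACCEPT" if pkt.dst_port in self.ports_in_use else "DROP"

class StatefulFilter:
    """SPI model: an inbound packet must belong to a tracked connection
    (same local port, remote IP and remote port) and fit its state."""
    def __init__(self):
        self.conns = {}  # (local_port, remote_ip, remote_port) -> state

    def outbound(self, pkt):
        if pkt.flags == {"SYN"}:  # a new outbound connection attempt
            self.conns[(pkt.src_port, pkt.dst_ip, pkt.dst_port)] = "SYN_SENT"

    def inbound(self, pkt):
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.conns.get(key)
        if state is None:
            return "DROP"              # not an answer to anything we sent
        if state == "SYN_SENT":
            if pkt.flags == {"SYN", "ACK"}:
                self.conns[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"              # only a SYN-ACK may answer our SYN
        if "SYN" in pkt.flags:
            return "DROP"              # new handshake on a live connection
        return "ACCEPT"

# Constructed sample addresses (documentation ranges), not real hosts.
WAN, SERVER, STRANGER = "203.0.113.5", "198.51.100.7", "192.0.2.66"

def flags(*names):
    return frozenset(names)

def replay(fw):
    """One outbound web request, then five constructed inbound packets."""
    fw.outbound(Packet(WAN, 40000, SERVER, 80, flags("SYN")))
    inbound = [
        Packet(SERVER, 80, WAN, 40000, flags("SYN", "ACK")),  # genuine reply
        Packet(STRANGER, 4444, WAN, 113, flags("SYN")),       # probe, unused port
        Packet(STRANGER, 80, WAN, 40000, flags("ACK")),       # wrong sender, live port
        Packet(SERVER, 80, WAN, 40000, flags("SYN")),         # right sender, wrong state
        Packet(SERVER, 80, WAN, 40000, flags("ACK")),         # genuine follow-up data
    ]
    return [fw.inbound(p) for p in inbound]

if __name__ == "__main__":
    print("stealth only:", replay(StealthOnlyFilter()))
    print("stateful    :", replay(StatefulFilter()))
```

Both filters drop the probe to the unused port, which is all an external port scan can observe; only the stateful filter also rejects the two packets that arrive on the in-use port without being a valid answer to the outbound request.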
Old 06-28-2004, 03:48 PM   #206
Registered User
 
Join Date: Nov 2003
Posts: 13,497
They Keep on Coming!

OK, folks, just in case you haven't thought long and hard about security, here is a truly STAGGERING statistic. DShield, which tracks attacks in real time over the internet via reports from participating companies and individuals, will break a spectacular number this month. By the end of June they will have accumulated over 1 BILLION attack reports this month alone. And that's just those reported into their database, a small percentage of the actual number. Over 35 MILLION reported today alone.

Take a look yourself if you have a problem comprehending these staggering numbers:

http://www.dshield.org/index.php
(Offline)   Reply With Quote
Old 06-30-2004, 06:10 PM   #207
Registered User
 
Deliriou5?'s Avatar
 
Join Date: Jan 2004
Location: New Gloucester,Maine
Posts: 486
Thx PCB for this extremely useful thread. I ran the test and my linksys befsx41 is all stealth except for port 113, not too happy about that.
__________________
DFI LanpartyUT nF4 Ultra-D 704-2bta bigtoe bios Opteron 165 (0546 mpmw 311x9 1.55v)
2gb OCZ pc4000GX XTC (DDR550) | BBA x800xl 256mb PCI-E x16
SoundBlaster Audigy 2 zs | 2 x WD Raptor 36gb raid 0 | 2 x Seagate 160gb 7200.9 raid 0
NEC DVD+/-RW ND-3520AW | OCZ Powerstream 520

G4 Storm|DD Maze4 gpu|50z|PA120.3


My other hobby

Last edited by Deliriou5? : 07-01-2004 at 09:38 AM.
(Offline)   Reply With Quote
Old 06-30-2004, 09:11 PM   #208
Registered User
 
Join Date: Oct 2003
Posts: 277
Examples of why warnings should be taken seriously

Pop-up program reads keystrokes, steals passwords
Last modified: June 29, 2004, 12:56 PM PDT
By Robert Lemos
Staff Writer, CNET News.com

A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday.

News.context

What's new:
A malicious program that installs itself by way of a pop-up ad can read keystrokes and steal passwords when victims visit any one of nearly 50 targeted banking sites.

Bottom line:
The program is part of a larger trend, as malicious hackers increasingly focus not on random acts of destruction but on stealing money.


The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.

"If (the program) recognizes that you are on one of those sites, it does keystroke logging," said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. "The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web."

Sachs said the Trojan horse was first discovered on the computer of "an employee at a major dot-com." The victim apparently picked up the program from a malicious pop-up ad that used a flaw in Internet Explorer's helper server to install itself on the user's PC. In this case, because of the computer's security settings, the installation failed. Microsoft said IE users should raise the security settings to high until the company issues a patch.

Two other IE flaws, which Microsoft has yet to fix, were used recently in two other hacking schemes, one last week that turned some Web sites into points of digital infection, and another, earlier in the month, that installed a toolbar on victims' computers that triggered pop-ups. This most recent Trojan horse differs from the attack software used in last week's Web site compromises but could be paired with that technique to spread spyware.

Researchers at the Internet Storm Center studied the Trojan horse file, called "img1big.gif," which was provided by the dot-com. Working through the weekend, the security experts reverse-engineered the program and discovered that it targeted a long list of banks and attempted to steal the account information of those institutions' customers.

The program points to a recent trend in computer viruses and remote-access Trojan horse, or RAT, programs: Attackers are increasingly after money. In April, security experts warned that 'bot networks'--large networks of zombified home PCs--are a greater threat than high-profile worms such as Sasser and MSBlast, because they could be used to steal financial information or to send untraceable spam.

"In the past, the most common way to collect financial information was through fraud like the Nigerian e-mail scam," said Oliver Friedrichs, senior manager in antivirus company Symantec's security response center. Friedrichs said that in the past few months, Symantec analysts have studied threats similar to the current Trojan horse.

Because it carries a .gif file extension, the Trojan horse appears to be a graphic in a compressed format commonly found on the Internet. In reality, it's two programs: a browser helper file that surreptitiously captures usernames and passwords; and a "file dropper" that installs the keyword logger on the victim's computer.

The first file attempts to run itself by using an old Internet Explorer flaw, and the second file uses a feature of most major browsers, known as helper files, to intercept data, Sachs said.

"Before data goes through your browser, it can be processed by a helper file," he said. "What makes this one really clever is that (it takes) advantage of the ability in all browsers to use helper files and defeat the encryption."

Once the Trojan horse captures financial information, it encrypts the data by using a program hosted on an Internet server and sends the data back to the attackers, who appear to be in South America, Sachs said.

Security experts have stressed the vulnerability of Microsoft's Internet Explorer recently, following public warnings of vulnerabilities in the browser that could enable attackers to install malicious programs. Those flaws have not yet been fixed by Microsoft.

An attack that had used a vulnerability to turn some Web sites into points of digital infection was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

While the latest program is installed on Windows computers using a known vulnerability, the helper file hack exploits a feature, not a flaw, and could work with most major browsers, Sachs said.

"Sometimes, there's not much difference between a feature and a flaw," he said.
(Offline)   Reply With Quote
Old 06-30-2004, 09:14 PM   #209
Registered User
 
Join Date: Oct 2003
Posts: 277
More

Web site virus attack blunted
Last modified: June 25, 2004, 12:58 PM PDT
By Robert Lemos
Staff Writer, CNET News.com

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

The attack, which had turned some Web sites into points of digital infection, was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should take precautions, as the Internet underground is increasingly using this type of attack as a way to get by network defenses and infect office workers' and home users' computers.

"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."

The attack worked by infecting some Web sites so that when Net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been. Some have speculated that the purpose could have been spam distribution.

"It is a tremendously powerful way to get into a corporation," Huger said of this sort of attack. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself on victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected. Additionally, last fall, a similar attack may have been facilitated through a mass intrusion at Interland, sources familiar with that case said.

The Internet Explorer flaws that enabled the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some Web functionality. The company also promised a patch for the flaws soon.

"We are not seeing that this threat is widespread, but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response center.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server, or IIS.

After that code redirected them to one of two sites, most often to the server in Russia, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.

It's unknown how many Web sites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected sites is relatively small, given the total number of sites that exist.

Still, the network of compromised sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, a Net threat-monitoring site.

"This is the first time that this many Web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well, because the exploit wasn't as effective."

Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the Internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.
(Offline)   Reply With Quote
Old 06-30-2004, 09:17 PM   #210
Registered User
 
Join Date: Oct 2003
Posts: 277
Progress

IE competitors mull ActiveX alternative
Last modified: June 30, 2004, 1:44 PM PDT
By Paul Festa
Staff Writer, CNET News.com

Everybody who is anybody who is not Microsoft has joined forces to create a new way of running software applications inside a Web browser.

At stake is the future of Web "plug-ins," third-party programs such as Macromedia's Flash animation software that operate within browsers. Microsoft's rivals want to enhance plug-ins to match capabilities available in Internet Explorer through Microsoft's ActiveX technology.

The Mozilla Foundation, Opera Software and Apple Computer--all browser makers--said on Wednesday that they have teamed up with plug-in vendors Sun Microsystems, Adobe Systems and Macromedia to revise the way plug-ins run in non-Microsoft browsers.

ActiveX lets plug-ins interact directly with the content on a Web page, creating a powerful tool that's gained notoriety for repeated security problems. Using ActiveX, a music Web page can play a song list through Microsoft's Windows Media Player plug-in, or a Flash e-commerce movie can send price totals back to a billing Web page.

The rest of the browser world has long relied on the NPAPI (Netscape Plug-in Application Programming Interface) to launch plug-ins.

The Mozilla Foundation is an open-source group developing browser code that originated with Netscape Communications before Netscape was acquired by America Online. Last year, AOL spun off the open-source group as a nonprofit foundation and renewed its browser ties with Microsoft.

"There's currently a hole in what's available, if you're not willing to be part of the Microsoft ActiveX world," said Mozilla Foundation President Mitchell Baker. "That's existed for a while and appeared to be difficult to fix, but we made the decision to gather up the players and fix it not only for Mozilla, but (also) for the rest of the browser and plug-in providers."

Mozilla's update to the NPAPI relies on a World Wide Web Consortium (W3C) recommendation called the DOM, or Document Object Model. The DOM is designed to let scripting languages like JavaScript act directly on elements of a Web page.

Microsoft's powerful and proprietary ActiveX technology has long been faulted for its lack of security. Mozilla said its updated NPAPI would address security concerns head-on but did not say how.

Baker said her group would start implementing the new NPAPI in nightly builds of the Mozilla code base over the next few weeks, before entering a testing phase. The technology won't be usable until plug-in vendors support it, and Baker said there is no time frame for that phase of the upgrade.

Scripting aficionados hailed the partnership.

"It's good news that there's cooperation from Mozilla, Opera and the other players," said Dave Winer, the owner of Scripting News and, until tomorrow, a fellow at the Berkman Center for the Internet & Society at Harvard Law School. "And it's just generally a very good thing to see the Web going forward as a platform and making progress.
(Offline)   Reply With Quote