Browser attacks “can wipe out almost anything”


ISSN 1353-4858 August 2001

Incorporating E-Commerce, Internet and Telecommunications Security

Dario Forte offers some advice about securing networks against Internet abuse

Winn Schwartau explains his theoretical model for Time Based Security

Wayne Madsen fills us in on the political machinations surrounding Code Red

Editor: Chloë Palmer

International Editorial Advisory Board: Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, California University, Berkeley Lab; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact

Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK. Tel: +44-(0)1865-843645. Fax: +44-(0)1865-843971. E-mail: [email protected]

Subscription Price for one year: (12 issues) US$691/1360NLG including first class airmail delivery subject to our prevailing exchange rate. Price valid to end of 2001.

Subscription Enquiries: Orders and Payments:

For customers residing in the Americas (North, South and Central America): Elsevier Science Customer Support Department, PO Box 945, New York NY 10010 USA. Tel: (+1) 212-633-3730 [Toll free number for North American customers: 1-888-4ES-INFO (437-4636)]. Fax: (+1) 212-633-3680. E-mail: [email protected]

For customers in the rest of the World: Elsevier Science Customer Support Department, PO Box 211, 1000 AE Amsterdam, The Netherlands. Tel: (+31) 20-3853757. Fax: (+31) 20-4853432. E-mail: [email protected]

To order from our website: www.compseconline.com

Publishers of: Network Security; Computers & Security; Computer Fraud & Security; Computer Law & Security Report; Information Security Technical Report

Browser attacks “can wipe out almost anything”

The 4th generation of attacks has arrived. And it is “so significant that it can wipe out almost everything,” according to security expert David Duke of Cryptic Software. The most debilitating new attack is one which “infects people by the pure process of browsing a Web page”. The consequence of this innocent activity could be having your machine wiped out. Duke explained that by using the “Internet transport method you can load whatever you like, and you are just as at risk from browsing a website.”

Duke told Network Security that researchers at his R&D Labs are able to track new threats as they occur and that they have recently discovered a number of nasty and sophisticated new methods of attack. One such exploit that Duke has discovered uses active code, such as ActiveX (something which 60-80% of people have enabled by default), that is embedded in the Web page. To guard against this, Duke recommends disabling active code. However, this may be impractical, as Flash and other popular site design features require it in order to run properly. A better, if less secure, method is to switch active code tolerance to 'prompt mode' and only allow the execution of code when visiting trusted sites.

The Internet's development, a sign of which is the adoption of more sophisticated design tools such as Flash, has caused the nature of practical threats to change. But a bigger factor, says Duke, is that the “thinking of the people has changed”. It is not just script kiddies downloading hackneyed tools any more: the people who are writing exploits are technical and “have no morals”. The advent of a new breed of laterally thinking hackers means that, in Duke's experience, “most people are only protected against 20% of the risk.”

The general methodology has changed too. It has become more sinister. Black hats “used to make tools to hide themselves, now they are making attack tools to target security tools and make them fall over.” If Duke is right, the scope for new and bigger threats has grown and the generation of script kiddies will be superseded by an educated menace.

Contents

Hacking News
  Browser attacks "can wipe out almost everything"
  Encryption expert released on bail

Virus News
  Code Red — hype or horror?
  SirCam stampedes mail servers
  PDF no longer quite so Peachy

Wireless News
  WEP: ready in 15 minutes

Technology News
  AI used to catch pirates on Net
  Port cloaking saves zombies

Reports
  PoizonB0x Vandalizes Security Sites
  California Energy Network Under Attack
  Watching Hackers In the Honeynet

Features
  Yet Another Paradigm!
  Web Filtering: Where, How and Why
  Network Security It’s About Time
  FBI at Centre Stage of Code Red

E-commerce: The Dark Side
  Fish, CHIPs and Worms

Managing Network Security
  Bootable CDs

Events