A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.
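What the advisory's sentence describes, as an added example (a constructed model, not Internet Explorer's code and not from Microsoft): an array keeps a slot pointing at an object after the object has been released, because the array length was never updated. The names `BindingArray`, `Record`, `release_buggy` and `release_fixed` are hypothetical, and a `live` flag in static storage stands in for real heap frees so the stale slot can be detected without touching freed memory.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a "bound" array of object pointers plus its length. */
typedef struct { int id; bool live; } Record;
typedef struct { Record *slot[4]; size_t len; } BindingArray;

static Record pool[4];              /* static storage stands in for the heap */

static void init(BindingArray *a) {
    a->len = 4;
    for (size_t i = 0; i < 4; i++) {
        pool[i].id = (int)i;
        pool[i].live = true;
        a->slot[i] = &pool[i];
    }
}

/* The flaw as described: the object is released, the length is not updated. */
static void release_buggy(BindingArray *a, size_t i) {
    if (i >= a->len) return;
    a->slot[i]->live = false;       /* object gone; slot and len untouched */
}

/* Hardened form: remove the slot and shrink the length in the same step. */
static void release_fixed(BindingArray *a, size_t i) {
    if (i >= a->len) return;
    a->slot[i]->live = false;
    for (size_t j = i; j + 1 < a->len; j++) a->slot[j] = a->slot[j + 1];
    a->slot[--a->len] = NULL;
}

/* Count slots inside len that still point at a released object. */
static size_t stale_slots(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->slot[i] && !a->slot[i]->live) n++;
    return n;
}

int main(void) {
    BindingArray a;
    init(&a); release_buggy(&a, 1);
    printf("buggy: len=%zu stale=%zu\n", a.len, stale_slots(&a));
    init(&a); release_fixed(&a, 1);
    printf("fixed: len=%zu stale=%zu\n", a.len, stale_slots(&a));
    return 0;
}
```

In the buggy case any later loop over the array still reaches the released object, which is the "deleted object's memory space" the advisory mentions; in the fixed case no slot inside the length refers to it.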

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.

Not that that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003”. If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

The Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like php is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, I went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)
MarkH says:

Doesn’t support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your e-bay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

Deutsche malware

A Nelson-esque “Ha Ha” if you thought that other EC countries might be havens where the seemingly outdated Euro-values (justice, tolerance, protection under the law, presumption of innocence, free speech) are still observed.

The government of Germany (that’s the combined former East & West Germanies. Remember East Germany? That’s the one with the Stasi and a population that was so avid for freedom 20 years ago) has approved what the Register calls a Plod-spyware law.

This handy law will give the German government the “anti-terror” powers to monitor private homes, phones and computers. Don’t you just love the TWAT? Any government in the world can now take any powers they fancy just by invoking its name.

Instead of tapping phones, they would be able to use video surveillance and even spy software to collect evidence. Physically tampering with suspects’ computers would still not be allowed, but police could send anonymous e-mails containing trojans and hope the suspects infect their own computers (from the Register story)

Wow, government spam that carries malware! Did I put enough exclamation marks there? Here are more!!!!!!!

These powers will only be used in exceptional cases, yada, yada, usw. Oh yeah?

There have already been several recent scandals about over-the-top surveillance in Germany (Lidl, Deutsche Telekom, usw). Although, unlike the UK, at least the Germans don’t yet seem to lose personal data on a biblical scale. But, if the Lidl surveillance is any guide, they see information on the dates of surveillees’ menstruation as worth gathering.

XanderG made a beautifully phrased comment on a WgyDontYou post a couple of weeks ago.

I’ve never understood how we’re supposed to find a needle in a haystack, by chucking in more hay. So many of these measures simply add dead-ends and wild goose chases to an already massive monitoring system. How are we going to catch anybody with real malicious plans? (XanderG)

If a government REALLY cares about preventing terrorism, it is blatantly illogical to collect massive amounts of information on the general public. It’s well nigh inconceivable how much information is flying around in a noughts-and-ones format.

For instance, almost every person I passed in a half-hour walk was having a mobile phone conversation – including three dog-walkers and two cyclists. (Cycling, in traffic, ffs. Unselfish people, trying to cull themselves for the good of the gene pool) Pretty well every house in my low-income street has a relatively-fast broadband connection. There are enough traffic cameras and public CCTV installations in a 500 yard radius to provide a year’s 24-hour broadcast reality tv on every known channel.

Scale this level of data traffic up to the population of the UK and Germany. Unless half the population is engaged in monitoring this hurricane of electronic noise – using the most advanced pattern recognition and cryptographic algorithms known to science – anyone who is gathering this data might as well not bother.

Well not if they care about detecting real social threats anyway. It might come in very handy for finding people who are spoofing their address to get their kid into a school slightly out of their area. Or it might catch someone who hasn’t paid their car tax or is claiming invalidity benefit while working (as the threatening TV and billboard ads keep telling us).

It might not seem to make sense but I have finally figured it out, with the help of the Matrix and the Church of Scientology.

Clearly, the earth is threatened by a monstrous alien intelligence that eats human data. It can only be kept at bay by feeding it gargantuan stores of bytes. Earth rulers are doing us a favour by collecting all our data and recycling it as xenofood to stuff in the gaping maw of the evil extraterrestrial overlord Zarg. They can’t tell us the truth because there would be a global panic.

A question for the lawyers out there – Sending malware in spam may not be a crime if the German police are doing it. But would installing this malware become a crime if the recipient of a German-police email were to forward the spam to, say, a member of the German government? The government of another country? A major corporation? At what point?