[ECP] In Focus: Is the "Drive-by Pharming" Attack Misnamed?

  • From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
  • To: NetworkNewsletters@xxxxxxxxxxxxx
  • Date: Thu, 22 Feb 2007 11:20:45 -0500
¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤,¸¸,ø¤º
Please link to the Educational CyberPlayGround
http://www.edu-cyberpg.com

Add your K12 SCHOOL OR SCHOOL DISTRICT URL
http://www.edu-cyberpg.com/schools/

Please Share and Add Your Song
http://www.edu-cyberpg.com/ncfr/

Educational CyberPlayGround Network Newsletters Mailing List ©1994
¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤,¸¸,ø¤º


=== CONTENTS ===================================================

IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed?

NEWS AND FEATURES
   - Master AACS Key Found
   - 12 Microsoft Security Bulletins for February 2007
   - Checking Audit Logs for Tampering
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Schneier on DRM
   - FAQ: Administrative Templates for Windows Vista
   - From the Forum: Chroot/Jail Implementation for Windows
   - Share Your Security Tips

PRODUCTS
   - IP Storage Appliances Add Encryption
   - Wanted: Your Reviews of Products

RESOURCES AND EVENTS

=== IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed? ======
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Any wireless Access Point (AP) that uses a default password is
vulnerable to manipulation by anyone who can gain some form of
connectivity to it. If the wireless AP's management interface is
Web-based, it can be mimicked, and therein resides a problem waiting to
happen.

If an intruder can craft a special Web page that mimics the
functionality of an AP management interface, that Web page could take
any action against an AP that's allowed by the management interface. So
what's to stop an attacker from developing a Web page that, when
viewed, changes any of the available AP settings? Not much, apparently.

Symantec researchers recently blogged about this very scenario, and
they point out how an attacker might use this attack method to change
DNS settings, which could lead to phishing scams. In the blog article,
they wrote, "The attackers create a Web page that includes malicious
JavaScript code. When the Web page is viewed, this code, running in the
context of your Web browser, uses a technique known as 'Cross Site
Request Forgery' and logs into your local home broadband router.... One
simple, but devastating, change is to the user's DNS server settings."
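The attack quoted above works only because the router's management
interface accepts a state-changing request from any page the browser
happens to be showing. The following is an added example, not code from
the newsletter, from Symantec, or from any router vendor, of the two
server-side checks such an interface can apply before it touches a
setting such as the DNS servers: refuse requests whose Origin/Referer is
not the device itself, and require a per-session synchronizer token that
a foreign page cannot know. The device addresses (192.168.1.1,
router.local) and the sample requests are constructed for the
illustration.

```python
"""Anti-CSRF checks for a state-changing request (e.g. "save DNS
settings") to a home router's web management interface.

Two independent checks, either of which rejects the request:
  1. The Origin header (or Referer, if Origin is absent) must name the
     device itself, so a request triggered from a page on another site
     is refused even if the browser attaches valid credentials.
  2. The form body must carry the synchronizer token issued with the
     session; the comparison is constant-time.
Added example with constructed values; not a real device's firmware.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the addresses under which the device serves its own UI.
DEVICE_HOSTS = {"192.168.1.1", "router.local"}


def issue_token():
    """Create the per-session token embedded in the device's own forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers):
    """True only if the request originates from a page served by the device."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # Browsers send at least one of these on a cross-site POST; a
        # request with neither is refused rather than trusted.
        return False
    # urlsplit("null").hostname is None, so an opaque "null" origin fails too.
    return urlsplit(source).hostname in DEVICE_HOSTS


def token_valid(form, session_token):
    """Constant-time comparison of the submitted token with the session's."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode("utf-8"),
                               session_token.encode("utf-8"))


def authorize_settings_change(method, headers, form, session_token):
    """Decide whether a settings-change request may proceed.

    Returns (allowed, reason). Settings changes are only honoured over
    POST, so a bare image tag or link cannot trigger them.
    """
    if method.upper() != "POST":
        return False, "settings changes must use POST"
    if not origin_allowed(headers):
        return False, "cross-site origin"
    if not token_valid(form, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo():
    """Run the checks over constructed requests; returns the decisions."""
    token = issue_token()
    legitimate = authorize_settings_change(
        "POST", {"Origin": "http://192.168.1.1"},
        {"dns1": "192.0.2.53", "csrf_token": token}, token)
    # Forged: same form fields, but the page that sent it lives elsewhere
    # and cannot have read the token.
    forged = authorize_settings_change(
        "POST", {"Origin": "http://other-site.example"},
        {"dns1": "192.0.2.53"}, token)
    # Same origin but token missing (e.g. an older firmware form).
    no_token = authorize_settings_change(
        "POST", {"Referer": "http://router.local/dns.html"},
        {"dns1": "192.0.2.53"}, token)
    return {"legitimate": legitimate, "forged": forged, "no_token": no_token}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} -> {decision}")
```

The Origin check on its own would already have stopped the scenario in
the Symantec quote, but the token is kept as well: a device that is also
reachable under a name the operator did not list would otherwise accept
forged requests, and the token does not depend on knowing every address
the device answers on.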

Symantec chose to call this attack "drive-by pharming," and that
bothers me. I saw several headlines about this attack type on the
Internet before I read the Symantec blog, and I thought, "Oh great,
another way to get in your car, drive around, find unprotected APs, and
steal people's information." But this attack has absolutely nothing in
common with war-driving. So Symantec introduced confusion with the
attack name, and some media reports spread the confusion further.

Symantec would do well to stop confusing us about security problems
with its use of misleading attack-type names. In the case of "drive-by
pharming," the attack has nothing to do with being in close proximity
to an AP (as is the case with war-driving) and is related to "pharming"
only in that attackers could use the management interface vector to
manipulate DNS to point to the DNS servers of their choice, which in
turn could resolve certain host names to IPs that point to pharming
sites.

The ability to attack someone's DNS settings could be exploited in a
variety of ways, none of which Symantec bothered to mention. For
example, an attacker could install botnet software or other malware, spy
on Web usage habits, intercept email, or intercept sensitive files for
corporate espionage; the list goes on and on. It seems to me that
misnaming attacks is itself a security problem because it misinforms
people who might not have the time to delve deeper into the nuts and
bolts behind a given title. I think Symantec should consider patching
its naming methods. What do you think? Send me an email with your
thoughts on this issue.

If you're interested in the Symantec report, you can read it at:
   http://list.windowsitpro.com/t?ctl=4B3C5:57B62BBB09A6927915328BC315BA14AA



=== SECURITY NEWS AND FEATURES =================================

Master AACS Key Found
   The Advanced Access Content System (AACS) protection used in HD DVD
and Blu-Ray DVD disk systems sustained another attack--this one more
devastating than the last.
   http://list.windowsitpro.com/t?ctl=4B3D5:57B62BBB09A6927915328BC315BA14AA

12 Microsoft Security Bulletins for February 2007
   Microsoft released 12 security updates for February, rating 6 of
them as critical, including a critical update for the company's malware
protection engine. The engine is used by several Microsoft products,
including Windows Defender--a core component of Windows Vista.
   http://list.windowsitpro.com/t?ctl=4B3D4:57B62BBB09A6927915328BC315BA14AA

Checking Audit Logs for Tampering
   Many administrators wonder if there is anything built into Windows
that can verify that the Security event log hasn't been tampered with
in some way. Randy Franklin Smith gives you the answer and explains how
to look for signs of tampering.
   http://list.windowsitpro.com/t?ctl=4B3D0:57B62BBB09A6927915328BC315BA14AA

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
   http://list.windowsitpro.com/t?ctl=4B3CB:57B62BBB09A6927915328BC315BA14AA


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Schneier on DRM
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4B3D9:57B62BBB09A6927915328BC315BA14AA

You've probably heard of Bruce Schneier. Have you heard what he has to
say about DRM? Learn more about my opinion on DRM and get a link to
what Schneier says in this blog article on our Web site.
   http://list.windowsitpro.com/t?ctl=4B3D1:57B62BBB09A6927915328BC315BA14AA

FAQ: Administrative Templates for Windows Vista
by John Savill, http://list.windowsitpro.com/t?ctl=4B3D7:57B62BBB09A6927915328BC315BA14AA

Q: Where are the Windows Vista administrative template (i.e., ADMX)
files stored?

Find the answer at
   http://list.windowsitpro.com/t?ctl=4B3D2:57B62BBB09A6927915328BC315BA14AA

FROM THE FORUM: Chroot/Jail Implementation for Windows
   A forum participant writes that he's aware of WinQuota's WinJail
Desktop software, which implements a type of sandbox/chroot/jail
environment similar to the one found on UNIX and Linux systems. He
wonders if other similar tools are available for Windows and whether
such an approach is useful. Join the conversation at the URL below.
   http://list.windowsitpro.com/t?ctl=4B3C6:57B62BBB09A6927915328BC315BA14AA

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@xxxxxxxxxxxxxxxxxxx. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@xxxxxxxxxxxxxxxx

IP Storage Appliances Add Encryption
   Siafu Software announced that hardware data encryption is now
standard on all Siafu Swarm IP SAN appliances. Siafu Swarm appliances
are available in 1U, 2U, 3U, and 6U configurations, can store from 1TB
to 7.5TB, use iSCSI, and feature RAID 51/61 active/active failover
technology. Siafu Swarm IP encrypted SAN solutions are available
starting at $8,995. For more information, go to
   http://list.windowsitpro.com/t?ctl=4B3DE:57B62BBB09A6927915328BC315BA14AA

WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@xxxxxxxxxxxxxxxx and get a Best Buy gift certificate.


<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
Educational CyberPlayGround Network Newsletters Mailing List

Subscribe - Unsubscribe - Set Preferences http://www.edu-cyberpg.com/Community/NetworkNewsletters.html

Copyright statements to be included when reproducing
annotations from the Educational CyberPlayGround Network Newsletter

The single phrase below is the copyright notice to be used when
reproducing any portion of this report, in any format:

EDUCATIONAL CYBERPLAYGROUND http://www.edu-cyberpg.com
Network Newsletters copyright


Email Preferences - Subscribe - Unsubscribe - Digest
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html


Advertise Network Newsletters Guidelines
http://www.edu-cyberpg.com/Community/Subguidelines.html
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>



