Archive for the ‘ISC’ Category

WordPress blog attacks… again, (Wed, May 19th)

The good people at Websense have a new writeup on the WordPress blog attacks that have been occurring this week. Read the blog entry here.
-Kyle Haugsness (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Metasploit 3.4.0 released, (Wed, May 19th)

Version 3.4.0 of Metasploit was released today and it appears to contain some very nice features. Included now is some functionality for brute forcing credentials for daemons requiring authentication and many other new capabilities. Full information here: http://blog.metasploit.com/2010/05/metasploit-framework-340-released.html
-Kyle Haugsness

EFF paper about browser tracking, (Wed, May 19th)

The Electronic Frontier Foundation (EFF) has published a paper on browsers being tracked by their unique fingerprint. It turns out our browsers are more unique than we would like to think they are, so it is possible for websites to track users around using that fingerprint. While it may not be possible to know the exact user's identity, tracking from one web location to another is definitely a possibility. User agent string, system fonts, screen resolution and many more computer attributes all contribute to the unique fingerprint of the computer + browser combination. For those of you really concerned about your privacy, maybe it's time to randomize the timezone settings, fonts and screen resolution frequently (joking). Disabling JavaScript and active content helps with this a little bit, but you need to decide whether privacy is worth losing the ability to view the active content.
Full paper can be found at https://panopticlick.eff.org/browser-uniqueness.pdf
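To make the point above concrete, that individually common attributes combine into a near-unique fingerprint and that disabling JavaScript removes most of the identifying bits, here is a small Python calculation added for this archive. It is not code from the EFF paper or from the ISC diary; the visitor records, attribute names and values are constructed, and it measures identifiability (entropy and per-visitor surprisal) over that constructed population rather than collecting anything from a real browser.

```python
import math
from collections import Counter

# Constructed sample of browser attribute observations (not real data and
# not the EFF's dataset): each record is what a site could see from one
# visitor. user_agent arrives in an HTTP header; the other three values
# are only readable when JavaScript is enabled.
SAMPLE = [
    {"user_agent": "UA-A", "timezone": -5, "resolution": "1920x1080", "fonts": "F1"},
    {"user_agent": "UA-A", "timezone": -5, "resolution": "1920x1080", "fonts": "F1"},
    {"user_agent": "UA-A", "timezone": -5, "resolution": "1366x768", "fonts": "F2"},
    {"user_agent": "UA-A", "timezone": 0, "resolution": "1920x1080", "fonts": "F1"},
    {"user_agent": "UA-B", "timezone": -5, "resolution": "1920x1080", "fonts": "F3"},
    {"user_agent": "UA-B", "timezone": 1, "resolution": "1440x900", "fonts": "F3"},
    {"user_agent": "UA-C", "timezone": -5, "resolution": "1920x1080", "fonts": "F1"},
    {"user_agent": "UA-C", "timezone": 8, "resolution": "2560x1440", "fonts": "F4"},
]

HEADER_ONLY = ("user_agent",)                                # JavaScript disabled
WITH_JS = ("user_agent", "timezone", "resolution", "fonts")  # JavaScript enabled


def _counts(records, keys):
    """Count how often each combination of the chosen attributes occurs."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def entropy_bits(records, keys):
    """Shannon entropy (bits) of the attribute combination across the population.

    The ceiling is log2(len(records)); reaching it means every visitor is distinct.
    """
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in _counts(records, keys).values())


def surprisal_bits(records, keys, record):
    """Identifying information (bits) carried by one visitor's combination."""
    counts = _counts(records, keys)
    key = tuple(record[k] for k in keys)
    return -math.log2(counts[key] / len(records))


def unique_fraction(records, keys):
    """Share of visitors whose combination matches no other visitor."""
    counts = _counts(records, keys)
    return sum(1 for r in records if counts[tuple(r[k] for k in keys)] == 1) / len(records)


if __name__ == "__main__":
    for label, keys in (("header only", HEADER_ONLY), ("with JavaScript", WITH_JS)):
        print(f"{label}: {entropy_bits(SAMPLE, keys):.2f} bits of "
              f"{math.log2(len(SAMPLE)):.2f} possible, "
              f"{unique_fraction(SAMPLE, keys):.0%} of visitors unique")
```

With the constructed population, the user agent alone gives 1.5 bits and makes nobody unique, while the four JavaScript-visible attributes together give 2.75 of the 3 possible bits and single out six of the eight visitors. Real populations are much larger, so the absolute numbers differ, but the mechanism is the same one the EFF paper measures.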

Canonical Display Driver Vulnerability, (Tue, May 18th)

Microsoft released a security advisory [1] with details about a so far unpatched vulnerability in the Canonical Display Driver. All systems with the Aero theme enabled are vulnerable.
Theoretically, code execution is possible, but according to Microsoft unlikely. However, the vulnerability would allow a DoS attack by crashing the system. The quick fix for the problem is to turn off Aero.
[1] http://www.microsoft.com/technet/security/advisory/2028859.mspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Symantec triggers on World of Warcraft update, (Sun, May 16th)

We have had a couple of reports over the last 24 hours of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new, which is a component of World of Warcraft.
Judging by the traffic on this topic in the WoW forums it would appear these are not isolated reports.
The detailed version of the alert is:
Severity = High
Activity = Auto-Protect has detected Infostealer
Date Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recomended Action = Resolved no action
Risk Catagory = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\users\public\world of warcraft\scan.dll.new
What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on? Is this an old signature from a previous issue?
I have been interested for a while in the accuracy of Anti-Virus products in the modern computing world. The Anti-Virus paradigm we have used since the '80s is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.
I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality. Most of these are attempts at more heuristic or behavior-based products that rely less on signatures. It seems to me that since these attempts require a fuzzier approach to anti-virus, won't these sorts of false positives likely become more common, not less?
Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?
As usual I am interested in your opinions. You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

P.S. If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read, I would be fascinated to have it.

Upcoming MySQL patch fixes several critical vulnerabilities, (Sun, May 16th)

William wrote in to let us know that the changelog for the upcoming release of MySQL, version 5.1.47, has been published, and it appears this release fixes several critical vulnerabilities and probably should be applied as quickly as is reasonable. What is interesting is that although a relatively detailed changelog is available which describes in some detail the vulnerabilities being addressed, which could be interesting to attackers, I could not find any information on when the 5.1.47 release would be available.
If anyone can provide a pointer to this release information, please pass it on to us.

-- Rick Wanner - rwanner at isc dot sans dot org

Onboard Computers Subject to Attack?, (Sat, May 15th)

New Scientist has an article online titled New cars vulnerable to malicious attacks. The article states that 2 researchers used a socket under the dashboard to plug a laptop into. Using the laptop they were able to control various controls on the car. As the article states, it would be difficult to use this method. I think the driver would notice a laptop connected to their dashboard. However, imagine the possibilities if some device plugged into the socket allowed wireless control of the control systems. Again, probably still difficult to do, but things thought to be impossible are cracked every day. As an owner of one of these new vehicles with all the computer controlled gadgets, it is a scary thought for me. Hopefully, the automakers will solve this potential security problem before someone does successfully take advantage of it and use it for malicious purposes. Imagine an out of control freight train or 18 wheeler heading straight at you because some terrorist or other knot head overrides the computer control system.
In these days of high tech gadgets with computer control of everything from cell phones to automobiles to 18 wheelers to Train Engines, it is time for everyone to take Computer/Data Security seriously.
www.newscientist.com/article/dn18901-modern-cars-vulnerable-to-malicious-hacks.html
Thanks to our reader Adam for bringing this to our attention.

Deb Hale, Long Lines, LLC

Google Acknowledges Grabbing Personal Data, (Sat, May 15th)

It appears that Google, Inc has had a lapse in judgment for the last 4 years and has been scooping up snippets of personal data from open WiFi networks. Google has acknowledged that they have indeed done the captures. Google has issued a public apology and states that none of the information has made it to their search engines or other services. According to the article:
Google characterized its collection of snippets from e-mails and Web surfing done on public Wi-Fi networks as a mistake, and said it has taken steps to avoid a recurrence. About 600 gigabytes of data was taken off of the Wi-Fi networks in more than 30 countries, including the U.S. Google plans to delete it all as soon as it gains clearance from government authorities.
finance.yahoo.com/news/Google-grabs-personal-info-apf-2162289993.html
It looks like Google, Inc has some explaining to do.
Deb Hale, Long Lines, LLC

Phony Phone Scam, (Sat, May 15th)

The FBI and their partner organizations have issued a warning to consumers in the US that a new phone scam has appeared. This scam is basically a telephone denial of service attack that is being used to distract the receiver of the calls from a much more important problem. The article states:
The scheme is known as telephony denial-of-service (TDOS) and according to several telecommunications companies working with the FBI, there has been a recent surge of these attacks in the past few weeks. The perpetrators are suspected of using automated dialing programs and multiple accounts to overwhelm the land and cell phone lines of their victims with thousands of calls.
When the calls are answered, the victim may hear anything from dead air (nothing on the other end), an innocuous recorded message, an advertisement, or even a telephone sex menu! The calls are typically short in duration but so numerous that victims have had to have their numbers changed to make the calls stop.
The FBI has determined that these calls serve as a diversionary technique. During these TDOS attacks, online trading and other money management accounts are being accessed by the perpetrators who are transferring funds out of those accounts. The perpetrators will obtain account information of their victims in some way and then contact the financial institutions to change their victims profile information such as email addresses, telephone numbers and bank account numbers.
The purpose of the malicious phone calls is to occupy the victims' phone numbers on record with the financial institutions managing the accounts so that when the institutions contact the victim to verify the changes and transactions, the institution is unable to reach the victim. Consequently, the victim has no idea what has really transpired until it's too late.
You can see the full article at the NJToday website.
njtoday.net/2010/05/12/phony-phone-calls-distract-consumers-from-genuine-theft-%E2%80%94-fbi-partners-warn-public/
The article warns the receiver of any of these types of calls to be hyper-vigilant, keep an eye on all of your personal finances and accounts, and make sure that you take advantage of the right to your free credit report annually. All of us should take this advice to heart whether or not you are receiving these harassing calls.
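The diversion described above leaves two traces a defender can correlate: a burst of many short calls from several source numbers to one line (visible to the carrier or to a company's own PBX logs), and a profile change on an account whose contact number is under that burst (visible to the financial institution). The following Python example is added for this archive and is not code from the FBI, the article, or the ISC diary. The call detail records, the profile-change events, the field names and the thresholds (20 calls from at least 5 distinct callers inside 5 minutes, mean duration at most 15 seconds) are all constructed assumptions chosen to illustrate the detection, not figures from the warning.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call detail records (CDRs), not real telco data:
# (timestamp, caller, callee, duration in seconds).
BASE = datetime(2010, 5, 12, 9, 0, 0)
FLOOD_CALLERS = [f"+1555010{n:04d}" for n in range(6)]  # six rotating source numbers
CDR = []
for i in range(25):  # 25 short calls to one victim line inside three minutes
    CDR.append((BASE + timedelta(seconds=6 * i), FLOOD_CALLERS[i % 6], "+15550200100", 3 + i % 4))
for i in range(3):   # ordinary traffic to another line: few calls, normal length
    CDR.append((BASE + timedelta(minutes=10 * i), "+15550300001", "+15550200200", 120))

# Constructed profile-change events as a financial institution would log them.
PROFILE_CHANGES = [
    {"account": "acct-0001", "phone_on_record": "+15550200100", "change": "email",
     "at": BASE + timedelta(minutes=1)},
    {"account": "acct-0002", "phone_on_record": "+15550200200", "change": "address",
     "at": BASE + timedelta(minutes=2)},
]


def detect_call_floods(records, window=timedelta(minutes=5), min_calls=20,
                       min_callers=5, max_mean_duration=15):
    """Flag callees receiving a burst of many short calls from several sources.

    Returns {callee: alert}, where alert describes the first sliding window
    that met all three thresholds (assumed values, tune per environment).
    """
    by_callee = defaultdict(list)
    for ts, caller, callee, dur in records:
        by_callee[callee].append((ts, caller, dur))
    alerts = {}
    for callee, calls in by_callee.items():
        calls.sort()
        recent = deque()  # calls to this callee inside the trailing window
        for ts, caller, dur in calls:
            recent.append((ts, caller, dur))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            callers = {c for _, c, _ in recent}
            mean_dur = sum(d for _, _, d in recent) / len(recent)
            if (len(recent) >= min_calls and len(callers) >= min_callers
                    and mean_dur <= max_mean_duration):
                alerts[callee] = {"window_start": recent[0][0], "window_end": ts,
                                  "calls": len(recent), "distinct_callers": len(callers),
                                  "mean_duration": mean_dur}
                break
    return alerts


def changes_during_flood(alerts, changes, slack=timedelta(minutes=30)):
    """Profile changes on accounts whose contact number was under flood at the time.

    These are the changes a verification callback could not have confirmed,
    so they deserve out-of-band confirmation before any transfer proceeds.
    """
    hits = []
    for ch in changes:
        alert = alerts.get(ch["phone_on_record"])
        if alert and alert["window_start"] - slack <= ch["at"] <= alert["window_end"] + slack:
            hits.append((ch["account"], ch["change"], ch["phone_on_record"]))
    return hits


if __name__ == "__main__":
    floods = detect_call_floods(CDR)
    for callee, a in floods.items():
        print(f"flood on {callee}: {a['calls']} calls from {a['distinct_callers']} numbers, "
              f"mean {a['mean_duration']:.1f}s")
    for account, change, phone in changes_during_flood(floods, PROFILE_CHANGES):
        print(f"hold {change} change on {account}: contact number {phone} is being flooded")
```

In the constructed data only the flooded line trips the burst rule, and only the account whose phone on record is that line is reported; the second account's change proceeds normally. The two halves live in different organisations, so in practice the carrier-side alert has to reach the institution (or the institution must notice that its own verification calls to that number keep failing) for the correlation to happen.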

Deb Hale, Long Lines, LLC

New tool from Mozilla for updating plug-ins, (Thu, May 13th)

It's been a relatively quiet day so I thought I'd mention this nice little tool that Mozilla has released:
https://www.mozilla.com/en-US/plugincheck/
It does exactly what it looks like: it checks to see if your plugins are up to date and provides links to update them if they are not. It works with Firefox 3.6+, Opera 10.5, Safari 4, Chrome 4, or IE 8, and while they claim limited support for IE, it worked just fine when I tried it.