Security News Roundup: Long-running Internet porn pop-up case finally comes to an end

This week's security events include news of a security update for the popular Trillian instant messenger; the release of version 5.2.7 of PHP, which greatly improves stability and security; a vulnerability in Wireshark 1.0.4 that could result in a DoS attack; and the closure of a long-running court case against a teacher over Internet porn pop-ups.

Security update for Trillian instant messenger

Three vulnerabilities in the multi-protocol instant messenger (IM) client Trillian have been identified.  According to the Zero Day Initiative (ZDI), the three flaws are related to the processing and generation of XML data, and two of them are specific to the AIM plugin.

Various problems could result from the trio of bugs, including buffer overflows and memory corruption.  Trillian is a relatively popular multi-IM client, and the vulnerabilities could allow unauthenticated users to execute arbitrary code.

You can read about them at ZDI here, here, and here.

Version 5.2.7 of PHP for improved stability and security; new update to WordPress released

Version 5.2.7 of the extremely popular Web programming language was released late in the week.  This new version focuses on improving the stability of the PHP 5.2.x branch and has been described as the most stable release in the 5.2.x development branch.  Indeed, it comes packed with over 170 bug fixes in total, according to the release announcement.

All users should upgrade to this latest version, and can see the full changelog here.

In other news, a new version of the PHP-based WordPress blog engine was also released.  Version 2.6.5 fixes an XSS vulnerability in the wp-includes/feed.php and wp-includes/version.php files.  The problem affects only IP-based virtual servers on Apache 2.x.  Another three small fixes are also contained in WordPress 2.6.5.

You can read the announcement for WordPress 2.6.5 here.  Alternatively, you can visit the download page for the latest version of WordPress here.

Vulnerability in Wireshark 1.0.4 could lead to DoS attack

A vulnerability has been discovered in Wireshark 1.0.4.  The flaw is in the SMTP dissector and can be triggered as simply as sending large SMTP content to port 25.  According to the disclosure, the result is that Wireshark enters a long loop and is unable to do anything else.

The vulnerability has already been fixed in the SVN repository, though prior versions could also be affected.

Long-running Internet porn pop-up case finally comes to an end

After four long years, the case against former Connecticut schoolteacher Julie Amero finally closed a couple of weeks ago when she accepted a plea agreement.  Amero will pay a US$100 fine and have her teaching credentials revoked in return for State prosecutors dropping four felony charges against her.

The story is a bizarre one.  It started in October 2004, when Amero was assigned to a seventh-grade class at a school in Norwich.

According to Times Online:

She [Amero] returned from the lavatory to find two students viewing a hairstyle site.  Shortly afterwards, she says, pornographic advertisements flooded the screen. She says she tried to click them off, but they kept popping up, and the barrage lasted all day. She tried to stop the students looking at the screen, but several saw sexually explicit photographs. It was school policy not to turn off computers.

Amero was arrested two days later.  Mark Lounsbury, a computer crimes police officer, admitted that the software he used to analyze the computer could not distinguish redirects caused by malicious software from deliberate clicks.  The school also admitted that the computer had no firewall, because the bill for it had not been paid.

On the failure to check the computer for spyware, Alex Eckelberry, the president of a Florida software company, said:

"That is a blunder akin to not checking for fingerprints at the crime scene.  When a pop-up occurs on a computer, it will get shown as a visited website."
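The forensic point behind the Lounsbury and Eckelberry remarks, that a history log records a pop-up exactly like a deliberate visit, can be partly recovered from timing alone. The following is an added example, not part of the original article or of any tool mentioned in it; the history rows, the hostnames and the threshold values are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample history export: (timestamp, url). This is the bare minimum a
# "visited websites" listing contains; no field says who opened the page.
SAMPLE_HISTORY = [
    ("2004-10-19 10:02:11", "http://hairstyles.example/"),
    ("2004-10-19 10:02:40", "http://hairstyles.example/gallery"),
    ("2004-10-19 10:03:05", "http://ad-a.example/landing"),   # pop-up flood begins
    ("2004-10-19 10:03:06", "http://ad-b.example/"),
    ("2004-10-19 10:03:06", "http://ad-c.example/promo"),
    ("2004-10-19 10:03:08", "http://ad-a.example/again"),
    ("2004-10-19 10:45:00", "http://ad-d.example/"),           # single isolated hit
    ("2004-10-19 11:00:00", "http://lessonplans.example/"),
]


def _parse(rows):
    """Return (time, host, url) tuples in chronological order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), urlparse(url).hostname, url)
              for ts, url in rows]
    return sorted(parsed)


def visited_sites(rows):
    """What a naive 'visited websites' report shows: every host, deliberate or not."""
    return sorted({host for _, host, _ in _parse(rows)})


def burst_urls(rows, window_seconds=10, min_hosts=3):
    """URLs that belong to a burst: at least min_hosts distinct hosts reached within
    window_seconds of each other. A person clicking through one site rarely lands on
    three unrelated hosts in ten seconds; a pop-up flood does exactly that. The
    thresholds are assumptions for this example, and a flag is a lead for the
    examiner to investigate further, not proof of anything on its own."""
    entries = _parse(rows)
    flagged = set()
    for i, (start, _, _) in enumerate(entries):
        cluster = []
        for entry in entries[i:]:
            if (entry[0] - start).total_seconds() > window_seconds:
                break
            cluster.append(entry)
        if len({host for _, host, _ in cluster}) >= min_hosts:
            flagged.update(url for _, _, url in cluster)
    return flagged


if __name__ == "__main__":
    print("naive report:", visited_sites(SAMPLE_HISTORY))
    for url in sorted(burst_urls(SAMPLE_HISTORY)):
        print("burst (likely automatic):", url)
```

The naive report lists the ad hosts beside the hairstyle site with nothing to separate them; the burst view shows which entries arrived faster than anyone could have clicked.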

Amero initially faced up to 40 years in prison for endangering minors, and she was convicted of the felony charges in January 2007.  However, the presiding judge set aside that verdict some months later, in effect granting Amero a new trial.

Her supporters are adamant that Amero was an innocent victim of a spyware program and that she panicked when the pornography started appearing.  Others have expressed sympathy that her life has been destroyed by factors outside her control.

As IT professionals, do you have anything to say about this case?

Do you have any comments or feedback on the security news roundup this week?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

26 comments
cjshelby

I was once sitting next to a computer-illiterate co-worker of mine and told him to just "bookmark" a page. Well, he typed "bookmark.com" in the browser... and all hell broke loose! Porn site after porn site started popping up, just name your "flavor". He exclaimed "What did you tell me to do!" as I looked over. I calmly reached across and hit the power button to stop the onslaught. Now this was about 10 years ago, but believe me, it's possible for these things to happen on an unprotected network. How probable in this case? I suppose it depends on the vigilance of the folks administering the network. But if I am to accept the story as complete and accurate (which I have some doubts about), then the teacher should have never even been arrested, let alone charged and convicted. My doubts lie with the news reporting media, and I have seen first-hand how they can skew, misconstrue and omit facts.

dsimp

It is sad and wrong that this lady was hung out to dry when the whole system at the school must surely have been in the same position. No firewall and a network of PCs in a school, and her PC was the only one? You must be kidding.

NickNielsen

1. By the school district policies that not only forbade turning the computer off, but provided no training to substitute teachers. 2. By the complacency in IT that allowed the firewall to lapse. 3. By an incompetent "computer forensics" analysis. 4. By an over-zealous prosecutor using the conjunction of children and pornography to make a headline case over what should have been a trivial matter. Anybody involved in the prosecution of this case should be ashamed of their conduct and punished for their incompetence.


andy.holroyd

I worked as a legal assistant at a US law firm for a time. This was at a time when the internet was just starting to become used as a research tool. As a legal assistant, I had to do a lot of research on client projects and obtaining background information on industries. During the course of this, some innocuous search terms and relevant links would pass through to porn sites. This was at a time before filtering was widespread and you could basically go anywhere on the net at work. A scandal erupted when a lawyer was found to have been looking at porn and a policy was hastily drafted which everyone was expected to sign - I refused. The reason was that I could find myself on a porn site unintentionally, and end up losing my job because it would show in the history, and the explanation of how I came to be there would be unlikely to be heard. The net is full of porn and unrestricted and unprotected computers will, given time, inevitably take you there. The alternative is my wife's school, where net and network access is so heavily restricted that the computers are virtually unusable. The fact that this woman could be hung out to dry for this seems to be slightly unreasonable to say the least. Does the question of intent not arise anywhere?

saghaulor

True enough, without a firewall, the entire network is susceptible to the same attacks. But, what's to say that her computer didn't receive more use than others, increasing the chances that something bad would happen. Perhaps on that particular day they were allowed just enough lack of supervision to download something naughty. But just because the network is homogeneous in the fact that it is prone to the same vital security flaw, do not think for one second that the network is homogeneous in every way. But, I give you credit, there may very well be more to the story than is written.

ken

The person saying that she doesn't deserve to teach since she is not willing to "fight" for her position is totally out of touch with the real world. She would likely risk bankruptcy if she were to hire an attorney out of her own pocket to fight bureaucracies that have plenty of money and lawyers at their disposal - with no personal cost to them. As far as exceptions to the rule, this person has obviously never been involved with a school system that can be hyper-legalistic with what most would consider minor rules.

blair

Given America's normally litigious society, I am amazed that she has not sued the school for the first three points raised by Rick. Maybe there is more to the story than meets the eye.

mbmendoza71

2 simple things would have saved her: 1) turn off the monitor, 2) remove the DVI or VGA cable. Or she could have just turned off the machine; I think in a situation like that the school would have understood. Nuff said.

bblackmoor

This is a gross injustice. She has had her life and livelihood severely disrupted, if not destroyed, for nothing more than being the only adult in a room with an infected computer. And it is worth pointing out that despite the utterly twisted quasi-religious American cultural attitudes toward nudity, not a single child was harmed. Not a single one.

ninja67555

1. so what if it is school policy not to turn off computers... there are always exceptions... some people are so bureaucratic that they throw away common sense just to follow the rules to the letter. it's like refusing to use a powder fire extinguisher on a fire because it is policy to keep the place clean. 2. why could she not have simply turned off the monitor or put a coat over it. 3. she obviously had a crap lawyer. 4. if she is ready to give up her teaching credentials without a fight, then she doesn't deserve to hold a position of responsibility.

HAL 9000

She did Intend to go to the Toilet. She did intend to leave the class Unsupervised while she was away from the class room. She did intend to leave at the very least her computer running, whether through her personal preference or School Policy; there is Intent there. Though if it was School Policy to not have children Supervised in class rooms at all times and not to turn off computers, then if anyone is to be blamed here it should be the School, who had the Intent not to provide a Safe Environment for the children at all times while they were responsible for their welfare, and in this case it was the teacher who was doubly the victim of Inadequate Standards by the School Administration and the Open Nature of the Internet. If anything she should have been considered as an Accessory to this incident occurring, not the Motivator of it though. Col

ninja67555

if we have been given an accurate description of the facts, then any sane person would agree that she was in the right. and at the risk of having her reputation tainted forever just because an overzealous prosecutor has poor judgement, the reasons for fighting the case far outweigh the RISK of bankruptcy. And there are plenty of good lawyers out there prepared to take a pro-bono case such as this. She needs to reject a plea bargain and appeal with a new lawyer if it goes against her. She needs guts and a brain.

NickNielsen

The "forensic analysis" was conducted by local law enforcement.

jerie

IIRC, she was an older substitute teacher with little to no computer experience, so she probably had no idea that the monitor was not the computer, and/or had no idea that the monitor had an off button. And if she had turned anything off, she would have been in trouble with the school for disobeying direct instructions. Some of the commenters here have obviously never worked in a bureaucracy or have had to find a lawyer to take on a bureaucracy; it isn't easy when you become the scapegoat.

trevor

Whether she is a moron or not is not the issue. We ALL make mistakes, and we are not all provided with the skills to manage this sort of situation. The school put its head in the sand and deflected the real responsibility (who resigned from the school?). Her lawyer needs to go back to school (probably knows little about IT security), and the forensic/security "Expert??", what a joke he is, he needs schooling too. The police want to get their priorities right - maybe some schooling would help them. She should fight, but we all know that the Big Guys with the money, power and Liars - sorry, I meant lawyers - will beat you down in most cases. Schooling helps us all, and potentially we may have lost a great teacher at the expense of some political machinations by people with no Integrity.

ninja67555

"...The issue is important enough to me that I did contribute to her defense fund." Really... we have no proof of that so why even say it. "...Put up or shut up, pinhead. (That's my gratuitous insult, just for you!)" very mature of you BTW. when i called her a moron, i was not trying to flame anybody, but your insult is an obvious flame, but i'm smiling to myself right now, so tough luck buddy.

NickNielsen

"so you seem to think that if someone posts an opinion then that topic is of such seriousness that the person with the opinion should pay thousands in legal fees out of their own pocket for a stranger"

The title of your first post in this discussion: "she's a moron for many different reasons"

From the post that started this exchange: "She needs guts and a brain."

You felt strongly enough at some point that name-calling and derogatory remarks were appropriate.

"ok, since you posted an opinion therefore this topic is of utmost importance TO YOU So by your rationale, you should pay her legal fees. so are you going to get your check book out ? no i didn't think so."

The issue is important enough to me that I did contribute to her defense fund. http://tinyurl.com/7dzp2v

Put up or shut up, pinhead. (That's my gratuitous insult, just for you!)

end of line_

ninja67555

i post on many different forums, some trivial topics and some serious ones. so you seem to think that if someone posts an opinion then that topic is of such seriousness that the person with the opinion should pay thousands in legal fees out of their own pocket for a stranger. ok, since you posted an opinion, therefore this topic is of utmost importance TO YOU. So by your rationale, you should pay her legal fees. so are you going to get your check book out? no, i didn't think so.

NickNielsen

If it's not important to you, then why did you post what you did?

ninja67555

"...If it's so important to you that she continue to fight this case, you pay for the lawyer." it is not in the least bit important to me. what an idiotic thing to say... who pays the legal fees of strangers? a rich philanthropist maybe; my job title rules me out of that category anyway. whatever you would do for a loser like her, she would just f%*c it up anyway.

HAL 9000

But after sticking it out for 4 years she is more than likely fed up with attempting to find even a modicum of Common Sense in fighting with the Bureaucracy. I know after 6 months of disputing a 3 month Power Bill that is more than a 12 month bill I'm sorry that I ever started this. When you are facing what can only be described as constant lies being told directly to your face with conviction and the constant demeaning way that you are treated by these people, she has much more than likely had a Gut Full and wants it to end. I know after 6 months I'm fed up with their actions and it's not an important issue in the scheme of things. I don't think I could stomach 4 years of stupidity let alone want to continue the fight to get back to where I was before this started. Col

NickNielsen

"...the reasons for fighting the case far outweigh the RISK of bankruptcy." In her mind, she obviously doesn't see it that way and, after four years, probably just wants to get it over with. For this, she gets gratuitously insulted? If it's so important to you that she continue to fight this case, you pay for the lawyer.

bblackmoor

To "alanhayes": In the USA, legal costs can easily destroy the life of an innocent person. As my mother used to say, you can't get blood out of a turnip, but you can sure ruin the turnip trying. Most individuals in the USA could not afford to find justice in our legal system. Unless a well-funded organization like the EFF or the IJ takes up your cause, you're screwed: period.

iansavell

If we were all jailed or barred from our jobs every time we panicked or made an error from lack of experience, the workplaces would be empty and the jails full. Julie Amero was just an ordinary woman who experienced what a lot of us have experienced. The responsibility lies with the school and the adware perpetrators, not Julie. I contributed to her fighting fund and was disappointed she wasn't completely cleared. Everyone should support Julie and any others who suffer in similar circumstances.