It’s been another quiet week on the security front. There’s
been plenty of news, but very few immediate threats. At the top of the list, IM
threats are on the rise, the first potential risk for Windows Vista has
surfaced, and the dramatic fallout from the Cisco vulnerability controversy at
Black Hat rages on. So it’s a good time for the company picnic—Cisco users just
need to change their passwords before passing the potato salad!
There’s been no scarcity of security news in the last week. However,
fortunately for all of us in the security industry, no really major threats have
emerged that we need to address right this minute.
Security vendor Akonix has published its latest
report on instant messaging threats in 2005. The report shows a four-fold increase in
instant messaging and peer-to-peer threats for the second quarter of 2005.
So, if your company is one that has turned a blind eye toward this sort of
activity, the time has come to crack down hard. Even if your organization has a
solid, unhackable IM program, remember that most users don’t know how to
properly define which files are acceptable for someone to upload and which ones
must remain private.
Given that IM and P2P code is almost laughably vulnerable, I
recommend prohibiting any of your users from downloading or installing any IM or P2P client software without
your prior approval. Remember: People often use these apps to illegally
download copyrighted material, and your company can be liable for having such
files on its networks. IM can certainly be useful in a business context, but
it’s important to keep it under strict control.
According to Akonix’s report,
the top five IM and P2P security threats target AIM (Oscarbot), MSN (Kelvir,
Bropia, and Microsoft
Security Bulletin MS05-022), and Yahoo (a phishing attack). But that
doesn’t mean you can get complacent if you don’t use one of these IM
applications. Akonix reported more than 20 new IM/P2P threats since August 1,
and all but one target IRC. While Akonix has rated all but one as low-risk, new
threats are coming fast and furious—easily matching the occurrence of new virus
and Trojan attacks that target e-mail.
Looking ahead, one of our biggest worries will likely be
next year’s scheduled release of the next generation of Microsoft Windows,
recently christened Windows Vista. Antivirus company F-Secure has reported that
the first known proof-of-concept malware code for the forthcoming Microsoft OS
(formerly code-named Longhorn) has been published, even though the OS likely
won’t see a release until the end of 2006.
It turns out that Microsoft intended Vista to include a
brand-spanking-new command-line shell code-named Monad (MSH). Monad will reportedly
replace the old CMD interface in current Windows versions, which always seemed
purposely designed to make it difficult for non-experts to use. (And that’s not
a complaint—I don’t want users I have to support fooling around with the
command-line tools any more than I want them trying to edit the registry on
But there’s no cause for worry just yet. Although Monad is
available for testing, it’s not even shipping with the beta versions of Vista
or Windows Server 2003 R2, an update to Windows Server due later this year. Few
systems actually have it installed, and any that do are under the care of testers
and developers, all of whom should be smart enough not to connect such systems
to the Internet or an internal network.
For more information, check out the original report in the August 4 edition of F-Secure’s blog.
Researchers have dubbed the actual malware code Danom.A through Danom.E.
If Monad actually ships with Windows Vista in late 2006—which
insider rumors say is becoming increasingly doubtful—it should prove a bonanza
for script kiddies everywhere. The first few pieces of malware code are
remarkably simple and easy to construct. However, it should be easy enough to
simply delete the new command if versions do include it, which neatly eliminates
the problem. (Editor’s note: Microsoft announced late last week that it no longer plans to
include Monad in Windows Vista.)
As a follow-up to last week’s news about Michael Lynn’s
now-infamous presentation of vulnerabilities in Cisco’s IOS, hackers are
racing to find a way to exploit the router
flaws. Cisco alerted customers about a breach of its Web
site last week. The company has denied that the breach resulted from
any vulnerability in Cisco software.
So far, no reports have surfaced of any successful attacks
on Cisco routers using the methods described in Lynn’s presentation. However,
underground rumors abound that there are quite a few people in the hacker
community who aren’t happy with Cisco. The patch for the vulnerability is
available, so anyone who uses Cisco routers connected to the Web—and that’s millions of users—should take steps to get
the appropriate update ASAP. (For an insider’s view of the Cisco controversy,
check out Jennifer Granick’s blog—Michael
I can confirm the rise of IM threats from my own experience.
The only malware I’ve consistently
cleaned from my systems lately has been trying to contact IM sites.
I wasn’t exactly thrilled to learn that Microsoft plans to
make the command line “friendlier” to use. That will only tempt more
users to tinker with it. Learning that the first known exploited hole in Vista
came in the new command-line tool doesn’t surprise me much.
As for Microsoft’s scripting tools, I’ve never been able to
get Word macros or other scripts to do exactly what I wanted them to do, so I
never use them. But at least they offer new security holes to keep all of us
busy. While I’ve previously written about obscure command-line tools that I do
use, I’m always leery of giving out too much information because most users
don’t have the skills to safely work with these tools anyway.
Even as a staunch defender of the First Amendment, I have a
lot of sympathy for Cisco. What would you do if you had millions of vulnerable
systems out there and learned that someone was about to tell the world’s top
hackers about a big hole in the code? Even free speech has its limitations, although
I’m not certain I want Cisco in charge of making the determination. And,
despite loud cries of foul from the hacker community, I’m not even sure how the
First Amendment would apply to a private company attempting to keep
intellectual property secret.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.