This week's security events include a vulnerability in the multicast filter of an unpatched Solaris 10 system, Trojans targeting the ARDAgent flaw in Mac OS X, hacks of the London Tube's Oyster Card, and an IT manager who got 63 months for causing massive data loss at his former employer.
- Critical vulnerability in Solaris 10 multicast filter
A critical vulnerability has been discovered by Tobias Klein in the IP kernel module in Solaris 10. This could be exploited by a local unprivileged user who could potentially use this flaw to either deny service or possibly even perform a code injection.
The IP kernel module of Solaris 10 can panic when sent a crafted IOCTL request by a local unprivileged user due to a data typing mismatch in
ip_multi.c. A user-supplied unsigned integer gets assigned to a signed integer variable, potentially resulting in a negative value. This leads to a check being bypassed and ultimately an out of bounds write that corrupts kernel memory.
The vulnerability affects Solaris 10 without patch 137111-01 and OpenSolaris based upon builds snv_13 through snv_91, across SPARC and x86 platform builds. Solaris 8 and 9 are not affected. There is no workaround for this issue.
You can read more about the Sun Solaris SIOCSIPMSFILTER Kernel Integer overflow.
- Trojans targeting Mac OS X ARDAgent flaw surfaces
Hot on the heels of a report last week about a serious vulnerability in the Apple Remote Desktop Agent (ARDAgent) comes news of a hacker forum devoted specifically to the development of Trojans to exploit it. MacShadows.com moved quickly to shut down the user forum, though not before the Washington Post managed to link up with one of the authors who worked on one such trojan called the "Applescript Trojan horse template."
"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail to the Post.
It doesn't take a rocket scientist to know that Andrew is deeply unhappy with Apple's policy not to talk on topics relating to security vulnerabilities.
Where the Applescript Trojan horse template is concerned: some of the available functions include keylogging, the ability to create screenshots and images from an installed camera, access via a VNC server and even a Web front-end to maintain the trojan. Infected computers are easily located from self-updated dynamic DNS entries.
- Londen Tube's Oyster Cards hacked
Dutch security researchers successfully cloned the Oyster card used on the London Underground, getting away with a days' worth of free rides. With more than 17 million such cards in circulation, the Transport for London was quick to offer assurances that "the most anyone could gain from a rogue card is one day's travel."
The Oyster Card hack was possible as it features the same Mifare chip that we reported as compromised some months ago. It transpired that University researcher Bart Jacobs and his team used an ordinary laptop to clone an access card. First however, they retrieved the cryptographic key from one of the Underground's card readers. They then brushed up against unsuspecting passengers with their own portable reader that masquerades as a legitimate one to wirelessly download data from their victim's cards.
Jacobs says the same technique can clone smartcards that provide access to secure buildings. "An employee can be cloned by bumping into that person with a portable card reader," he told the Times. "The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures."
- IT Manager who cleaned-up data systems of former employer gets 63 months
After being given an unfavorable job evaluation after about a year on the job, Jon Paul Oson bitterly resigned from his position as technical services manager at the Council of Community Clinics in San Diego. The Council of Community Clinics is a nonprofit organization which serves 17 regiona health clinics in Southern California, providing a variety of services.
This was not the end however, for Oson was intent to do serious damage via a revenge plan which he meticulously planned.
On December 23, Oson logged onto servers belonging to his former employer and disabled the program that automatically backed up medical records for thousands of low-income patients. Six days later, he logged on again, and in the span of 43 minutes, methodically deleted the files containing patients' appointment data, medical charts and other information.
Obviously technically-skilled, Oson also covered his tracks well. When his home was raided half a year later by FBI agents, all but one of his PCs has been wiped clean. What was the evidence that led to him being convicted then?
It just so happened that in the weeks leading up to the data meltdown, an intruder had cased the network by logging in from at least three different machines. One was a computer named "TEMP3" that was equipped to work with an HP 2100 LaserJet printer. A second PC happened to contain drivers for the HP 2100 and a LaserJet 4M.... Even more incriminating, the nickname of this second PC was "kuku" and one of the printers it was configured to work with was named "mike2003 HP Laserjet 4M." That just happened to match the name of Oson's son and the network name of the printer sitting by his workstation.
This story reminds me of a recent survey by Cyber-Ark that I came across in which a staggering 9% of privileged passwords never get changed. As such, administrators who know the passwords are given indefinite access -- even long after they've left the organization.