
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-07



Google Web Accelerator continued; phpBB 2.0.15 released; Backdoors more popular than Viruses?; Anti-Spyware poll results; Google.com DNS glitch; SQL server 2000 SP4

Published: 2005-05-07
Last Updated: 2005-05-08 18:34:53 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Final Edition

Google Web Accelerator continued


For a Saturday, we got quite a bit of feedback on our item about Google's new Web Accelerator.

At one end of the story we see reactions that trust Google to do the right thing because of its "do no evil" motto, as well as reactions comparing the service to Microsoft's new system for retrieving documents after application crashes.

The other end of the story sends us comments about other projects involving web caches, such as
- "poor man's akamai" solutions such as
, a network of proxy caches.

- solutions that also inspect the contents of SSL-protected HTTP traffic (HTTPS). The latter is obviously unwelcome from a security viewpoint. Richard pointed out what is probably the nastiest one in this category. While they don't want to be called spyware, have a look at an excerpt from their description at
http://www.marketscore.com/privacy.aspx : "Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information."

Personally I don't believe much in caches: on one side because they don't gain enough bandwidth to be worth the trouble, on the other because of all the complications they create. Worse, unless you have a slow link in the path to the destination server there's nearly no measurable gain in performance, as the bottleneck is usually the browser's ability to render pages fast enough.

As for Google's cache: time will tell.

One thing is sure, however: web developers and security folks will have to deal with this eventually. Expect clients to prefetch information, so don't assume the user did anything; it's all like a spider running over the pages.
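As an added illustration of that last point (example code, not part of the diary or of any product mentioned in it), the two small WSGI apps below show a link-driven "delete post" action once as a plain GET, which a prefetching accelerator will trigger by simply following every href on the page, and once hardened so that state changes are only accepted on POST. The forum state, the apps and the prefetcher simulation are all constructed for this example.

```python
import io
from urllib.parse import parse_qs

# Constructed sample state: a tiny "forum" whose posts can be deleted.
POSTS = {1: "first post", 2: "second post"}

def unsafe_app(environ, start_response):
    """Deletes a post on a plain GET to /delete?id=N, the pattern the diary
    warns about: a client that prefetches every link on the page deletes
    posts without the user ever clicking anything."""
    if environ["PATH_INFO"] == "/delete":
        post_id = int(parse_qs(environ.get("QUERY_STRING", ""))["id"][0])
        POSTS.pop(post_id, None)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"deleted"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"index"]

def hardened_app(environ, start_response):
    """Treats every GET as a read that a spider or prefetcher may issue;
    state changes are accepted only from a POST body."""
    if environ["PATH_INFO"] == "/delete":
        if environ["REQUEST_METHOD"] != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b"state changes require POST"]
        form = parse_qs(environ["wsgi.input"].read().decode())
        POSTS.pop(int(form["id"][0]), None)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"deleted"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"index"]

def request(app, method, path, query="", body=b""):
    """Calls a WSGI app with a minimal environ and returns the status line."""
    status = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.input": io.BytesIO(body)}
    list(app(environ, lambda s, headers: status.append(s)))
    return status[0]

def prefetch_all_links(app, links):
    """Simulates an accelerator issuing a GET for every href on a page and
    returns how many posts survive."""
    for path, query in links:
        request(app, "GET", path, query)
    return len(POSTS)
```

Run the prefetcher over the same links against both apps: the hardened one keeps every post, the unsafe one loses them all without a single user click.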

phpBB 2.0.15 released


As we reported on the phpBB issues, phpBB released a new version today (yes, on a Saturday): 2.0.15. Among the fixes are authentication fixes for the admin panel and one critical fix in the handling of BBCode.

Download from:

http://www.phpbb.com/downloads.php

Update notification:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Considering the level of attention phpBB receives, we highly recommend upgrading or patching soon. Don't forget to update both the database and the individual files.

Backdoors more popular than Viruses?


A reader pointed out that "backdoor.hackdefender" was rather popular at . Looking at the top 10, most of the entries are backdoors.

Perhaps it is time to make a mental note that although backdoors typically don't spread fast, they do seem to be widely available in the wild.

Add to that that cleaning up after a backdoor is tricky business: what else was installed, changed or otherwise tampered with while the backdoor was in place? Typical viruses are much more predictable and therefore easier to clean up.

As such it might be a good moment to check the risk levels of backdoors in your organization and perhaps take some more measures.

Let us know what you think about it. If you do have extra measures in addition to the typical anti-virus measures to counter the threat of backdoors, let us know which.

Anti-Spyware poll results



Reviewing the anti-spyware poll results is like reading your logs. From our community of security-minded readers it's easy to see the trend towards people being aware of the problem and aware of the Windows/Internet Explorer combination being targeted by spyware. As such the results are a bit predictable, but if you answered that you don't use anti-spyware and are using that combination, or if the anti-spyware you use proves not to be working properly, try some of the suggestions the other readers left:

- HijackThis! (for advanced users)
http://www.merijn.org/
- IEspyad
https://netfiles.uiuc.edu/ehowes/www/resource.htm
- Lavasoft Ad-Aware
http://www.lavasoftusa.com/software/adaware/
- Microsoft antispyware (beta)
http://www.microsoft.com/athome/security/spyware/software/
- Spybot S&D
http://www.safer-networking.org/en/spybotsd/

This is not an endorsement, nor do we claim it's a complete overview.
Take care with HijackThis: it can destroy a Windows machine if used without the proper knowledge.

Keep in mind that if/when other browsers or OSes become popular and/or vulnerable enough, the attention of the spyware folks might shift suddenly.

A solution that works for larger organizations would be a good selling argument for the vendors.

Exploit against Firefox 1.0.3


Speaking of other browsers and being vulnerable, FrSIRT (aka K-OTik) published a 0-day exploit against Firefox 1.0.3.

Impact: remote code execution without user interaction

Patch: none available

Workaround: disable javascript

Google.com DNS glitch


We're getting a lot of reports regarding a glitch in Google's DNS information. At first look it does not seem to be hostile.


$ dig news.google.com
; <<>> DiG 9.2.3 <<>> news.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;news.google.com. IN A
;; ANSWER SECTION:
news.google.com. 900 IN CNAME news.l.google.com.
;; AUTHORITY SECTION:
l.google.com. 900 IN SOA ns1.google.com.l.google.com.
dns-admin.google.com. 1115309515 900 900 1800 900
;; Query time: 37 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 8 01:14:28 2005
;; MSG SIZE rcvd: 115

It seems the problems have been resolved in the meantime.

There was one report of a redirect during the downtime to a "sogo" search page. If you have captures of what DNS contained at those times, we'll be happy to receive them.
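As an added example (not from the diary), here is a small checker over dig transcripts that flags the two things a defender watching a critical hostname would want to catch from the output above: a CNAME whose target never resolves (status NXDOMAIN with no A record in the answer), and a CNAME that points outside the zone the name is expected to stay in, which is what a redirect to a third-party search page would look like in DNS. The sample transcript is the one quoted above, embedded as a constructed string; the parser and the `expected_suffix` policy are assumptions of this example.

```python
import re
# Constructed sample: the diary's dig transcript, with the wrapped SOA line rejoined.
SAMPLE_DIG = """\
; <<>> DiG 9.2.3 <<>> news.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;news.google.com. IN A
;; ANSWER SECTION:
news.google.com. 900 IN CNAME news.l.google.com.
;; AUTHORITY SECTION:
l.google.com. 900 IN SOA ns1.google.com.l.google.com. dns-admin.google.com. 1115309515 900 900 1800 900
"""

def parse_dig(text):
    """Return (status, records) with (section, name, ttl, type, rdata) tuples."""
    status, section, records = None, None, []
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: ([A-Z]+)", line)
            status = m.group(1) if m else None
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5 and section:
            name, ttl, _cls, rtype, rdata = parts
            records.append((section, name, int(ttl), rtype, rdata))
    return status, records

def check_resolution(text, expected_suffix):
    """Flag a CNAME whose target never resolves (NXDOMAIN with no A record)
    and a CNAME pointing outside the zone the name is expected to stay in."""
    status, records = parse_dig(text)
    cnames = [r for r in records if r[0] == "ANSWER" and r[3] == "CNAME"]
    has_a = any(r[0] == "ANSWER" and r[3] == "A" for r in records)
    findings = []
    if status == "NXDOMAIN" and cnames and not has_a:
        findings.append("dangling CNAME: %s -> %s" % (cnames[0][1], cnames[0][4]))
    for _sec, name, _ttl, _type, target in cnames:
        host = target.rstrip(".")
        if host != expected_suffix and not host.endswith("." + expected_suffix):
            findings.append("CNAME leaves expected zone: %s -> %s" % (name, target))
    return status, findings
```

On the transcript above the checker reports only the dangling CNAME, since news.l.google.com still sits inside google.com; a capture from the reported "sogo" redirect would trip the second check instead.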

Microsoft SQL server 2000 SP4


Gilles from FrSIRT reported to us that Microsoft released SQL Server 2000 SP4 yesterday (the final version, not the beta release).

--

Swa Frantzen