Security UPDATE--Is the "Drive-by Pharming" Attack Misnamed?--February 21, 2007

Symantec researchers blog about an attack in which a Web page mimics the functionality of an AP management interface. But what does this have to do with "drive-by"? This plus links to other security resources.

ITPro Today Contributors

February 20, 2007

9 Min Read
ITPro Today logo in a gray background | ITPro Today

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ontrack Data Recovery: Data loss prevention tips

http://www.ontrack.com/special/0606drnewsoffer.aspx

Free White Paper: Address the Insider Threat

http://findtechinfo.com/penton/nl/250

Hosted Security: A solution for small and medium-sized businesses

http://www.windowsitpro.com/go/whitepaper/stbernard/hostedsecurity/?code=SECHot0220

=== CONTENTS ===================================================

IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed?

NEWS AND FEATURES

- Master AACS Key Found

- 12 Microsoft Security Bulletins for February 2007

- Checking Audit Logs for Tampering

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: Schneier on DRM

- FAQ: Administrative Templates for Windows Vista

- From the Forum: Chroot/Jail Implementation for Windows

- Share Your Security Tips

PRODUCTS

- IP Storage Appliances Add Encryption

- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Ontrack Data Recovery =============================

Ontrack Data Recovery: Data loss prevention tips

Snow storms, extreme heat, hurricanes... they all have the potential to interrupt your business and damage your data storage systems. While your business might never be directly impacted by a natural disaster, data loss can strike companies anytime and anywhere.

Be prepared by learning how to prevent data loss and what to do when data loss affects your business.

Ontrack Data Recovery, the world leader in data recovery services and software, is pleased to offer a FREE e-newsletter that addresses data loss prevention and response.

Recent topics discussed in Ontrack's Data Recovery News include:

- Seven things to avoid when your drive crashes

- Data recovery options for flash media

- Do-it-yourself data recovery software products

Sign up for the FREE Ontrack Data Recovery Newsletter today:

http://www.ontrack.com/special/0606drnewsoffer.aspx

=== IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed? ======

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Any wireless Access Point (AP) that uses a default password is vulnerable to manipulation by anyone that can gain some form of connectivity to it. If the wireless AP's management interface is Web-based, it can be mimicked, and therein resides a problem waiting to happen.

If an intruder can craft a special Web page that mimics the functionality of an AP management interface, that Web page could take any action against an AP that's allowed by the management interface. So what's to stop an attacker from developing a Web page that, when viewed, changes any of the available AP settings? Not much, apparently.

Symantec researchers recently blogged about this very scenario, and they point out how an attacker might use this attack method to change DNS settings, which could lead to phishing scams. In the blog article, they wrote, "The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as 'Cross Site Request Forgery' and logs into your local home broadband router.... One simple, but devastating, change is to the user's DNS server settings."

Symantec chose to call this attack "drive-by pharming," and that bothers me. I saw several headlines about this attack type on the Internet before I read the Symantec blog, and I thought, "Oh great, another way to get in your car, drive around, find unprotected APs, and steal people's information." But this attack has absolutely nothing in common with war-driving. So Symantec introduced confusion with the attack name, and some media reports spread the confusion further.

Symantec would do well to stop confusing us about security problems with its use of misleading attack-type names. In the case of "drive-by pharming," the attack has nothing to do with being in close proximity to an AP (as is the case with war-driving) and is related to "pharming" only in that attackers could use the management interface vector to manipulate DNS to point to the DNS servers of their choice, which in turn could resolve certain host names to IPs that point to pharming sites.

The ability to attack someone's DNS settings could be exploited in a variety of ways, none of which Symantec bothered to mention. For example, an attack could install botnet software or other malware, spy on Web usage habits, intercept email, or intercept sensitive files for corporate espionage; the list goes on and on. It seems to me that misnaming attacks is itself a security problem because it misinforms people who might not have the time to delve deeper into the nuts and bolts behind a given title. I think Symantec should consider patching its naming methods. What do you think? Send me an email with your thoughts on this issue.

If you're interested in the Symantec report, you can read it at:

http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat

Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and ready to build a solution to contain the insider threat.

http://findtechinfo.com/penton/nl/250

=== SECURITY NEWS AND FEATURES =================================

Master AACS Key Found

The Advanced Access Content System (AACS) protection used in HD DVD and Blu-Ray DVD disk systems sustained another attack--this one more devastating than the last.

http://www.windowsitpro.com/Article/ArticleID/95180

12 Microsoft Security Bulletins for February 2007

Microsoft released 12 security updates for February, rating 6 of them as critical, including a critical update for the company's malware protection engine. The engine is used by several Microsoft products, including Windows Defender--a core component of Windows Vista.

http://www.windowsitpro.com/Article/ArticleID/95183

Checking Audit Logs for Tampering

Many administrators wonder if there is anything built into Windows that can verify that the Security event log hasn't been tampered with in some way. Randy Franklin Smith gives you the answer and explains how to look for signs of tampering.

http://www.windowsitpro.com/Article/ArticleID/94142

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: St. Bernard Software ==============================

Hosted Security: A solution for small and medium-sized businesses

Is effective security out of reach for your small or medium-sized business? Imagine having a team of IT experts who only focus on security as part of your staff. Download this free must-have white paper today and find out how you can eliminate your company's security risks.

http://www.windowsitpro.com/go/whitepaper/stbernard/hostedsecurity/?code=SECHot0220

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Schneier on DRM

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

You've probably heard of Bruce Schneier. Have you heard what he has to say about DRM? Learn more about my opinion on DRM and get a link to what Schneier says in this blog article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/95175

FAQ: Administrative Templates for Windows Vista

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Where are the Windows Vista administrative template (i.e., ADMX) files stored?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/95127

FROM THE FORUM: Chroot/Jail Implementation for Windows

A forum participant writes that he's aware of WinQuota's WinJail Desktop software, which implements a type of sandbox/chroot/jail environment similar to the one found on UNIX and Linux systems. He wonders if other similar tools are available for Windows and whether such an approach is useful. Join the conversation at the URL below.

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=84000&enterthread=y

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================

by Renee Munshi, [email protected]

IP Storage Appliances Add Encryption

Siafu Software announced that hardware data encryption is now standard on all Siafu Swarm IP SAN appliances. Siafu Swarm appliances are available in 1U, 2U, 3U, and 6U configurations, can store from 1TB to 7.5TB, use iSCSI, and feature RAID 51/61 active/active failover technology. Siafu Swarm IP encrypted SAN solutions are available starting at $8,995. For more information, go to

http://www.siafusoftware.com

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit

http://www.windowsitpro.com/go/securityresources

Deploy Exchange Server 2007 Without a Hitch!

This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your infrastructure. You'll learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!

http://www.windowsitpro.com/roadshows/exchange2007usa/?code=epromo

Get Ready for the Windows Server Longhorn Roadshow!

Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn. http://www.windowsitpro.com/roadshows/longhorn/?code=epromo

Tired of outdated and incomplete data modeling solutions? Build or re-engineer your business applications quickly, cost-effectively, and consistently with Sybase PowerDesigner 12. Download this free white paper today and learn how you can easily transfer your ERwin skills and start taking advantage of all of PowerDesigner's features.

http://www.windowsitpro.com/go/whitepaper/sybase/erwin/?code=0219e&r

=== FEATURED WHITE PAPER =======================================

Prevent installation and execution of unauthorized software on the computers on your network. Download this free white paper today for a comparison of different techniques for detecting and preventing unauthorized code. Protect against emerging risks today!

http://www.windowsitpro.com/go/whitepapers/bit9/lockdown/?code=0219featwp

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

https://store.pentontech.com/index.cfm?s=1&promocode=eu2572us

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today:

http://www.windowsitpro.com/go/itpromonth

================================================================

Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

http://www.windowsitpro.com/windowssecurity

http://www.securityprovip.com

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Read more about:

ITPro Today
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like