Sep 30 2011

Security 101: Vulnerabilities, Part 1

Welcome back to Security 101.

The topic of today’s blog is vulnerabilities. In our frequent McAfee Labs Threat Advisories you see the term vulnerability in almost every item. “A vulnerability has been found…” or “A vulnerability in some versions of…” are commonplace. What is a vulnerability?

A vulnerability is a program bug that, under certain circumstances, makes the program behave in a way its authors did not intend. Not every bug is a vulnerability: the term is reserved for bugs that someone else (usually an attacker) can deliberately trigger and use to abuse the program, typically by supplying the input that brings about those circumstances.

A useful analogy is to compare a system with a building. The operating system (OS) is the structure, giving support and foundation to the system, and the applications are the building’s rooms or the rooms’ contents. In this analogy, the users are the inhabitants of the building.

Each room in a building has a door, the communications channel between an application and the OS. Some even have windows, which allow programs to communicate with the exterior or the environment, such as web browsers or email clients.

A vulnerability is a flaw in the structure of the room—a door or window that shouldn’t exist, or a hole in the wall. This flaw could allow strangers to infiltrate the building, or to leave packages that could damage the building. That is why, for a system to be secure, the number of vulnerabilities must be as few as possible: they are the entrance points for intruders and malware.

Not all vulnerabilities are equal. There are different kinds, with different effects, but all of them fall into one of two categories: local or remote. A local vulnerability is one that the intruder can exploit only from inside the system, that is, after already being able to log in or run code on the machine, whether with his or her own credentials, with stolen ones, or through a foothold gained some other way. Physical access to the hardware is one way to get there, but it is not required. For our analogy, this intruder must be an inhabitant of the building or must impersonate one.

A remote vulnerability, on the other hand, does not require any prior access. It is enough for the attacker to send the system a malicious file or network message, a package with a very nasty surprise. Remote vulnerabilities are therefore usually the more dangerous of the two, but local ones are not harmless: attackers routinely chain a remote flaw that gives limited access with a local one that escalates it to full control.

We also classify vulnerabilities by risk level: high, medium, or low risk. Risk ratings depend a lot on the criteria used by each person; at McAfee we define risk levels to make it clear to our customers what they should expect. Today we will look at only high-risk vulnerabilities; next time we will examine medium- and low-risk flaws.

High-Risk Vulnerabilities:

  • Remote Code Execution (RCE): The riskiest class. When fully exploited, an RCE flaw lets an attacker run code of his or her choosing on the vulnerable system, usually with the privileges of the vulnerable program, and from there take full control. It would be like putting a robot inside the flawed room that could do anything the attacker wanted, even affect other rooms or the structure itself. Some of the most dangerous malware needs this kind of vulnerability to work, because the flaw allows the malware to run without alerting the user. If a security patch covers such a flaw, the risk is usually great. It’s best to heed the warning.
  • Denial of Service (DoS): Another high-risk class. A DoS vulnerability lets an attacker freeze or crash the vulnerable program, or in the worst cases the device itself, typically by feeding it a single crafted input the program cannot handle. In this case the room’s door and windows are completely blocked, isolating the room from the building or the exterior. If the flaw is in the building itself, then the whole structure is cut off. The distributed attacks attributed to the Anonymous group are a related but different thing: they mostly flood a site with more traffic than it can serve rather than exploit a flaw in its software, so no patch stops them, whereas a DoS vulnerability can be patched. It is not difficult to imagine the chaos if the structure under attack is a router, server, or any other network infrastructure. A DoS vulnerability can vary in seriousness; it depends on which room is blocked. A closet could be less important than a bathroom or a meeting room.
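Here is what such a bug looks like in code. This is an added example, not from the original post or from McAfee: a hypothetical parser for a made-up wire format (one length byte followed by that many payload bytes), written once with the bounds check missing and once with it present. The sample messages are constructed for the example, and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example: one length
 * byte followed by that many payload bytes. The parser copies the payload
 * into a fixed-size stack buffer. */
#define PAYLOAD_MAX 16

/* Constructed sample messages (not captured traffic). */
static const uint8_t BENIGN_MSG[] = { 5, 'h', 'e', 'l', 'l', 'o' };
/* Declares 32 bytes, twice the buffer: the "certain circumstances". */
static const uint8_t CRAFTED_MSG[] = { 32,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
/* Declares 10 bytes but carries only 2. */
static const uint8_t TRUNCATED_MSG[] = { 10, 'a', 'b' };

/* The vulnerable version: the declared length is trusted. With CRAFTED_MSG
 * memcpy writes 16 bytes past the end of `payload`, clobbering whatever the
 * compiler placed after it on the stack (saved registers, the return
 * address). The result is a crash (DoS) or, with a payload built to plant a
 * chosen return address, execution of attacker-chosen code (RCE).
 * Returns the payload length copied to `out`, or -1 for an empty message.
 * Never call it with CRAFTED_MSG or TRUNCATED_MSG: that is undefined
 * behaviour by design, which is the point. */
int parse_unsafe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char payload[PAYLOAD_MAX];
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    memcpy(payload, msg + 1, declared);        /* no check against PAYLOAD_MAX */
    if (declared + 1 > out_len) return -1;
    memcpy(out, payload, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* The fixed version: the same parser with the checks the bug lacks.
 * Rejects (returns -1) any length the buffer cannot hold and any message
 * shorter than its own header claims. */
int parse_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char payload[PAYLOAD_MAX];
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > PAYLOAD_MAX) return -1;     /* oversized claim: do not copy */
    if (declared > msg_len - 1) return -1;     /* truncated: would read past msg */
    if (declared + 1 > out_len) return -1;     /* caller's buffer too small */
    memcpy(payload, msg + 1, declared);
    memcpy(out, payload, declared);
    out[declared] = '\0';
    return (int)declared;
}

int main(void)
{
    char out[PAYLOAD_MAX + 1];
    int n;

    /* Benign input: both parsers agree, so ordinary testing finds nothing. */
    n = parse_unsafe(BENIGN_MSG, sizeof BENIGN_MSG, out, sizeof out);
    printf("unsafe, benign:    %d bytes -> \"%s\"\n", n, out);
    n = parse_safe(BENIGN_MSG, sizeof BENIGN_MSG, out, sizeof out);
    printf("safe,   benign:    %d bytes -> \"%s\"\n", n, out);

    /* Crafted input: only the fixed parser survives it. */
    n = parse_safe(CRAFTED_MSG, sizeof CRAFTED_MSG, out, sizeof out);
    printf("safe,   crafted:   %s\n", n < 0 ? "rejected" : "accepted");
    n = parse_safe(TRUNCATED_MSG, sizeof TRUNCATED_MSG, out, sizeof out);
    printf("safe,   truncated: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

With the benign message both parsers behave identically, which is exactly why such bugs survive ordinary testing: the flaw shows only under the “certain circumstances” of a crafted length. Whether an oversized length ends in a crash (DoS) or in the attacker’s code running (RCE) depends on what lies past the buffer and on the platform’s mitigations, which is one reason advisories can rate the same kind of flaw differently.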


To see examples of these vulnerabilities, take a look at our McAfee Security Awareness Community, where we post all of our Threat Advisories.

Next: Part 2: Medium- and Low-Risk Vulnerabilities

Sep 30 2011

Google’s Picasa and Yahoo! Groups used to spread spam

Spammers are turning to Google and Yahoo! to help them spread their wares. Shouldn’t Google and Yahoo! follow industry best practices of confirming your interest before sending you email?

Sep 30 2011

Supreme Court Docket: Surveillance, Profanity and Thought Patents

The Supreme Court’s 2011-2012 term begins Oct. 3 with arguments on the docket concerning everything from television profanity to warrantless GPS surveillance.

Cases we are tracking also surround whether Congress may place public-domain works into copyright and whether “thought” can be patented.

The justices hear about six dozen cases annually, and four dozen have been chosen so far. A number of crucial cases from the appellate courts are vying to be added.

The Justice Department, for instance, is asking the nine justices to review the constitutionality of a law making it a crime to lie about being a decorated military veteran. And artists want the high court to decide whether they should get “performance” royalties when a consumer purchases a digital download from iTunes. Those two petitions are pending.

Here is a summary of important cases that have been granted a hearing by the Supreme Court:

An abandoned FBI vehicle-tracking device/Wired.com

United States v. Jones
Oral Argument Nov. 8

At the Obama administration’s urging, the Supreme Court will decide whether the government, without a court warrant, may affix GPS devices on suspects’ vehicles to track their every move. The Justice Department told the court that “a person has no reasonable expectation of privacy in his movements from one place to another.” The administration is demanding that the justices undo a lower court decision that reversed the conviction and life sentence of a cocaine dealer whose vehicle was tracked via GPS for a month without a court warrant.

The issue is arguably one of the biggest Fourth Amendment cases in a decade — one weighing the collision of privacy, technology and the Constitution.

In 2001, the justices said thermal-imaging devices used to detect marijuana-growing operations inside a house amounted to a search requiring a court warrant.

The justices accepted the government’s petition to clear conflicting lower-court rulings on when warrants are required for GPS tracking. The administration, in its petition to the justices, said the U.S. Court of Appeals for the District of Columbia Circuit was “wrong” in August when it reversed the drug dealer’s conviction, which was based on warrants to search and find drugs in the locations where defendant Antoine Jones had traveled.

The government told the justices that GPS devices have become a common tool in crime fighting. An officer shooting a dart can affix them to moving vehicles, and recently, a student in California found a tracking device attached to the underside of his car, which the FBI later demanded back.

Three other circuit courts of appeal have already said the authorities do not need a warrant for GPS vehicle tracking.

Igor Stravinsky/Wikimedia Commons

Golan v. Holder
Oral Argument Oct. 5

The top court has agreed to rule on a petition by a group of orchestra conductors, educators, performers, publishers and film archivists about whether Congress may take works out of the public domain and grant them copyright status. A federal appeals panel, reversing a lower court, ruled against the group, which has relied on artistic works in the public domain for their livelihoods. The 10th U.S. Circuit Court of Appeals set aside arguments that their First Amendment rights were breached because they could no longer exploit those works without paying royalties.

For a variety of reasons, the works at issue, which are foreign and were produced decades ago, became part of the public domain in the United States but were still copyrighted overseas. In 1994, Congress adopted legislation to move the works back into copyright, so U.S. policy would comport with an international copyright treaty known as the Berne Convention.

Some of the works at issue include:
*H.G. Wells’ Things to Come
*Fritz Lang’s Metropolis
*The musical compositions of Igor Fyodorovich Stravinsky

The government argued in the long-running case that Congress adopted what was known as “Section 514” for its “indisputable compliance” with the convention and to remedy “historic inequities of foreign authors who lost or never obtained copyrights in the United States.”

“In other words, the United States needed to impose the same burden on American reliance parties that it sought to impose on foreign reliance parties. Thus, the benefit that the government sought to provide to American authors is congruent with the burden that Section 514 imposes on reliance parties. The burdens on speech are therefore directly focused to the harms that the government sought to alleviate,” the appeals court wrote.

Eric Schwartz, an intellectual property attorney with Mitchell Silberberg & Knupp in Washington, D.C., said the case boils down to whether Congress has the power under the Copyright Act to do what it did, and whether it was consistent with the First Amendment rights of the plaintiffs.

“I think the answer is ‘yes’ to both questions,” said Schwartz, former acting general counsel for the U.S. Copyright Office, who helped draft the congressional legislation.

Anthony Falzone, executive director of the Fair Use Project at Stanford University and a plaintiff’s lawyer in the case, urged the justices to take the case.

“The point of copyright protection is to encourage people to create things that will ultimately belong to the public. While the scope and duration of copyright protection has changed over time, one aspect of the copyright system has remained consistent: once a work is placed in the public domain, it belongs to the public, and remains the property of the public — free for anyone to use for any purpose,” he wrote.

Photo: Leo Reynolds/Flickr

Federal Communications Commission v. Fox Television Stations
Oral argument not scheduled

The justices have agreed to hear the government’s appeal of a lower court ruling invalidating the Federal Communication Commission’s broadcast decency rules. The 2nd U.S. Circuit Court of Appeals ruled last year that the regulations were “unconstitutionally vague” and produced a “chilling effect” on First Amendment speech.

The facts concern FCC rulings that “fleeting expletives” uttered during the 2002 and 2003 Billboard Music Awards were indecent. First Cher, then Nicole Richie, cursed during the shows aired on Fox. In the other dispute, the FCC said ABC violated decency standards when the network aired a brief nude shot of Charlotte Ross’ buttocks in NYPD Blue.

The FCC’s decency regulations are not enforced between 10 p.m. and 6 a.m., and only affect broadcast networks, not cable or internet programming.

The broadcasters claim the rules, which the government announced in 2004 would be strictly enforced, are so broad and vague that it’s unclear what is allowed, a position the government said was ridiculous. The appeals court in the Fox issue ruled that the FCC’s policy was unconstitutionally vague because “broadcasters are left to guess whether an expletive will be deemed ‘integral’ to a program or whether the FCC will consider a particular broadcast a ‘bona fide news interview.’”

In the ABC case, in which the FCC fined its affiliates $27,500 each, the appeals court said there was no “significant distinction” between the ABC and Fox cases, despite the ABC case dealing with scripted nudity. That’s because the appellate court said the FCC rules were “impermissibly vague.”

The government on appeal argues that “the court of appeals never asked what should have been the dispositive question: Whether Fox and ABC had fair notice that the expletives and nudity in the broadcasts under review could violate the commission’s indecency standards.”

Dennis Wharton, a vice president for the National Association of Broadcasters, said the government should not regulate broadcasters’ content.

“Responsible programming decisions by network and local station executives, coupled with program-blocking technologies like the V-chip and proper guidance of children by parents and caregivers, are far preferable to government regulation of program content,” Wharton said in a statement.

Photo: RambergMediaImages/Flickr

Mayo Collaborative Services v. Prometheus Laboratories
Oral argument Dec. 7

A highly nuanced and technical dispute between Mayo and Prometheus raises the question of whether “thought” is patentable. The issue surrounds a Prometheus patent concerning, in part, doctors’ subjective observations on how patients react to synthetic drug dosages to treat auto-immune diseases.

Prometheus holds patents to methods that assist doctors in figuring out — through observation and testing — the effective dosage of synthetic drugs to administer. The method includes performing drug tests with a Prometheus-patented kit.

Prometheus sued Mayo, arguing its use of the kits was patent infringement. The U.S. Federal Circuit Court of Appeals sided with Prometheus, saying the patents were valid because they outlined methods of altering a patient’s body chemistry with specific drugs.

Mayo claims that the patents, ultimately, are an observation of naturally occurring phenomenon — the body’s reaction to dosing levels.

Mayo told the Supreme Court that the patents at issue should be nullified. “The Prometheus patents claim a monopoly over consideration of a naturally occurring correlation between metabolites of a drug and the toxicity or efficacy of that drug,” the clinic said.

Steven Shapiro, the legal director for the American Civil Liberties Union, said Mayo should prevail.

“What they’re claiming a patent on is how you think about whether or not a drug is working. You can’t patent thought,” he said.

The government weighed in, too, arguing “provisions of the Patent Act permit the nuanced, fact-intensive distinction necessary to separate patentable from un-patentable inventions.”


Sep 29 2011

Windows 8 anti-virus has a long way to go

When testing the included unmanaged anti-virus in Windows 8, I ran across an odd quirk. It doesn’t detect EICAR properly. I present my results and what to expect in this article.