
Security

Community help as an attack vector

A recent IT-Director article discussed some of the reasons why small businesses (in the author's opinion) might not want to make the jump to free software. One of them was the following:

Technical support will involve participating in internet forums, asking people of unknown capability for help with any problems and trusting that what comes back is a real fix, not some means of a malicious person gaining access to the user's system. This haphazard way of supporting IT is unattractive, especially for smaller businesses with limited in-house expertise.

The article goes on to say that businesses respond to this problem by purchasing support from distributors. Paid support plans are a fine alternative in many situations, but people who have spent much time performing system administration have usually learned that, often, answers from the net can be quicker and more clueful than those from the paid providers. So the idea that community support could be used as a way to attack a system is disconcerting.

At first, it also seems rather unlikely. One wonders where this concern came from, given that there may not be a single case of a system having been compromised by way of "help" provided through a community forum. As a business sizes up the threats to its systems, malicious advice from the net should probably appear fairly low on the list.

That said, this possibility may be worth a little thought. The phishing problem shows that there is no shortage of people out there with an interest in social engineering attacks. Provision of bogus advice would not scale in the way mass phishing attacks do, but it might also fall on more fertile ground. A system administrator with a broken system, disgruntled users, and a pointy-haired boss breathing down his or her neck might be inclined to follow seemingly helpful advice from the net without thinking about it much first. In a world where software installation instructions begin with "turn off your antivirus software," any of a number of ill-advised suggestions might seem entirely reasonable.

So, sooner or later, some joker will probably attempt this sort of attack. For those who are especially concerned about this possibility, here are a few possible defenses:

  • When asking for help on the net, consider using a non-work email address. Requests from admin@big-defense-contractor.com may be more likely to attract suspicious replies. It can only help to keep potential attackers from knowing where the relevant systems are located.

  • Be highly suspicious of any replies which are not copied back to the list where the question was originally asked. Hostile advice posted to a public list will likely be spotted quickly, but there is no public review of private mail.

  • Make a point of understanding any suggested remedies before trying them.

The above is all entirely obvious stuff, but it should be sufficient to defend against most social engineering attacks disguised as responses to requests for help. As is the case in many areas of security, a bit of common sense goes a long way.
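The second defense above can be checked mechanically before a reply is even read. The following is an added example, not code from the article: it parses a reply's To/Cc headers and labels it "private" when the list the question went to was not copied. The list address and both sample messages are constructed for the example.

```python
"""Flag replies that were not copied back to the list the question went to.

Added example, not from the article. The list address and the two
messages below are constructed; adjust LIST_ADDRESS for a real list.
"""
from email import message_from_string
from email.utils import getaddresses

LIST_ADDRESS = "users@example-project.org"  # assumed list address

# Constructed sample replies to a question posted on the list.
PUBLIC_REPLY = """\
From: Helpful Person <helper@example.net>
To: admin@example.com
Cc: users@example-project.org
Subject: Re: sshd refuses connections after upgrade
In-Reply-To: <question-1@example.com>

Check /var/log/auth.log for the reason sshd gives before changing anything.
"""

PRIVATE_REPLY = """\
From: Someone <anon@example.org>
To: admin@example.com
Subject: Re: sshd refuses connections after upgrade
In-Reply-To: <question-1@example.com>

I have a script that fixes this; just run it as root.
"""


def recipients(raw_message):
    """Return the set of lower-cased addresses in the To and Cc headers."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def copied_to_list(raw_message, list_address=LIST_ADDRESS):
    """True if the reply went back to the list, so others can review it."""
    return list_address.lower() in recipients(raw_message)


def triage(raw_message, list_address=LIST_ADDRESS):
    """Label a reply 'public' (list copied) or 'private' (no public review)."""
    return "public" if copied_to_list(raw_message, list_address) else "private"
```

A "private" label does not mean the advice is hostile; it means nobody else on the list will see it, so the third defense (understand the remedy first) carries the whole load.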

New vulnerabilities

apache: cross-site scripting

Package(s): apache    CVE #(s): CVE-2005-3352
Created: December 14, 2005    Updated: May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
Slackware SSA:2006-129-01 apache 2006-05-10
SuSE SUSE-SR:2006:004 resmgr, php, ethereal, apache2 2006-02-24
Fedora-Legacy FLSA:175406 Apache 2006-02-18
Gentoo 200602-03 apache 2006-02-06
Fedora FEDORA-2006-052 httpd 2006-01-20
Red Hat RHSA-2006:0158-01 httpd 2006-01-17
Ubuntu USN-241-1 apache2, apache 2006-01-12
Trustix TSLSA-2005-0074 apache libc-client 2005-12-23
Mandriva MDKSA-2006:007 apache2 2006-01-05
Red Hat RHSA-2006:0159-01 httpd 2006-01-05
OpenPKG OpenPKG-SA-2005.029 apache 2005-12-14

courier: unauthorized access

Package(s): courier    CVE #(s): CVE-2005-3532
Created: December 8, 2005    Updated: December 14, 2005
Description: The Courier mail server's courier-authdaemon can grant access to deactivated accounts, allowing for unauthorized access to information.
Alerts:
Ubuntu USN-226-1 courier 2005-12-09
Debian DSA-917-1 courier 2005-12-08

curl: buffer overflow

Package(s): curl    CVE #(s): CVE-2005-4077
Created: December 8, 2005    Updated: March 27, 2006
Description: The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access.
Alerts:
Gentoo 200603-25 openoffice-bin 2006-03-27
Debian DSA-919-2 curl 2006-03-10
Trustix TSLSA-2005-0072 cups curl 2005-12-16
Red Hat RHSA-2005:875-01 curl 2005-12-20
Gentoo 200512-09 curl 2005-12-16
Ubuntu USN-228-1 curl 2005-12-12
Fedora FEDORA-2005-1137 curl 2005-12-12
Fedora FEDORA-2005-1136 curl 2005-12-12
Debian DSA-919-1 curl 2005-12-12
OpenPKG OpenPKG-SA-2005.028 curl 2005-12-10
Mandriva MDKSA-2005:224 curl 2005-12-08
Fedora FEDORA-2005-1129 curl 2005-12-08
Fedora FEDORA-2005-1130 curl 2005-12-08

ethereal: buffer overflow

Package(s): ethereal    CVE #(s): CVE-2005-3651
Created: December 13, 2005    Updated: January 4, 2006
Description: A buffer overflow has been discovered in ethereal, a commonly used network traffic analyzer; it causes a denial of service and may potentially allow the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:002 ethereal 2006-01-03
Mandriva MDKSA-2005:227 ethereal 2005-12-14
Gentoo 200512-06 ethereal 2005-12-14
Debian DSA-920-1 ethereal 2005-12-13

kernel: key rebinding

Package(s): kernel    CVE #(s): CVE-2005-3257
Created: December 14, 2005    Updated: January 4, 2006
Description: Linux kernels through 2.6.14 allow any user to rebind console keys; this opening can be exploited to inject commands when other users are logged in.
Alerts:
Ubuntu USN-231-1 linux-source-2.6.8.1/-2.6.10/-2.6.12 2005-12-22
Fedora FEDORA-2005-1138 kernel 2005-12-13

phpMyAdmin: multiple vulnerabilities

Package(s): phpmyadmin    CVE #(s): CVE-2005-4079 CVE-2005-3665
Created: December 12, 2005    Updated: November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 phpmyadmin 2006-11-19
Debian DSA-1207-1 phpmyadmin 2006-11-09
SuSE SUSE-SA:2006:004 phpMyAdmin 2006-01-26
Gentoo 200512-03 phpmyadmin 2005-12-11

poppler: arbitrary code execution

Package(s): poppler    CVE #(s): CVE-2005-3191 CAN-2005-3193
Created: December 8, 2005    Updated: January 16, 2006
Description: The poppler PDF rendering library has a heap overflow vulnerability that can be exploited by viewing specially crafted PDF files. An attacker can cause a crash or the execution of arbitrary code. This vulnerability is related to a similar vulnerability with xpdf.
Alerts:
Fedora FEDORA-2005-037 kdegraphics 2006-01-16
Red Hat RHSA-2005:878-01 CUPS 2005-12-20
Red Hat RHSA-2005:868-01 kdegraphics 2005-12-20
Fedora FEDORA-2005-1171 poppler 2005-12-19
Fedora FEDORA-2005-1132 poppler 2005-12-08

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds