Thursday :: Dec 2, 2004

Phishing Phor A Virtual Pearl Harbor


by pessimist

Have I ever told you about how much I detest Windows? NO? I now have another reason to abhor Windows - a large part of our nation's security is being entrusted to it:


Air Force turns to Microsoft for network security

The U.S. Air Force is drafting Microsoft to help simplify its networks and software contracts, a move that could improve its computer security and deliver savings of $100 million.

And how much did the loss of the World Trade Center cost us? With a defense system that wasn't then nearly so Windows reliant? Especially when the news regularly has items like this?

Flaw opens crack in Windows servers

The vulnerability is in Windows Internet Name Service, or WINS, a network infrastructure component of server products such as Windows NT 4.0 Server, Windows 2000 Server and Windows Server 2003, Microsoft said Tuesday. The company has issued a temporary work-around for the problem while it works on an update to fix the vulnerability.

The problem, first made public last Friday by security software maker Immunity, is being defined by Microsoft as "a remote buffer overflow" flaw that could enable an attacker to run malicious software on vulnerable servers.

Would you trust YOUR fly-by-wire armed Predators to Bill Gates' New World Order-Friendly terrorist-hackable crappy operating system? Or our airliners?

As a technology person, deeply embedded in Wintel through years of experience, this frightens me greatly. We hear tell constantly about how Windows vulnerabilities emerge, and then Microsoft has to rush to create yet another patch and put it out on the Internet - where the code is accessible to the very people who exploit weaknesses as well as to the rest of us - and then we have to hope that the patch gets installed in a timely manner. All of us who deal with large IT organizations know how likely this prospect is!

I'm sure we would also quickly hear about how secure the Pentagon's computer equipment is, but as this article points out, there ain't no such animal:


New browser sniffs out phishy sites

Phishing scams have become more sophisticated and common, ... a new kind of Web advertisement that has been evading pop-up blocking software.

The ads, called "floating" or "overlay" ads, move around on the screen and are immune to the pop-up controls increasingly common in browsers and browser toolbars. "We've seen a lot of these adverts recently," Deepnet CEO Yurong Lin said. "It's the new trend in advertising because the pop-up blockers are so popular."

Pop-up blockers generally work by detecting and foiling a Web script command to open a new window. But floating ads rely on a more involved scripting object that keeps the pixels moving in an existing window.

Critics have noted that some phishing schemes work on legitimate sites through code sneaked onto Web surfers' computers.

So here we are, with an airline industry full of aircraft which can be adapted for use by the Global Hawk technology. Such talk was bandied about after 9/11 in an attempt to prevent the future use of airliners as guided missiles. Should Osama have violated the precepts of Sun Tzu's Art of War and attempted to use the same plan a second time (fighting the last war?), this might have been an effective counter-measure.

But no terrorist would ever be so predictable. The nature of terror is to be UNpredictable, as the fear of the unknown then becomes a most-potent weapon in its own right. Look at how air travel alone has been affected. Hours are spent while 'security' guards grope the most comely females waiting to board in their search for Saddam's missing WMD.

This all is as ridiculous as it is inconvenient, and very expensive in terms of time and money. Meanwhile, the industry plays into Osama's hand with announcements like this:

AIRBUS A330 WIDE-BODIED MEDIUM/LONG RANGE TWIN ENGINE AIRLINER, EUROPE

The aircraft's fly-by-wire system is configured around three primary and two secondary flight control computers (FCPC and FCSC), which all operate continuously. The Flight Management and Guidance and Envelope Computers control the aircraft at every phase of the aircraft's flight. The system has the same flight envelope limit protection as the A320, (stall and excess speed protection and protection against manoeuvres exceeding the aerodynamic and structural limits of the aircraft) but maintains the protection for a longer period of time than that of the A320.

Airbus has developed the Future Air Navigation System, (FANS-A) which integrates a Smith's digital control and display system and a Honeywell flight management system. The FANS-A system is fitted on new build A330 and A340 aircraft and can be retrofitted on existing A330/340 aircraft.

Hey! How's about a flight to Washington, DC!

There is no doubt that Muslim terrorists have to have connections deep within the high technology sector. Many of the high tech jobs that have been outsourced have gone to regions where Islamic extremist fundamentalism thrives - Pakistan, for instance. It wouldn't be that much of a stretch to believe that a deep-cover terrorist (we had them during the Cold War, after all) is involved with the operating system software of either the flight controllers, or the navigation software, or both.

Blue Skies of Death

This also isn't such a stretch. Remember when a new version of Windows was released and there were already millions of bootleg copies being sold all over China? It's still happening! And the source code itself is vulnerable to theft. It only takes a few minutes with a high-speed link to send multi-megabytes of compressed source code files to almost anywhere in the world, so thefts of this sort would be impossible to prevent, and great dangers are enabled by continuing to use such compromised technology for the most vital of our defenses.

Take note of this with your 'What if?' function enabled:

US Says 3rd Drone Crashes After Afghanistan Mission

An Air Force RQ-1 Predator drone crashed on Monday while returning from a routine flight in support of the U.S. campaign against terror in Afghanistan, bringing to three the number of unmanned aircraft known to have crashed in the conflict, the Central Command said.

The latest crash, like the earlier ones, was not the result of enemy fire, said the Tampa, Florida-based command, which is running the war in Afghanistan. It said the cause of the crash was under investigation and the aircraft would be recovered.

On Dec. 30, a higher-flying experimental drone called Global Hawk crashed outside Afghanistan because of a 'maintenance-related malfunction' unrelated to combat, the Pentagon said.

Another Predator crashed in the Central Command theater of operations shortly after the United States launched its campaign, spurred by the Sept. 11 hijacked airliner attacks in New York and Washington. More than 3,000 people were killed.

Suppose that hackers worked out how to cripple the command and control communications of these drones with their zombies and a cell-phone Internet connection.

This report shows a narrowness of thought when it comes to the definition of combat. OK, there aren't depleted uranium rounds being fired, but who's to say that the 'bullet' isn't able to 'byte'?

Certainly not these folks:

Security and analysis center wages silent war (Page 3)[PDF]

Here are some transcriptions to pique your interest [with my comments]:

* Companies spend $250,000 A DAY to combat attacks on their systems. These attacks are often conducted by hijacked computers known as 'zombies'.

* "We have over 200 servers connected to the Internet, so a hacker could probe our system from anywhere."

* When an attack is DETECTED [what happens until detection occurs, hmmmm?] employees launch software scans to detect vulnerabilities [something the hacker certainly has already done!], check that the servers have the latest security PATCHES [locking the barn after the horse is out], and then ensure that needed corrective actions are accomplished.

* As of press time, they had recently dealt with a 16-hour attack from Iraq.

Are we feeling secure yet? I didn't think so. The industry certainly isn't very secure, as this comment indicates:

The disclosure of the WINS flaw revived an ongoing debate over how much time security companies should give software makers to patch a vulnerability before they make the flaw public. The Microsoft representative said the company was "concerned that the vulnerability was disclosed irresponsibly" by Immunity and that tools designed to exploit the problem have been made publicly available as a result.

"Microsoft believes the presence of exploit code for vulnerabilities that have not been addressed by an update puts customers at risk from attack by criminals," the Microsoft representative said.

Or terrorists, more likely.


Trust Us!

"The consolidation will result in standard configurations for all Microsoft desktop and server software," the Air Force said in the statement. "The standard configurations will enforce rigorous security profiles and will be updated online with security patches and software updates."

Microsoft representatives confirmed that the company will work with the Air Force to define security configurations for the agency's desktop and servers. The representatives also said the deal includes an agencywide help desk service contract.

Microsoft's responsibilities also will include implementing an Air Force-wide compliance policy, automating the patching and tracking of software applications, and building a unified help desk, according to a public contract announcement.

The Air Force expects to test all potential applications by mid-December to find out whether the software can be part of the agency's new network. The agency's security initiative is scheduled to be completed by October 2005, the Air Force stated in a contract announcement late last month.

There is no such thing as a totally secure defense, but one should recognize when one is aiding and abetting one's enemies by continuing to use software that is easily hacked and has been seriously compromised. The thought that it is possible for a hacker to gain undetected access to critical computer systems for even a short period of time should be of great concern. And should this computer be involved with, say, the flight coordination of the FAA control towers, for example - systems so old that Windows wasn't even a Gates pipe dream yet - imagine the terror possibilities of having several planes colliding at 35,000 feet, or being re-vectored into incorrect descent paths and crashing into neighborhoods which generally surround urban airports. This could be accomplished without having to buy either box cutters or passage.

It could get worse. You might be using Windows yourself, zombie!


Copyrighted source material contained in this article is presented under the provisions of Fair Use.

FAIR USE NOTICE

This article contains copyrighted material, the use of which has not always been specifically authorized by the copyright owner. I am making such material available in my efforts to advance understanding of democracy, economic, environmental, human rights, political, scientific, and social justice issues, among others. I believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material in this article is distributed without profit for research and educational purposes.

pessimist :: 8:21 AM