Coordinated Vulnerability Disclosure

Microsoft subscribes to Coordinated Vulnerability Disclosure, and I am a proponent of this process.  This is much like what I described in an earlier rant and have been professing for years.  It seems to be unpopular with some vulnerability researchers, as it does not provide a direct and immediate cash payout, or the extreme notoriety that irresponsible disclosure often provides.

Check out Microsoft’s article and the great little video that explains the whole process, or just read the excerpt below if you don’t have the time…

Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress.

Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to protect themselves.

For more information on CVD, download the document, Coordinated Vulnerability Disclosure at Microsoft.  Once again I am pleasantly surprised to be saying, Thank You Microsoft, for sharing and caring.

Hotmail Flaw Exposes Email

Criminals have been siphoning e-mail messages from Hotmail users’ accounts for more than a week, thanks to a vulnerability in Microsoft’s website.  The flaw gave hackers a way to read and steal e-mail from Hotmail users by sending specially crafted e-mail messages to several thousand victims.

On May 12, Trend Micro found a message sent to a victim in Taiwan that looked like a Facebook notification alert, warning that someone had accessed their Facebook accounts from a new location.  Embedded within the e-mail was a script that forwarded the victim’s e-mail messages to the hacker.

For the cross-site scripting flaw to work, the victim had to be logged into Hotmail, but the script would run even if the victim simply previewed the message.  The script triggered a request to the Hotmail server instructing it to forward all of the affected user’s email messages to a different email address.  Cross-site scripting flaws are common on the Web, but they’re rarely found in widely used websites like Windows Live Hotmail.

Trend Micro reported the issue to Microsoft immediately, and it was finally fixed on Friday.  According to Trend Micro, the attack doesn’t seem to have been widespread, affecting between 1,000 and 2,000 victims; however, Trend Micro has no way of knowing how long the flaw was there before it was uncovered.
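The root cause above is message HTML being rendered inside the mail site’s own origin. As an added illustration (my own code, not Microsoft’s or Trend Micro’s fix), here is the defender-side control for that class of bug: an allowlist sanitizer that rebuilds the message body so embedded scripts, event-handler attributes and javascript: links never reach the preview pane. The allowed tag and attribute sets are a hypothetical policy.

```python
import html
from html.parser import HTMLParser

# Allowlist policy (hypothetical): anything not named here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "ul", "ol", "li", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
SCRIPT_LIKE = {"script", "style", "iframe", "object", "embed"}  # element contents discarded too


class MailSanitizer(HTMLParser):
    """Rebuilds a message body from allowlisted tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a SCRIPT_LIKE element

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_LIKE:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element (img, form, svg, ...) vanishes with its attributes
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onerror=, onload=, onclick= are inline script
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and relative links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SCRIPT_LIKE:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text inside <script>/<style> never reaches the output
            self.out.append(html.escape(data, quote=False))


def sanitize_mail_html(body: str) -> str:
    """Return a version of `body` that a webmail preview pane can render safely."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample modelled on the attack described above: a fake
    # notification carrying a hidden script aimed at a mail-forwarding endpoint.
    sample = '<p>Someone logged in to your account.<script>fetch("/forward")</script></p>'
    print(sanitize_mail_html(sample))  # -> <p>Someone logged in to your account.</p>
```

Sanitizing on render is the last line of defence; the forwarding endpoint itself should also require an explicit user confirmation or anti-forgery token so a stray request cannot change mail settings.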

All Businesses Are At Online Risk

Bank robbers rob banks, because that is where the money is.  Criminals rob online businesses, because that is now where the money is, along with the credit card data, the private information, and the online identities.

Money remains a major target because of its fluidity, putting banks, credit unions, and other financial institutions that move money around right in the crosshairs, but electronic cash isn’t the only target for online criminals.  Defense contractors, developers, and governmental institutions are also being targeted by criminals and terrorists looking to gain classified or sensitive information, find other vulnerabilities, and connect to other networks.  Regardless of whether money is the direct target or not, it is still the bottom line.  Hackers are looking to steal a company’s R&D because they can sell that information to a company with a smaller research budget.  The target of their attack may be intellectual property or strategic plans, but it ends up being just something you can turn into money.

So besides the financial industry, the online threat is also growing for smaller businesses and retail stores.  These had been largely ignored by online criminals, but small and medium-sized businesses have become the low-hanging fruit for well-practiced hackers.  SMBs don’t have the budget that larger companies have, but they still have data that can be monetized.  There are more SMBs than there are large corporations, and with fewer protective and detective devices in the way, the profits can be just as, or even more, lucrative with less risk of being detected and tracked.

Microsoft Finds >427k Compromised Email Addresses

Microsoft spelled out the results of its ongoing investigation into the Rustock botnet server hardware obtained by law enforcement in a status report submitted Monday to a federal judge.  Operation b107 was the codename for the takedown of the huge Rustock botnet, responsible for sending as many as 30 billion spam messages a day.  The takedown was backed by international warrants to seize command-and-control (C&C) servers.

Investigators found custom-written software for assembling spam emails, along with text files containing thousands of email addresses and username/password combinations used for spam dissemination.  One text file alone contained over 427,000 email addresses.

Along with the email addresses, forensics experts also uncovered evidence that the criminals used stolen credit cards to purchase hosting and email services.  Payments for the hosting of some of Rustock’s C&C servers were traced to a specific Webmoney account, and after asking the Russian online payment service for help, the owner of that account was identified in a city 14 miles northwest of Moscow.  The status report cautioned that this person might not be the actual purchaser of the C&C hosting services, and that the investigation is continuing.

18 of the 20 drives obtained had been used as “Tor nodes” to provide the attackers with anonymous access to the Internet, and to the hijacked Windows PCs that made up the Rustock botnet.  Tor relies on routing and encrypting traffic through a network of machines maintained by volunteers in numerous countries to hide the actual connections.  Tor is used by activists in nations where governments monitor or restrict web communication, and by hackers to thwart identification efforts.

If you believe your computer may be infected by Rustock or other type of malware, Microsoft encourages you to visit for free information and resources to clean your computer.