[ISN] Is the "Drive-by Pharming" Attack Misnamed?

From: InfoSec News (alerts@private)
Date: Wed Feb 21 2007 - 23:10:06 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>



=== CONTENTS ===================================================

IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed?

   - Master AACS Key Found
   - 12 Microsoft Security Bulletins for February 2007
   - Checking Audit Logs for Tampering
   - Recent Security Vulnerabilities

   - Security Matters Blog: Schneier on DRM
   - FAQ: Administrative Templates for Windows Vista
   - From the Forum: Chroot/Jail Implementation for Windows 
   - Share Your Security Tips

   - IP Storage Appliances Add Encryption
   - Wanted: Your Reviews of Products 




=== SPONSOR: Ontrack Data Recovery =============================

Ontrack Data Recovery: Data loss prevention tips

Snow storms, extreme heat, hurricanes... they all have the potential to 
interrupt your business and damage your data storage systems. While 
your business might never be directly impacted by a natural disaster, 
data loss can strike companies anytime and anywhere.

Be prepared by learning how to prevent data loss and what to do when 
data loss affects your business. 

Ontrack Data Recovery, the world leader in data recovery services and 
software, is pleased to offer a FREE e-newsletter that addresses data 
loss prevention and response. 

Recent topics discussed in Ontrack's Data Recovery News include: 
- Seven things to avoid when your drive crashes 
- Data recovery options for flash media
- Do-it-yourself data recovery software products

Sign up for the FREE Ontrack Data Recovery Newsletter today: 

=== IN FOCUS: Is the "Drive-by Pharming" Attack Misnamed? ======
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Any wireless Access Point (AP) that uses a default password is 
vulnerable to manipulation by anyone who can gain some form of 
connectivity to it. If the wireless AP's management interface is Web-
based, it can be mimicked, and therein resides a problem waiting to 

If an intruder can craft a special Web page that mimics the 
functionality of an AP management interface, that Web page could take 
any action against an AP that's allowed by the management interface. So 
what's to stop an attacker from developing a Web page that, when 
viewed, changes any of the available AP settings? Not much, apparently. 

Symantec researchers recently blogged about this very scenario, and 
they point out how an attacker might use this attack method to change 
DNS settings, which could lead to phishing scams. In the blog article, 
they wrote, "The attackers create a Web page that includes malicious 
JavaScript code. When the Web page is viewed, this code, running in the 
context of your Web browser, uses a technique known as 'Cross Site 
Request Forgery' and logs into your local home broadband router.... One 
simple, but devastating, change is to the user's DNS server settings."

Symantec chose to call this attack "drive-by pharming," and that 
bothers me. I saw several headlines about this attack type on the 
Internet before I read the Symantec blog, and I thought, "Oh great, 
another way to get in your car, drive around, find unprotected APs, and 
steal people's information." But this attack has absolutely nothing in 
common with war-driving. So Symantec introduced confusion with the 
attack name, and some media reports spread the confusion further. 

Symantec would do well to stop confusing us about security problems 
with its use of misleading attack-type names. In the case of "drive-by 
pharming," the attack has nothing to do with being in close proximity 
to an AP (as is the case with war-driving) and is related to "pharming" 
only in that attackers could use the management interface vector to 
manipulate DNS to point to the DNS servers of their choice, which in 
turn could resolve certain host names to IPs that point to pharming 

The ability to attack someone's DNS settings could be exploited in a 
variety of ways, none of which Symantec bothered to mention. For 
example, an attacker could install botnet software or other malware, 
spy on Web usage habits, intercept email, or intercept sensitive files 
for corporate espionage; the list goes on and on. It seems to me that 
misnaming attacks is itself a security problem because it misinforms 
people who might not have the time to delve deeper into the nuts and 
bolts behind a given title. I think Symantec should consider patching 
its naming methods. What do you think? Send me an email with your 
thoughts on this issue. 

If you're interested in the Symantec report, you can read it at:

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat 
   Learn how to develop a comprehensive management system that 
virtually eliminates the risk of an insider threat. Co-authored by 
NetIQ and Dr. Eric Cole, this informative white paper identifies the 
key business processes that must be secured and ready to build a 
solution to contain the insider threat.

=== SECURITY NEWS AND FEATURES =================================

Master AACS Key Found
   The Advanced Access Content System (AACS) protection used in HD DVD 
and Blu-Ray DVD disk systems sustained another attack--this one more 
devastating than the last. 

12 Microsoft Security Bulletins for February 2007
   Microsoft released 12 security updates for February, rating 6 of 
them as critical, including a critical update for the company's malware 
protection engine. The engine is used by several Microsoft products, 
including Windows Defender--a core component of Windows Vista. 

Checking Audit Logs for Tampering
   Many administrators wonder if there is anything built into Windows 
that can verify that the Security event log hasn't been tampered with 
in some way. Randy Franklin Smith gives you the answer and explains how 
to look for signs of tampering. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: St. Bernard Software ==============================

Hosted Security: A solution for small and medium-sized businesses
   Is effective security out of reach for your small or medium-sized 
business? Imagine having a team of IT experts who only focus on 
security as part of your staff. Download this free must-have white 
paper today and find out how you can eliminate your company's security 

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Schneier on DRM
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4B3D9:57B62BBB09A6927915328BC315BA14AA

You've probably heard of Bruce Schneier. Have you heard what he has to 
say about DRM? Learn more about my opinion on DRM and get a link to 
what Schneier says in this blog article on our Web site. 

FAQ: Administrative Templates for Windows Vista
   by John Savill, http://list.windowsitpro.com/t?ctl=4B3D7:57B62BBB09A6927915328BC315BA14AA 

Q: Where are the Windows Vista administrative template (i.e., ADMX) 
files stored?

Find the answer at

FROM THE FORUM: Chroot/Jail Implementation for Windows
   A forum participant writes that he's aware of WinQuota's WinJail 
Desktop software, which implements a type of sandbox/chroot/jail 
environment similar to the one found on UNIX and Linux systems. He 
wonders if other similar tools are available for Windows and whether 
such an approach is useful. Join the conversation at the URL below.

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

IP Storage Appliances Add Encryption
   Siafu Software announced that hardware data encryption is now 
standard on all Siafu Swarm IP SAN appliances. Siafu Swarm appliances 
are available in 1U, 2U, 3U, and 6U configurations, can store from 1TB 
to 7.5TB, use iSCSI, and feature RAID 51/61 active/active failover 
technology. Siafu Swarm IP encrypted SAN solutions are available 
starting at $8,995. For more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Deploy Exchange Server 2007 Without a Hitch! 
   This one-day technical training event teaches you how to preempt 
pitfalls and avoid corrupting your infrastructure. You'll learn how to 
effectively install, manage, and secure Exchange Server 2007 in a 64-
bit environment. You'll also get a peek into the integration of 
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register 

Get Ready for the Windows Server Longhorn Roadshow! 
   Seize control of your Windows infrastructure with Microsoft's 
biggest server release since Windows 2003. Get a live, under-the-hood 
look at Longhorn virtualization, deployment, Web services, and 
breakthroughs in core reliability. This one-day event is filled with 
demonstrations and in-depth discussions designed for IT pros who want a 
deep understanding of Windows Server Longhorn.   

Tired of outdated and incomplete data modeling solutions? Build or re-
engineer your business applications quickly, cost-effectively, and 
consistently with Sybase PowerDesigner 12. Download this free white 
paper today and learn how you can easily transfer your ERwin skills and 
start taking advantage of all of PowerDesigner's features. 

=== FEATURED WHITE PAPER =======================================

Prevent installation and execution of unauthorized software on the 
computers on your network. Download this free white paper today for a 
comparison of different techniques for detecting and preventing 
unauthorized code. Protect against emerging risks today! 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting April nominations now, but only for a limited 
time! Submit your nomination today: 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4B3DC:57B62BBB09A6927915328BC315BA14AA
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


This archive was generated by hypermail 2.1.3 : Wed Feb 21 2007 - 23:25:45 PST