[ISN] BITS Gives Bad Guys an Inroad

From: InfoSec News (alerts@private)
Date: Wed May 23 2007 - 22:59:02 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

VeriSign's Extended Validation SSL Certificates
   http://list.windowsitpro.com/t?ctl=573F3:57B62BBB09A69279661DBC84E7D40DD5

Identity-based Security with UTM 
   http://list.windowsitpro.com/t?ctl=573FD:57B62BBB09A69279661DBC84E7D40DD5

Your First Look at FAN Technology
   http://list.windowsitpro.com/t?ctl=573EC:57B62BBB09A69279661DBC84E7D40DD5


=== CONTENTS ===================================================

IN FOCUS: BITS Gives Bad Guys an Inroad

NEWS AND FEATURES
   - Microsoft Redesigns Security Bulletins and Advanced Notifications
   - Verizon Expands Security Offerings Via CyberTrust Acquisition
   - Enterprise Wireless Routers Buyers Guide
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Time to Upgrade Samba and PHP
   - FAQ: Check a Folder for a File Type 
   - From the Forum: Network Access for Services
   - Product Evaluations from the Real World
   - Share Your Security Tips

PRODUCTS
   - Finding Malicious Content in Email Message Bodies

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: VeriSign ==========================================

VeriSign's Extended Validation SSL Certificates
   Increase customer confidence at transaction time with the latest 
breakthrough in online security - Extended Validation (EV) SSL 
Certificates from VeriSign. Extended Validation triggers the address 
bar to turn green when a visitor is using Microsoft Internet Explorer 7 
and viewing a site with EV SSL Certificates. This green bar lets 
customers know that the site they are on is highly authenticated and 
secure. 
   In a recent VeriSign study, 77% of the respondents indicated that 
they would be hesitant about shopping at, would check into problems 
with, or would abandon a site that once showed EV and no longer did. 
Learn more about Extended Validation by reading the technical white 
paper: Maximizing Site Visitor Trust Using Extended Validation SSL. 
   http://list.windowsitpro.com/t?ctl=573F3:57B62BBB09A69279661DBC84E7D40DD5


=== IN FOCUS: BITS Gives Bad Guys an Inroad =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Malware developers have been using Microsoft's Background Intelligent 
Transfer Service (BITS) to download software to Windows systems for 
quite some time. Using BITS is logical because it's designed to 
download files and is a standard part of all supported Windows OSs. 
BITS takes advantage of unused bandwidth to help optimize network 
usage, which makes its activity less noticeable to a user. 

One problem in defending against this misuse is that BITS is used by 
Windows Update, Microsoft Systems Management Server (SMS), Microsoft 
Messenger, and other tools, so it's typically trusted by firewalls to 
move traffic in and out of the network. Another problem in preventing 
malware developers from using BITS is that when a malicious application 
downloads files with it, the traffic is seen as coming from BITS and 
not the application itself. 

Firewall leak testers have long known about the potential danger of 
BITS and have openly discussed the matter for over a year. At least one 
program, bits_tester.exe (at the first URL below), is available that 
works with Microsoft's bitsadmin.exe tool (in the Windows XP SP2 
Support Tools at the second URL below) to demonstrate how BITS can 
easily download files from Web servers. 
   http://list.windowsitpro.com/t?ctl=573FA:57B62BBB09A69279661DBC84E7D40DD5
   http://list.windowsitpro.com/t?ctl=573E4:57B62BBB09A69279661DBC84E7D40DD5

According to Guillaume Kaddouch of the Firewall Leak Tester Web site, 
the only way to currently control BITS activity is to limit the ability 
of svchost.exe (on XP and later Windows versions) or services.exe (on 
Windows 2000) to communicate over the network. So for example, if you 
want to better guarantee that BITS will be used only for file transfers 
on your network or between your network and Microsoft's software update 
sites, then you need to implement a deny-all policy for svchost.exe or 
services.exe and make specific exceptions for hosts that you want to 
receive content from through BITS. Keep in mind that because Microsoft 
also makes a BITS API available for developers to use, you might need 
to make exceptions for other legitimate desktop applications that use 
BITS to download their updates or other content. 

The danger of malware misusing BITS isn't limited to software 
downloads. BITS can also become a significant source of information 
leakage because it can upload files too, although doing so requires 
that BITS upload to a Microsoft IIS server with BITS extensions 
installed. Here again, a deny-all policy can help. 

Elia Florio brought the BITS problem to light again this month in a 
post on the Symantec Security Response blog (at the URL below) in which 
Florio suggested that Microsoft could improve the security of BITS. 
"It's not easy to check what BITS should download and not download," he 
wrote. "Probably the BITS interface should be designed to be accessible 
only with a higher level of privilege, or ... BITS should be restricted 
to only [download content from] trusted URLs."
   http://list.windowsitpro.com/t?ctl=573E5:57B62BBB09A69279661DBC84E7D40DD5

Microsoft hasn't said much about the issue of BITS being misused or 
whether the company intends to add any layers of security for it. While 
we're all waiting to find out, you do need to protect your systems in 
case your other security solutions fail to detect malware that might 
misuse BITS. I did a bit of checking to put together a list of URLs for 
sites that BITS might use to download files and updates from Microsoft. 
The list below is probably not complete, but you can use it to start 
building firewall rules. Keep in mind that you might need to add the
usual HTTP or HTTPS prefix to the server addresses below, depending on
your firewall rule requirements. I've noted the two addresses that
require HTTPS access; the others require regular HTTP access. 

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.windowsupdate.microsoft.com (HTTPS required)
*.windowsupdate.com
update.microsoft.com
*.update.microsoft.com
*.update.microsoft.com (HTTPS required)
download.windowsupdate.com
*.download.windowsupdate.com
download.microsoft.com
wustat.windows.com
ntservicepack.microsoft.com

If your rule mechanism allows for it, you could simplify the matter by 
allowing BITS to access *.windowsupdate.com, *.microsoft.com, and 
*.windows.com over both HTTP and HTTPS. 
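As an added illustration (not code from the newsletter, Microsoft, or the Firewall Leak Tester site), the following Python models the allowlist above as a policy check applied to the URL a BITS job would fetch, in both the strict per-host form the article lists and its simplified wildcard form; the sample URLs it is exercised with are constructed.

```python
"""Allowlist check for BITS transfer URLs, modelled on the host list in the
article (strict, per-host scheme) and its simplified wildcard variant."""
from urllib.parse import urlsplit

# Host list as printed in the article: (pattern, scheme). Entries the article
# marks "HTTPS required" appear as a second row for the same pattern.
ARTICLE_POLICY = [
    ("windowsupdate.microsoft.com", "http"),
    ("*.windowsupdate.microsoft.com", "http"),
    ("*.windowsupdate.microsoft.com", "https"),
    ("*.windowsupdate.com", "http"),
    ("update.microsoft.com", "http"),
    ("*.update.microsoft.com", "http"),
    ("*.update.microsoft.com", "https"),
    ("download.windowsupdate.com", "http"),
    ("*.download.windowsupdate.com", "http"),
    ("download.microsoft.com", "http"),
    ("wustat.windows.com", "http"),
    ("ntservicepack.microsoft.com", "http"),
]
# The article's simplified rule: three wildcards over both HTTP and HTTPS.
SIMPLIFIED_POLICY = [(p, s) for p in ("*.windowsupdate.com", "*.microsoft.com",
                                      "*.windows.com") for s in ("http", "https")]

def host_matches(pattern, host):
    """'*.example.com' matches any subdomain of example.com, never the bare
    apex and never a look-alike such as 'evilexample.com'."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def allowed_schemes(host, policy):
    """Union of the schemes every matching policy row permits for this host."""
    return {s for p, s in policy if host_matches(p, host)}

def bits_url_decision(url, policy=ARTICLE_POLICY):
    """Return ('allow' | 'deny', reason) for a URL a BITS job would fetch.
    The host comes from the parsed URL, so a userinfo prefix such as
    'http://trusted.example@other.example/' is judged on other.example."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https") or not host:
        return "deny", "not an http/https URL with a host"
    permitted = allowed_schemes(host, policy)
    if not permitted:
        return "deny", f"{host} is not on the allowlist"
    if scheme not in permitted:
        return "deny", f"{host} allowed only over {'/'.join(sorted(permitted))}"
    return "allow", f"{host} permitted over {scheme}"
```

Under the strict policy an HTTPS fetch from download.microsoft.com is denied because the article lists that host for HTTP only, while the simplified policy allows it; comparing the two on the same URL shows what the wildcard shortcut gives up.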


=== SPONSOR: Cyberoam ==========================================

Identity-based Security with UTM 
   Identity-based UTM is a third generation security solution, offering 
the complete set of security features over a single platform. Its user 
identity-based security offers protection against blended threats that 
target the individual user as well as insider threats.
   http://list.windowsitpro.com/t?ctl=573FD:57B62BBB09A69279661DBC84E7D40DD5


=== SECURITY NEWS AND FEATURES =================================

Microsoft Redesigns Security Bulletins and Advanced Notifications
   Advanced notifications will provide more information, and security 
bulletins will have decision-making information at the top.
   http://list.windowsitpro.com/t?ctl=573F4:57B62BBB09A69279661DBC84E7D40DD5

Verizon Expands Security Offerings Via CyberTrust Acquisition
   Verizon Business announced that it will acquire CyberTrust, a 
privately held security services provider. Terms of the deal were not 
disclosed; however, the two companies expect the transaction to be 
completed sometime in the next 60 to 90 days.
   http://list.windowsitpro.com/t?ctl=573F5:57B62BBB09A69279661DBC84E7D40DD5

Enterprise Wireless Routers
   Selecting the hardware and configuration for your company's wireless 
network is a complicated and daunting task. The most important criteria 
for purchasing an enterprise wireless router are network standards and 
speed, security, and dependability. Learn more in our Buyer's Guide. 
   http://list.windowsitpro.com/t?ctl=573F6:57B62BBB09A69279661DBC84E7D40DD5

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=573EE:57B62BBB09A69279661DBC84E7D40DD5


=== SPONSOR: Brocade ===========================================

Your First Look at FAN Technology
   Gain control over the growing amount of file data in your 
enterprise. Learn how File Area Networks (FANs) can help you centralize 
file consolidation, migration, replication, and failover. Download this 
eBook and start streamlining your file management projects today! 
   http://list.windowsitpro.com/t?ctl=573EC:57B62BBB09A69279661DBC84E7D40DD5


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Time to Upgrade Samba and PHP 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=573FC:57B62BBB09A69279661DBC84E7D40DD5

If you're using Samba for Linux and Windows interoperability or PHP to 
drive applications on your Web servers or desktops, you should upgrade 
those tools soon. The new releases of both Samba and PHP contain fixes 
for several security problems and new features. Learn more at 
   http://list.windowsitpro.com/t?ctl=573EB:57B62BBB09A69279661DBC84E7D40DD5

FAQ: Check a Folder for a File Type
   by John Savill, http://list.windowsitpro.com/t?ctl=573F9:57B62BBB09A69279661DBC84E7D40DD5 

Q: How can I quickly check whether a folder contains a certain type of 
file?

Find the answer at
   http://list.windowsitpro.com/t?ctl=573F7:57B62BBB09A69279661DBC84E7D40DD5

FROM THE FORUM: Network Access for Services
   A forum participant has a server that runs a particular service. 
Because the service has a GUI, the participant wonders if he needs to 
grant that service the right to interact with the desktop. The service 
also needs network access, but the participant is having trouble 
granting that access. He gets an "access denied" error when the service 
attempts network access. Join the discussion at
   http://list.windowsitpro.com/t?ctl=573E6:57B62BBB09A69279661DBC84E7D40DD5

PRODUCT EVALUATIONS FROM THE REAL WORLD
   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 
whatshot@private

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Finding Malicious Content in Email Message Bodies
   Avinti announced iSolation Server 4.0 with Blended Threat 
Protection, which blocks attacks that use active content and URLs 
embedded in email messages. Avinti has extended its behavior 
observation technology so that in addition to looking at attachments 
for viruses, iSolation Server can search the body of a message for 
active content such as malicious Java, JavaScript, or ActiveX code and 
URLs that link the user to Web sites that download malware in the 
background. Administrators can choose to block the malicious content or 
issue a warning. iSolation Server 4.0 with Blended Threat Protection 
will be available in June. For more information, visit
   http://list.windowsitpro.com/t?ctl=57401:57B62BBB09A69279661DBC84E7D40DD5


=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=573F8:57B62BBB09A69279661DBC84E7D40DD5

Protect your users and your network from email-borne threats. This free 
eBook gives you the knowledge required to understand the real threat 
that email-borne attacks pose and how to address those attacks in a way 
that reduces risk while ensuring users aren't impacted. 
   http://list.windowsitpro.com/t?ctl=573ED:57B62BBB09A69279661DBC84E7D40DD5

Do you want to create a fast, user-friendly, reliable, secure, and 
scalable backup strategy for your small-to-midsized business? Download 
this free white paper today and learn how you can break away from tape 
and move to disk-based data protection. 
   http://list.windowsitpro.com/t?ctl=573EA:57B62BBB09A69279661DBC84E7D40DD5

Did you know that 75% of corporate intellectual property resides in 
email? The challenges facing this vital business application range from 
spam to the costly impact of downtime and the need for effective, 
centralized email storage systems. Join us for a free on-demand Web 
seminar and learn the key features of a holistic approach to managing 
email security, availability, and control.
   http://list.windowsitpro.com/t?ctl=573E9:57B62BBB09A69279661DBC84E7D40DD5

Discover the New Releases with Microsoft and Industry Experts at IT Pro 
Connections--Amsterdam
   IT Pro Connections offers the deepest and most relevant education 
for Microsoft IT professionals, especially in this time of important 
new products and technologies. Now is the time for you to quickly come 
up to speed. Get prepared for the newest technologies and products 
through the real-world experience of our expert presenters. "Insider" 
details help you make sense of new technologies, apply them to your 
environment, and master them faster and more effectively.
   Immerse yourself in the latest Microsoft technologies: Windows 
PowerShell, Exchange Server 2007, Windows Vista, Windows Server 
"Longhorn," Sharepoint Server and Communications Server, System Center 
Family (Operations Manager and Configuration Manager), Windows XP, 
Forefront, and more--with experts from Microsoft and world-renowned 
subject matter experts!
   19-20 June 2007
   Post-Conference Workshops 21 June 2007
   Amsterdam, The Netherlands
   Amsterdam RAI
   http://list.windowsitpro.com/t?ctl=573E7:57B62BBB09A69279661DBC84E7D40DD5
   http://list.windowsitpro.com/t?ctl=573FF:57B62BBB09A69279661DBC84E7D40DD5


=== FEATURED WHITE PAPER =======================================

You have heard that Windows Vista is the most secure platform that 
Microsoft has ever produced, but when considering migration, security 
is of the utmost importance. Download this free white paper now and 
find out the implications of migrating to Vista in terms of messaging 
and Web security. Plus, you'll get a summary of the key issues you need 
to consider. 
   http://list.windowsitpro.com/t?ctl=573E8:57B62BBB09A69279661DBC84E7D40DD5


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 
   http://list.windowsitpro.com/t?ctl=573F0:57B62BBB09A69279661DBC84E7D40DD5

Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on messaging topics such as 
administration, migration, security, and performance. Subscribers also 
receive tips, cautionary advice, direct access to our editors, and a 
host of other benefits! Order now at an exclusive charter rate and save 
up to $50! 
   http://list.windowsitpro.com/t?ctl=573EF:57B62BBB09A69279661DBC84E7D40DD5


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=573FB:57B62BBB09A69279661DBC84E7D40DD5
   http://list.windowsitpro.com/t?ctl=57400:57B62BBB09A69279661DBC84E7D40DD5

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=573F2:57B62BBB09A69279661DBC84E7D40DD5

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=573FE:57B62BBB09A69279661DBC84E7D40DD5
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=573F1:57B62BBB09A69279661DBC84E7D40DD5

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed May 23 2007 - 23:18:38 PDT