[AusNOG] AusCERT Week in Review - Week Ending 08/06/2007 (AUSCERT#20073F686)
Robert Lowe
rlowe at auscert.org.au
Fri Jun 8 15:43:44 EST 2007
AusCERT Week in Review
08 June 2007
Dear AusCERT member,
While AusCERT has an operational focus we are also involved in a number of
strategic engagements. Our aim is to deliver sound and accurate policy advice
to decision makers based on our operational perspective. One of these
strategic engagements is the auDA 2007 Names Policy Panel of which I am
currently the AusCERT representative.
The Panel has been asked to review a number of auDA policies and from a number
of meetings held during the year an issues paper has been released which raises
three key issues ie:
1. Should .au be opened up to direct registrations (eg. domainname.au)? If
yes, should there be any policy rules, and if so what rules?
2. Should the policy rules for asn.au, com.au, id.au, net.au and org.au be
changed? If yes, what changes should be made?
3. Should registrants be allowed to sell their .au domain names?
A copy of the issues paper is currently available on the auDA web site and the
closing date for submissions is Friday 15 June.
http://www.auda.org.au/2007npp/2007npp-index/
While issues 1 and 3 are largely business issues and little to do with
security, issue 2 has an inclusion that I have specifically requested which
relates to malicious/illegal domains ie:
7.14 The Panel has identified a gap in the current policy rules relating to
illegal or malicious use of a domain name, and puts forward the following
suggestion for change:
The policy rules should include a clear process and authority for the deletion
of a domain name for illegal or malicious use. Such uses would include, but are
not limited to, disseminating spam, hosting a phishing site, malware hosting
and distribution, capturing stolen personal information and access credentials,
hosting child pornography, and recruiting individuals to launder or transfer
stolen funds.
While AusCERT will itself be making a formal submission to auDA relating to
7.14 I wanted to alert you to this particular issue. Already I have received
an informal response from one domain name registrar objecting to the policy
stating for example that unless liability can be waived for a take down then
there will be little incentive for the domain name registrars to act.
To some extent one concern with the policy is correct in that I did not specify
that this policy would only relate to domains registered specifically for
fraudulent activity and not existing and legitimate domains that have been
compromised without the knowledge or understanding of the domain name owner. I
will clarify this in the AusCERT submission and at the next meeting of the
Panel.
I also agree that registrars should not be asked to decide what is illegal or
legal but at the same time it is equally unrealistic to expect that a court and
the existing legal processes will be of any use. However, at this stage I
would prefer to concentrate on the principle and deal with the "how" as an
implementation issue.
I have already suggested to the Panel that one approach might be to parallel
the 'safeharbour' provisions that currently exist for ISPs flowing from the
FTA with the US and relate to copyright infringements - ie copyright material
illegally hosted. The 'safeharbour' provisions basically provide protection
for the ISP (limit liability) provided that the ISP acts in good faith and
according to an agreed process. I believe that this is an approach that could
work in Australia for both ISPs and Domain Name registrars with changes to the
appropriate Commonwealth legislation to deal with malicious and illegal sites.
I do expect that the problem of having illegal or malicious material hosted on
domain names will continue to increase and will continue to make it more
difficult for organisations like LEAs, regulators and CERTs to respond.
Unfortunately the current trend is that the majority of the malicious sites are
hosted on compromised domains but we still see specific domains registered for
attacks and as such the policy change at 7.14 is definitely worth pursuing. I
would also like to see the same approach taken with ISPs.
Based on the above it would be useful for any concerned members with comments
or suggestions to respond to auDA re the issues paper. Consider how you would
react if a domain is registered that is very similar to your online domain,
which is either stealing your customers info or distributing malware to people
under your name. I presume you would like there to be some way to address this
type of issue?
Thanks,
Graham
Graham Ingram
General Manager, AusCERT
AusCERT in the Media:
----------------------------
Do aliens and God affect your security budget?
ZDNet.com.au, Australia
Jun 4, 2007
http://www.zdnet.com.au/blogs/securifythis/soa/Do-aliens-and-God-affect-your-security-budget-/0,139033343,339278200,00.htm
Papers, Articles and other documents:
-------------------------------------
Alerts, Advisories and Updates:
-------------------------------
Title: AA-2007.0041 -- [Win][UNIX/Linux] -- Patches for Lotus Domino Web
Server correct denial of service vulnerability
Date: 08 June 2007
URL: http://www.auscert.org.au/7682
Title: AU-2007.0017 -- AusCERT Update - [Win][UNIX/Linux] - PHP 5.2.3 still
vulnerable to chunk_split heap overflow vulnerability
Date: 06 June 2007
URL: http://www.auscert.org.au/7677
Title: AL-2007.0072 -- [Win][Netware][UNIX/Linux] -- CA multiple products -
critical vulnerabilities in anti-virus scan engine
Date: 06 June 2007
URL: http://www.auscert.org.au/7674
Title: AA-2007.0039 -- [Win][UNIX/Linux] -- PHP 5.2.3 release fixes several
vulnerabilities
Date: 06 June 2007
URL: http://www.auscert.org.au/7669
Title: AA-2007.0040 -- [Netware] -- Novell NetWare FTP Server access control
vulnerability
Date: 05 June 2007
URL: http://www.auscert.org.au/7670
Title: AA-2007.0038 -- [Win][Linux][OSX] -- Novell GroupWise clients
authentication vulnerability
Date: 05 June 2007
URL: http://www.auscert.org.au/7668
Title: AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment
vulnerability allows remote compromise
Date: 04 June 2007
URL: http://www.auscert.org.au/7664
Title: AA-2007.0037 -- [Win] -- Microsoft IIS 5.x authentication bypass
vulnerability
Date: 04 June 2007
URL: http://www.auscert.org.au/7663
External Security Bulletins:
----------------------------
Title: ESB-2007.0389 -- [Linux][Debian] -- New iceape packages fix several
vulnerabilities
Date: 08 June 2007
OS: Debian GNU/Linux
URL: http://www.auscert.org.au/7681
Title: ESB-2007.0388 -- [Debian] -- New ipsec-tools packages fix denial of
service
Date: 08 June 2007
OS: Debian GNU/Linux
URL: http://www.auscert.org.au/7680
Title: ESB-2007.0387 -- [Linux][RedHat] -- Moderate: fetchmail security update
Date: 08 June 2007
OS: Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
OpenBSD, FreeBSD, Other Linux Variants, Red Hat Linux, Mac OS X, HP-UX,
AIX
URL: http://www.auscert.org.au/7679
Title: ESB-2007.0386 -- [Solaris] -- Solaris Management Console (SMC) - two
vulnerabilities allow privilege escalation
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7678
Title: ESB-2007.0385 -- [Win] -- Symantec Ghost Solution Suite denial of
service vulnerabilities
Date: 06 June 2007
OS: Windows 2003, Windows 2000, Windows XP, Windows Vista
URL: http://www.auscert.org.au/7676
Title: ESB-2007.0384 -- [Win] -- Symantec AntiVirus and Client Security
products - vulnerabilities in Reporting Server component
Date: 06 June 2007
OS: Windows 2003, Windows 2000
URL: http://www.auscert.org.au/7675
Title: ESB-2007.0383 -- [HP-UX] -- HP-UX running CIFS Server (Samba), Remote
Arbitrary Code Execution
Date: 06 June 2007
OS: HP-UX
URL: http://www.auscert.org.au/7673
Title: ESB-2007.0382 -- [Solaris] -- Security Vulnerability in How
xscreensaver Interacts With GNOME Assistive Technology May Allow
Arbitrary Command Execution
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7672
Title: ESB-2007.0381 -- [Win] -- Microsoft Internet Explorer cross-domain
vulnerability
Date: 06 June 2007
OS: Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows Vista,
Windows ME
URL: http://www.auscert.org.au/7671
Title: ESB-2007.0380 -- [Win][UNIX/Linux] -- Symantec Storage Foundation
Solution Suites: Veritas Volume Replicator, Denial of Service
Date: 05 June 2007
OS: Solaris, Debian GNU/Linux, Windows 2003, Windows 2000, Other Linux
Variants, Red Hat Linux, HP-UX, AIX
URL: http://www.auscert.org.au/7667
Title: ESB-2007.0379 -- [UNIX/Linux][RedHat] -- Moderate: mutt security update
Date: 05 June 2007
OS: Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
OpenBSD, FreeBSD, Other Linux Variants, Red Hat Linux, Mac OS X, HP-UX,
AIX
URL: http://www.auscert.org.au/7666
Title: ESB-2007.0378 -- [Win] -- Symantec Storage Foundation for Windows
Volume Manager: Authentication Bypass and Potential Code Execution
Date: 05 June 2007
OS: Windows 2003, Windows 2000
URL: http://www.auscert.org.au/7665
Title: ESB-2007.0367 -- [Solaris] -- A Security Vulnerability in the
in.iked(1M) Service May Lead To a Denial of Service (DoS)
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7650
Title: ESB-2007.0366 -- [Solaris] -- A Security Vulnerability in the Solaris
10 inetd(1M) Service May Lead to a Denial of Service (DoS) Condition
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7649
Title: ESB-2007.0348 -- [Solaris] -- Security Vulnerability With snmpd(1M)
When Processing Certain AgentX Subagent Requests
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7624
Title: ESB-2007.0347 -- [Solaris] -- Security Vulnerability in NFS Client
Module May Lead to a Denial of Service Condition
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7623
Title: ESB-2007.0321 -- [Debian] -- New samba packages fix multiple
vulnerabilities
Date: 07 June 2007
OS: Debian GNU/Linux
URL: http://www.auscert.org.au/7592
Title: ESB-2007.0214 -- [Win][UNIX/Linux] -- IBM Tivoli Provisioning Manager
for OS Deployment Multiple Vulnerabilities
Date: 07 June 2007
OS: Mac OS X, Red Hat Linux, Other Linux Variants, FreeBSD, Windows 2000,
Windows 2003, Debian GNU/Linux, Solaris
URL: http://www.auscert.org.au/7445
Title: ESB-2007.0183 -- [Win][UNIX/Linux] -- Sun Java System Web Server May
Allow A User with Revoked Client Certificate to Access Server Instance
Under Certain Conditions
Date: 07 June 2007
OS: AIX, HP-UX, Red Hat Linux, Other Linux Variants, FreeBSD, Windows 2000,
OpenBSD, Windows 2003, Other BSD Variants, Debian GNU/Linux, Solaris
URL: http://www.auscert.org.au/7405
Title: ESB-2007.0103 -- [Solaris] -- Multiple Integer Overflow Vulnerabilities
in the X Font Server (xfs(1)) and the X Render and DBE Extensions
Date: 07 June 2007
OS: Solaris
URL: http://www.auscert.org.au/7294
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert at auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================