Wednesday, December 29, 2004
Days after Google acted to thwart the Santy worm, security firms warned that variants have begun to spread using both Google and other search engines.
The Santy problem originally flared up a week ago as bulletin board Web sites found their pages erased and defaced by the worm's own text. The worm spread by targeting pages that used vulnerable versions of the PHP Bulletin Board (phpBB) software, and used Google to locate those pages.
After Google took measures to prevent the worm from executing Google searches for the faulty bulletin board software, Santy variants are making the rounds using AOL and Yahoo search, according to security firms, and are still targeting Google as well.
"Perl.Santy.B is a worm written in Perl script that attempts to spread to Web servers running versions of the phpBB 2.x bulletin board software prior to 2.0.11," warned Symantec in a 26 December bulletin. "It uses AOL or Yahoo search to find potential new infection targets."
AOL, which uses Google for its underlying search technology, said it was looking into the problem and was uncertain whether Google blocks already in place would prevent misuse of AOL's search site. Yahoo, which dumped Google's search technology in February, could not be reached immediately for comment.
Several other variants are cropping up. Santy.c targets Google once again. Kaspersky Labs today renamed Santy.d and Santy.e to Spyki.a and Spyki.b, citing significant differences between the structure of these worms and that of the earlier Santy variants. The security firm also said the new worms were using the Brazilian Google site to find their targets.
Security researchers last week faulted Google for not responding more swiftly to the emerging Santy threat. The Santy worm and its variants affect only the targeted bulletin board sites and do not pose a threat to Web surfers who visit them.
Tuesday, December 28, 2004
For Gentoo Linux, do the following (adjust where necessary):
0. Make sure you have an ATX board and a power button ;)
1. Make sure your kernel has support for ACPI (either built-in or as modules)
2. # emerge acpi acpid
3. # rc-update add acpid default
4. for kernel 2.6 (skip this step if ACPI support is compiled into the kernel):
# echo "ac" >>/etc/modules.autoload.d/kernel-2.6
# echo "button" >>/etc/modules.autoload.d/kernel-2.6
5. add parameters apm=off and acpi=on to your kernel boot line (e.g. in /boot/grub/menu.lst)
6. # reboot
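After the reboot it is worth confirming that each step actually took. The script below is an added example, not part of the original post: it checks that the kernel exposes ACPI at all (step 1), that acpid is linked into the default runlevel (step 3), that the 2.6 autoload file lists the ac and button modules (step 4), and that the boot line carries apm=off and acpi=on without a stray acpi=off overriding it (step 5). The /etc/runlevels/default symlink layout, the /proc/modules format and the /proc/acpi/button directory are Gentoo and kernel-2.6 conventions of the time that the post does not mention, so treat those paths as assumptions; the parsing functions take file contents as strings so they can be exercised on constructed input.

```python
import os

AUTOLOAD = "/etc/modules.autoload.d/kernel-2.6"  # the file written in step 4
RUNLEVEL_DIR = "/etc/runlevels/default"          # where rc-update links services (assumed layout)


def cmdline_params(cmdline: str) -> dict:
    """Parse 'key=value' tokens from a kernel command line; bare flags map to True.

    A repeated key keeps its last value, so 'acpi=on acpi=off' ends up off.
    """
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def check_cmdline(cmdline: str) -> list:
    """Problems with step 5 (apm=off acpi=on); an empty list means the boot line is right."""
    p = cmdline_params(cmdline)
    problems = []
    if p.get("apm") != "off":
        problems.append("apm=off missing")
    if p.get("acpi") == "off":
        problems.append("acpi=off present, the kernel will ignore ACPI and the button")
    elif p.get("acpi") != "on":
        problems.append("acpi=on missing")
    return problems


def check_autoload(text: str, modules=("ac", "button")) -> list:
    """Modules from step 4 missing from the autoload file (one module per line, '#' comments)."""
    listed = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            listed.add(line.split()[0])
    return [m for m in modules if m not in listed]


def loaded_modules(proc_modules: str) -> set:
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def main() -> int:
    failures = 0

    def report(ok: bool, what: str) -> None:
        nonlocal failures
        print(("ok   " if ok else "FAIL ") + what)
        failures += 0 if ok else 1

    # Step 1: the running kernel has ACPI support enabled at all.
    report(os.path.isdir("/proc/acpi"), "/proc/acpi present (kernel ACPI support)")

    # Step 5: boot parameters.
    with open("/proc/cmdline") as f:
        problems = check_cmdline(f.read())
    report(not problems, "boot line: " + ("; ".join(problems) or "apm=off acpi=on"))

    # Step 3: acpid in the default runlevel.
    report(os.path.exists(os.path.join(RUNLEVEL_DIR, "acpid")), "acpid in default runlevel")

    # Step 4: only needed when ACPI is modular; the file may not exist otherwise.
    if os.path.exists(AUTOLOAD):
        with open(AUTOLOAD) as f:
            missing = check_autoload(f.read())
        report(not missing, "autoload lists ac and button"
               + (" (missing: %s)" % ", ".join(missing) if missing else ""))

    # Either way the button driver must be active: built in, or loaded as a module.
    with open("/proc/modules") as f:
        loaded = loaded_modules(f.read())
    report(os.path.isdir("/proc/acpi/button") or "button" in loaded,
           "button driver active (built-in or module)")
    return 1 if failures else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as root after step 6; a non-zero exit status means one of the steps did not stick, and the FAIL line says which.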
The Chinese-language website of fast food giant McDonald's has been broken into twice at Christmas by a hacker protesting against its listing of Taiwan as a separate country, the Beijing Youth Daily says. The world's largest restaurant chain is expanding fast in China and currently has 600 stores in what has become its eighth-largest market.
McDonald's English-language home page features a sign saying "I'm going to McDonald's" pointing at a drop-down menu listing China and Taiwan as separate "country/market" identities.
China has considered the self-ruled island of Taiwan part of its territory since it split away from the mainland after the defeated Nationalists fled there at the end of the Chinese civil war in 1949.
On Christmas night, the McDonald's Chinese home page was turned into a black-and-white picture of a skull bearing the words "protest McDonald's official Web site listing Taiwan as a country", the newspaper said.
On top of the skull were the English words "Chinese hacker".
The site could not be opened at all early on Monday but was back to normal later in the day, China time.
Monday, December 27, 2004
As a result of link failures and restorations, router reloads, and other events, repeated route withdrawals and re-announcements may occur. This instability, often referred to as flapping, imposes a processing burden on BGP routers, as they must process the flaps by repeatedly updating the route table and propagating the changes to their peers.
RFC 2439 describes a solution, called route flap damping, or sometimes also called dampening. The algorithm described in this RFC is based on assigning a penalty to each route flap. When the penalty exceeds a configured limit, the prefix will be suppressed. Further withdrawals and re-announcements of the prefix will not be accepted, nor propagated to peers. The penalty value will decay over time, so that eventually the prefix will be accepted again.
As a result, a few flaps in a short time, or multiple flaps over a longer period, will not cause a prefix to be suppressed, but multiple flaps in a short time will cause a prefix to be temporarily suppressed. The more unstable a prefix is, the longer it will be suppressed.
The RIPE Routing working group has published recommendations for setting appropriate configuration parameters for route flap damping. The document recommends that damping start after four consecutive flaps.
The proposed decay values are dependent on prefix length. For short prefixes (/21 and shorter), the maximum time a prefix is suppressed is 30 minutes, for /22 and /23, it is 45 minutes, whereas /24 and longer prefixes can be suppressed for 60 minutes. In addition, several prefixes, such as the DNS root servers, should never be suppressed. These are called golden networks in the document.
The golden networks web page also shows example configuration fragments for Cisco and Juniper routers based on the parameters recommended by the RIPE routing work group. The open source Zebra routing suite cannot be configured to do prefix length based damping. If you use Zebra, you can only configure a single damping policy.
However, not everyone is convinced that route flap damping is actually beneficial to global BGP stability. In a presentation given at the October 2002 NANOG meeting, Randy Bush, Tim Griffin and Zhuoqing Morley Mao show that even a single withdrawal/re-announcement can be observed as multiple flaps across the internet.
As a result, even minor instabilities may lead to prefixes being suppressed. Since it is hard to see whether your prefix is being suppressed by another party, these situations may be hard to debug.
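To make the penalty and decay mechanism concrete, here is a small simulation of the RFC 2439 algorithm. It is an added illustration, not configuration from the RIPE document nor code from any router vendor. The penalty per flap (1000) and the per-prefix-length parameter sets (half-life, reuse and suppress thresholds) are assumed values chosen to reproduce the behaviour described above, suppression on the fourth consecutive flap and maximum suppression times of 30, 45 and 60 minutes by prefix length; look the real numbers up in the RIPE recommendations before putting them on a router. The golden-network list and the prefixes used are constructed sample data. The same code shows the NANOG objection: feed it the four flaps that one upstream withdrawal and re-announcement can be observed as, and the prefix disappears for roughly half an hour.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

PENALTY_PER_FLAP = 1000.0  # assumed: the usual per-withdrawal penalty


@dataclass(frozen=True)
class DampingPolicy:
    half_life_min: float     # minutes for the penalty to halve
    reuse: float             # below this penalty a suppressed prefix is re-advertised
    suppress: float          # above this penalty the prefix is suppressed
    max_suppress_min: float  # longest a prefix may stay suppressed

    @property
    def max_penalty(self) -> float:
        # RFC 2439 caps the penalty at the value that decays to 'reuse' in exactly
        # max_suppress_min, so suppression can never last longer than that.
        return self.reuse * 2.0 ** (self.max_suppress_min / self.half_life_min)

    def time_to_reuse(self, penalty: float) -> float:
        """Minutes until a penalty decays below the reuse threshold."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life_min * math.log2(penalty / self.reuse)


def policy_for(prefix: str, golden: frozenset) -> Optional[DampingPolicy]:
    """Graded policy by prefix length; None means the prefix is never damped."""
    if prefix in golden:
        return None
    plen = int(prefix.rsplit("/", 1)[1])
    if plen >= 24:  # /24 and longer: suppressed for up to 60 minutes (assumed values)
        return DampingPolicy(half_life_min=15, reuse=820, suppress=3000, max_suppress_min=60)
    if plen >= 22:  # /22 and /23: up to 45 minutes (assumed values)
        return DampingPolicy(half_life_min=15, reuse=750, suppress=3000, max_suppress_min=45)
    return DampingPolicy(half_life_min=10, reuse=1500, suppress=3000, max_suppress_min=30)


class DampedPrefix:
    """Damping state for one prefix; times are minutes on a monotonic clock."""

    def __init__(self, policy: DampingPolicy):
        self.policy = policy
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        dt = now - self.last_update
        if dt > 0:
            self.penalty *= 0.5 ** (dt / self.policy.half_life_min)
            self.last_update = now

    def flap(self, now: float) -> bool:
        """Record one withdrawal/re-announcement; return True if the prefix is now suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.policy.max_penalty)
        if self.penalty > self.policy.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        """Decay the penalty and release the prefix once it drops below reuse."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.policy.reuse:
            self.suppressed = False
        return self.suppressed


def simulate(prefix: str, flap_times: List[float],
             golden: frozenset = frozenset()) -> List[Tuple[float, bool]]:
    """Apply flaps at the given minutes; return (time, suppressed) after each one."""
    policy = policy_for(prefix, golden)
    if policy is None:
        return [(t, False) for t in flap_times]  # golden network: never suppressed
    state = DampedPrefix(policy)
    return [(t, state.flap(t)) for t in flap_times]


if __name__ == "__main__":
    GOLDEN = frozenset({"192.0.2.0/24"})  # constructed sample; real lists hold e.g. root-server nets
    for prefix in ("198.51.100.0/24", "192.0.2.0/24"):
        print(prefix, simulate(prefix, [0, 1, 2, 3], GOLDEN))
    p = DampedPrefix(policy_for("198.51.100.0/24", GOLDEN))
    for t in (0, 1, 2, 3):
        p.flap(t)  # one upstream event seen as four flaps a minute apart
    print("penalty %.0f, re-advertised after %.1f more minutes"
          % (p.penalty, p.policy.time_to_reuse(p.penalty)))
```

Three flaps a minute apart leave the penalty just under the suppress threshold; the fourth pushes it over, and with a 15-minute half-life it takes about 33 minutes to decay below the reuse value. Flapping harder does not extend this indefinitely, because the penalty is capped at the value that decays to reuse in exactly the maximum suppression time.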
The server load average is a useful indicator of how 'busy' or 'loaded' your Web server is; server administrators use it to monitor server performance and take corrective action to reduce the load. How are the load average numbers interpreted? How do you monitor server load over time using scripts and/or software? What are the possible causes of high server load? All is revealed, along with useful resources to further your understanding of the server load average.
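As an added example (not part of the original post or the article it points to), here is the kind of script the second question is asking for: it parses a line in Linux /proc/loadavg format (1-, 5- and 15-minute averages, runnable/total tasks, last PID), judges the 1-minute figure relative to the CPU count, since a load of 4.0 is comfortable on eight cores and saturation on one, reports whether the load is rising or falling across the three windows, and emits one CSV line for cron to append to a log. The warning and critical thresholds are assumptions, not a standard; the sample line in the test is constructed.

```python
import os
import time
from dataclasses import dataclass


@dataclass
class LoadSample:
    one: float      # 1-minute average of runnable (and, on Linux, uninterruptible) tasks
    five: float     # 5-minute average
    fifteen: float  # 15-minute average
    running: int    # tasks runnable right now
    total: int      # total tasks


def parse_loadavg(line: str) -> LoadSample:
    """Parse one line in /proc/loadavg format: '1m 5m 15m running/total lastpid'."""
    fields = line.split()
    if len(fields) < 4 or "/" not in fields[3]:
        raise ValueError("not a /proc/loadavg line: %r" % line)
    running, total = fields[3].split("/", 1)
    return LoadSample(float(fields[0]), float(fields[1]), float(fields[2]),
                      int(running), int(total))


def classify(sample: LoadSample, ncpu: int, warn: float = 0.7, crit: float = 1.0) -> tuple:
    """Judge the 1-minute load per CPU and its trend across the three windows.

    Returns (level, trend, per_cpu). Thresholds are assumed: a per-CPU load of 1.0
    means on average one runnable task per core, i.e. the CPUs are saturated.
    """
    per_cpu = sample.one / max(ncpu, 1)
    if per_cpu >= crit:
        level = "critical"
    elif per_cpu >= warn:
        level = "warning"
    else:
        level = "ok"
    if sample.one > sample.five > sample.fifteen:
        trend = "rising"
    elif sample.one < sample.five < sample.fifteen:
        trend = "falling"
    else:
        trend = "steady"
    return level, trend, round(per_cpu, 2)


def csv_record(ts: int, sample: LoadSample, ncpu: int) -> str:
    """One CSV line (timestamp, averages, tasks, cpus, per-cpu load, level, trend)."""
    level, trend, per_cpu = classify(sample, ncpu)
    return "%d,%.2f,%.2f,%.2f,%d,%d,%d,%.2f,%s,%s" % (
        ts, sample.one, sample.five, sample.fifteen,
        sample.running, sample.total, ncpu, per_cpu, level, trend)


def main() -> None:
    with open("/proc/loadavg") as f:
        sample = parse_loadavg(f.read())
    print(csv_record(int(time.time()), sample, os.cpu_count() or 1))


if __name__ == "__main__":
    main()
```

Run it from cron every minute with the output appended to a file and you have a time series to plot; a "critical" level with a "rising" trend is the signal to go looking for the cause (runaway processes, a swap-bound box, or, since Linux counts tasks waiting on disk, I/O rather than CPU).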
A Chinese security group has released sample code to exploit two new unpatched flaws in Microsoft Windows.
The advisory comes in the week before Christmas, a time when many companies and home users are least prepared to deal with the problems. Security firm Symantec warned its clients of the vulnerabilities on Thursday, after the Chinese company that found the flaws published them to the Internet.
One vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an email. The other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.
Because the flaws are in a library used by Windows programs, almost all browsers and email clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.
"They are rather serious," Huger said. "Both can be exploited by anything that processes images or reads help files."
Because the flaws were accompanied by exploit code that shows how to take advantage of the security holes, Huger expected the exploits to be quickly incorporated into the tools of malicious Internet users.
"The fact that there is an exploit out there is very concerning," he said. "I think you will see it in phishing scams and spyware in very short order."
A mass-mailing computer virus could also quickly begin using the vulnerabilities to spread.
Microsoft could not immediately be reached for comment on the issues.