Attackers Exploit Unpatched Explorer Flaw (in animated cursors!!!)

Attackers Exploit Unpatched Explorer Flaw

Microsoft is warning Windows users that hackers are exploiting a newly discovered flaw. It enables criminals to hijack Windows PCs if users merely visit a hostile Web site with an Internet Explorer browser or open a specially crafted e-mail message.

The vulnerability stems from a weakness in the "animated cursor" function built into most Windows machines. The company's home campus in Redmond, Wash., says it is working on a security update to patch the hole, but cautions customers about visiting unfamiliar Web sites or viewing unsolicited e-mail. This vulnerability applies to every version of Windows and Internet Explorer, including version 7.

(registration probably required although some sites at the Post are now apparently open to non-subscribers)

Some other fascinating subjects, too:

Fortune 500s Unwittingly Become Spammers

A Fresh Look at Password Thieves

Stolen Identities Sold Cheap on the Black Market

"According to the latest Internet security threat report from Symantec Corp., the going rate for the keys to assuming someone else's identity can be had for between $14 and $18 per victim on underground cyber crime forums. Full identities typically include Social Security numbers, the victim's bank account information (including passwords), as well as personal information such as date of birth and the maiden name of the victim's mother."

Is it time to build a bunker and live off the net? (-:

-- Bobby G.

Reply to
Robert Green

In an article titled "Betrayed" in the current (March 26 07) issue of the New Yorker, author George Packer writes this about the Green Zone in Baghdad: "The deeper the Americans dug themselves into the bunker, the harder they worked to create a sense of normalcy ... The more chaotic Iraq became, the more the Americans resorted to bureaucratic gestures of control. The fact that it took five signatures to get Adobe Acrobat installed on a computer was strangely comforting."

And sometimes the bunker mentality precedes the bunkers.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IMO, HA and a smart home ought to be helpful in smart risk assessment and effective risk reduction, and real-time loss mitigation (think sprinklers and their cyber equivalents) -- not feeding paranoia.

What are the real threats and needed protection that pertain to HA in general and net-connected devices in particular in the context of comp.home.automation?

And specifically, what are 'best practices' with respect to net connectivity for home automation controllers?

... Marc Marc_F_Hult


Reply to
Marc_F_Hult

With more and more emphasis on HA, alarm and even HT systems being "internet enabled," security issues are going to require careful consideration. It appears that the cursor exploit is being considered as rather serious among security experts. It's unfortunate that not one poster here has indicated an interest (or perhaps a willingness) to engage in discussions about how to secure the HA to internet interface as best as possible. Perhaps we need to sort that sociological issue out before any technological or educational interaction can proceed.

In the meantime, I'll ring that paranoia buzzer one more time and quote some of a recent Infoworld article on the .ANI exploit. I find it interesting because the speed and seriousness of the exploit this late in the lifecycle of the affected OSes really surprised me. If the information leads even one person to patch their system where they might not have otherwise, then it was worth the effort:

Microsoft Issues Emergency Windows Patch By Robert McMillan, IDG News Service April 03, 2007

With attackers finding more ways to exploit a critical flaw in its Windows operating system, Microsoft has published an emergency software patch . . . security experts are most concerned about a bug in the way Windows processes .ani Animated Cursor files. Online criminals have been exploiting this bug since late last week. . . . Microsoft was forced to release the early update a week ahead of schedule because attacks had become too widespread, said Ken Dunham, director of malicious code intelligence with iDefense. "We have more than 400 different URLs identified and related to attacks, and multiple e-mails have been sent out that direct people back there," he said. "We have proof that organized groups are now launching attacks."

-- Bobby G.

Reply to
Robert Green
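As an added example (mine, not code from any poster in this thread, nor from Microsoft or IDG), here is a small Python checker for the .ani file format that the quoted article refers to. It assumes the well-known layout of a RIFF "ACON" file, in which the cursor metadata is carried in an "anih" chunk whose payload is a fixed 36-byte header of nine 32-bit fields; the function names and the constructed sample files are my own. It flags files whose anih chunk does not fit that fixed layout, which is the kind of structural rule a mail gateway or download filter can enforce without having to understand the bug itself.

```python
"""Structural checker for Windows animated-cursor (.ani) files.

Added example, not code from the thread or from Microsoft.  A .ani file is a
RIFF container with form type "ACON"; its cursor metadata lives in an "anih"
chunk whose payload is a fixed 36-byte header (nine little-endian DWORDs).
Files whose anih chunk does not match that layout are reported so a gateway
can quarantine them for review.  All sample inputs below are constructed.
"""
import struct

ANIH_HEADER_SIZE = 36  # nine little-endian DWORD fields


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, payload_size) for each chunk in [offset, end)."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        yield fourcc, payload, size
        # RIFF chunks are word-aligned: an odd-sized payload carries one pad byte
        offset = payload + size + (size & 1)


def check_ani(data):
    """Return a list of finding strings; an empty list means structurally clean."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    anih_count = 0
    for fourcc, payload, size in iter_chunks(data, 12, len(data)):
        if payload + size > len(data):
            findings.append(f"chunk {fourcc!r} declares {size} bytes past end of file")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_HEADER_SIZE:
                findings.append(
                    f"anih chunk #{anih_count} declares {size} bytes, expected {ANIH_HEADER_SIZE}")
            elif struct.unpack_from("<I", data, payload)[0] != ANIH_HEADER_SIZE:
                findings.append(
                    f"anih chunk #{anih_count} cbSizeof field is not {ANIH_HEADER_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present, expected exactly one")
    return findings


def build_ani(anih_payloads):
    """Construct a minimal ACON file containing the given anih payload(s) (test helper)."""
    body = b"ACON"
    for p in anih_payloads:
        body += b"anih" + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed 36-byte header and one of the wrong size.
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_FILE = build_ani([GOOD_ANIH])
OVERSIZED_FILE = build_ani([b"A" * 100])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_FILE), ("oversized", OVERSIZED_FILE)):
        print(name, check_ani(blob) or "clean")
```

The checker deliberately does not try to render the cursor; it only asks whether the container obeys the fixed layout the format promises, so it stays useful even when the parsing code that actually has the bug is unavailable or unpatched.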

I don't know if I can add anything useful to the conversation but I have a few points that may be of interest. I know a number of engineers who refuse to secure their home systems. One recently revealed that his home PC was so full of spyware that it failed to boot. He went to a local electronics retailer for advice on how to fix the problem (cha-ching, sale made). Another has a wireless system where he only uses WEP because it's 'good enough' (WEP can be cracked in about a minute). In the lab, at work, a vendor failed to inform us that their tool actually ran Embedded Windows and we had a nice case of spyware that kept re-infecting the lab servers. What a nightmare to find that one, and to get fixed! Modern printers (as well as other Internet ready appliances) are now running embedded Windows; how do you go about finding out and getting that fixed? Two years ago it was demonstrated that a Cisco router could be infected, used to run remote code and turned into a zombie machine. I'm also pretty sure there are various Linux embedded devices that have their fair share of problems. These complexities are enough to drive the engineering staff to drink. The average user can't even begin to comprehend what this all means or how to properly deal with it. Remember, they pretty much want plug-n-play.

If you're concerned with securing the access to the HA env. from outside the home this isn't too difficult. You've got VPN or ssh tunnels that can easily solve those kinds of problems. With the appropriate home router/firewall that can easily be established.

The main problem with security is that it is generally an afterthought. Users only care about it when it interferes with the usage of the system (either by making it difficult to use or by fixing it after the fact). Vendors are more concerned with getting the system usable so they can get it out the door (they can always fix it later).

Right now I can only take comfort in knowing that my system is more secure than my neighbors' systems. It's like riding a bicycle by a loose dog. You don't have to be the fastest rider, just don't be the slowest rider.

Reply to
Neil Cherry

I think that's why so many new PCs are sold. I know of several cases where machines were so infested with spyware and such that they ran at 1/10 normal speed when they ran at all. Their owners just went out and bought new machines, hoping that newer was somehow safer, but it really never was. Lots of people balk at the attention to detail securing a PC requires and conceptually, I suppose you never really can secure a machine that has to talk to the outside world. That's why I found the animated cursor exploit so troubling. Who would have thunk it?

Half of the readers here have likely just lost you! (-: Virtual Private Networks and ssh are not the stuff that Suzie Q. Homeowner, trying to monitor her babysitter via a cellphone hookup, is going to master. There's a good writeup here:


Agree, and that "rush to ship" often spells trouble for the end user. Vendors are notorious for having stuff default to the least secure mode. Also, security is a pain. At one place I worked, we had to reset at least a motherboard a month when the user forgot the BIOS password. Security adds a lot of overhead.

Or the one that smells like bacon. (-: If you're the standing-up nail, like Steve Gibson was, all the security in the world couldn't prevent him from being victimized by a massive DoS attack. That's what botnets excel at. Not being able to reach your own PCs is not as bad as someone hacking in, but it's no picnic, either.

But back to the main question. Even with VPN and firewalls, something like the cursor exploit seems to me like getting carjacked. If you open up all the secure connections and then click on a site that uses the exploit, you'll have turned control over to the bad guys. They don't need to break in, they just need to trick you into letting them in.

-- Bobby G.

Reply to
Robert Green
