Risky Business #159 -- Skimmers pay massive bribes downunder

6 replies
Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009

On this week's show we take a fresh look at the insider threat in light of the news, here in Australia, that criminal syndicates are paying up to $40,000 to bribe service station attendants into helping them skim cards.

If the bad guys are willing to pay $40k for someone that low on the food chain, what will they pay to get at someone in your organisation?

To find out we'll be joined by Gartner research director, AusCERT co-founder and former Commonwealth Bank security big-wig Rob McMillan.

Also this week we chat with Kaspersky's Vitaly Kamlyuk in the sponsor interview.

metlstorm
Newbie
Joined: 03/18/2009
.lnk bug

Some more details have percolated out about the Windows .lnk bug we discussed in the news. Looks like it's a .lnk that points to a .dll, and the dll's init code gets executed during load to get its icon resource. It's a feature!

Microsoft has an advisory:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

and proof of concept code turned up on exploit db:
http://www.exploit-db.com/exploits/14403/

fifth_sentinel
Newbie
Joined: 03/18/2009
Why this could be nasty for Enterprises

So, we can assume this is going to get used quite extensively to target the desktop market, but if you want to explain why this could be bad for the Enterprise consider this common scenario.

System admin is logged into a server and has to go fix something in someone's network home directory (quotas, restoring a file etc etc). Now if a malicious Shortcut and malware has been copied to the user's home directory without triggering AV, then the sys admin may have just infected their server. Now sys admins would never be logged in with Domain admin privs while doing this, would they?

Unless I am not reading the current known info regarding the bug correctly, this is a realistic situation. Maybe we can wean sys admins off their mice by requiring them to use the CLI as a mitigation :)
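As an added triage example (not code from the thread or from any poster), a Python parser for the Shell Link (.lnk) StringData fields that flags shortcuts whose icon or target path is a .dll or .cpl outside the Windows directory: the kind of check an admin can run over a home directory before Explorer renders the icons in the scenario above, which goes after the mechanism metlstorm describes (the DLL is loaded to fetch its icon resource). The sample shortcut bytes, the E:\payload.dll path and the allow-list of trusted prefixes are constructed for the demo.

```python
import struct

# Fixed Shell Link header values from MS-SHLLINK: HeaderSize 0x4C and LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian GUID) layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with the LinkFlags bit that marks it present.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))

def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict, skipping the IDList and LinkInfo."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                     # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: 2-byte IDListSize + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: 4-byte LinkInfoSize covers the block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:              # each: 2-byte CountCharacters + bare string
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields

def suspicious_dll_reference(fields):
    """Triage heuristic: icon or target path is a .dll/.cpl not under the Windows directory."""
    trusted = ("%systemroot%\\", "c:\\windows\\")   # constructed allow-list for the demo
    hits = []
    for name in ("icon_location", "relative_path"):
        path = fields.get(name, "").lower()
        if path.endswith((".dll", ".cpl")) and not path.startswith(trusted):
            hits.append(name)
    return hits

def build_sample_lnk(icon_path):
    """Constructed demo shortcut: header plus one ICON_LOCATION string (flags 0x40 | IsUnicode)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x40 | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")

if __name__ == "__main__":
    for icon in (r"E:\payload.dll", r"%SystemRoot%\system32\shell32.dll"):  # constructed paths
        print(icon, "->", suspicious_dll_reference(parse_lnk(build_sample_lnk(icon))) or "ok")
```

Legitimate shortcuts routinely take their icon from shell32.dll, hence the allow-list; a shortcut can also carry its target inside the LinkTargetIDList, which this parser only skips over, so treat a hit as a triage prompt rather than a verdict.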

Stedlar
Newbie
Joined: 04/13/2009
.lnk bug

This is sounding really bad. I'm hearing that this can now be delivered via Web Site, Office Document and Email. Pat, are you covering this in any depth any time soon?

Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009
Yeah, but I don't have any

Yeah, but I don't have any information on this being exploitable that way... I don't think that's right. Got a link?

Stedlar
Newbie
Joined: 04/13/2009
.lnk bug

Ok, so web page exploit requires webdav?

http://www.us-cert.gov/current/#microsoft_windows_lnk_vulnerability

This vulnerability can also be exploited remotely through a malicious website, or through a malicious file or WebDAV share.

Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009
Yeah I did spot that in the

Yeah I did spot that in the end... but I figure if you're running WebDAV you can probably be owned about 600 other ways as well. :)

It's mostly of concern because it can spread via shares or USB keys. Maybe someone will turn it into Conficker 2?
