News from Jul 27, 2009

Last changed: Jul 27, 2009 09:05 by Elena_Levashova
TheRegister: Remote IT support tool hijacks customer webserver

by Dan Goodin

On Thursday morning, IT consultant Paul Nash received an urgent call from a client whose Apache webserver had crashed the previous night and inexplicably wouldn't restart. Equally vexing, people who tried to visit the client's website during the 10-hour outage received a message advertising TeamViewer, a maker of widely used software for remotely managing PCs and servers.

After 90 minutes of troubleshooting, Nash traced the problem to TeamViewer, which he used to remotely administer the client's servers. It turns out the program had opened up its own webserver on the client's machine as soon as Apache went down and in the process made it impossible for the client, a large provider of business software, to restart its proper website.

"At that point, basically the webserver is hosed because if Apache tries to start up again, it sees someone else on port 80 and it falls over and dies, which is kind of antisocial behavior," Nash, who is the principal at Toronto-based Nash Networks, told The Register. Nash was able to get Apache up and running again by killing TeamViewer processes on the server, but by then, the client "had quite a bit of irate support requests stacked up."

The incident highlights a serious liability that comes from using what he otherwise regards as a great tool for remotely managing the thousands of PCs and servers entrusted to him. But what really sticks in Nash's craw, he said, is the blasé attitude TeamViewer support people showed when he reported the SNAFU.

"They said they don't see what the problem is," he said.

After he escalated the complaint, Nash finally received instructions for modifying the registry of machines running TeamViewer so its webserver won't automatically start should the normal webserver go down. But this requires him to put his hands on every machine he manages, a solution that's needlessly cumbersome.
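The failure described above is an ordinary port collision: a second process binds port 80 while Apache is down, and Apache's next start fails because it cannot bind. The following Python is an added example, not code from the article, from Nash Networks or from TeamViewer. It shows the pre-start check an administrator would want before restarting the real webserver: a parser for Windows `netstat -ano` output that lists which PIDs are listening on the port (the sample output and PID 4212 are constructed), and a bind probe that tests the port the same way the server would. The `tasklist /FI "PID eq N"` hint for mapping a PID to an image name is the standard Windows command; the registry setting the article mentions is not reproduced here.

```python
import errno
import socket
from typing import List, Tuple

# Constructed sample of `netstat -ano` output (Windows); not taken from the article.
# PID 4212 stands in for whatever process grabbed port 80 while Apache was down.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:5939         127.0.0.1:49712        ESTABLISHED     4212
  TCP    [::]:80                [::]:0                 LISTENING       4212
  UDP    0.0.0.0:5353           *:*                                    1500
"""


def listeners_on_port(netstat_text: str, port: int) -> List[Tuple[str, str, int]]:
    """Return (proto, local_address, pid) for every TCP socket in LISTENING state
    on `port` in netstat -ano style output. Only listening sockets can block a
    bind, so ESTABLISHED rows and UDP rows (which carry no state column) are skipped."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].upper() != "TCP":
            continue
        local, state, pid = fields[1], fields[3], fields[4]
        if state.upper() != "LISTENING":
            continue
        # rpartition handles both "0.0.0.0:80" and the IPv6 form "[::]:80".
        _host, _sep, port_str = local.rpartition(":")
        if port_str.isdigit() and int(port_str) == port:
            found.append((fields[0].upper(), local, int(pid)))
    return found


def preflight(netstat_text: str, port: int = 80) -> str:
    """Summarise whether Apache can be started on `port`, naming the owning PIDs if not."""
    owners = listeners_on_port(netstat_text, port)
    if not owners:
        return f"port {port} clear, safe to start Apache"
    pids = sorted({pid for _, _, pid in owners})
    return (f"port {port} held by PID(s) {pids}; "
            f'identify with: tasklist /FI "PID eq {pids[0]}"')


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Attempt the same bind the real server would make. EADDRINUSE means another
    process already listens there. SO_REUSEADDR is deliberately NOT set: on Windows
    it would let this probe bind alongside the existing listener and report a false
    'free'. Permission errors (e.g. port 80 without privileges) are re-raised, since
    they are not conflicts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        # 10048 is WSAEADDRINUSE on Windows; errno.EADDRINUSE covers POSIX.
        if exc.errno in (errno.EADDRINUSE, 10048):
            return False
        raise
    finally:
        sock.close()


def demo_bind_probe() -> Tuple[bool, bool]:
    """Hold an ephemeral loopback port, probe it while held and again after release.
    Returns (busy_while_held, free_after_release); expected (True, True)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        busy_while_held = not port_is_free(port, "127.0.0.1")
    finally:
        holder.close()
    free_after_release = port_is_free(port, "127.0.0.1")
    return busy_while_held, free_after_release


if __name__ == "__main__":
    print(preflight(SAMPLE_NETSTAT, 80))
    print(preflight(SAMPLE_NETSTAT, 443))
    print("bind probe (busy while held, free after release):", demo_bind_probe())
```

Run as a pre-start hook: if `preflight` reports an owner, the PID tells you which process to investigate before restarting Apache, instead of restarting blindly and reading the bind failure out of the error log afterwards. The bind probe is the check to use on a live host, since it reflects exactly what the server will experience.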

Also concerning, said Nash, is TeamViewer's lack of disclosure that its software is receiving incoming traffic sent to machines that run the software.

"They're sitting in the middle and they're in a position to snoop on all my traffic," he said, adding that he thinks that scenario is unlikely. Still, when Nash learned that TeamViewer does monitor for incoming web requests, he said it made him wonder: "What else aren't they telling us?"

TeamViewer's website claims the software has more than 15 million installations in 50 countries. Company representatives didn't immediately respond to requests for comment sent early Friday evening Germany time. We'll be sure to update this article, if they get back to us.

InfoWorld: A farewell to clouds

by William Hurley

I've really enjoyed writing for you for the past 7 months, but it's time for me to do a little less writing about cloud computing and a whole lot more working in the cloud.

Catchy, huh? Alas! This is my last InfoWorld Cloud Computing post. I've really enjoyed writing for you for the past seven months, but my mounting responsibilities mean it's time for me to bow out. I'm going to do a little less writing about cloud computing and a whole lot more working in the cloud. In fact I've just posted a "Down-to-Earth look at Cloud Computing" podcast on BMC's new Cloud Computing Community.

Never fear. Neither I nor InfoWorld's Editor in Chief Eric Knorr would leave you in the lurch. David S. Linthicum (Dave) will be taking the helm, and man does he bring a lot of insight. Dave is an internationally recognized industry expert and thought leader. He's authored or coauthored 13 books on computing, including the best-selling "Enterprise Application Integration" (Addison Wesley). He's also a well-known keynote speaker on the conference circuit and works with several cloud computing startups. The column couldn't be in better hands. Before I sign off, I'll leave you with three things I would like you to take away from my time here:

1. Keep the hope; lose the hype.

It's really easy to get caught up in all of the hype surrounding cloud computing, and just as easy to lose hope in it when you've weeded through the overwhelming amount of crap that's out there. As I've said before, continuing to market cloud computing as the next magic bullet will guarantee dissatisfaction. We need a Windex-clear definition to take this buzzword from cotton candy to New York cheesecake. Eric has raised this flag several times in his blog, going so far as to offer the industry a standard definition: "the use of commercial computing services, including software-as-a-service applications, delivered over the Internet." It's up to us, the community, to make this tangible and concrete.

2. Be realistic about what you're getting into.

Once I asked readers: Does cloud computing eliminate complexity? Sure, cloud computing is a celebrated "new" technology, but we got ourselves all wrapped up in it before we understood its repercussions. Do yourself a favor and examine cloud offerings against some realistic metrics for what you and your organization consider success. And don't forget the Law of Unintended Consequences. Moving components from your internal infrastructure to the cloud probably won't reduce complexity, just brush it under the rug. "Out of sight, out of mind" sounds good until it's the foundation for your IT infrastructure.

3. Cloud computing isn't evil.

Privacy is important, but it's not the only issue. Regulatory compliance and a host of other potential challenges face companies deploying cloud technologies, but most of these will be worked out over time. Cloud computing isn't inherently good or evil; technology is technology. Its effects on your organization are a direct result of the planning and management you put into its deployment and operation.

There's my short list. Now I sign off for the last time. Thanks to Eric and InfoWorld for giving me the opportunity to participate in this community, and thanks to Dave Linthicum for stepping in to take over this column. If you're interested in following what's next for me, just add me on Twitter, or drop me a line.

CNet: From iPhones to smart grids at Black Hat, Defcon

by Elinor Mills

My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.

I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.

Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years--hacking the elevators and ATMs and cementing the toilets, to name a few--have led to bans at certain hotels.

"One good thing about the (economic) downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."

In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.

Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)

While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.

The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.

There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.

Despite the recession, both events are expected to be crowded.

"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."

The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.

Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded.

"The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"

Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."

There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.

When hackers go public with details on exploits, vendors get nervous--companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.

"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.

Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.

Defcon averted another type of legal debacle this year--the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.

"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."

Posted at 27 Jul @ 8:26 AM by Elena_Levashova



Copyright 1994-2009 Sun Microsystems, Inc.