Wired has an interesting write-up of the methods used by an Austrian civil liberties group to protest and monitor the use of surveillance cameras in public spaces:

Members of the organization worked out a way to intercept the camera images with an inexpensive, 1-GHz satellite receiver. The signal could then be descrambled using hardware designed to enhance copy-protected video as it’s transferred from DVD to VHS tape.

[…]

And, just for fun, the group created an anonymous surveillance system that uses face-recognition software to place a black stripe over the eyes of people whose images are recorded.

So you can check the data to see if you’ve been watched. Obviously this compromises the deterence-by-obscurity of surveillance systems, but that’s not what they’re best for anyway. In fact, although I’m a big fan of using technology for detective controls I try to always warn against trying to use cameras as a deterrent/preventive control. In other words the ability of a camera to put fear into the heart of the enemy is really a function of social engineering and has little/nothing to do with the actual (core) capabilities of surveillance systems, and moreover it can end up defeating the very purpose of the cameras — to create a space reasonably free of fear.

Oh, and if any camera vendors are reading, PLEASE stop using unique URLs for network access. I admit I had not choice but to compromise on some things in my last purchase (what’s up with the lack of native support for SSH/HTTPS?) but I would never buy a system that used a fingerprint in the URL (e.g. axis-cgi/). Talk about a reality check for those who think network video recorder obscurity is effective…

At the end of the day I finally recieved a notice from US-CERT (http://www.us-cert.gov/cas/techalerts/TA05-362A.html)

Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560.

Got that? This is VU#181038, filed under CVE-2005-4560 and available online as TA05-362A. Roger that.

Anyway, they supported the recommendations by F-secure and Sunbelt:

• Do not access Windows Metafiles from untrusted sources
• Block access to Windows Metafiles at network perimeters
• Reset the program association for Windows Metafiles

I had a brief discussion today with some admins and told them I disagree with the latter recommendation. No one seemed to object, perhaps because it would be such a royal pain to implement thoroughly and it might not even be effective, but who knows at this point. So we’ve rolled out the top two (plus HTTP and SMTP filtering) and are observing traffic.

I posted some of the same info over on Bruce’s blog…

Latest report is that the exploit installs if you even download or index an infected WMF file. In other words if you use Google Desktop, which automagically touches your media files, then your system will be trojaned faster than you can say “how convenient”. No known patches are available.

F-secure, as usual, is ahead of the game with a new signature that detects the three variations already in the wild. They also have a pointer to Sunbelt who has a link to BugTraq.

Sparse information so far, but the early responders seem pretty concerned and recommending that WMF be filtered and/or all traffic be blocked to the following sites:

Crackz.ws
unionseek.com
www.tfcco.com
Iframeurl.biz
beehappyy.biz

This seems far more serious than a Saudi teen winning a secular talent competition, so let’s hope someone higher-up issues the appropriate fatwa and/or is able to shutdown or block traffic at the carrier level.