Daily Digs – 08.31.2009
It's Monday and, unfortunately, that means August 2009 is almost behind us. That means, for many, back to school and the end of summer. If only I was that lucky! It's this time of year that the cool air and soon-to-be-colorful trees remind me of those days gone by of college campus life. Enjoy it while you can you youngins! On to the digs...
Uh oh! Microsoft and the Linux kernel today faced exploit code being posted to milw0rm. Although the Microsoft vuln is, obviously, getting much more attention, do your due diligence and check both out. The Microsoft exploit affects IIS 5.0/6.0 and is a remote overflow, while the Linux sploit code is the local NULL pointer dereference we've seen talked about more recently. Get 'em while they're hot!
[Linux Kernel sock_sendpage()]
[Microsoft 5.0/6.0 FTPd Remote Root]
ThreatChaos is claiming Cisco had better be watching their back due to a new integrated platform 3COM has just unveiled. Basically the claim is that routing platforms are, and have been, a commodity for years now and that integrating security functionality (not sure how firewall functionality is "new" here, since all of the features listed are, and have been, in high-end firewall platforms for a considerable time now) will be the new de facto standard.
[Watch out Cisco]
MacPorts, today, gets a significant point release. 1.8.0 is out on the table now, with disk images available for Snow Leopard if you've done a clean install over the weekend (I did).
[MacPorts 1.8.0 Released]
The TrendLabs Malware Blog has a good rundown of info around the trojan that's targeting Skype users. The trojan hooks the send and receive APIs so that the voice conversations can be saved before any encryption is applied. Trend says the trojan looks to be rather tame now with regards to the fact that it's not actively sending data out today, but that doesn't mean it won't in the future either.
[Trojan Targets Skype Users]
Now I'm not a big fan of SolarWinds utilities to begin with. Sure, over the years I've used some of their utilities, but when it takes multiple megs of proprietary code to install a TFTP server one has to wonder what's really packed in there. The products themselves are rather underwhelming and there are far better free alternatives available. But, if you'd like to mess with that coworker who is all about SolarWinds tools, tell him/her to spin up the TFTP server for you to DoS. The PoC code is there in the links as well.
[SolarWinds TFTP Server DoS]
Saint 7.1.1 was released today with some handy new features and vulnerability checks. Check out the Security Database Tools site for the rundown.
[Saint 7.1.1 Released]
Could that medical imaging procedure you just had pose a serious risk to your long-term health? CNET has published that 2% of all cancers could be attributed to radiation during CT scans alone. Scary stuff. So should more disclosure be required to help patients make a more informed decision?
[Medical-Imaging Procedures Always Worth the Risk]
The SSA is supposedly testing Microsoft's HealthVault (their online health record service). It's one thing for a particular hospital or clinic to do this, because then I can avoid them at all costs. The SSA, on the other hand, is not very avoidable. Who's making these decisions?
[SSA Testing Microsoft HealthVault]
When in doubt, reformat. An interesting and, rather non-technical and unscientific, reasoning behind the motto. Interesting for the perspective alone from a typical end user. I got the chills when reading the part about IE 6.
[When in Doubt, Reformat]
So is the Conficker worm sitting dormant until an opportune time? John Markoff has a slightly FUDish piece up that describes the "rogue software" as a ghost ship. Maybe it was written by the Chinese government to see how far it could infect machines deep within the confines of the Pentagon? But maybe our own government is behind it... What do YOU think?
[Conficker Waiting to Strike]
And that's all for the commentary tonight boys and girls. Here's some links that are news noteworthy as well!
-windexh8er
[Best Definition Ever]
[Security Solution for Craigslist]
[St. Luke Worker Accused of Stealing CC]
[Bill Tones Down Power to Shut Web]
[Trend Launches New Security Tracking Tool]
Daily Digs – 08.27.2009
It's Thursday and so, so very close to the weekend! That's the good news. The bad? I was surprised nobody picked up on the easter egg that was in yesterday's digs. We'll do one again soon, so keep an eye out. On to the short list for today (and it is a short list, as there wasn't a whole lot that was genuinely interesting).
Some juicy Skype trojan source code is available for download. Yes, you read that right, it's being featured like your run-of-the-mill download over on Megapanzer. My favorite part? The author says "If you don't like this... well I can't help you". Awesomesauce.
[Skype Trojan Sourcecode Available for Download]
I'm not the biggest fan of the "Insecurity Complex" blog over on CNET, but I'll give this one to Elinor. Probably because I'm a fan of Dino and Charlie, but the article shed a little bit of extra light on both these hacker extraordinaires.
[Researchers Who Hack the Mac]
Get stuck on the Brucon wifi puzzle? Didier Stevens to the rescue with a fabulous, and illustrated, rundown of one way to solve it.
[The Brucon Wifi Puzzle]
C'mon Greg - Apple's not completely ignorant. The stance that "Apple doesn't want to tarnish the reputation..." because there's been little fanfare around the new malware detection in Snow Leopard is a slight stretch in my mind. In the end it's a good thing and if Apple wanted to spin it they could just come out and say that it's there because a vast majority of platforms are now running virtualization or could potentially benefit in Boot Camp scenarios from it. Rant rant rant that Apple is lackadaisical on the security front and then the only thing industry "experts" have to say is that it's hidden to avoid defeat? You be the judge, but I'll take it for $29 and a slice of pie.
[Apple's Secret Security Update]
DLP, art thou just like NAC - great in theory but el suck in reality? Short answer: yes. DLP is not "prevention" in any sense, and for Symantec to market the product like that is just sheer bullshit. DLP is signature based, just like the failing A/V of today, with some lightly baked heuristics thrown in so they can say they detect anomalies. Long story short, DLP is only useful (today) in situations where legit employees accidentally try to disseminate data or don't understand the problem with it. But at the end of the day, if I want to get it out the door, big yellow's software surely won't stop me. I'm more interested in how Symantec even lets blog posts like that get posted - Jonathan did a good job of throwing his company under the bus by explaining how Symantec "buys" security, which screams "we-can't-develop-it-ourselves".
[Could DLP Have Prevented the Goldman Sachs Issue]
Well boys and girls that's the short list for today. Check back this weekend for the first redux in a while!
-windexh8er
Daily Digs – 08.24.2009
It's Monday evening and time for another round of Daily Digs. We'll be back to our regularly scheduled Weekend Redux this weekend. Today I spent the afternoon at the Twin Cities OWASP mini-con and, while it was generally pretty good, only one of the three speakers was really that good, and that was Pravir Chandra discussing OpenSAMM. I would highly recommend checking it out. That aside, we're on to the digs...
The NYT Bits blog has some interesting insight into Clampi and real-time keystroke logging. There's been considerably more press on Clampi as of late but this article has some interesting tidbits and if you're not in the know it's a good place to start.
[How Hackers Snatch Real-Time Security ID Numbers]
Registration for the GNU Hackers Meeting November 11-13 in Sweden was announced recently. Brian Gough posted the info to the GNU forum.
[Registration Open for GNU Hackers Meeting]
Apple is shipping the next release of the OS X series this coming Friday (the 28th). Although the linked article doesn't mention it, ZFS has all but disappeared from the documentation on Apple's site.
[Apple to Ship OS X Snow Leopard August 28th]
Need high quality random numbers? Then you need the Simtec Entropy Key. Product marketing aside, understanding why and how the key can help is always good information to have under your belt.
[Simtec Entropy Key]
Cisco today released an active security advisory around BGP (specifically related to update functions). Not surprising though as Cisco has recently been pushing advisories that are quite similar in nature. I think you'll see more targeted attacks focusing on XR as it starts to finally gain more mainstream acceptance. The modularity in XR allows easier updates, but that doesn't mean lots-o (broken) legacy code didn't get carried over.
[Cisco IOS XR Software Border Gateway Protocol Vulnerabilities]
Jim Manico has a post up today about when it's a good time/place to use OWASP's AntiSamy.
[When to use OWASP AntiSamy]
Stoned Bootkit got some updates today with a new code release along with some extra documentation.
[File System Drivers]
Failures can often times be funny, so this list of failures in terrorism has a few good laughs. My favorite line: "The bomb explodes, disintegrating Ahmed and showering his partner Sa'ad with retard bits". While not exactly PC, it's some good reading.
[The 5 Most Embarrassing Failures in Terrorism]
That's it for tonight boys and girls, we'll leave you with a grab bag of other good links.
[Teenage Hackers: Making a Better World]
[Updated Groklaw: Apple vs. Pystar]
[Exactly Why Data Breaches Happen]
[Microsoft, Google and VMware Redefine the OS]
[Windows Incident Response: Virtualization]
[Pirate Bay Down After ISP Cuts Connection]
[Mass Infection Turns Websites Into Exploit Launch Pads]
[SubSeven is Back]
[Google to be Used to Control Botnets]
[Sony Debuts HD Security Cameras]
[Canada Takes Lead Role in Facebook Privacy Issues]
Daily Digs – 08.19.2009
Good Wednesday evening everyone! We're over the hump and on our way to the weekend, so let's get right to the digs...
First up is a little bit of interesting research from our friends over in Redmond on de-anonymizing the Internet. The paper is all about a newly dubbed system called HostTracker. The basis of this particular system is to "...track bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs." But, before I muddle the topic any more, head on over to check out the PDF.
[De-Anonymizing the Internet Using Unreliable IDs]
Everyone's heard of the IronKey, but today there was some buzz around some new functionality, specifically with regard to malware protection on the new product. The new functionality comes from a company called Tresys and is called FiST (File Sanitization Tool).
[Malware Protection on USBs from IronKey]
The SANS network forensics puzzle is still on like Donkey Kong! Submissions need to be in by September 10th, so get a move on.
[Network Forensics Puzzle Contest]
Network World today is telling us that managed security services are all the rage. Yeah, just like blink-tastic security boxes. And firewalls. The real question is: which managed security services don't suck? Hit the link for some statistics you could very well have lived without.
[Managed Security Services All the Rage]
Well thankfully you don't need to give up your SSN to get a room from Radisson or you might be in more hurt than you already are. News out today that Radisson is disclosing a breach and to "review your account statements and credit report". Thanks Captain Obvious!
[Radisson Hotels Suffer Data Breach]
Gunnar Peterson, representing the 6-1-2, has a fabulous story of - firewalls! OK, not really, but read the article, it's been the most entertaining thing so far for me today.
[There Are No Firewalls]
Did Symantec identify your site as "dirty"? They've got the worst-of for the summer of 2009 up, and CNET has an article all about it.
[Dirtiest Websites of Summer]
There seems to be an inadvertent feature in version 3.0 of the iPhone and iPod Touch software - deleted emails can be recovered! Although reports say it's been fixed in the 3.1 beta, be wary of anything you think you may have deleted.
[iPhone Bug Keeps Deleted E-mails on Tap]
Rich and Co. over at Securosis have some new details up about the root cause of the Heartland breach. Although the recommendations are high level it's obvious there are many who are struggling to even implement the bare minimum.
[New Details, and Lessons, on Heartland Breach]
Indictments, indictments everywhere! 8 more were charged today for obtaining $22 million worth of wireless devices from AT&T and T-Mobile without payment. Ummm, say what? Quite the little scam to abuse the dealer network systems.
[8 Indicted in $22m Fraud Against AT&T Wireless, T-Mobile]
Oh yay, a couple of cloud standardization efforts were made public this week. If I had to shoot from the hip I'd say the OpenGroup initiative will probably be the end winner, as it was entirely odd to see mention of "RESTful" in the first sentence of the A6 draft. Honestly, I think more effort went into coining a descriptor and buzzwords than anything else (and even that doesn't make total sense to me - call me slow). But anyway, CNET has the rundown.
[Two Cloud Standardization Efforts Made Public]
We'll leave you tonight with some information around a very common tool most of us use on a daily basis. Considering most people run a stock configuration, digging through this rundown of 20 (quick) best practices might serve you well.
[Top 20 OpenSSH Server Best Practices]
That'll do it for tonight folks! Take care and feel free to comment if you find the digs at all useful.
-windexh8er
Daily Digs – 08.13.2009
Ohhh we were so close to a Friday the 13th. Some of the stories for today may have been better served by that date / day combination. I suppose it felt like it for Robert Carr (CEO of Heartland) though as Mogull laid the open-letter-smackdown fo' sho'. All in all it's been an interesting day with some great news so let's get to the digs!
First up is an interesting analogy of cracks to Microsoft. The "dorky tale" can be had over at EvilFingers and is, well, lighthearted in nature.
[Patching the Patches]
It seems to me as if Firewire is always rife with authentication bypass flaws. Help Net Security has a paper that you can download to read all about it. What OS are we talking about here? None other than the shiny new Windows 7.
[Firewire Based Physical Security Attacks]
There's not a whole lot to say about this one because Rich Mogull said most of it already. If you haven't already read the open letter to Robert Carr you'll want to.
[An Open Letter to Robert Carr]
From the are-you-completely-stupid-bin we pull out the misunderstandings of non-technical government officials. This time, however, the stupid policies being pushed aren't originating out of DC! Belgium wants to keep all email traffic for two years. Supposedly this will help in some way, shape, or form to combat criminal activity. Because, there's not fabulous free encryption out there or anything.
[Belgium Would Like to Track Your Email for Two Years?]
I'm jealous. Joel Esler was raving about the SourceFire Exploit Development class today. He makes the comment about those typical classes where 80% of the content is rather trivial and the other 20% you could have figured out anyway and how this class is not that type. Again, I'm jealous and might actually take this class later this year if I can swing the time off in December. Thanks Joel!
[SourceFire's Exploit Development Class]
Think you know enough about ERP, dB, gain, etc. with regards to 802.11 antennas? Well, then you probably haven't a clue on the changes in 802.11n antennas. There's a great article on SearchNetworking today with links to a few other antenna references.
[Understanding 802.11n Wireless Antennas]
Your organization still running IE6? That's too bad, maybe you should inject some code into the front page of their site displaying your disgrace for the browser that just won't die (but kills machines).
[IE 6 No More!]
Oh, joy -- pretty much every Linux kernel running on the planet is broken, and can allow remote exploitability. Yes, pretty much every kernel since early 2001. This will be a great exploit for time to come!
[Bug Exposes 8 Years of Linux Kernel]
We leave you this week with some great key size explanation by Luther Martin of Voltage. If I could sum it up as well as his post was written I'd do just that, but it's easier for you to read his explanation.
[Comparing Key Sizes]
Have a great weekend everyone! We'll be in touch with some of the things we talked about earlier in the week.
--windexh8er
Daily Digs – 08.12.2009
Good evening! Wednesday, the kernel of my week - oh how I'm glad you've almost come to a close. The race for the weekend is all downhill from here. We've got lots of great commentary and links to share today, so on to the digs.
Generally I'd like to stay away from vendors advertising new, must-have, fabulous, can't-live-without technology - but BreakingPoint posted something that just looks too damn cool. "Write and simulate your own network strikes" they say! So as not to break out into a commercial for them I'll just lead you to the link. I can't say I've ever had a chance to drive any BreakingPoint gear (I'll definitely take one for a test drive if they want to send me something though), so please don't take this as actual advocacy.
[Write and Simulate Your Own Network Strikes]
Gartner has a fun little graphic up with regards to the hype cycle of emerging technologies. While it's interesting to look at, that's about all it's good for in my book. Really, if an analyst at Gartner could predict the peak appropriately they wouldn't need to work at Gartner. Then we get to the crux of the "inflated expectations" with, hold your breath, e-book readers and cloud computing. There are more little nuggets of thought-provoking humor (microblogging on the edge of the trough of disillusionment) scattered in the colorful roller-coaster-of-a-graphic, so check it out.
[Twitter Backlash Foretold]
UC Berkeley today disclosed that they may have exposed roughly 493 SSNs and other PII to a hacker. That gets me thinking -- are the bigger schools just better at realizing they've been breached, or are they just the bigger target?
[Hackers Strike UC Berkeley]
So I had a great laugh this morning with this one and then also learned an interesting tidbit of information from a coworker. At the surface of the story, most news outlets are running the piece that Judge Leonard Davis of the U.S. District Court for the Eastern District of Texas issued a permanent injunction against Microsoft that prohibits them from selling or importing Word that, basically, has any XML functionality. That's what the mainstream press is running. What I learned was that Smith County in Texas has its own story of shady shenanigans, and now I have some "Murder She Wrote" style literature for my enjoyment this weekend. That's because in 1985 a book called "Smith County Justice" was published by a man named David Ellsworth. Let's just say that you can't get the book in print anymore because local authorities used pressure of sorts to have the book pulled from publishing and all unsold copies burned. Dum dum dum. Anyway, I'll leave it to you to solve the mystery of Smith County. Check out the links to get started!
[Judge Orders Microsoft to Stop Selling Word]
[Wikileaks - Smith County Justice]
Branden Williams informed me (well, not directly) that MasterCard has finally gotten around to clarifying their previously ambiguous L1 and L2 merchant fine machine. MasterCard yells "All hail QSA!" while Heartland banters "QSA - thou art heretic!". Well, at this point I might as well post both links with this banter. Is it a full moon out tonight?
[MasterCard Clarifies Their Position]
[Heartland CEO on Data Breach]
Phish bombs away! Want to pwn your own Safari 4 "Top Sites"? Be prepared to get your electronica groove on with this screencast SecureThoughts has provided us with today. On to the show ladies and gents!
[Hijacking Safari 4 Top Sites with Phish Bombs]
Diebold is up to their same old same old, quietly patching "secure" vote counting software. If you like this story and are interested in more information on voting fraud and corruption I'd highly recommend watching "Uncounted - The New Math of American Elections". A coworker of mine helped produce and contribute research to the documentary and it's presented very well. After talking to him I learned that they actually had to chop out a few key segments because initial reactions were too strong from the public. Anyway, get your vote fraud news on.
[Diebold Quietly Patches Security Flaw in Vote Counting Software]
[Uncounted - The New Math of American Elections]
The mobile-phone attacks are coming, the mobile-phone attacks are coming! I didn't see this one on Gartner's hype cycle so it must be true. C'mon, anyone who hasn't seen this one coming since the release of the iPhone is living in a fantasy world where BeOS is making a comeback. Ahh, the good old days of BeOS. All in all it's a good discussion to be having now. We're hitting the critical mass where it's becoming glaringly obvious why and where the monarchy approval system (i.e. Apple's App Store) fails, but at the same time why it's positioned well for sanity checks and balances against a completely open system that could easily be circumvented for the general populace.
[Android Security Chief: Mobile-Phone Attacks Coming]
From the you-may-not-have-known bin we pull out some Nmap goodness I learned from the fabulous VOIPSA blog. Nmap has a rather extensive set of fingerprints for VoIP devices! OK, so you already knew that fingerprinting was a big part of why you use Nmap in the first place, right? Well it struck me, while I was perusing the list, that I could (will) help by adding a few that I have access to that aren't in that list already. Truth be told is that I felt like I haven't contributed anything back to the Nmap project recently and I really should.
[Something Old, Something New: Nmap's VoIP Fingerprinting]
Wow, there are lots of great links today! Unfortunately I'm already >20 minutes past due because of a busy evening. We'll leave you with a list in the grab bag tonight. If you find the daily digs useful, humorous or flat out lame, feel free to let us know in the comments! Take care y'all...
-windexh8er
[Dear Palm: Please Stop Tracking Me and My Pre Use]
[Typhoon Knocks Out Asia Telecom Cable]
[2Wire Routers Unauthorized Access]
[Energy Companies Say NERC Standards Inadequate]
[Technical Debt]
Daily Digs – 08.11.2009
Well boys and girls it's only Tuesday. Yes Twitter, once again, is under siege, the Pirate Bay is having issues and Microsoft dropped a bombshell full of updates. Welcome to the daily digs...
The first article isn't exactly security focused. It is, in a way, because from my viewpoint network stability is a direct component of security. If information isn't accessible then it's no good, right? Sometimes. Either way, Lawrence Roberts (of ARPANET fame) has stepped back from today's slow, expensive routing platforms and decided to fix the brokenness, not from a bandwidth perspective, but flow. Now at first glance I thought his whole concept was CEF repackaged, but it's not. Just goes to show how much of the same crap Cisco can feed customers and get away with it year over year. Monolithic kernel: check. Repackaged software that Cisco has no core competency in: check. It's good to see outside-the-box thinkers like Hoff go over to players like Cisco, but at the end of the day he'll just get washed, dried and pressed into Cisco's typical mold. Anyway, on to the original story at hand:
[A Radical New Router]
Mu Dynamics today posted some vulnerabilities in Asterisk to their Labs site. Looks to be a case of the parsing blues (as Asterisk has had problems with this in the past). Glad to be running "PBX In A Flash - PIAF" these days as I can grab the latest Asterisk upgrades and compile with a few simple commands.
[Asterisk Bug Disclosed by Mu Dynamics]
In light of the fun WordPress bugs today eWeek was running an article about common PHP coding mistakes and what you can do about them. Personally I think the OWASP ESAPI toolkits are a better reference (where's Rails OWASP?), but to each their own. You can always learn something from another perspective, right?
[Common PHP Security Mistakes and What You Can Do About Them]
[OWASP ESAPI]
Wired was one of the first outlets seen running the story about the hacker with Asperger's being sentenced to 55 months. The original sentence would have been only slightly longer, but because of the disease it was said that Mr. Berkovich was more susceptible to recruitment. The actual hack was relatively impressive because of its simplicity and reliability.
[Hacker with Asperger's Gets 55 Months]
The "insider threat", all too common right? What about "insider risk"? Dennis Kuntz over at the Security Catalyst ran a nice clip this afternoon talking about the separation of defining insider threat and risk. Maybe it's time to start looking at it again (or for the first time).
[Insider Threat or Risk?]
Not a day goes by that we can't get around something new, clever, lame or exciting directly tied to PCI. That's why I feel morally obligated to tell you that 1.2.1 is now official. Yeah, sure, it's not really any real defining changes but more so fixes. Go check out Branden Williams' rundown of what's new.
[PCI DSS Goes 1.2.1]
Gunnar Peterson sets up the story about why a simple DTD can DoS your XML parser. Old security bugs never die, says Gunnar, until you kill them.
[Behold the Power of Fuzzing]
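As an added illustration of Gunnar's point (example code written for this digest, not taken from his post or from any project): a small scanner that computes what a DTD's entity declarations would expand to without ever expanding them, plus the usual mitigation of refusing any DOCTYPE from untrusted input. The XML documents below are constructed samples.

```python
"""Why a small DTD can exhaust an XML parser, and how to refuse it.

Added example (not code from Gunnar Peterson's post). The constructed
documents below are tiny, but the entity chain in SAMPLE_DTD_DOC makes a
naive parser materialise 10**3 copies of the base string, and the chain in
RECURSIVE_DOC never terminates unless the parser detects the loop.
Standard library only; no network or files.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three levels, each referencing the previous ten times.
SAMPLE_DTD_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<data>&c;</data>
"""

# Constructed sample: two entities that reference each other.
RECURSIVE_DOC = """<!DOCTYPE data [
  <!ENTITY x "&y;">
  <!ENTITY y "&x;">
]>
<data>&x;</data>
"""

CLEAN_DOC = '<?xml version="1.0"?><data><item id="1">ok</item></data>'

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_SUBSET_RE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY_RE = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
_REF_RE = re.compile(r"&(\w+);")
_PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def internal_entities(doc: str) -> dict:
    """General entities declared in the internal DTD subset, name -> text.
    Parameter entities (% name) and SYSTEM/PUBLIC externals are skipped;
    the policy in parse_untrusted rejects the whole DOCTYPE anyway."""
    m = _SUBSET_RE.search(doc)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in _ENTITY_RE.findall(m.group(1))}


def expanded_length(name: str, ents: dict, memo: dict, stack: set) -> int:
    """Characters an entity expands to, computed without expanding it:
    literal text plus the expanded size of every reference.  Memoised, so
    the cost is linear in the number of declarations even though the
    expansion itself is exponential.  Raises ValueError on a reference cycle."""
    if name in memo:
        return memo[name]
    if name in _PREDEFINED:
        return _PREDEFINED[name]
    if name not in ents:
        return 0  # undefined entity: a conforming parser stops with an error
    if name in stack:
        raise ValueError(f"recursive entity {name!r}")
    stack.add(name)
    value = ents[name]
    total = len(_REF_RE.sub("", value))
    for ref in _REF_RE.findall(value):
        total += expanded_length(ref, ents, memo, stack)
    stack.remove(name)
    memo[name] = total
    return total


def dtd_report(doc: str) -> dict:
    """Summarise what accepting this document's DTD would cost the parser."""
    ents = internal_entities(doc)
    report = {"doctype": bool(_DOCTYPE_RE.search(doc)), "entities": len(ents),
              "worst_expansion": 0, "recursive": False}
    memo, worst = {}, 0
    for name in ents:
        try:
            worst = max(worst, expanded_length(name, ents, memo, set()))
        except ValueError:
            report["recursive"] = True
    report["worst_expansion"] = worst
    return report


def parse_untrusted(doc: str):
    """Mitigation: refuse any DOCTYPE from untrusted input before the parser
    sees it (the same effect as defusedxml, or lxml with
    resolve_entities=False), then parse with the standard library."""
    if _DOCTYPE_RE.search(doc):
        raise ValueError("DOCTYPE present; DTDs are not accepted from untrusted input")
    return ET.fromstring(doc)


def is_rejected(doc: str) -> bool:
    """True when parse_untrusted refuses the document."""
    try:
        parse_untrusted(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, d in (("chain", SAMPLE_DTD_DOC), ("loop", RECURSIVE_DOC), ("clean", CLEAN_DOC)):
        print(label, dtd_report(d), "rejected" if is_rejected(d) else "parsed")
```

The three-level chain is deliberately small; each extra level multiplies the expansion by ten, which is the whole problem.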
Oh Forrester, you get paid to come up with this stuff? Forrester says all sec pros should drop what they're doing and focus on ways to secure the cloud because everyone knows the cloud is everything. I'd honestly have to say that Rob Whiteley isn't too in touch with the real world these days. Try hitting up your neighborhood Fortune 50 and see, actually, how much of their infrastructure is tied to SaaS, PaaS or IaaS.
[Data Has Become Too Distributed to Secure Says Magic 8-Ball Forrester]
That's all for the commentary we have today folks. Check back tomorrow for more! I'll leave you with today's grab bag...
-windexh8er
[Are you secure, or are you safe?]
[Adobe Flash Cookies Pose Vexing Privacy Questions]
[More Companies Monitoring E-Mail]
[Dasient Launches Web Anti-Malware Lite]
[Pirate Bay Sinks Under Electrical Storm]
Daily Digs – 08.10.2009
Monday, bloody Monday. At least we're in the clear! Some interesting news as of today so with no further announcements let's dig right in.
Our first link is for a tool distributed, for free, from Sophos: Anti-Rootkit software. It's recently been updated to support 64-bit versions of Windows and the upcoming Windows 7 (which, let's hope, brings the majority of Windows users into the 64-bit world). No black-tie release event for this version, but at least Sophos is still putting it out there for "free".
[Sophos Anti-Rootkit Updated]
If you're in the Minneapolis / St. Paul area and you're in, well, pretty much any field, you've probably heard horror stories of United Health Group. If we haven't had enough reasons to hate on UHG, they're giving us a new one apparently! Let's see here - they're not only selling the marketing data but also mapping risk ratings for health and life insurance purposes. Way to go UHG! You get my swift-kick-in-the-ass award for today. If you can, do business elsewhere; UHG seems to treat their employees badly on top of the shady business practices.
[Your Prescription Data Has Been Sold For Profit]
Next up is some new functionality that will probably find its way into Metasploit. Max's Remote-Exploit blog has all the details on 'psnuffle', including a screencast of the functionality. Jam out to the techno beats while you watch the module in action!
[Psnuffle Password Sniffer]
I'm all about the Verizon Business Data-Breach Report. That being said I think big vendors / carriers generally have over-hyped and under-performing security services in general. Hopefully the security service doesn't share any of the service provisioning speeds that generally are, shall we say, not break-neck? Anyway, if you're into hiring a big firm to do your due diligence for you Verizon can offer it on a silver-platter with a bill to match I'm sure.
[Verizon Business to Offer Risk-Based Security Service]
I happened to post this one earlier in the day and it got quite a bit more attention than I had expected. The RedTeam blog has some Gimp pwnage fun that shows you how to embed some sneaky PHP in a GIF. That and @hdmoore pointed out to me some extra fun to go along with the 'sploit. Double whammy!
[0wning with Gimp]
All your base are belong to... Committers? Sure. Or just go patch Subversion if you haven't already!
[Holes Closed in Subversion]
One of the more prominent elite when it comes to OS X hacking: Dino Dai Zovi has posted to his blog a new article all about, you guessed it, rootkits! This goes with his recent Black Hat talk and includes the preso, paper and code.
[Advanced OS X Rootkits]
So you want to speak at RSA in 2010? Well, you better get in gear because the call for proposals is quickly coming to a close.
[RSA Call for Speaking Proposals Due August 14th]
SANS has a rockstar intro up to memory forensics today. The write-up includes looking at Mantech MDD and Volatility (which we've linked previously). If you're just getting your feet wet in forensics, this quick run-through definitely won't hurt!
[Memory Forensics: A Practical Example]
I asked myself a couple weeks ago this very question: "Why in the **** is the .NET Framework Extension installed in Firefox?" and now I have a fabulous answer. Wladimir Palant, of Adblock Plus fame, has a very thorough write-up with linkage to other articles in the press. If you use Adblock, you'll want to read this. Microsoft up to their shady shenanigans - again.
[The Return of .NET Framework Assistant]
Tsk tsk, reinventing the wheel is BAD. Especially when dealing with crypto. And doing crypto in JS! Don't believe me? Well, you don't have to take my word for it, but how about going back to the link to Nate Lawson's "Crypto Strikes Back!" Google Tech Talk and you'll understand why. The devs themselves even say it's only a "base level of security" (uhhh, there's no auth), so why not just save yourself the trouble and avoid it?
[jCryption 1.0 Released]
Fortinet is, apparently, going for the gold. And in this case "gold" being public shares. El Reg has a story up regarding the rare happening.
[Fortinet IPO]
Put this link out in mainstream C-Level inboxes and you'll have all kinds of heads rolling on Tuesday afternoon. SANS has a post up about the consideration of renewing your A/V solution. If you're not a complete security n00b you probably already knew that A/V is a waste of CPU cycles and whitelisting, not signature based blacklisting, is the only way to really go forward in today's shikata ga nai world. Duh.
[Don't Renew that Antivirus Contract]
Looks like DHS is in the tubes these days. Obama has another catastrophic fail on his hands with the latest being Mischel Kwon putting in her resignation to (shocker) go work in the, much higher paying, private sector. Maybe if I tweet The Prez he'll mention me on Facebook and we can talk about it over Skype later. Or how about this: maybe stop trying so hard with the communications outlets and focus on doing and not talking for a few months. Because, we all know, Cash for Clunkers is really helping out!
[Mischel Kwon Resigns]
We end today's string of ranty posts with the exclusive in-depth that Tom's Hardware has posted of Charlie Miller on the iPhone SMS exploit. Check it out; I was slightly tickled when I saw reference on the first page to AT commands. GO GO GADGET MODEM!
[Exclusive Interview with Charlie Miller]
We commented all the good articles today so, don't hold your breath, no grab bag for today!
-windexh8er
