Security Stallions Blog "Musings of all things infosec…"

26Aug/09

Daily Digs – 08.26.2009

When you miss two days of links they start to pile up in the, well, pile-o-links!  Lots of good info in the security space for this week so we'll get right to it.

First up is all about ignorance.  It seems, as reported by Larry Walsh, that security VARs do well when their customers are willing to take the look-the-other-way approach to security.  Not surprisingly, when events do happen it gives the particular VAR called in an opportunity to upsell services.
[Survey Shows Ignorance Works in Security VARs' Favor]

Quine, who now runs the Security Twits group, got some XSS fixed in SimpleID's login page.
[Simple ID XSS vuln -- FIXED]

A new (as of yesterday) proof of concept for hijacking lightweight Cisco APs has been dubbed "skyjacking".  There are only a few thousand words that sound cool in front of "jacking", so hurry and get your exploit registered so you too can "jack" something!
[Cisco WLANs at Risk of Skyjacking]

Why Jon Green is trying to breathe life into NAC is beyond me.  It's been beaten to a pulp as tech-centric NAC vendors are fading left and right, but then again it's just a new elevator pitch for Aruba's wireless spread.  If you're interested in his pitch you can read it over on SC.
[Wi-Fi + NAC = BFF]

Maybe I'm not understanding this correctly, but all the buzz around "cracking GSM" doesn't really have me worried.  Maybe the encryption schemes are the same, but GSM != UMTS, and all 3G phones generally have UMTS air interfaces today (iPhone, etc).  So, yes, theoretically you can eavesdrop on an iPhone user's call, but only when it's operating on GSM.  Since GSM uses time division multiplexing it's not really all that astonishing that this can be done trivially today, whereas the UMTS deployments of most carriers in the US use frequency division for multiplexing.  But, if you'd like to proclaim the sky is falling, continue on soldier.
[iPhone Eavesdropping Coming Soon]

I have waaaaaaaaaaaaay too much knowledge of the FWSM.  In fact I know that the production FWSM is actually missing a chip called "Titan" (used for handling multicast traffic), so that traffic has to be offloaded to the Sup instead, creating a lot of overhead in certain conditions.  So I was giddy when I saw this article about the FWSM being prone to a DoS from specially crafted ICMP, no less!  During my year-long stint getting far too cozy with FWSMs in large production environments we had found two similar bugs.  Let's just say I'm not a fan.
[Cisco Warns of FWSM Flaw]

All the cloudtards had much to say today with the announcement of Amazon's latest and greatest addition to its lineup.  Get ready for it: VPC boys and girls!  Yes, Amazon took their existing AWS architecture, segmented a few boxes, stuck an IPsec VPN in front of it and rebranded this amazing new service!  It's a whole new chapter in cloud services I tell you -- or wait, I've been able to offer that same service to my home network for the past ten years.  So if you wanted to stay connected to your shiny new VPC all year long you'd have to pay over $400 in VPN connection fees alone.  Sounds like a profitable business model to me, considering they probably run a few thousand terminations on one concentrator and split out the traffic on the back end into L2 trunks or L3 VRFs.
[Amazon Introduces VPC (and cloud fanatics wet themselves)]

Mr. Peterson has had some interesting posts lately and I was intrigued by the title of his latest: Chuck E. Cheese's Authorization Protocol.  Bet Wireshark doesn't have a parser for that!
[Chuck E. Cheese's Authorization Protocol]

That's it for today, we'll leave you with the grab-bag-o-links!  First to comment gets a $10 Starbucks gift card, has to be within 24 hours of this post (which posted around 11:05pm Central).  Make sure to leave a valid email address!

[Majority of Charges Dropped Against Rogue Admin]
[Testing SNMPv3]
[John Cran's BSides Video]
[Study on the Analysis of Netbot and Design of Detection Framework]
[Ranum vs Nickerson on Penetration Testing]

24Aug/09

Daily Digs – 08.24.2009

It's Monday evening and time for another round of Daily Digs.  We'll be back to our regularly scheduled Weekend Redux this weekend.  Today I spent the afternoon at the Twin Cities OWASP mini-con, and while it was generally pretty good, only one of the three speakers was really that good, and that was Pravir Chandra discussing OpenSAMM.  I would highly recommend checking it out.  That aside, we're on to the digs...

The NYT Bits blog has some interesting insight into Clampi and real-time keystroke logging.  There's been considerably more press on Clampi as of late but this article has some interesting tidbits and if you're not in the know it's a good place to start.
[How Hackers Snatch Real-Time Security ID Numbers]

Registration for the GNU Hackers Meeting November 11-13 in Sweden was announced recently.  Brian Gough posted the info to the GNU forum.
[Registration Open for GNU Hackers Meeting]

Apple is shipping the next release of the OS X series this coming Friday (the 28th).  Although the linked article doesn't mention it, ZFS has all but disappeared from the documentation on Apple's site.
[Apple to Ship OS X Snow Leopard August 28th]

Need high quality random numbers?  Then you need the Simtec Entropy Key.  Product marketing aside, understanding why and how the key can help is always good information to have under your belt.
[Simtec Entropy Key]

Cisco today released an active security advisory around BGP (specifically related to the update functions).  Not surprising, though, as Cisco has recently been pushing advisories that are quite similar in nature.  I think you'll see more targeted attacks focusing on XR as it starts to finally gain more mainstream acceptance.  The modularity in XR allows easier updates, but that doesn't mean lots-o (broken) legacy code didn't get carried over.
[Cisco IOS XR Software Border Gateway Protocol Vulnerabilities]

Jim Manico has a post up today about when it's a good time/place to use OWASP's AntiSamy.
[When to use OWASP AntiSamy]

Stoned Bootkit got some updates today with a new code release along with some extra documentation.
[File System Drivers]

Failures can often be funny, so this list of failures in terrorism has a few good laughs.  My favorite line: "The bomb explodes, disintegrating Ahmed and showering his partner Sa'ad with retard bits".  While not exactly PC, it's some good reading.
[The 5 Most Embarrassing Failures in Terrorism]

That's it for tonight boys and girls, we'll leave you with a grab bag of other good links.
[Teenage Hackers: Making a Better World]
[Updated Groklaw: Apple vs. Pystar]
[Exactly Why Data Breaches Happen]
[Microsoft, Google and VMware Redefine the OS]
[Windows Incident Response: Virtualization]
[Pirate Bay Down After ISP Cuts Connection]
[Mass Infection Turns Websites Into Exploit Launch Pads]
[SubSeven is Back]
[Google to be Used to Control Botnets]
[Sony Debuts HD Security Cameras]
[Canada Takes Lead Role in Facebook Privacy Issues]

4Aug/09

Daily Digs – 08.04.2009

Good evening Tuesday!  Lots of link lovin' today - so is that a good, or bad day in security?  I'll leave you to ponder as we start the digs disclosure.

First up, and near to my heart in a past life, we have news of a government contractor returning money over a failure to perform.  This is definitely a rarity in this space, as generally the government shells out more, not less.  Check out the Washington Post article for more.
[Contractor Returns Money to Pentagon]

iPhone, Android, where's the love for Pre exploits?  Step right up boys and girls, SecurityTracker has some PoC code for you!
[Palm WebOS Filtering Flaws]

So when 'show ip bgp 198.133.219.0/24' doesn't return anything from a router -- oh, say, any backbone router on bgp4.as -- Cisco's got some issues.  The #1 *cough* networking company in the world, and their AS goes away?  Check out the thread over on NANOG.
[BGP Debauchery]

Intel halted production on some SSDs today because of a data corruption bug that was found.  Sounds like Chipzilla's been having some BIOS bugginess as of late.
[Intel Confirms Data Corruption Bug]

Need the Canadian Counter-Insurgency Operations Manual?  I sure don't, but if you do -- check it out over on Wikileaks.
[Canadian Counter-Insurgency Operations Manual Leaked]

If you're all about the honeypots you'll be excited to know that the next phase of WASC's distributed open honeypot project is now underway.  CGISecurity has all the goods yonder.
[Next Phase of Honeypot Project]

I have to admit there has been a time or two I'd like to SE those punk kids who spend 23.5 hours a day honing XBox skills much to my dismay.  Now I have a golden opportunity as SpywareGuide is running an article on just how to get started pretending I'm a Microsoft employee.
[XBox Gamertag Exploit]

PenTestIT (really guys, give up on all the links -- great content, annoying site) has a brief blurb up about TitanEngine, the "swiss army knife for reverse engineers".  So if you're into packers, PSH and all that jazz this may be of interest.
[TitanEngine via PenTestIT]
[TitanEngine via ReversingLabs - no adspam]

Preserving and understanding timelines is critical to the validity of forensic data.  The Windows Incident Response blog has a great post up that showcases the 'log2timeline' tool.
[More Work on Timeline Analysis]

Today we'll leave our last comments with FISMA.  A great rant by Michael Smith (aka rybolov) via The Guerilla CISO on the good and the bad of it all.
[The FISMA Challenge]

And let's not forget today's grab bag -- filled with all kinds of uncommented linky goodness!
[Security Sells]
[Shaking That False Sense of Security]
[NH Inmate had Corrections Officer's Data]
[DoS Attack Downs Gawker]
[Feds and RFID Fun]
[SSL Rebinding Screencast]
[Taitz Loses it Live on MSNBC]

Happy trails to the rest of your Tuesday!

--windexh8er

30Jul/09

Daily Digs – 07.30.2009

What better way to start off with some fresh content than the close of Black Hat 2009 and the start of DEFCON 17?  Too bad I'm not in attendance, that's all I have to say about it.

First up to bat is the OpenDNSSEC project.  At a high level, and to quote the site, "OpenDNSSEC takes in unsigned zones, adds the signatures and other records for DNSSEC and passes it on to the authoritative name servers for that zone."  From the looks of it, it's built on a PKCS#11 abstraction layer for the signing keys.  Let's just hope it's not solely based on X.509 certs (we'll get to that)!
[OpenDNSSEC Project]

Keeping this one simple we'll call it like it is - Cisco BGP DoS.
[Cisco BGP DoS]

Who doesn't have an iPhone these days, right?  Well, Apple is staking a bold claim that those who jailbreak pose a, I kid you not, "national security threat".  All your baseband belong to jailbroken phones is what I'm thinkin'!
[Jailbreaking iPhone Could Pose Threat to National Security]

Rootkits abound thanks to chipmaker Intel.  El Reg ran an article about how chipzilla is warning of rootkit-style attacks that lead to privilege escalation.  BIOS: 0 / EFI: 1
[Intel Warns Over Baremetal BIOS Bug]

Moxie Marlinspike and Dan Kaminsky collided today in both unveiling an X.509 bug.  Basically what it comes down to is the way the certificate's name is parsed.  The CA sees the whole Common Name and validates ownership of the domain on the right, but in the client a null character stops the parsing dead in its tracks, so only what had been parsed up to that point (from left to right -- www.bankofamerica.com<NULLCHAR>.yourdomain.com) is used in the validation method, and the certificate matches the bank.  I'm not sure why anyone hasn't figured out a fix yet -- right to left anyone? (Save the comment, I know it's not *that* easy.)  Moxie went on to describe how easy it would be to push malicious code to Firefox using this technique.
[SSL Exploit Turns Firefox Into Malware Distributor]
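To make the null-prefix problem concrete, here is an added example (my code, not from the original post and not from Moxie's or Dan's tooling) of the two ways a client can compare a certificate's Common Name against the host it connected to.  The Common Name is a length-delimited ASN.1 string, so an embedded 0x00 byte is legal in the encoding; the sample CN below is constructed to mirror the one in the text.  The vulnerable function copies the CN into a C string and uses strcmp(), which stops at the embedded NUL, while the hardened function treats the CN as a byte string of known length and rejects anything that is not a legal DNS-name character.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CN exactly as a CA would have signed it: the bank's name,
 * an embedded NUL, then the attacker's real domain.  The CA's automated check
 * keys on the registrable domain at the right (yourdomain.com). */
static const unsigned char SAMPLE_CN[] =
    "www.bankofamerica.com\0.yourdomain.com";
/* sizeof includes the literal's trailing NUL; the embedded one is real data. */
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;

/* Returns a pointer to the bytes after the first embedded NUL, i.e. the part the
 * CA actually validated, or NULL if the CN has no embedded NUL. */
const unsigned char *after_embedded_nul(const unsigned char *cn, size_t cn_len)
{
    size_t i;
    for (i = 0; i < cn_len; i++) {
        if (cn[i] == '\0') return cn + i + 1;
    }
    return NULL;
}

/* VULNERABLE: the length-delimited CN is turned into a C string and compared
 * with strcmp(), so comparison ends at the embedded NUL and the bank's name
 * "matches".  This is the behaviour the post describes. */
int vulnerable_cn_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof(buf)) return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* HARDENED: compare the full cn_len bytes, case-insensitively, and refuse any
 * byte that cannot appear in a DNS name (NUL included).  A CN whose length does
 * not equal strlen(host) can never match. */
int safe_cn_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t i;
    for (i = 0; i < cn_len; i++) {
        unsigned char c = cn[i];
        if (!(isalnum(c) || c == '-' || c == '.' || c == '*')) return 0;
    }
    if (cn_len != strlen(host)) return 0;
    for (i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i])) return 0;
    }
    return 1;
}

int main(void)
{
    const char *host = "www.bankofamerica.com";
    const unsigned char *ca_part = after_embedded_nul(SAMPLE_CN, SAMPLE_CN_LEN);

    printf("CN bytes:          %zu\n", SAMPLE_CN_LEN);
    printf("CA validated:      %s\n", ca_part ? (const char *)ca_part : "(none)");
    printf("vulnerable match:  %d\n", vulnerable_cn_match(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("hardened match:    %d\n", safe_cn_match(SAMPLE_CN, SAMPLE_CN_LEN, host));
    return 0;
}
```

The hardened version is what the "right to left" quip is really asking for: the client must never shorten the name the CA signed, and a name the CA could not have validated (because it contains bytes a DNS label can't) should fail closed rather than be truncated into a match.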

Felix "FX" Lindner is at it again with Cisco.  This time he's focused on all the insecure web goodness Cisco is cranking out in their monolithic monopoly.  He couldn't have said it better when Lindner made the comment "I think it's well established that infrastructure is where attackers want to be".
[New Cisco Bugs]

The antiquated domain name system (circa early '80s) takes a beating again due to a vulnerability found in ISC's popular BIND software.  Really?  Like nobody thought something would be broken about DNS again this year?  If you're running a primary ('master' is so dominatrix) without the update you're more than likely pushing your luck at this point.
[BIND Crash Bug]

Today Charlie Miller basically told the world the iPhone doesn't deal well with squares.  Something about the sharp edges I think.  The bug reportedly can give total control to an evil-doer quite simply.  The fix?  Shut your phone off if you think you've been had (for now).
[How to Hijack Every iPhone in the World]

Martin McKeay interviews Babak Javadi and Deviant Ollam from Toool.  The "Emergency Credit Card Lockpick Set" version 2 has just what you need in a bind and comes in a credit card form factor.
[Black Hat Microcast with Babak and Deviant]

If you can pack it into a framework / kit then you're a trendy hacker these days.  An article over on Dancho Danchev's blog about a web malware kit whose emphasis is on social engineering talks about just this, and how the efficiency of running these types of attacks directly correlates to the "template-ization" (uh, framework?).
[Social Engineering Driven Web Malware Kit]

If you, or anyone you know, has a Volatility bug they've forgotten to submit the last call is out for 1.3 currently.  Volatility is an open collection of tools for the extraction of digital artifacts from volatile memory (i.e. RAM).
[Last Call for Volatility 1.3 Bugs]

Italian security researchers Andrea Barisani and Daniele Bianco's research has led to a new skimming technique to pull PINs from an ATM using just the "mains grid's earth lead" (I think this references the ground).  While interesting I'm not really sure of the practicality.  I might be missing something but I'm going to make a bold assumption that the card is still needed for the PIN to be of any value.
[Intercepting PINs at the Socket]

Everybody loves the Pwnies!  For 2009 the winners have been announced.  I'll save the suspense for the click through.
[Pwnies 2009]

In non-Black Hat / DEFCON news, Ars ran a story about a cheerleader in Mississippi suing the school because the coach forced her to disclose her Facebook login credentials.  How someone is in a teaching position and clearly doesn't understand basic constitutional rights is baffling.  And fired.
[Cheerleader Sues School]

By this point if you haven't read about "ZF05" you've really been living under a rock.  Rock stars Dan Kaminsky and Kevin Mitnick were among the many who were publicly disclosed.  Dan was quoted as wanting to have a beer with the perpetrator(s), fat chance.  The pasty-white-boy-skiddie-wannabes would be waiting in the wings to pounce I'm sure.
[Security Experts Hacked]
[ZF05 Digs]

Apparently MasterCard thinks that they are MastersOfTheUniverse.  In a most elegant move level 2 and 3 merchants are now being actively fined if they're not "compliant".  The only way some of these merchants found out was through the first $25,000 fine they received.  Don't even get me started.  Someone call Obama, we need to talk about this over a beer.
[MasterCard Fines Start NOW]

Project Quant, developed by Rich Mogull's company Securosis, has been unveiled by Microsoft this week.  The project is a new methodology aimed at calculating the costs of evaluating and deploying patches.  Kudos to Rich and team!  I highly recommend heading on over to Securosis to take a peek and submit some feedback.
[Microsoft's Project Quant]
[Securosis Project Quant]

I'll be honest, when I started to read the article about "Vanish" I thought it was a joke.  Nope, it's for real.  The University of Washington has developed a simple way to expire data that you publish, through a browser plugin mashed up with, what looks to be, certificate-based encryption technologies.
[Vanish - Self Destructing Digital Data]

News today of a leak pertaining to the safehouse of the President got suits in DC all up in a frenzy over P2P networks.  I'm sure they all understand the more you push the harder the resistance becomes.  We'll let them figure that out on their own though.
[Secret Obama Safe House Leaked]

We'll leave you tonight with something quite fun to laugh at.  Over on the innismir.net site is an article about an Internet lawyer who, honestly, knows little about the Internet or law.  Note to John W. Dozier: GET A CLUE.  Kthxbai.
[Internet Lawyer on DEFCON]
[Please Don't Hire This Jackass]

That's all for today folks as we've run out of time.  Check back soon or subscribe to the feed!  Comments are appreciated.

--windexh8er