Good evening! Wednesday, the kernel of my week - oh how I'm glad you've almost come to a close. The race for the weekend is all downhill from here. We've got lots of great commentary and links to share today, so on to the digs.
Generally I'd like to stay away from vendors advertising new, must-have, fabulous, can't-live-without technology - but BreakingPoint posted something that just looks too damn cool. "Write and simulate your own network strikes" they say! So as not to break out into a commercial for them I'll just point you to the link. I can't say I've ever had a chance to drive any BreakingPoint gear (I'll definitely take one for a test drive if they want to send me something though), so please don't take this as an actual endorsement.
[Write and Simulate Your Own Network Strikes]
Gartner has a fun little graphic up regarding the hype cycle of emerging technologies. While it's interesting to look at, that's about all it's good for in my book. Really, if an analyst at Gartner could predict the peak appropriately they wouldn't need to work at Gartner. Then we get to the "peak of inflated expectations" where, hold your breath, e-book readers and cloud computing sit. There are more little nuggets of thought-provoking humor (microblogging on the edge of the trough of disillusionment) scattered across the colorful roller-coaster-of-a-graphic, so check it out.
[Twitter Backlash Foretold]
UC Berkeley today disclosed that they may have exposed roughly 493 SSNs and other PII to a hacker. That gets me thinking -- are the bigger schools just better at realizing they've been breached, or are they just the bigger target?
[Hackers Strike UC Berkeley]
So I had a great laugh this morning with this one and then also learned an interesting tidbit of information from a coworker. At the surface of the story most news outlets are running the piece that Judge Leonard Davis of the U.S. District Court for the Eastern District of Texas issued a permanent injunction against Microsoft that prohibits them from selling or importing Word that, basically, has any XML functionality. That's what the mainstream press is running. What I learned was that Smith County in Texas has its own story of shady shenanigans, and now I have some "Murder She Wrote" style literature for my enjoyment this weekend. That's because in 1985 a book called "Smith County Justice" was published by a man named David Ellsworth. Let's just say that you can't get the book in print anymore because local authorities used pressure of sorts to have the book pulled from publishing and all unsold copies burned. Dum dum dum. Anyway, I'll leave it to you to solve the mystery of Smith County. Check out the links to get started!
[Judge Orders Microsoft to Stop Selling Word]
[Wikileaks - Smith County Justice]
Branden Williams informed me (well, not directly) that MasterCard has finally gotten around to clarifying their previously ambiguous L1 and L2 merchant fine machine. MasterCard yells "All hail QSA!" while Heartland banters "QSA - thou art a heretic!". Well, at this point I might as well post both links with this banter. Is it a full moon out tonight?
[MasterCard Clarifies Their Position]
[Heartland CEO on Data Breach]
Phish bombs away! Want to pwn your own Safari 4 "Top Sites"? Be prepared to get your electronica groove on with this screencast SecureThoughts has provided us with today. On to the show ladies and gents!
[Hijacking Safari 4 Top Sites with Phish Bombs]
Diebold is up to their same old same old, quietly patching "secure" vote counting software. If you like this story and are interested in more information on voting fraud and corruption I'd highly recommend watching "Uncounted - The New Math of American Elections". A coworker of mine helped produce and contribute research to the documentary and it's presented very well. After talking to him I learned that they actually had to chop out a few key segments because initial reactions were too strong from the public. Anyway, get your vote fraud news on.
[Diebold Quietly Patches Security Flaw in Vote Counting Software]
[Uncounted - The New Math of American Elections]
The mobile-phone attacks are coming, the mobile-phone attacks are coming! I didn't see this one on Gartner's hype cycle so it must be true. C'mon, anyone who hasn't seen this one coming since the release of the iPhone is living in a fantasy world where BeOS is making a comeback. Ahh, the good old days of BeOS. All in all it's a good discussion to be having now. We're hitting the critical mass where it's becoming glaringly obvious why and where the monarchy approval system (i.e. Apple's App Store) fails, but at the same time why it's well positioned to provide the sanity checks and balances that a completely open system, easily circumvented for the general populace, would lack.
[Android Security Chief: Mobile-Phone Attacks Coming]
From the you-may-not-have-known bin we pull out some Nmap goodness I learned from the fabulous VOIPSA blog. Nmap has a rather extensive set of fingerprints for VoIP devices! OK, so you already knew that fingerprinting was a big part of why you use Nmap in the first place, right? Well it struck me, while I was perusing the list, that I could (and will) help by adding a few devices I have access to that aren't in that list already. Truth be told, I feel like I haven't contributed anything back to the Nmap project recently and I really should.
[Something Old, Something New: Nmap's VoIP Fingerprinting]
Wow, there are lots of great links today! Unfortunately I'm already more than 20 minutes past due because of a busy evening. We'll leave you with a list in the grab bag tonight. If you find the daily digs useful, humorous or flat out lame, feel free to let us know in the comments! Take care y'all...
-windexh8er
[Dear Palm: Please Stop Tracking Me and My Pre Use]
[Typhoon Knocks Out Asia Telecom Cable]
[2Wire Routers Unauthorized Access]
[Energy Companies Say NERC Standards Inadequate]
[Technical Debt]
What better way to start off with some fresh content than the close of Black Hat 2009 and the start of DEFCON 17? Too bad I'm not in attendance, that's all I have to say about it.
First up to bat is the OpenDNSSEC project. At a high level, and to quote the site, "OpenDNSSEC takes in unsigned zones, adds the signatures and other records for DNSSEC and passes it on to the authoritative name servers for that zone." From the looks of it, it's built on a PKCS#11 abstraction layer for its key storage, so the signing keys can live in an HSM. Let's just hope it's not solely based on X.509 certs (we'll get to that)!
[OpenDNSSEC Project]
Keeping this one simple we'll call it like it is - Cisco BGP DoS.
[Cisco BGP DoS]
Who doesn't have an iPhone these days, right? Well, Apple is staking a bold claim that those who jailbreak pose a, I kid you not, "national security threat". All your baseband belong to jailbroken phones is what I'm thinkin'!
[Jailbreaking iPhone Could Pose Threat to National Security]
Rootkits abound thanks to chipmaker Intel. El Reg ran an article about how chipzilla is warning of rootkit-style attacks that lead to privilege escalation. BIOS: 0 / EFI: 1
[Intel Warns Over Baremetal BIOS Bug]
Moxie Marlinspike and Dan Kaminsky collided today in both unveiling an X.509 bug. Basically what it comes down to is how the certificate's Common Name is parsed. In the DER the CN is a length-prefixed string, so a CA will happily issue one that contains a null byte, but a client that copies it into a C string stops parsing dead in its tracks at that null, and only what had been parsed (from left to right - www.bankofamerica.com<NULLCHAR>.yourdomain.com, so just www.bankofamerica.com) is used in the validation method, even though the CA only ever checked that the requester owned yourdomain.com. I'm not sure why anyone hasn't figured out a fix yet -- right to left anyone? (Save the comment, I know it's not *that* easy.) Moxie went on to describe how easy it would be to push malicious code to Firefox using this technique.
[SSL Exploit Turns Firefox Into Malware Distributor]
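To make the parsing point concrete, here is an added example written for this post (it is not Moxie's or Dan's tooling, and the DER bytes, the CN, the host names and the function names are all constructed for illustration). A tiny DER parser pulls the Common Name out of a UTF8String TLV using the length byte, so it sees all 37 bytes; a strcmp-based check then accepts www.bankofamerica.com because it stops at the embedded null, while a length-aware check that also rejects embedded nulls does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed DER UTF8String (tag 0x0c) carrying the post's example CN:
 * "www.bankofamerica.com" NUL ".yourdomain.com" -> 21 + 1 + 15 = 37 bytes. */
static const unsigned char kDerCN[] = {
    0x0c, 0x25, /* UTF8String, length 37 (short form) */
    'w','w','w','.','b','a','n','k','o','f','a','m','e','r','i','c','a','.','c','o','m',
    0x00,
    '.','y','o','u','r','d','o','m','a','i','n','.','c','o','m'
};

/* Minimal DER string parser: one TLV with a short-form length (< 128 bytes).
 * Accepts UTF8String (0x0c), PrintableString (0x13) and IA5String (0x16). */
bool der_parse_string(const unsigned char *tlv, size_t tlv_len,
                      const unsigned char **val, size_t *val_len)
{
    if (tlv_len < 2) return false;
    unsigned char tag = tlv[0];
    if (tag != 0x0c && tag != 0x13 && tag != 0x16) return false;
    size_t len = tlv[1];
    if (len & 0x80) return false;        /* long-form length: out of scope here */
    if (tlv_len < 2 + len) return false; /* truncated TLV */
    *val = tlv + 2;
    *val_len = len;
    return true;
}

/* Vulnerable check: copies the CN into a buffer and treats it as a C string.
 * strcmp() stops at the first NUL, so ".yourdomain.com" is never compared. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof(buf)) return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened check: reject any embedded NUL, then compare the full DER length.
 * (Real matching is also case-insensitive and handles wildcards; this only
 * shows the length issue.) */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL) return false;
    if (cn_len != strlen(host)) return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Parse the DER CN and run one of the two checks against the expected host. */
bool check_host(const unsigned char *der, size_t der_len, const char *host, bool hardened)
{
    const unsigned char *cn;
    size_t cn_len;
    if (!der_parse_string(der, der_len, &cn, &cn_len)) return false;
    return hardened ? cn_matches_hardened(cn, cn_len, host)
                    : cn_matches_vulnerable(cn, cn_len, host);
}

int main(void)
{
    const char *host = "www.bankofamerica.com";
    printf("vulnerable check accepts %s: %s\n", host,
           check_host(kDerCN, sizeof kDerCN, host, false) ? "yes" : "no");
    printf("hardened check accepts %s:   %s\n", host,
           check_host(kDerCN, sizeof kDerCN, host, true) ? "yes" : "no");
    return 0;
}
```

The fix in the hardened version is the boring one: never convert a length-prefixed DER string into a NUL-terminated one before comparing it, and treat an embedded null as a reason to fail closed.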
Felix "FX" Lindner is at it again with Cisco. This time he's focused on all the insecure web goodness Cisco is cranking out in their monolithic monopoly. He couldn't have said it better when Lindner made the comment "I think it's well established that infrastructure is where attackers want to be".
[New Cisco Bugs]
The antiquated domain name system (circa early 80's) takes a beating again due to a vulnerability found in the popular BIND software by ISC. Really? Like nobody thought something would be broken about DNS again this year? If you're running a primary ('master' is so dominatrix) without the update you're more than likely pushing your luck at this point.
[BIND Crash Bug]
Today Charlie Miller basically told the world the iPhone doesn't deal well with squares. Something about the sharp edges I think. The bug reportedly can give total control to an evil-doer quite simply. The fix? Shut your phone off if you think you've been had (for now).
[How to Hijack Every iPhone in the World]
Martin McKeay interviews Babak Javadi and Deviant Ollam from Toool. The "Emergency Credit Card Lockpick Set" version 2 has just what you need in a bind and comes in a credit card form factor.
[Black Hat Microcast with Babak and Deviant]
If you can pack it into a framework / kit then you're a trendy hacker these days. An article over on Dancho Danchev's blog about a web malware kit whose emphasis is on social engineering talks about just this, and how the efficiencies of running these types of attacks directly correlate to the "template-ization" (uh, framework?).
[Social Engineering Driven Web Malware Kit]
If you, or anyone you know, has a Volatility bug they've forgotten to submit the last call is out for 1.3 currently. Volatility is an open collection of tools for the extraction of digital artifacts from volatile memory (i.e. RAM).
[Last Call for Volatility 1.3 Bugs]
Italian security researchers Andrea Barisani and Daniele Bianco's research has led to a new skimming technique to pull PINs from an ATM using just the "mains grid's earth lead" (I think this refers to the ground wire). While interesting I'm not really sure of the practicality. I might be missing something, but I'm going to make a bold assumption that the card is still needed for the PIN to be of any value.
[Intercepting PINs at the Socket]
Everybody loves the Pwnies! For 2009 the winners have been announced. I'll save the suspense for the click through.
[Pwnies 2009]
In non-Black Hat / DEFCON news Ars ran a story about a cheerleader in Mississippi suing the school because the coach forced her to disclose her Facebook login credentials. How someone is in a teaching position and clearly doesn't understand basic constitutional rights is baffling. And fired.
[Cheerleader Sues School]
By this point if you haven't read about "ZF05" you've really been living under a rock. Rock stars Dan Kaminsky and Kevin Mitnick were among the many that were publicly disclosed. Dan was quoted as wanting to have a beer with the perpetrator(s), fat chance. The pasty-white-boy-skiddie-wannabes would be waiting in the wings to pounce I'm sure.
[Security Experts Hacked]
[ZF05 Digs]
Apparently MasterCard thinks that they are MastersOfTheUniverse. In a most elegant move level 2 and 3 merchants are now being actively fined if they're not "compliant". The only way some of these merchants found out was through the first $25,000 fine they received. Don't even get me started. Someone call Obama, we need to talk about this over a beer.
[MasterCard Fines Start NOW]
Project Quant, developed by Rich Mogull's company Securosis, has been unveiled by Microsoft this week. The project is a new methodology aimed at calculating the costs of evaluating and deploying patches. Kudos to Rich and team! I highly recommend heading on over to Securosis to take a peek and submit some feedback.
[Microsoft's Project Quant]
[Securosis Project Quant]
I'll be honest, when I started to read the article about "Vanish" I thought it was a joke. Nope, it's for real. The University of Washington has developed a simple way to expire data that you publish, through a browser plugin mashed up with encryption where the key is split by secret sharing and scattered across a peer-to-peer DHT, so the pieces age out of the network and the data becomes unreadable on its own.
[Vanish - Self Destructing Digital Data]
News today of a leak pertaining to the safehouse of the President got suits in DC all up in a frenzy over P2P networks. I'm sure they all understand the more you push the harder the resistance becomes. We'll let them figure that out on their own though.
[Secret Obama Safe House Leaked]
We'll leave you tonight with something quite fun to laugh at. Over on the innismir.net site is an article about an Internet lawyer who, honestly, knows little about the Internet or law. Note to John W. Dozier: GET A CLUE. Kthxbai.
[Internet Lawyer on DEFCON]
[Please Don't Hire This Jackass]
That's all for today folks as we've run out of time. Check back soon or subscribe to the feed! Comments are appreciated.
--windexh8er