Daily Digs – 09.15.2009
Amazing, I actually started tonight's digs before 10pm. Then I realized that I hadn't read most of what I marked for tonight so it'll take me just as long by the time I actually get this one posted. I just can't beat time these days!
The 'ctricky and Web Application Security' blog had a post on some great insight of things to ask during an app sec test. I've never actually run across this particular scenario before but the point is that JS pop-up warnings mean nothing to your proxy and may present warnings that the tester will never see (like "If you do this you'll break all of prod"). Anyway, read the post for the full rundown.
[BToD Target Scope and Precautions]
VeriSign's new DDoS attack protection service is an interesting topic for me. I've dealt with countless large enterprise carrier services along with the architecture around load balancing and multi-homed environments. So offloading all of your traffic in an event (i.e. throwing the BGP switch) to VeriSign seems a tad bit scary, oh - but no worries they'll route the good traffic back. The other thing is all of the Netflow data VeriSign collects (to do this) is an interesting concept. To me, architecturally, this looks like a bad idea and maybe I'll just have to dig into this one a little more. For now you can start your own opinions by starting to read about it at the link.
[VeriSign Extends DDoS Attack Protection]
Work in defense? Then COTS is something you probably deal with on a daily basis. The funny thing is that when I started my career in the defense industry a lot of proprietary hard and software were being gutted for COTS. Even I knew (as I started out as a System Engineering Associate), that the square peg they were jamming in the round hole didn't fit. Apparently the cyclical monster is coming around in the DOD on this one.
[DoD Rethinking Build Versus Buy]
West side what? Go figure - China modeling how to take down the US power grid for fun. Reminds me of a conference I was at a few years ago in which a consultant disclosed some interesting facts about the substation and grid connections the Mall of America has in it's substructure. We then learned how to shut the lights off in all of the neighboring communities that particular day.
[DHS to Review Report on Vulnerability in West Coast Power Grid]
This was one of the best / most disturbing banking related articles I've read in a while. It's also why you shouldn't do most any online business with HSBC. I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block. This one's just downright "special" (and not really from today, but I ran across it in my feeds).
[So Funny I Forgot To Laugh]
This one came across the OSF data loss incidents list and it made me think. Do you really think Jones General Store has any idea of PCI? It's so focused today in big business and infrastructure security yet these types of processes still exist in hundreds of thousands of small businesses day in and day out. In fact, this past weekend, I saw more carbon copies of card data at a local art fair than I'd care to pretend were still around.
[University Hill Shops Burglarized; Credit Cards Stolen]
As of this posting less than 19 hours until the Social Engineering Framework is released. Mark it on your smartphone yo.
[Social Engineering: Exploiting Human Vulnerabilities]
All you need to know about this one: "Operation Hot Date", Dumb Sheriff in Florida, and Craigslist for your evening entertainment.
[Another Sheriff Goes After CL]
That's all he wrote for tonight boys and girls. We'll leave you with some links to peruse, but without the colorful commentary. Take care and keep your stick on the ice! Also, first person to tweet "I won the easter egg hunt at www.securitystallions.com" and @s me in the message wins a $20 Starbucks gift card (first person = one winner). Figuring out where to find me on Twitter should be trivial. Get your tweet in before 10:30pm on Wednesday, September 16th 2009 Central.
[Does IBM Have a Fix for Banking Infrastructure?]
[Security Attitudes]
[Thoughts on the Cult of Schneier]
[Pwnage Tool and iPhone 3.1]
[AMD 'Eyefinity' Powers 24 Monitors]
[A BSoD and Possibly More]
[No TCP/IP Patches for XP]
[OpenDNS Announces Premium Cloud Services]
Daily Digs – 07.30.2009
What better way to start off with some fresh content then the close of Black Hat 2009 and the start of DEFCON 17? Too bad I'm not in attendance, that's all I have to say about it.
First up to bat is the OpenDNSSEC project. At a high level, and to quote the site, "OpenDNSSEC takes in unsigned zones, adds the signatures and other records for DNSSEC and passes it on to the authoritative name servers for that zone." From the looks of it it's based on the PKCS#11 abstraction layer. Let's just hope it's not solely based on X.509 certs (we'll get to that)!
[OpenDNSSEC Project]
Keeping this one simple we'll call it like it is - Cisco BGP DoS.
[Cisco BGP DoS]
Who doesn't have an iPhone these days, right? Well, Apple is staking a bold claim that those who jailbreak pose a, I kid you not, "national security threat". All your baseband belong to jailbroken phones is what I'm thinkin'!
[Jailbreaking iPhone Could Pose Threat to National Security]
Rootkits abound thanks to chipmaker Intel. El Reg ran an article about how chipzilla is warning of rootkit-style attacks that lead to privilege escalation. BIOS: 0 / EFI: 1
[Intel Warns Over Baremetal BIOS Bug]
Moxie Marlinspkie and Dan Kaminsky collided today in both unveiling an X.509 bug. Basically what it comes down to is the way the certificate is parsed. Null characters stop the parsing dead in it's tracks and only what had been parsed (from left to right - www.bankofamerica.com<NULLCHAR>.yourdomain.com) is used in the validation method. I'm not sure why anyone hasn't figured out a fix yet -- right to left anyone? (Save the comment, I know it's not *that* easy.) Moxie went on to describe how easy it would be to push malicious code to FireFox using this technique.
[SSL Exploit Turns Firefox Into Malware Distributor]
Felix "FX" Lindner is at it again with Cisco. This time he's focused on all the insecure web goodness Cisco is cranking out in their monolithic monopoly. He couldn't have said it better when Linder made the comment "I think it's well established that infrastructure is where attackers want to be".
[New Cisco Bugs]
The antiquated domain name system (circa early 80's) takes a beating again due to a vulnerability found in the popular BIND software by ISC. Really? Like nobody thought something would be broke about DNS again this year? If you're running a primary ('master' is so dominatrix) without the update you're more than likely pushing your luck at this point.
[BIND Crash Bug]
Today Charlie Miller basically told the world the iPhone doesn't deal well with squares. Something about the sharp edges I think. The bug reportedly can give total control to an evil-doer quite simplisticly. The fix? Shut your phone off if you think you've been had (for now).
[How to Hijack Every iPhone in the World]
Martin McKeay interviews Babak Javadi and Deviant Ollam from Toool. The "Emergency Credit Card Lockpick Set" version 2 has just what you need in a bind and comes in a credit card form factor.
[Black Hat Microcast with Babak and Deviant]
If you can pack it into a framework / kit then you're a trendy hacker these days. An article over on Dancho Danchev's blog about a web malware kit that's emphasis is on social engineering talks about just this and how the efficiencies of running these types of attacks directly correlate to the "template-ization" (uh framework?).
[Social Engineering Driven Web Malware Kit]
If you, or anyone you know, has a Volatility bug they've forgotten to submit the last call is out for 1.3 currently. Volatility is an open collection of tools for the extraction of digital artifacts from volatile memory (i.e. RAM).
[Last Call for Volatility 1.3 Bugs]
Italian security researchers Andrea Barisani and Daniele Bianco's research has led to a new skimming technique to pull PINs from an ATM using just the "mains grid's earth lead" (I think this references the ground). While interesting I'm not really sure of the practicality. I might be missing something but I'm going to make a bold assumption that the card is still needed for the PIN to be of any value.
[Intercepting PINs at the Socket]
Everybody loves the Pwnies! For 2009 the winners have been announced. I'll save the suspense for the click through.
[Pwnies 2009]
In non-Black Hat / DEFCON news Ars ran a story about a cheerleader in Mississippi suing the school because the coach forced her to disclosure Facebook login credentials. How someone is in a teaching position and clearly doesn't understand basic constitutional rights is baffling. And fired.
[Cheerleader Sues School]
By this point if you haven't read about 'ZF05" you've really been living under a rock. Rock stars Dan Kaminsky and Kevin Mitnick were of the many that were publicly disclosed. Dan was quoted as wanting to have a beer with the perpetrator(s), fat chance. The pasty-white-boy-skiddie-wannabes would be waiting in the wings to pounce I'm sure.
[Security Experts Hacked]
[ZF05 Digs]
Apparently MasterCard thinks that they are MastersOfTheUniverse. In a most elegant move level 2 and 3 merchants are now being actively fined if they're not "compliant". The only way some of these merchants found out was through the first $25,000 fine they received. Don't even get me started. Someone call Obama, we need to talk about this over a beer.
[MasterCard Fines Start NOW]
Project Quant, developed by Rich Mogull's company Securosis, has been unveiled by Microsoft this week. The project is a new methodology aimed at calculating costs around evaluating and deploying patches. Kudos to Rich and team! I highly recommend heading on over to Securosis to take a peek and sumbit some feedback.
[Microsoft's Project Quant]
[Securosis Project Quant]
I'll be honest, when I started to read the article about "Vanish" I thought it was a joke. Nope, it's for real. Washington University has developed a simple way to expire data that you publish through a browser-plugin mashed up with, what looks to be, certificate based encryption technologies.
[Vanish - Self Destructing Digital Data]
News today of a leak pertaining to the safehouse of the President got suits in DC all up in a frenzy over P2P networks. I'm sure they all understand the more you push the harder the resistance becomes. We'll let them figure that out on their own though.
[Secret Obama Safe House Leaked]
We'll leave you tonight with something quite fun to laugh at. Over on the innismir.net site is an article about an Internet lawyer who, honestly, knows little about the Internet or law. Note to John W. Dozier: GET A CLUE. Kthxbai.
[Internet Lawyer on DEFCON]
[Please Don't Hire This Jackass]
That's all for today folks as we've run out of time. Check back soon or subscribe to the feed! Comments are appreciated.
--windexh8er
Tags
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Feb | ||||||
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | |||
Random Musings
Twitter: windexh8er
- @jamesonstudios KC9DXC. Have fun! :) about 9 hours ago from Twitter for Androidin reply to jamesonstudios
- @jamesonstudios I've had it since 2000. ;) Can haz stomp on your unlicensed freqs! about 10 hours ago from Twitter for Androidin reply to jamesonstudios
- Thinking I have one of the fastest/most resiliant/expensive networks ever at the lake. More than 20 components of just network gear so far. about 21 hours ago from web
- Now that's a nice wireless transport link to have running... http://twitpic.com/2ke7th about 23 hours ago from Twitter for Android
- A handful of Python & Arduino books that look like good reads on pre-order - glad to see books catering more to HW hacking lately! 05:54:51 PM September 01, 2010 from web