31 January, 2008

Bad news for Microsoft

After claims that the first critical bug of 2008 would be difficult to exploit and unlikely to be found in the wild, Immunity Inc., the makers of the well known and highly touted CANVAS pen testing application, published a Flash video demonstrating that the bug is readily exploitable. From the looks of it, this is pretty serious.

29 January, 2008

Implementing corporate security

There's a great post by Jeremiah Grossman entitled, "Technology helps, but people matter most" and I wish my old boss would read this. J-bliggity, you should read this too.

All too often, managers (I'm making a generalization, it's not always managers, but they seem most prone to do this) lose sight of how to implement security. If we buy product X, our security posture will improve. If we scan our network with product Y, we will be more secure. This is not entirely true. While expensive tools can help in securing your network, if there aren't enough people to effectively and consistently understand and use these tools, then analyze results and implement fixes or mitigating factors to reduce the risk, the tool doesn't matter.

Sometimes the security shop is too small to undertake all the needs of a modern, growing corporation. That's a reality. But when the company reaches this point, it NEEDS to hire more people. No matter how many tools you buy, they will not replace one person in a chair doing good, old fashioned log and IDS analysis. This is a necessity.

In my last job, sure we had an IDS at every site. It worked in theory. In reality, we rarely had time to look at the logs, so who knows what was hitting our network day-to-day? Some days we wouldn't read logs at all, and our boss was OK with that!

I understand that it's difficult for managers to get funding for security sometimes. Security is not a cost center; it takes real people to secure a network. Sometimes it's easier to get approval to buy a tool than to hire a new employee. Great! But realize that unless your staff has the time to use that tool, and I don't mean scheduling scans, you just wasted a bunch of money that could have gone to hiring someone to do real work.

I think this mentality is beginning to change. C-level execs and department heads are starting to understand the importance of a good security staff. Incident response is taken seriously in most medium and large businesses now. That's a good start, I just hope the trend continues.

Yahoo! CAPTCHA! hacked!

That's right, Russian hackers have achieved 35% accuracy decoding Yahoo!'s CAPTCHA. Guess we need a new way to determine I'm not a bot.

28 January, 2008

Helping analysts ID malware?

This post by F-Secure caught my eye because the malware writers added in a line that says exactly what backdoor they're using, directed toward malware analysts!

What exactly is the point of this? Assuming the info is correct, are the writers just saying a friendly, "Hello?"

25 January, 2008

GNUCITIZEN: DHCP name poisoning

Ever heard of DNS poisoning? This is pretty similar, but seems like it's a lot more clever. How do you protect against this?

Encouraging! I wonder how often this happens...

Loaded gun slips through airport security.

24 January, 2008

I'd like to search your cell phone

Police: Do you know why I pulled you over?
You: No sir officer.
Police: You ran a stop sign.
You: Sorry officer. I guess I didn't see it.
Police: I need to search your cell phone.
You: ??? Uh, I don't think that's legal, sir.
Police: TASER!

Don't let this happen to you. According to an article on Gizmodo, cops can search you, your vehicle, and your cell phone. Wow.

mDNS Poisoning

From GNUCITIZEN -- mDNS poisoning to glean (lots of) information and poison DNS.

Update: North Dakota spam fighter

In a recent blog post, I was pretty critical of the North Dakota legal system. Security Focus published an in-depth look at this situation, and surprisingly the argument makes a lot of sense. That's not to say I agree with the decision, but I do believe the spam fighter did some questionable things.

In my mind, we need to have more clearly defined laws to eliminate any confusion in these kinds of situations.

23 January, 2008

Cyber jihadists upping the ante

We know that cyberterrorism is on the rise, and we know that these groups are getting more efficient. Read this post from Dancho Danchev to get a glimpse of the latest advances.

22 January, 2008

Idea for a new phishing filter

I've got an idea for a Firefox addon, but I'm not sure how useful it would be. It struck me when I was looking for some active phishing sites and only one of the ones I found was detected by Firefox as a suspected forgery. Maybe this has been done already, but the type of detection I have seen is reactive rather than proactive (i.e., checking whether the site is a known phishing site). You get limited use out of reactive detection, which leaves the first few victims hung out to dry.

Why not just implement a simple(ish) checksum on the login page? If you are a customer of (say) Capital One, your banking login page probably won't change very often. Here's the idea: have a phishing addon that's completely tailored to the user. If you use (for example) gmail, Capital One, and facebook, put three URL entries into the plugin for those login pages, then tell it how often to update its fingerprint. You'd need a whitelist or 'add to site' option too for sites with multiple login pages.

After that, you're on your way. Next time you hit a fake Facebook login page, the page gets checksummed and compared with the original. If it doesn't match, BANG! You get a big fat alert with a % of certainty. There would need to be some kind of verification function to say, "Yes, this is a page that is trying to look like a Facebook login page," and that would be the hard part. A bitmap snapshot? MD5? SHA-1? Then matching on strings and phrases? Or code that won't change much (like CSS)?

Unfortunately this all assumes that the phishing page is somewhat similar looking to the original, and it assumes the user is vigilant enough to still be cautious and not put in credentials wherever it asks. Maybe there's not a whole lot of value in this idea, but the point is to use something non-reactive.
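One way to build the verification function the post calls the hard part, as an added example that is not part of the original post: instead of hashing the whole page (a rotating CSRF token alone would defeat MD5 or SHA-1), reduce each whitelisted login page to its structural tokens and score look-alikes by set similarity; a strong match served from a host outside the whitelisted domain is the alert case. The hostnames, URLs and HTML are constructed for the example.

```javascript
// Added example by the editor, not code from the original post: a per-user
// login-page fingerprint check in the spirit of the proposed addon. A whole-page
// MD5/SHA-1 breaks on every rotating CSRF token, so the page is reduced to
// structural tokens (title words, input names, CSS classes) and compared with a
// Jaccard similarity. All hostnames, URLs and HTML below are constructed.

// Reduce an HTML document to the structural tokens a phishing copy usually keeps.
function extractTokens(html) {
  const tokens = new Set();
  const title = /<title[^>]*>([^<]*)<\/title>/i.exec(html);
  for (const w of (title ? title[1] : '').toLowerCase().split(/\W+/)) if (w) tokens.add('title:' + w);
  for (const m of html.matchAll(/<input\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi))
    tokens.add('input:' + m[1].toLowerCase());
  for (const m of html.matchAll(/\bclass\s*=\s*["']([^"']+)["']/gi))
    for (const c of m[1].split(/\s+/)) if (c) tokens.add('class:' + c.toLowerCase());
  return tokens;
}

// Jaccard similarity |A ∩ B| / |A ∪ B| in [0, 1]; 1 means identical token sets.
function jaccard(a, b) {
  let inter = 0;
  for (const t of a) if (b.has(t)) inter++;
  const union = a.size + b.size - inter;
  return union === 0 ? 0 : inter / union;
}

// "Update its fingerprint": snapshot a whitelisted login page under its real domain.
function makeProfile(name, host, html) {
  return { name, host, tokens: extractTokens(html) };
}

const SUSPECT_THRESHOLD = 0.5; // below this the page is not a look-alike at all
// Compare a page with every stored profile; a close match served from outside the
// profile's domain is the "big fat alert" case.
function checkPage(url, html, profiles) {
  const host = new URL(url).hostname;
  const tokens = extractTokens(html);
  let best = { profile: null, score: 0 };
  for (const p of profiles) {
    const score = jaccard(tokens, p.tokens);
    if (score > best.score) best = { profile: p, score };
  }
  if (!best.profile) return { verdict: 'unknown', certainty: 0 };
  const sameSite = host === best.profile.host || host.endsWith('.' + best.profile.host);
  const certainty = Math.round(best.score * 100); // the "% of certainty" in the alert
  if (sameSite) return { verdict: 'ok', lookalike: best.profile.name, certainty };
  if (best.score >= SUSPECT_THRESHOLD) {
    return { verdict: 'suspected-forgery', lookalike: best.profile.name, certainty };
  }
  return { verdict: 'unknown', certainty };
}

// Constructed real login page. The hidden csrf value rotates on every request,
// which is exactly why a whole-page checksum would never match twice.
const BANK_LOGIN = `<html><head><title>Example Bank - Sign In</title></head>
<body class="login-page"><form method="post" action="/signin/submit" class="login-form">
<input type="text" name="username" class="field">
<input type="password" name="password" class="field">
<input type="hidden" name="csrf" value="a1b2c3">
<button type="submit" class="btn btn-primary">Sign In</button></form></body></html>`;
// Constructed phishing copy: same look, saved without the hidden csrf field.
const PHISH_COPY = BANK_LOGIN.replace(/<input type="hidden"[^>]*>\n/, '');
const profiles = [makeProfile('Example Bank', 'example-bank.com', BANK_LOGIN)];
console.log(checkPage('https://www.example-bank.com/signin', BANK_LOGIN, profiles));
console.log(checkPage('http://example-bank.account-verify.example/signin/', PHISH_COPY, profiles));
```

The threshold and token choice are the tuning knobs: CSS class names survive a copy far better than a bitmap or a full-page hash, but a page that is only loosely modelled on the original will still score below the threshold.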

Fire sale phase two! or, what's the next step after SCADA?

The CIA is talking about some unknown foreign utilities who have gotten their power grids pwned. This isn't really anything new, but now it's a *real* threat. SCADA is now synonymous with hackable? Or maybe this is just some harmless fear mongering.

RIAA website gets pwned

Whoops! Guess they should pay a little more attention.

Schneier: Dutch RFID transit card hacked before deployment

I hope they can fix this, otherwise that's 2 Billion Euros well spent.

(Yet another) Failure of the legal system

In North Dakota, there's this guy trying to fight spammers. He is trying to shut down a specific spammer and goes to court. A judge, severely technically ignorant, decides that performing a zone transfer is illegal and he now faces jail time. Are. You. SERIOUS??! First, the internetz was a system of tubes acting all tubular, then you couldn't use 'hacker' software, now you can't perform a zone transfer.

Can we PLEASE get some people who aren't completely clueless into power? How can we expect to successfully protect privacy, pass effective legislation, and continue to keep up with technological advances with this level of ignorance running rampant? At least Rothe-Seeger is retiring soon.

21 January, 2008

Why does Palm suck?

I've wanted to code up a Location Positioning System (LPS) ever since I got a Treo 700p. Google beat me to it with 'My Location' in Google Maps. Over the weekend I was in Manhattan and a friend recently bought a Garmin for her car. Another friend has a service called VZ Navigator for her phone that essentially does GPS and turn-by-turn via Verizon's network. Thinking this was pretty cool, I downloaded Google Maps and proceeded to try and use 'My Location.' Turns out, Palm decided not to open the API that gives access to the cell tower IDs, the piece of information needed for LPS calculations. According to a statement from Palm, they're going to open the API for 'newer devices.' I guess there's always a possibility they'll backport it to the 700p.

Needless to say, I'm considering a new phone. After looking around, I could get a crappy Blackberry, or a bunch of crappy Windows Mobile phones. I'm really, really reluctant to buy anything Windows based since they've had stability problems in the past, but I'm actually considering it. Even with stability problems, if the damn phone doesn't lag as badly as the Treo I'd buy it. I was really happy with the Pearl. Ahh well, maybe a new Palm will come out that will actually work.

15 January, 2008

Active phishing sites

I'm traveling, so I don't really have much will to post. So, here are some active bank phishing sites!

WARNING: VISIT THESE SITES AT YOUR OWN RISK!

I make no claims about the safety of these sites. Most likely they will try to harm your PC. You have been warned.

#1:
http://sitekey.bankofamerica-accountupdate.com/signin/loginsubmit.php
http://sitekey.bankofamerica-accountupdate.com/signin/

#2:
http://www.wachovia-online-banking.com/
(not really sure what the point of this one is...)

#3:
http://www.capitalone0.go.ro/onlinebanking.capitalone.com/CAPITALONE/index.html

No whois available

#4:
http://djmfarms.com/https/login.php?id=1200458174

There are so many of these sites and they are so easy to find.

I really thought it was the feds

I'm out at this restaurant. Not a fancy restaurant, but rather a hole-in-the-wall type place. Everyone is in jeans and t-shirts. Dirty t-shirts at that. So there I am eating some food and in walks this guy with a crew cut, glasses, buff, a black suit, shiny shoes, is totally nondescript, a blandly colored tie, and is looking around, as if for someone. My immediate thought was, "FED!" Shortly thereafter he passed out of my sight and I never saw him again. This is the first time where I actually thought a fed was going to take someone in. Weird.

11 January, 2008

There goes phase 1 of the fire sale...

A Polish teenager was able to modify a TV remote control to manipulate track switches and, ultimately, derail some trams. He had to do some substantial information gathering and research before this, but this is pretty neat, albeit EXTREMELY dangerous. Interesting that he used a TV remote.

REPOST: In-store kiosks

I was at a major computer and electronics store recently and found myself waiting for a salesperson. To help pass the time, I started playing with one of the in-store kiosks at the main 'Computers/Tech-support' counter. The kiosk provides access to an internal domain (kiosk.storename.com I think) that mirrors the external storename.com website but with some subtle differences. Store employees can also use it to search inventory and probably a couple other things.

I poked around the mirror site and sure enough, XSS. A big one too. Right in the main search field. Simple as this:

<script>alert("XSS")</script>

Come on guys. I expect better.

=-=

Had to repost because I am stupid ;)

09 January, 2008

Just because it says so doesn't mean it's true

Geeks.com hacked? Check. Customer info stolen? Check. Still 'Hacker Safe?' Check. Wait a minute...

I wonder if they even have a little gif for 'Not Hacker Safe.' Let me lend a hand.

08 January, 2008

You like EnCase? Enough to be a PI or cop?

Some states have already passed legislation that limits the admissibility of computer forensic evidence in court. Evidence is admissible in court only if the examiner is either a PI (with valid PI's license) or police. As 'The Register' says, this doesn't make too much sense since there are many (many) more highly qualified security people who will now be excluded from doing forensic examinations.

Makes no sense. No sense at all. That EnCase cert will be useless soon enough.

07 January, 2008

Hackers on a plane revisited

The new Boeing 787 Dreamliners have a problem: the network designed to provide in-flight internet access to travelers is not properly separated from the network used to control vital plane functions (namely keeping it in the air). Wired magazine reports that this "is causing concern in security circles." Imagine hooking in-flight controls up to Microsoft Flight Simulator. Look mom, no hands!

New census; is this for real?

I can't imagine anyone who wouldn't want to give the government his/her annual salary information, health details, number of children, what time he/she leaves and returns from work, etc. This new census isn't an invasion of privacy at all, and it has immediately understandable reasons why it is necessary and how it will help the general population. I am a meat popsicle.

/sarcasm

You have got to be kidding me.

Some people just don't get it.

The audacity! The incompetence! The nincompoopery! No matter how you present an idea, no matter your intentions, someone will always decide that he/she is the subject matter expert and that anyone actually cares what he/she has to say.

I'm referring to the contest that RSnake is holding for studying how XSS worms replicate. Unfortunately, there has been quite a bit of backlash to the news of this, including at least one highly regarded security person. Maybe I shouldn't be, but I am very surprised at the amount of outcry-slash-criticism over this. It's not the first time a contest like this has been held and will certainly not be the last. To all the people who believe this contest will drastically hurt the overall state of net security, shame on you. The only way to advance our protection is to come up with new and ingenious exploits BEFORE they are used in the wild by a small group of people. If we collaborate together in an open community (read: this contest) then everyone benefits. Not only will the code and logic be out there, but it gives companies the insight on how to fix existing and potential problems. Compare that to scrambling to secure a website against some 0day.

Just because you ignore a problem doesn't mean it will go away. Nor does it mean that 'bad guys' won't use the code that comes out of the contest. There are tradeoffs in everything. At least in this scenario, everyone has access to the code at the same time instead of some anonymous hacker using an 0day to steal (potentially) millions of people's information. It makes me so frustrated to see that the ideologies of so many 'security experts' are so skewed. Keep up the good work RSnake, hope to catch you at Black Hat/DefCon.

05 January, 2008

Thinking more about SMS spam...

I started thinking about a recent post and was wondering what kind of effect one could achieve with a botnet the size of Storm Worm, or even just a few thousand workstations. More specifically, I'm thinking about how hard it would be to DoS a telecom, or if it would even be possible. You'd probably need to use a number of free SMS-sending services targeting a small, local-ish telecom. Let's say the average person sends 20 text messages a day. Let's say your targeted telecom is small -- only around 37,000 customers. That's 740,000 text messages sent right there. Pretty trivial.

Potential problems would include DoSing your free SMS services and DoSing your targeted phone numbers (the actual cell phones). That doesn't really matter though since the message will get sent regardless of the phone being on or off. This might actually work in your favor if the messages get queued up for delivery if the phone is unreachable.

In the course of writing this post, I found an analysis of vulnerabilities in SMS-capable networks. Granted, this is from 2005, so cellular networks are (presumably) somewhat more capable now, but maybe that is a fallacious assumption. After looking at this research, a small telecom would be pretty easy to DoS. I'd love to see a PoC of this. We've seen this happen before in real conditions (9/11).

To extend this thought, I wonder how much effort it would take to DoS a specific cell tower. I'm not sure how you would target a single tower, or even small group of towers. Hmm.

04 January, 2008

Information leakage is like...

When given a seemingly mundane piece of information, say a press-release PDF or a partially redacted image, what kind of information can you retrieve? Turns out, a lot, if you don't cover your tracks properly. Even though there have been some big leaks recently regarding metadata or improperly sanitized released information, I think we need to be much more aware of what kind of information is associated with the things we share with others that isn't immediately visible.

Trusting external USB devices

A few people have found a very aggressive virus on USB digital picture frames. Upon connecting the frame to the user's computer, the virus silently installs itself and hides its presence. The company denies that anything is wrong, but the complaints come from multiple sources. This is a cool idea if you ask me, although hardly a new one, what with the hard drives that recently got shipped to Taiwan with viruses pre-installed. Malware authors really keep us on our toes! Malware can be anywhere, even the most mundane places.

I'd like to see one of those USB coffee warmers with a virus. After it steals your data, makes your coffee really, REALLY hot.

03 January, 2008

SMS spam

A post from Ronald brings this to light. I had not thought about this before.

Malware changing for '08

Of late there has been significant discussion about how malware is changing. More specifically, how it is getting more sophisticated. I've touched on this before, but I think we're really going to see some changes in 2008. Consider what we've seen so far as a beta test.

Techtarget posted a great article on how malware has recently evolved. The article elaborates to include what we're to expect for the future. Not only are malware authors becoming more clever through the use of encryption and abandoning the usual command-and-control structure, but they are taking advantage of advances in technology and the need for security researchers to publish. Take fast-flux DNS and its use in Storm Worm for example. How about how detection engines use MD5 sigs? That's broken. Or how about how the authors of Storm change their code to adapt to what security researchers have found to work. This is not the old school group of virus writers. This is a new breed of intelligent, skilled, and active blackhats. This will be an interesting year for malware. Let's hope detection, like behavior-based instead of sig-based, will close the gap.

Back from vacation!

Apologies for the hiatus in posting, but I needed a real break. Now I need another one :)

Posts to follow. Happy New Year!