Wednesday, February 28, 2007

F-22 Raptor Software Glitch Fixed

Via theregister.co.uk -

Significant new capabilities have been added to the US Air Force's latest superfighter, the F-22 "Raptor". The USAF's Raptors cost more than $300m each, and are generally thought to be the most advanced combat jets in service worldwide. However, until recently they were unable to cross the international date line owing to a software bug in their navigation systems.

A group of F-22s heading across the Pacific for exercises in Japan earlier this month suffered simultaneous total nav-console crashes as their longitude shifted from 180 degrees West to 180 East.

Luckily, the superjets were accompanied by tanker planes, whose navigation kit was somewhat less bleeding-edge and remained functional. The tanker drivers were able to guide the lost top-guns back to Hawaii and the exercises were postponed.

"Every time we fly this jet we learn something new," Raptor squadron commanding officer Lt-Col Wade Tolliver said.

But enemies of democracy who may have been planning an opportunistic attack on Hawaii followed by a retreat to safety across the date line shouldn't get their hopes up. The software bug has been rectified, and the Raptors have now successfully travelled to Kadena Air Base in Japan, where air-combat exercises are now well underway.

"This is history in the making," said Brigadier Punch Moulton, commanding the Kadena-based 18th Wing.

The deployment is expected to last more than three months.

Seven-day Session Kills Chinese Gamer

Via theregister.co.uk -

A Chinese man who spent "almost all" of the seven-day Lunar New Year holiday glued to a computer game finally dropped dead at the end of the marathon session, Reuters reports.

The unnamed 26-year-old, who weighed in at a fighting 150kg (330lb), collapsed on Saturday in Jinzhou, Liaoning province, following the week-long gaming bout.

Local teacher Xu Yan told China Daily that the "dull life" during the New Year celebrations "prompted many people to turn to computer games for entertainment". He explained: "There are only two options. TV or computer. What else can I do in the holiday as all markets, KTV and cafeterias are shut down?"

Racial Slur Banned in New York

Via BBC -

The resolution to ban the so-called "N-word" is largely symbolic as it carries no weight in law and those who use the word would face no punishment.

But it reflects a growing unease that the racial slur is now part of everyday conversation and that the taboo against its usage has been swept away.

The word is in common usage among sections of the younger generation in the United States.

------------------------------------

While I agree that the word shouldn't be used, I don't believe that making it illegal is the best way of dealing with the issue.

IMHO, this is double-plus ungood.

New Tool Designed to Steal Browser History

Via gnucitizen.org -

After releasing my Firefox specific history scanner, RSnake came up with his own bleeding edge history scanning technique which is based on Jeremiah Grossman’s implementation but it does not require JavaScript. This approach has its own limitations and advantages.

On the advantages side, you don’t really need JavaScript to steal the victim’s browser history. So, everybody who is thinking that turning off JavaScript is the safe way to go, you are most definitely wrong. You should turn CSS off too. This is it. Spartan browsing is the key. On the other hand, history scanning without JavaScript is less powerful in a way that attackers are not able to perform actions as soon as the history is retrieved.

Still, I think that RSnake’s approach is quite interesting and innovative. I decided to write a generic scanner that can be configured on the fly to steal any browser history.

Worm Actively Exploits Vulnerability in Sun Solaris Telnet Daemon

Via US-CERT -

US-CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon. When the worm discovers a vulnerable host, it attempts to log into the host using the lp or adm account to invoke one or more of the following malicious actions:

  • Modifies the /var/adm and /var/spool/lp directories
  • Installs and runs a server on port 32982
  • Schedules a crontab entry to run at 1:00 A.M.
  • Scans for other vulnerable hosts

More information about this vulnerability is located in the following:

  • Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerability
  • Sun Alert 102802 - Security Vulnerability in the in.telnetd (1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host

US-CERT recommends the following actions to help mitigate the security risks:

  • Apply the latest patches, as specified in Sun Alert 102802, to address this vulnerability.
  • Run the Sun inoculation script if your host is infected.
  • Disable the Telnet daemon if unable to apply the patch at this time.
  • Restrict access to port 23/tcp to trusted hosts only.
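A small host checker for the indicators the advisory lists, added here as an example; it is not part of the US-CERT advisory or Sun's inoculation script. It assumes the Solaris 10 commands netstat, crontab -l <user>, svcs and find, and parses constructed sample output so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from US-CERT or Sun): check a Solaris 10 host for the
# worm indicators named in the advisory. Each check takes its input as text,
# so it can run on captured output; run_live() feeds it output from the host.

# Constructed sample of `netstat -an` TCP lines: a listener on the worm's
# port 32982 next to normal ssh (22) and telnet (23) listeners.
SAMPLE_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN'

# Constructed sample `crontab -l lp` output: the path is invented, but the
# schedule (minute 0, hour 1 = 1:00 A.M.) matches what the advisory describes.
SAMPLE_CRONTAB='# crontab for lp
0 1 * * * /var/spool/lp/.cache/run >/dev/null 2>&1
15 3 * * 0 /usr/lib/fs/nfs/nfsfind'

# Constructed sample `svcs -H -o state svc:/network/telnet:default` output.
SAMPLE_SVCS='online'

# port_listening NETSTAT_TEXT PORT -> exit 0 if PORT is in LISTEN state.
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ ("\\." p "$") && $NF == "LISTEN" { found = 1 }
        END { exit !found }'
}

# cron_runs_at_1am CRONTAB_TEXT -> exit 0 if a non-comment entry fires at 01:00.
cron_runs_at_1am() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { next }
        $1 == "0" && $2 == "1" { found = 1 }
        END { exit !found }'
}

# telnet_enabled SVCS_STATE -> exit 0 if the SMF telnet instance is online.
telnet_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "online" ]
}

# count_indicators NETSTAT_TEXT CRONTAB_TEXT SVCS_STATE -> prints how many
# of the three indicators matched (0..3).
count_indicators() {
    n=0
    port_listening "$1" 32982 && n=$((n + 1))
    cron_runs_at_1am "$2" && n=$((n + 1))
    telnet_enabled "$3" && n=$((n + 1))
    echo "$n"
}

# run_live: gather the same inputs from the running host (root is needed to
# read other users' crontabs). Also lists files under the two directories the
# advisory names that changed in the last 7 days, for manual review.
run_live() {
    ns=$(netstat -an 2>/dev/null)
    ct=$(crontab -l lp 2>/dev/null; crontab -l adm 2>/dev/null)
    st=$(svcs -H -o state svc:/network/telnet:default 2>/dev/null)
    echo "indicators matched: $(count_indicators "$ns" "$ct" "$st")"
    find /var/adm /var/spool/lp -type f -mtime -7 2>/dev/null
}

# Demonstration against the constructed samples when run with --demo;
# run with --live on the host itself.
case "${1:-}" in
    --demo) echo "sample indicators matched: $(count_indicators "$SAMPLE_NETSTAT" "$SAMPLE_CRONTAB" "$SAMPLE_SVCS")" ;;
    --live) run_live ;;
esac
```

A listener on 32982 or a 1:00 A.M. entry in the lp or adm crontab is a strong sign of compromise; an online telnet instance alone only means the host is exposed and should be patched or have telnet disabled.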
---------------------------------

For more in-depth information about this Telnet worm, check the Arbor Networks Blog.

GAO: U.S. Military Unprepared for Chem, Bio Attacks

Via Bad Guys Blog -

Few terrorism experts doubt that we're going to get hit by a biological or chemical attack. Recent strikes by Iraqi insurgents using chlorine gas underscore the concern. That's why Washington has spent billions of dollars preparing for such an event. But two reports quietly declassified last week suggest that the backbone of any U.S. response–America's military units–are alarmingly unprepared.

The reports are by the Government Accountability Office, Congress's investigative agency, which is typically careful in its language. (Consider the title of one report, the modestly named Management Actions Are Needed to Close the Gap between Army Chemical Unit Preparedness and Stated National Priorities.) But reading between the lines it's clear that investigators, who analyzed preparedness data for 78 Army chemical units, were disturbed at what they found. As one report put it, "Most Army units tasked with providing chemical and biological defense support are not adequately staffed, equipped, or trained to perform their missions."

Particularly in the National Guard and Army Reserve–key to any U.S. homeland response–chem and bio units "are reporting the lowest readiness ratings–meaning that they are not considered sufficiently qualified for deployment," according to the GAO. The reason: critical shortages of trained personnel and key equipment, made worse by transfers to support the war in Iraq.

The bottom line, says the report, is that until the Army develops a plan to address the shortfalls, "adequate chemical defense forces may not be available in the event of a WMD attack at home or abroad."

Japan Moves to Centralize Intelligence

Via Japan Times -

The government needs to centralize its intelligence to be able to report the most important information to the proposed National Security Council, according to a government panel's interim report, released Wednesday.

The panel on intelligence-gathering has come up with proposals to provide assistance to the prime minister on issues of national security, including terrorist and nuclear threats.

Creating a security council was one of Prime Minister Shinzo Abe's key pledges when he took office in September, saying it would help him expedite policymaking.

A separate panel on national security issues, comprised of defense and diplomacy experts, proposed Tuesday that the proposed council be modeled after the U.S. National Security Council and that it be made up of four permanent members -- the prime minister, the chief Cabinet secretary, the foreign minister and the defense minister.

"We have focused on how to create a system that will properly provide intelligence and the highest level of analysis of it to the policymaking side," Chief Cabinet Secretary Yasuhisa Shiozaki, chairman of the intelligence-gathering panel, told a news conference.

The panel's interim report proposes the existing Joint Intelligence Committee collect intelligence from the different ministries. Intelligence experts then would analyze the data and compile regular reports for the NSC. The prime minister would appoint these experts from the ministries, government officials said.

The intelligence committee consists of senior officials from several bodies and agencies.

New Military Doctrine

Via Secrecy News -

A new U.S. Air Force directive "provides policies for managing nuclear weapons and weapon systems, and for protecting personnel, property, and the environment from hazardous exposure to radioactive materials." See Air Force Policy Directive 91-1, "Nuclear Weapons and Systems Surety" (pdf), 13 February 2007.

Another new Air Force document on combating the threat or use of weapons of mass destruction "provides guidance for understanding, planning, and executing counter-chemical, biological, radiological, and nuclear operations to enable US forces to survive and operate effectively in this deadly environment." See Air Force Doctrine Document 2-1.8, "Counter-Chemical, Biological, Radiological and Nuclear Operations" (pdf), 26 January 2007.

Army doctrine on the use of attack helicopters to locate and destroy enemy forces and to gather or confirm intelligence is presented in a new field manual. See "Attack Reconnaissance Helicopter Operations" (large pdf), Field Manual FM 3-04.126, February 16, 2007. The new manual notes that it has been reviewed for operations security considerations and approved for public release.

Psychology Professor in Florida Spied for Cuba

Via Intelligence Summit -

A Cuban-born university professor and his wife who pleaded guilty to spying for Cuba have been jailed in the US.

Carlos Alvarez, 61, and his 56-year-old wife, Elsa, received a five and three-year term respectively for exchanging coded messages with Cuba.

Both said they took responsibility for their actions but had wanted to establish an open dialogue with Cuba.

But a Miami district judge said that their behaviour had undermined US foreign policy towards the country.

"As we know, a good motive is never an excuse for criminal conduct," Miami Judge Michael Moore said before he sentenced the couple.

The pair were accused of sending coded messages about fellow Cuban-American exiles living in Miami back to Cuba.

Carlos Alvarez was accused of being in contact with Cuban intelligence agencies since 1977.

'Innocuous information'

The psychology professor, based at Florida International University, disguised his identity using the codename David.

His wife also communicated with Cuban agents under the name Deborah but to a lesser extent than her husband.

Before being sentenced, Carlos Alvarez told the court he had once been part of an underground movement that sought to oust Castro's regime but that he later became "an advocate of dialogue."

"I decided to engage in a relation that would require sharing what I consider innocuous information and analysis for access," he said, adding, "The method and channel that I used were unfortunately wrong."

Carlos Alvarez's lawyer claimed that the messages included no secret, classified or defence material and often amounted to no more than "simple gossip".

But US lawyer Matthew Axelord said that the pair had gone to great lengths to conceal their actions.

"This was not idle chit-chat," he said, "Carlos Alvarez was tasked directly by the Cuban intelligence service to provide certain information and he provided that information."

Tuesday, February 27, 2007

Legal Threats Kill RFID Talk at BH Federal

Via SecurityFocus & ZD Net Blog -

A security researcher scheduled to present information on issues with radio-frequency identification (RFID) technology at the Black Hat Federal conference this week was silenced by security technology giant HID Global, which claimed the presentation would violate its intellectual property.

The presentation would have described the technical foundations of RFID technology and demonstrated the security problems with contactless RFID, showing off a device capable of cloning HID cards, said the would-be presenter, Chris Paget, director of research and development for security firm IOActive. The device is similar to other RFID cloners and was built using $20 in parts bought on eBay, Paget said.

"In terms of the electronics, it is not any more complicated than a Furby," Paget said. "This isn't something new we are doing. HID has known about this for at least two years."

...

"There is critical national infrastructure being protected by these things (RFID chips)," IOActive's Paget said. "There is a lot of misunderstanding in the industry regarding the security of these things. Our intent was to disseminate information so that people can make a knowledgeable decision about deploying RFID."

Whether the letter sent to IOActive and the subsequent discussions, which halted at 5 a.m. Tuesday with no agreement between the companies, constituted a legal threat appears to be a matter of debate. HID Global did not ask IOActive to refrain from giving the presentation, but asked that any schematics and source code belonging to the company not be distributed, Kathleen Carroll, HID's director of government relations, told SecurityFocus.

"We did not threaten IOActive with a lawsuit, if they went forward with the presentation," Carroll said. "We were in talks with them throughout the night to try and resolve this with them. We merely wanted them to modify the presentation."

...

Carroll, who spoke with SecurityFocus from a conference in Washington D.C. on deploying such technology for identification cards, said that IOActive's attack amounted to a theoretical threat, not a real-world risk. Two weeks ago, IOActive demonstrated that it could clone RFID cards at the RSA Security Conference in San Francisco. However, Carroll maintained that in the real world, the attack would not be subtle or, likely, feasible.

"You don't see (Paget) walking by somebody," Carroll said. "Someone handed him the card. It has to get within 2 to 3 inches of the reader and it has to be in the same plane as the reader."

For IOActive's CEO Josh Pennell, the threat of a lawsuit filed by HID seemed to be a real possibility, he told reporters during a conference call on Tuesday. The technology giant has claimed that teaching others about RFID devices violates two of the company's patents, Pennell said. On the advice of lawyers, IOActive's chief would not describe other details about the claims.

"If I say anything, HID will sue us," he said. "Large companies have lots of resources, and small companies, such as IOActive, don't."

The relevant presentation has been ripped out of the conference proceedings, according to Jeff Moss, the founder of Black Hat. The presentation will be replaced with a policy discussion about RFID insecurity and national identification.

"This is not the first time that computer professionals have been threatened by lawsuits," said Nicole Ozer, technology and civil liberties policy director at the American Civil Liberties Union (ACLU) of Northern California. "We feel that discouraging IOActive ... may have the most grave consequences."

Ozer pointed out that, on Friday, the U.S. Department of Homeland Security is scheduled to present the specifications for next-generation driver's licenses, which could include RFID technology. The inclusion of the problematic technology could result in U.S. citizens having their information stolen, leading to identity fraud and possibly endangering people.

"At this junction, it is particularly important that the government and consumers have all the information possible regarding RFID security," Ozer said.

----------------------------------

So HID Global wants us to believe that IOActive's talk is just "smoke & mirrors" and isn't even likely feasible, however...they force them to change their talk and use the rumor of legal threats.

Does anyone see the disconnect here? I know I do.

HID Global wants us to "ignore the man behind the curtain" and you know what? I am not going to do that.

More Sony PSP Hacks

Via BBC News -

Sony sells its PSP with built-in software, known as firmware, which controls how the console operates.

The firmware locks many of the PSP's capabilities, preventing enthusiasts from writing their own programs, known as homebrew, and running them on the machine.

It also limits its ability to play some films which are not bought on special Sony PSP disks.

But last month three hacker teams - Noobz, Team C+D, and a group led by PSP hacker Dark Alex - co-ordinating their efforts over the internet, found a flaw in the most recently released version of the firmware - version 3.03.

Using this flaw they devised a way to unlock all PSPs, regardless of their age or the firmware running on it.

This development has been a cause for celebration in the PSP homebrew community, but caused alarm at Sony because unlocked PSPs can be used to play pirated PSP games.

"The problem experienced here is not with homebrew applications, but with hackers who pirate commercial titles," a Sony spokesperson said.

Malware with Service Contracts

Via InternetNews.com -

Malware authors in Russia are now offering service contracts with their spyware.

Yes you read right: You can now get a service contract to provide upgrades for spyware, Trojans, rootkits and key loggers, just like you get with your computers, Oracle databases and CRM software.

You have to marvel at the sheer brass of it all. "The pricing model is scarily professional," Mark Sunner, chief security analyst at security firm MessageLabs, told internetnews.com.

"You can buy a one-off and get an update or pay more and get many updates. The whole thing looks like a commercial model but is revolving around malware."

The prices start at around $260 for just the software, and can go up to $3,500 for something guaranteed with updates and containing specific functionality, such as being able to recognize specific online banks.

Sunner first noticed late last year that Russian spyware and virus sites were offering to sell the Bespoke Trojan, which is designed to steal corporate information and intellectual property. Bespoke had been around a while, but now they were offering modifications to target a specific company and updates if a company's security methods detected it.

------------------------------------

Big ups to my friend, Fergie, for the find.

I guess these security experts don't remember the "Holy Father" and a little rootkit project called "Hacker Defender". It was only one of the most used rootkits developed against Windows servers for years.

HF would sell private versions of Hacker Defender, dubbed Golden Hacker Defender, and provide six months of anti-AV and anti-rootkit detector updates as part of the deal.

However, last year, HF called a truce with the security companies and quit selling versions of Hacker Defender.

So is this really new? Nope....

Is it an expanding trend? Most likely.

Is it something to worry about? You would be damned crazy not to worry.

Monday, February 26, 2007

Europe Seeks to Tighten Some Online Laws

Via Physorg.com -

(AP) -- Some European countries are proposing outlawing the use of fake information to open e-mail accounts or set up Web sites, a move intended to help terror investigations but which could face resistance on a privacy-conscious continent.

The German and Dutch governments have taken the lead on the proposals, crafting legislation that would make it illegal to provide false information to Internet service providers and require phone companies to save detailed records on customer usage.

The aim, analysts say, is to make it easier for law enforcement to access information when they investigate crimes or terrorist attacks.

But Europeans have long cherished their privacy, railing against measures that would see personal information stored for commercial use or government examination. "The people of Europe have a long record of fighting for their personal freedom, and are unlikely to accept such regulations being imposed upon them," said Graham Cluley, a senior technology consultant with the London-based consulting group Sophos.

"No one disagrees with the need to take decisive action against terrorism and organized crime, but to introduce such restrictive surveillance on the general public and Internet companies - without proper safeguards in place - seems positively Orwellian," he said this past week.

Look Christian, 42, who works at an Internet cafe in Berlin, said it's his business - not the government's - if he wants to set up an anonymous e-mail account.

"I understand that the police might want to hunt people down on the Internet, and I wish them luck, but it's not going to happen through anonymous Internet accounts," he said.

Nano-Coating Makes a Splash

Via NewScientistTech.com -

When a spherical object such as a ball is dropped onto water, it sometimes pierces the surface with a gentle “plop”, and sometimes slams through creating a big splash.

Lydéric Bocquet at the Claude-Bernard University in Lyon, France, and colleagues found these varied impacts a puzzling phenomenon. Why would two spheres of the same size, shape and material create such different effects?

Now Bocquet believes his team has found the answer: the molecular treatment of the surface of the spheres – whether it attracts or repels water – is paramount, he says.

...

The finding could prove useful in reducing splashing that occurs during high-speed water impacts, for example during air-to-water torpedo entries, he says. Here, a nano-layer could prevent air bubbles forming at the tip of the torpedo.

-----------------------------------------

Does anyone remember the Russian Shkval (шквал) supercavitating torpedo?

Genetic Information Nondiscrimination Act

Via NewScientist.com -

A law that would protect people in the US from being denied jobs or insurance because of their genetic make-up looks set to be passed after 12 years of debate.

The Genetic Information Nondiscrimination Act (GINA), introduced into Congress on 16 January, is sweeping through committees in the House of Representatives and is tipped to appear before the Senate and the full House within weeks. If passed, GINA will become the first federal law to prevent employers from collecting genetic information on their employees. It would also outlaw genetic discrimination, preventing insurers from denying coverage or charging higher premiums based on a person's predisposition to disease.

Previous attempts to introduce such a law faltered in a Republican-dominated House, but that all changed when the Democrats took charge of Congress last November. "There's a willingness to get something passed," says Karen Rothenberg at the University of Maryland School of Law in Baltimore.

Washington State Looks Into Legal Hallucinogenic Herb

Via Physorg.com -

Both Washington state and U.S. officials are growing increasingly concerned over the popularity of a legal hallucinogenic herb in the region around Seattle.

An herb from the mint family, Salvia Divinorum has become a popular drug of choice with many Washington teenagers and its reported ability to make its users hallucinate and forget has many officials concerned, Seattle's KIRO-TV reported.

"Just because it's legal, just because it's not classified, just because it's not a controlled substance doesn't mean that it's healthy and safe," DEA official Rodney Benson said.

The herb, whose origins are in Mexican spiritual ceremonies, has already been linked to the suicide of a teen in Delaware, prompting officials there to ban the hallucinogen.

Benson said with the herb growing in popularity in the suburbs of Seattle, scientists are working quickly on determining if the herb should be deemed a controlled substance.

Until that decision can be made and authorities can act, Benson told the TV station area parents should inform their children of potential risks, including violent behavior and hallucinations.

------------------------------------------------

I guess Nutmeg is next...my Christmas eggnog will never be the same.

Sarasota Voting Machines Insecure

Via Freedom to Tinker -

The technical team commissioned by the State of Florida to study the technology used in the ill-fated Sarasota election has released its report. (Background: on the Sarasota election problems; on the study.)

One revelation from the study is that the iVotronic touch-screen voting machines are terribly insecure. The machines are apparently susceptible to viruses, and there are many bugs a virus could exploit to gain entry or spread:

We found many instances of [exploitable buffer overflow bugs]. Misplaced trust in the election definition file can be found throughout the iVotronic software. We found a number of buffer overruns of this type. The software also contains array out-of-bounds errors, integer overflow vulnerabilities, and other security holes. [page 57]

The equation is simple: sloppy software + removable storage = virus vulnerability. We saw the same thing with the Diebold touchscreen voting system.

Julie Amero Court Transcripts Online

Via vitalsecurity.org -

There are some important things we can learn from the sad case of Julie Amero:

1) Without fail, almost every single article published on this website seems to present an uneven, hang 'em high style approach to journalism that frankly makes me sick. Whether it's this guy deleting blog posts left, right and centre or the main Norwich Bulletin website itself laying its cards on the table by means of presenting a continually slanted take on things with titles such as "Inaction Sank Amero" (apart from the fact it seems to be her actions, rather than inaction which seems to have "sunk" her, heaven forbid they should offer anything up that even remotely sounds like Amero might not be guilty), you're NOT going to get a fair crack of the whip in Norwich, CT.

2) Detective Mark Lounsbury promised we'd all basically look like idiots once the full transcripts became available - like there was some major smoking gun in amongst the wreckage.

Well, I've read about 85% of the documents now, and he's right - there IS a smoking gun in there. The smoking gun is that THIS ENTIRE CASE IS STILL A JOKE.

At some point, major, major alterations were made to the goalposts - the main thrust of the prosecution went from "SHE INTENTIONALLY LOOKED AT PORN! THE POOR KIDS!" to "SHE DIDN'T UNPLUG IT OR SWITCH IT OFF! THE POOR KIDS!"....it's great how "turning it off" or " unplugging it" WOULD have been considered "doing something about it", but no consideration is given to the similarly productive act of turning the screen away from the class (which wasn't hard, given that the PC was facing away from the kids in the first place).

If the kids in the class can't actually see the screen, does it matter at that point whether it's switched on or not?

Is this fair? Or does this smack of rampant stupidity and ignorance?

Worse, the closing argument from the Prosecution guy is ENTIRELY based around Julie Amero INTENTIONALLY ACCESSING PORN IN CLASS AND LOOKING AT IT AND STUFF. The whole stupid "throw a coat on it" thing is mentioned but the alternative of simply turning the screen away (which Amero did) is NOT given any thought as a possible solution.

Because, you know, that would've meant Julie Amero would have gone free.

Bruce Willis Stops Metasploit User, Saves World

Via theregister.co.uk -

Bruce Willis will face down cyberterrorists in upcoming blockbuster Live Free or Die Hard.

Ex-model turned actress Maggie Q will play an uber-hacker out to bring down the US's transport and banking system with a few mouse clicks in the forthcoming haxploitation opus.

In an entertaining development, the latest installment of the franchise finds Willis's character (John McClane) as a semi-retired, divorced, recovering alcoholic working for Homeland Security. He's aided in his fight by a whizz-kid hacker he has in custody at the time the cyber-attack kicks off.

Without giving away too much of the plot, Willis shoots the bad guys and knocks helicopters out of the sky after his car gets stuck in traffic.

Well-known cyber-security myth debunker Rob Rosenberger said the movie frightens him, but not for the reasons the film makers are seeking to achieve. "I fear this movie will give 'cyber-terrorism' the hysterical push it's been waiting for," he told El Reg.

"Remember when the 'Good Times virus alert' spawned a year-long tsunami of email mass hysteria? I fear nothing less from this Bruce Willis movie. Imagine Richard Clarke, John Arquilla, and D.K. Matai on a 'This Week With David Nerdly' where they all scream about the coming cybergeddon."

---------------------------------

If the US Infrastructure can be pwned by Metasploit, then I think the only people we need to be talking to are the network administrators of said infrastructure.

I do hope that the "hysterical push" doesn't include a myth filled negative public image of the Metasploit project.

Apple Slow to Learn Security Lessons

Via SecurityFocus (March 2006) -

Microsoft giving advice to Apple on software security? What next, a lecture on timely shipping of product?

As crazy as it sounds, a member of Microsoft's security team has blasted Apple for failing to coordinate its security efforts and to issue proper security advice. Stephen Toulouse, communications manager for Microsoft's security response team, has blogged that Apple needs a "security czar" to batten down the hatches against a growing number of attacks on the company's OS X.

By contrast, he points to Microsoft as a prime example of how to respond to threats, providing well-documented communications and prescriptive "how-to" guidance with alerts that are delivered through email, RSS and deployment tools.

Toulouse was responding to Apple's recent update to a security fix that was designed to solve problems in installing an earlier patch. Apple's Security Update 2006-002 had caused problems with networking and with the Safari browser icon.

He criticized Apple's security mailing list for failing to "cover when there are new versions available when a bug is introduced by the update" and for lacking RSS. Also worrying for Toulouse was a recent BusinessWeek article where Apple's vice president of software technology Bud Tribble apparently rejected the need to appoint a security chief: "When we think about security and how we design software, the basic approach is to make it as secure as possible," Tribble said.

That, according to Toulouse, was "a little like saying the White House shouldn't have a Department of Homeland Security because, DUH, everyone in the government cares about security!" He advised Apple to become more pro-active, warning that today's attacks are like the most prevalent form of attack on Windows - attacks that require the user to take action first.

"We've learned the lesson of getting out there fast and providing clear prescriptive guidance," he said. "[Apple] will have to seek outside expertise in the form of a head of security communications in the next 12 months. Apple needs a person steeped in security issues."

-------------------------------------

Help wanted: An Apple security expert

Interesting, I wonder if Apple would like to thank MS for its help??

Urban Word of the Day - Hostage Lunch

Hostage Lunch

Meal purchased by the company, often pizza, and delivered for employees whose bosses require them to attend a meeting or work over their lunch hour.

"I was planning on running some errands over my lunch hour, but the VP is keeping us in a meeting. At least he ordered us hostage lunch."

Many HSPD-12 Cards Fail GSA Testing

Via GCN.com -

A majority of the identification cards agencies issued to meet Homeland Security Presidential Directive-12 fell short of complying with the federal standard and must be retested.

Industry and government officials confirmed that most cards issued in October had an assortment of problems—some of them major, such as a lack of interoperability, and some minor, such as using the wrong shade of blue on the card.

“There were over 100 tests the General Services Administration performed, but the most important one was for basic interoperability,” said one department official close to the HSPD-12 process, who requested anonymity.

“We knew we wouldn’t pass because we have our own testing tool and we were having specific issues [other than interoperability]. But we didn’t necessarily fail because, to me, [failing] means they weren’t interoperable, and they were.”

The official said many of that agency’s problems were due to not meeting the standard’s “persnickety” requirements. GSA has been testing since January.

As cards fell short of the National Institute of Standards and Technology’s Federal Information Processing Standard-201, the Office of Management and Budget asked agencies to resubmit cards for further analysis. GSA is testing the electronic personalization of the cards, which includes the encoding of the Personal Identity Verification data model on the integrated circuit chip. This will ensure an electronic exchange of data occurs between reader and card.

It also will look at the data objects on the cards, such as demographic data, fingerprint templates, facial data and the card holders’ unique identifiers, David Temoshok, GSA’s director of identity policy and management in the Office of Governmentwide Policy, said at a recent event on Capitol Hill.

Al-Qaeda Linked to Iraqi Chlorine Site

Via intelligence-summit -

The terrorist organization al-Qaeda is believed to have operated a factory linked to recent chlorine attacks in Iraq, Reuters reported yesterday (see GSN, Feb. 22).

Eight people were killed and scores injured in two attacks last week involving explosions of vehicles carrying the chemical. The deaths have been attributed to the explosions rather than exposure to chlorine. The U.S. military said a plant in Karma was connected to the attacks.

A Feb. 20 raid on the facility uncovered al-Qaeda propaganda fliers and “interactive DVDs,” said Lt. Col. Valery Keaveny.

“This is absolutely a display that al-Qaeda is trying to adjust its barbaric tactics,” Keaveny said. “Is this a threat? Yes. Are we prepared to deal with it? Yes.”

U.S. forces discovered three 55-gallon barrels of chlorine, three barrels filled with nitroglycerine that could be used in explosives, mortar and artillery shells, crude explosives, five vehicles and propane tanks, Reuters reported.

“They had all the munitions, they had all the cars. The chemicals found were not weaponized yet, but they were probably planning to use them,” said Capt. Matt Gregory (Reuters/Gulf Times, Feb. 25).

Egypt Asks Interpol to Arrest Three Israelis on Spying Charges

Via egyptdailynews.com -

Egypt asked the international police organization to arrest three Israelis it accuses of being part of a spy ring, a judicial official said Monday. Egypt's state security prosecutor on Saturday charged a 26-year-old Egyptian and three Israelis with spying for Israel and harming national interests. Authorities arrested the Egyptian, Mohammed al-Attar, on Jan. 1 after he returned to Cairo from abroad.

-------------------------------

The Egypt Daily News was linking to a Yahoo News article, which now appears to be offline, for whatever reason. But the story can be confirmed via this Yahoo News article.

New Symbol Launched to Warn Public About Radiation Dangers

Via IAEA.org -

With radiating waves, a skull and crossbones and a running person, a new ionizing radiation warning symbol is being introduced to supplement the traditional international symbol for radiation, the three-cornered trefoil.

The new symbol is being launched today by the IAEA and the International Organization for Standardization (ISO) to help reduce needless deaths and serious injuries from accidental exposure to large radioactive sources. It will serve as a supplementary warning to the trefoil, which has no intuitive meaning and little recognition beyond those educated in its significance.

"I believe the international recognition of the specific expertise of both organizations will ensure that the new standard will be accepted and applied by governments and industry to improve the safety of nuclear applications, protection of people and the environment," said Ms. Eliana Amaral, Director, Division of Radiation, Transport and Waste Safety, IAEA.

The new symbol is aimed at alerting anyone, anywhere to the potential dangers of being close to a large source of ionizing radiation, the result of a five-year project conducted in 11 countries around the world. The symbol was tested with different population groups - mixed ages, varying educational backgrounds, male and female - to ensure that its message of "danger - stay away" was crystal clear and understood by all.

Using Honeypots to Learn about Web Application Threats

Introduction

With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services such as bulletin boards, mail services such as SquirrelMail, online shops, or database administration tools like PhpMyAdmin. They significantly increase the exposed surface area by which a system can be exploited. By their nature, web applications are often widely accessible to the Internet as a whole meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. In Appendix A, we give actual examples of a bot (a variant of PERL/Shellbot), the Lupper worm and an attack against a web Content Management System (CMS) as examples that show how web application threats actually act and propagate.

--------------------------------------

Read the full paper over at Honeynet.org
- Know your Enemy: Web Application Threats

Sunday, February 25, 2007

Iran Launches Rocket Into Sub-Orbital Altitude

Via NYTimes.com -

TEHRAN, Feb. 25 — Iran announced today that it had successfully launched a research rocket to sub-orbital altitude, a test apparently moving it closer toward its aim of putting its own satellites into space.

Initially, the head of Iran’s Aerospace Research Center, Mohsen Bahrami, was quoted by the Iranian Student News Agency on Saturday as saying that the rocket, carrying a research cargo, “was launched successfully into space.” But he did not disclose any further information about the altitude the rocket reached or when it was launched. State television also reported the news today.

Ali Akbar Golrou, another official at the center, told the Fars News Agency today that the rocket was a so-called “sounding rocket” carrying atmosphere-testing equipment that rose 94 miles before falling back to earth by parachute.

“The rocket was launched only for scientific and research purposes,” Mr. Golrou was quoted as saying. “Some of the news agencies have reported that a missile has been launched into space, which is false.”

AACS Device Key Found

Via Slashdot -

"The intense effort by the fair-use community to circumvent AACS (the content protection protocol of HD DVD and Blu-Ray) has produced yet another stunning result: The AACS Device Key of the WinDVD 8 has been found, allowing any movie playable by it to be decrypted. This new discovery by ATARI Vampire of the Doom9 forum is based on the previous research of two other forum members, muslix64 (who found a way to locate the Title Keys of single movies) and arnezami (who extracted the Processing Key of an unspecified software player). AACS certainly seems to be falling apart bit for bit every day now."

Saturday, February 24, 2007

South Korea Insists on Slower Military Power Transfer

Via aljazeera.net -

The United States will hand back wartime operational control of South Korea's armed forces in 2012.

The deal reached between Robert Gates, the US defence secretary, and Kim Jang Soo, his Korean counterpart, will end a command arrangement that has been in place since the 1950-1953 Korean War.

Under the deal announced on Friday, the current ROK (South Korea)-US Combined Forces Command, which is headed by a US general, will be disbanded, and American forces in the country will move into a supporting role.

"The agreement will serve as a key launching pad for a take-off in the South Korea-US alliance, praised as the most successful bond in the past 50 years," the South Korean president's office said in a statement. The United States, stretched by engagements in Iraq and Afghanistan, had hoped to transfer command as early as 2009, but ultimately agreed to South Korea's insistence that responsibilities be shifted at a slower pace.

Office 2K7 Not Immune from Remote Code Execution Attacks

Via zdnet.com -

Researchers have discovered a "highly critical" security flaw in newly released Office 2007, despite Microsoft's efforts to deliver its most secure version yet of the productivity software.

The consumer version of Office 2007, which launched only four weeks ago, is designed to withstand higher scrutiny by malicious code writers, as Microsoft subjected the software to code auditors as part of its security development lifecycle.

But researchers at eEye Digital Security found a file format vulnerability in Microsoft Office Publisher 2007, which could be exploited to let an outsider run code on a compromised PC.

"We were surprised we could find a flaw so quickly (after Office 2007 launched) and one that was part of their core products," said Ross Brown, eEye's chief executive.

An attacker could create a malicious Publisher file, he said. Once the recipient opens the file, he or she could find the system infected and susceptible to a remote attack.

Researchers at eEye used a standard process of code auditing in discovering the vulnerabilities, Brown added. He noted that Microsoft either did not do a "good job" with its code auditing, or it may not have had enough people working on such a task.

Microsoft, meanwhile, said it is investigating eEye's report of a possible vulnerability in Publisher 2007 and will provide users with additional guidance if necessary.

Executives at the software giant have recently said they expect security challenges to keep emerging, as an increasing number of devices connect to the Internet.

No public exploits have been reported in circulation for Publisher 2007 and, given Office 2007's recent release, the flaw may hold little attraction for attackers who may wish to concentrate on software that is in greater distribution, eEye said.

Algeria Busts North African Terrorist Arms Ring

Via Intelligence Summit -

ALGIERS, Feb 24 (Reuters) - Algerian police have dismantled a network suspected of funnelling weapons to an al Qaeda branch in North Africa, a newspaper said on Saturday.

The busted ring included French, Tunisian and Algerian nationals and was believed to supply the Al Qaeda Organisation of Islamic Maghreb, the daily Liberte said, citing unnamed sources.

A French national, two Tunisians and 24 Algerians were in custody in the eastern town of Constantine after they were arrested by police following a search operation there.

Police raided a safe house in Constantine, 430 km (268 miles) from Algiers, on Feb. 11 and seized 165 shotguns, 995 cartridges and 30,300 euros, the newspaper added. A 30-year-old Tunisian is suspected to be the network's financier and a French national named as Alain-Roger Raphael was believed to have smuggled the arms in a camper van from the eastern port of Skikda, the daily said.

Police believed another French national, still on the run along with 13 other members of the network, supplied the weapons. There was no immediate confirmation of its account from the authorities.

The daily said the main purchaser of the arms was The Salafist Group for Preaching and Combat (GSPC), which has claimed responsibility for seven bomb attacks on Feb. 13 in two provinces east of the capital Algiers.

SIPRNET Contract Goes to AT&T

Via gcn.com -

The Marine Corps has awarded AT&T Government Solutions Inc. a $9.4 million contract to support the Secret IP Router Network, which ensures secure communications among all of the Marine Corps commands worldwide.

The network, known as SIPRNET, is the interoperable command and control IP data network at the Defense Department and is primarily used for the exchange of classified operational and tactical information at the Secret classification level.

Under the contract, AT&T will provide networking and IT services such as network management, information assurance and program management for the command and control network refresh program. AT&T will also expand WAN security features, including firewalls and intrusion detection systems and will upgrade network WAN point of presence transport and routing capabilities.

AT&T will enhance the connectivity, capability and flexibility of the network architecture so that global Marine commands can have better communication and secure access to more applications, company officials said.

AT&T's team includes Science Applications International Corp. and Smartronix Inc., which will provide technical equipment configuration and firewall installation services at the Marine Corps regional locations.

---------------------------------------

The Science Applications International Corp. appears to be grabbing a load of high value government contracts. The Homeland Security Department recently awarded Science Applications International Corp. a five-year, $39.2 million contract to assist with assessing risks and solutions for border security.

Calderón Cracks Down on Drug Cartels

Via usnews.com -

Is Mexico getting serious about cracking down on its out-of-control drug trade? Its new president, Felipe Calderón, may be the right guy at the right time. Along with dispatching military and elite police units to battle the gangs, last weekend his government–in an unprecedented move–extradited 15 of "the world's most violent and ruthless criminals," as U.S. Drug Enforcement Administration chief Karen Tandy put it.

Tandy isn't exaggerating, investigators tell me. The Mexican group included reputed leaders from that country's top four drug syndicates: the Juarez cartel, the Gulf cartel, the Federation, and the Arellano-Felix organization. These groups rank among the world's most formidable criminal organizations. Together, they move most of the dope pouring into the United States–the world's largest market for illicit drugs–and it has made them rich, hyperviolent, and powerful. Mexican drug cartels smuggle nearly 90 percent of America's cocaine, along with much of its heroin and methamphetamine.

Give Calderón some credit. The man is not simply doing Washington's bidding; he's trying to save his own country. The drug trade's cost to Mexico has been huge, with thousands of deaths, mob rule, and massive corruption. One sign of the times: Last year, Mexico passed Colombia as the second-deadliest country for journalists, behind only Iraq.

How bad is it?

"In Mexico, journalists who cover the drug wars–wars, literally, between the state and the cartels and between the cartels themselves–have become expendable," writes my colleague Pedro Armendares, director of Mexico's Centro de Periodistas de Investigación (Center for Investigative Journalism). "There is total impunity for the attacks. Too many regular folks have come to regard the death or disappearance of a reporter who covers drug trafficking almost as a normal event, just one more statistic along with the number of bad guys captured or kilos of cocaine seized."

---------------------------------

See this other usnews blog about all the money that is leaving the nation over the southern & northern borders.

FireFox 2.0.0.2 Released

http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/

  • Release Date: February 23, 2007

  • Security Update: The following list of security issues has been fixed.

  • Windows Vista Support: Many enhancements and fixes for Windows Vista are included along with the following caveats.

  • New Languages: Beta releases for several new languages are now available for testing.

  • Permissions Bug Fixed: In the German (de) locale on Windows and Linux, resolved a problem with certain files tagged as read-only.

-------------------------------------------------

Several security issues were fixed in this new release, but not all of the current threats were addressed.

Emotion Robots Learn From People

Making robots that interact with people emotionally is the goal of a European project led by British scientists.

Feelix Growing is a research project involving six countries, and 25 roboticists, developmental psychologists and neuroscientists.

Co-ordinator Dr Lola Canamero said the aim was to build robots that "learn from humans and respond in a socially and emotionally appropriate manner".

The 2.3m-euro scheme will last for three years.

"The human emotional world is very complex but we respond to simple cues, things we don't notice or we don't pay attention to, such as how someone moves," said Dr Canamero, who is based at the University of Hertfordshire.

The project involves building a series of robots that can take sensory input from the humans they are interacting with and then adapt their behaviour accordingly.

Dr Canamero likens the robots to babies that learn their behaviour from the patterns of movement and emotional state of the world around them.

The robots themselves are simple machines - and in some cases they are off-the-shelf machines. The most interesting aspect of the project is the software.

Dr Canamero said: "We will use very simple robots as the hardware, and for some of the machines we will build expressive heads ourselves.

"We are most interested in programming and developing behavioural capabilities, particularly in social and emotional interactions with humans."

The robots will learn from the feedback they receive from humans.

Friday, February 23, 2007

Inside the Windows Vista Kernel

Check out this cool three-part series by Mark Russinovich over at Microsoft TechNet. It goes in-depth on many of the new features of the Vista kernel.

Apple Works to Better Security

Via News.com Security Blog -

According to a post on the Bugtraq newsgroup, Apple has a job listing for a security expert.

The winning candidate would "help provide guidance on security topics to all groups across Apple, and help teams design security into new cutting-edge features and technologies," and also "help analyze potential security issues and work with groups across Apple for timely resolution."

Apple has come under increased scrutiny by the criminal hacker communities in the last year, and was the target of January's "month of Apple bugs." In 2006, it issued more Mac OS security patches than in previous years.

More telling is the requirement that the candidate "create training for development teams on security concepts and coding practices." This sounds like Bill Gates' call a few years ago for Trustworthy Computing at Microsoft.

-------------------------------------

This is good news overall, and I am glad to see that Apple is taking steps to increase the security of their coding practices. I have said that Apple could learn a few things from Microsoft and I think Robert hints toward that idea. Microsoft has been hit in the public on these exact issues in the past, but it looks like Apple is just now starting to see that.

Yes, Apple has a great security model at the OS level. But that is just one piece of the security puzzle; without secure coding practices, better communication with customers on emerging threats, and work on better internal controls instead of playing the blame card....problems will only get worse before they get better for Apple.

Sometimes Apple fanboys forget that Apple writes software beyond OS X...and if I remember correctly, QuickTime has been used in serious attacks against people on the internet.

Thursday, February 22, 2007

Quantum Key Distribution Attack Killed Before it Matures

Via theregister.co.uk -

Researchers believe they have secured a potential backdoor in a cryptography technique known as Quantum Key Distribution (QKD).

The QKD method involves the use of laser diodes to transmit crypto keys along fibre optic lines as streams of light quanta – individual photons. Any attempt to eavesdrop on the transmission involves measuring it in some way at a quantum level, which will necessarily alter the transmitted data and reveal to the communicating parties that the key is compromised.

The scientists at the Toshiba Research Europe Labs at Cambridge found that the laser diodes sometimes transmitted an extra photon in response to an energy pulse designed to elicit only one. This would allow an attacker to measure the second photon and leave the first untouched, potentially reading the secret key without being rumbled. This problem was especially prevalent when using stronger pulses so as to increase the rate at which key data could be sent.

But a team bossed by Dr Andrew Shields, Quantum Information group leader at Toshiba Research Europe, has stymied such so-called "pulse-splitting" attacks by introducing lower-intensity "decoy photons" to verify that a transmission is unmonitored.

According to Shields and his team, these decoy pulses seldom have a trailing partner and as such are impossible to read covertly. The communicating parties can use the decoys to check that no eavesdropping has taken place, so be assured that their higher-intensity, higher-bandwidth multiphoton stream of keys is uncompromised.

"Using these new methods for QKD we can distribute many more secret keys per second, while at the same time guaranteeing the unconditional security of each," says Shields. "This enables QKD to be used for a number of important applications such as encryption of high bandwidth data links."

QKD can now transmit at 5.5kbits/sec over a 25km optical fibre, a hundred times the previous rate.

Shields' crew has also, in a further burst of enthusiasm, rendered its own research ultimately irrelevant. The team has developed a new class of nano-diodes which are so small – at 45nm across – they can contain only a few electrons. This means they can only ever emit a single photon at the selected wavelength, so sidestepping the multi-photon minefield entirely.
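Why a lower-intensity decoy exposes pulse-splitting, as an added illustration (not Toshiba's code and not from the article): the eavesdropper cannot tell signal pulses from decoy pulses, so the per-photon-number yields she engineers to look honest at the signal intensity give the wrong detection rate at the decoy intensity. The Poissonian source, loss-only channel, absence of dark counts and the numeric parameters are assumptions.

```python
"""Decoy-state consistency check against pulse-splitting (PNS) eavesdropping.

Added illustration; not Toshiba's implementation. Assumes a weak-coherent
(Poissonian) source, a loss-only channel of transmittance eta, no dark counts,
and an eavesdropper who cannot distinguish signal pulses from decoy pulses.
"""
import math

N_MAX = 30  # terms of the Poisson sum beyond this are negligible


def poisson(n, mu):
    """Probability that a pulse of mean photon number mu holds exactly n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def honest_yields(eta):
    """Y_n over an unmonitored lossy line: at least one of n photons survives."""
    return [1.0 - (1.0 - eta) ** n for n in range(N_MAX + 1)]


def gain(mu, yields):
    """Fraction of pulses Bob detects, Q_mu = sum_n P(n|mu) * Y_n."""
    return sum(poisson(n, mu) * yields[n] for n in range(N_MAX + 1))


def honest_gain(mu, eta):
    """Closed form of gain(mu, honest_yields(eta))."""
    return 1.0 - math.exp(-eta * mu)


def pns_yields(mu_signal, eta):
    """Yields Y_n an attacker engineers with a pulse-splitting attack.

    She keeps one photon from every multi-photon pulse, forwards the rest over
    a lossless line, and throttles what reaches Bob so that the gain at the
    *signal* intensity is exactly what the honest channel would give.
    """
    target = honest_gain(mu_signal, eta)
    multi = sum(poisson(n, mu_signal) for n in range(2, N_MAX + 1))
    yields = [0.0] * (N_MAX + 1)
    if multi >= target:
        # Enough multi-photon pulses to hide behind: block every
        # single-photon pulse and forward only a fraction of the rest.
        for n in range(2, N_MAX + 1):
            yields[n] = target / multi
    else:
        # Forward every multi-photon pulse and pass just enough singles.
        for n in range(2, N_MAX + 1):
            yields[n] = 1.0
        yields[1] = (target - multi) / poisson(1, mu_signal)
    return yields


def decoy_check(mu_signal, mu_decoy, eta, yields, tolerance=0.05):
    """Return (signal_gain, decoy_gain, attack_detected).

    The same Y_n apply to both intensities because the eavesdropper cannot
    tell them apart; a decoy gain that departs from the loss-only prediction
    by more than `tolerance` (relative) marks the line as monitored and the
    key as unusable.
    """
    q_signal = gain(mu_signal, yields)
    q_decoy = gain(mu_decoy, yields)
    expected = honest_gain(mu_decoy, eta)
    detected = abs(q_decoy - expected) / expected > tolerance
    return q_signal, q_decoy, detected


if __name__ == "__main__":
    # Constructed parameters: signal mean 0.5, decoy mean 0.1, ~10 dB of loss.
    MU, NU, ETA = 0.5, 0.1, 0.1
    print("unmonitored:", decoy_check(MU, NU, ETA, honest_yields(ETA)))
    print("pulse-split:", decoy_check(MU, NU, ETA, pns_yields(MU, ETA)))
```

With these parameters the attacker reproduces the signal gain exactly, yet the decoy gain comes out at roughly a quarter of the loss-only prediction, which is the discrepancy the decoy pulses are there to reveal.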

Nessus Beta Released

On Feb 20th, Tenable released Nessus 3.1.2 for Linux, FreeBSD and Solaris, which is a beta version of the upcoming Nessus 3.2.

Nessus 3.2 contains the following new features:

- Experimental IPv6 support
- Improved bandwidth throttling
- Extended nessusd.rules to add support for ports and plugins
- New command 'nessuscmd' which lets you do a quick command-line scan
- Improved NASL engine
- Easy-update: Nessus can now update its own engine through the use of a single command (nessus-update)

Detailed information about these features is available on the download site.

Thanks for testing this release and sending your feedback to deraison (at) nessus.org.

More Thoughts on the Stolen Seton Laptop

Tonight at dinner, I was thinking about that laptop that was stolen from Seton hospital last week.

Let’s assume for a second that the thief wasn't just after high-priced hardware. Yes, he stole a laptop and he can get money for it just as a simple laptop. But if you just wanted to steal a laptop, would you walk into a corporate building that is guarded with security officers, cameras and other security features? Maybe, but you could just hang out at a local coffee shop and grab one...or walk around a parking lot and find a laptop sitting in the back of a car. Parking lots and coffee shops have fewer cameras and are filled with people who aren’t thinking about physical security. They are easy targets and the chance of being caught in the long run is reduced.

So why chance breaking into a corporate office? I can think of a couple reasons.
  • The first type of thief is just after the easy money. They may have cased the joint and are pretty aware of the security measures in place. They have done their homework to reduce the risk of the attack, but they feel that the quality of the equipment outweighs the risk of the increased security. These types of attackers might check for easy data access but in the end, they just want to dump the equipment for the easy money.
  • The second type of thief is much scarier. They know that easier targets exist, but they aren’t just after the equipment. They are after what that equipment contains….the data. These types of attackers may have the skill to look deep into the computer and work to crack passwords. They aren’t just looking for personal data, they are looking for anything that could be sold on the black market or used to further pwn the target company - VPN keys, saved network passwords, text files that contain network device passwords, saved SSH passwords, outdated software on the computer that may have known vulnerabilities, etc. This type of information could allow the attacker to build a targeted attack in the near future and perhaps own the entire corporate network undetected.

While companies report on attackers of both types, IT security is worried about the second type more. The personal data is gone….that is done. But if they don’t force that user to change all their passwords right after the attack, they are putting their whole network at risk. And in the end that is more important to the security of the company than the names of 8000 people.

Julie Amero Gets New Attorney

Via norwichbulletin.com -

NORWICH -- Sentencing could be postponed for the former substitute teacher convicted of exposing her seventh-grade students to pornographic images on a middle school classroom computer.

At the same time, the husband of convicted teacher Julie Amero has written several entries in an Internet site that is accepting contributions for her legal defense.

Attorney John Cocheo, who defended Amero last month during her trial in Norwich Superior Court, said Wednesday he has enlisted aid from New Haven attorney William Dow before the March 2 sentencing and the appeal process. Amero faces up to 40 years in prison.

"He's one of the top lawyers in the state," Cocheo said of Dow.

A formal request for a postponement will be submitted to Judge Hillary Strackbein, he said, to allow Dow time to become familiar with the case. He expects a response by next week.

Cocheo said he thinks Dow has agreed to enter the fray of the highly publicized case because "he sees it as an injustice that this happened. I think it's a moral issue for him."

Dow did not return calls Wednesday for comment. Cocheo said Dow has offered to perform work for free.

Amero's husband, Wes Volle, is using an Internet site to appeal for money to pay her legal fees.

"Julie and I can't afford to fight this battle on our own. Our expenses have been in excess of $20,000 to date," Volle writes.

--------------------------------------------

This is good news. If you need some background on this story, check my other blogs on this subject - here & here.

Check out fellow blogger and friend, Alex @ the SunBelt blog for more details as well. Alex has been doing heaps to get this out into the public eye and has also been helping on the case.

Laptop Stolen from Local Hospital Contains Information on 8K

Via News8Austin (local) -

Nearly 8,000 uninsured patients who were treated at Seton hospital system facilities are being warned to watch for signs of identity theft.

A laptop containing personal information was stolen last week from an office in the system's information services department in Austin.

A security camera captured video of the thief carrying out a laptop and projector and that information has been provided to the Austin Police Department.

A Seton system official says the computer doesn't contain patient health information. But it can contain names, birthdays and Social Security numbers of uninsured patients who went to Seton-owned emergency rooms, outpatient services and area health clinics since July 2005.

However, the information isn't easily available because it is protected by a “complicated password protocol.''

Seton plans to send letters beginning this week to affected patients. The hospital system has set up a toll-free number and website for anyone seeking more information: (888) 325-3456.

-----------------------------------------

However, the information isn't easily available because it is protected by a “complicated password protocol.''

Ummm, this is a perfect example of what I was talking about in my blog this morning.

This single sentence makes me assume that if the data was encrypted, they would have said that...instead of talking about the "complicated password".

Hopefully they aren't referring to the Windows login password.

Do you think they disabled LM hashes? Or do you think the password was long enough to ensure LM hashes were not created? If they are talking about the Windows password, then the attacker could easily throw the laptop drive as a secondary drive on a desktop....and

Bang! Pwnage.

Getting Hacked via RSS

Via ComputerWorld -

Users of Web feed services such as Really Simple Syndication (RSS) and Atom might want to make doubly sure they are not downloading malicious code along with their favorite Web content.

That's because the growing use of Web feed readers and the proliferation of content-aggregation sites are giving hackers a really simple way to deliver keystroke loggers, Trojan horses and other malware onto their computers, security analysts warn.

The feed-hacking threat is not particularly new. However, the severity of the problem could be rising as feed services begin moving into the mainstream, said Ray Dickenson, vice president of product management at Authentium Inc., a Palm Beach, Fla.-based security vendor. "Malware authors are just taking advantage of the interconnectedness of Web 2.0" to distribute their code more efficiently, he said.

Web feed services such as RSS allow Web content from multiple sources to be aggregated and automatically delivered to a desktop without requiring the user to actually visit any of the content-providing sites. Users simply subscribe to syndicated news and content feeds. Then, feed readers and content aggregators regularly check the feeds for updated content on the users' behalf -- and automatically push it out to the user when something new is found.

The security problem arises from the fact that many RSS and Atom-based feed readers and aggregators simply pull in the content from the source without first checking to see whether it might contain malicious code, said Michael Sutton, security evangelist at SPI Dynamics Inc., an Atlanta-based Web application security vendor.

------------------------------------------

On another RSS hacking note, several years ago I bounced an idea off some of my friends in India. E-mail worms were huge at that time and I figured that sooner or later someone would use a News RSS feed to create dynamic e-mail headers and content to help the worm spread.

Basically, each time it runs on a new host, it would attempt to pull down a fresh news story and use that to send the next batch of virus-lined e-mails. Of course, it would have to have a small number of static stories and headlines just in case it couldn't connect. But with a large number of news feeds from all over the world, it would create a pretty big show for the security world.

But to my surprise, I still haven't seen an e-mail based virus use this technique to spread.

Cracking Weak Vista Passwords With Ophcrack & Cain

Have you ever read an article about a company losing a laptop? Somewhere in that article the company claims that the computer is protected with a password. This is exactly why that sentence doesn't matter...unless the data or the whole file system is encrypted. Even then the data is at risk, but it is less of a risk.

Virtual/cyber security is useless without physical security. If the hacker physically owns your computer...it isn't your computer anymore and neither is the data.

Check out this video over at IronGeek for all the illustrated glory.

IronGeek - Cracking Windows Vista Passwords With Ophcrack And Cain

Wednesday, February 21, 2007

How to Crash An In-Flight Entertainment System

Via csoonline.com -

One of the most interesting examples of a software "abuse case" came to me rather abruptly on an airplane flight from Las Vegas to Orlando in mid 2005.

Each seat in the airplane had a small touch screen monitor built into the head rest of the chair in front, and on this particular airline, passengers could watch a variety of television channels and play a few simple games. One such game looked remarkably similar to the classic strategy game Tetris, where players use their skills to manipulate falling blocks on a screen to try and form horizontal lines. I'm a big fan of Tetris; for a few months in 1998 I was borderline obsessed with it. I would start looking at everyday objects and start mentally fitting them together with other things in the room to form weird line configurations. One of the options on this particular airborne version of Tetris was to alter the number of blocks one could see in advance on the screen before they started falling.

To give myself the biggest advantage in the game, I pressed the + control as many times as it would allow and got to the maximum value of 4. I then put my "bad guy" hat on and asked: How *else* can I change the value in this field? Near my armrest was a small phone console; you know, the one where you can make very important calls for a mere $22 per minute. I noticed that the phone had a numeric keypad and that it also controlled this television monitor embedded in the seat in front of me.

I then touched the screen in front of me to highlight the number "4" in the options configuration shown in Figure 1. I tried to enter the number 10 into that field through the phone keypad with no luck: it first changed to the number "1" followed by the number "0". Frustrated, I then made the assumption that it would only accept single digit values. My next test case was the number "8"; no luck there either, the number didn't change at all. I then tried the number 5: success! '5' is an interesting test case; it's a "boundary value" just beyond the maximum allowed value of the field, which was '4'. A classic programming mistake is to be off by 1 when coding constraints. For example, the programmer may have intended to code the statement:

0 < value < 5

When what actually got coded was

0 < value <= 5

I now had the software exactly where I wanted it, in an unintended state; the illegal value 5 was now in my target field. I then turned my attention back to the screen and hit the + button which, to my complete surprise, incremented the value to 6! Again, an implementation problem: the increment constraint probably said something like "if value = 4 do not increment." In this case, the value wasn't 4 but 5, so it happily incremented it to 6! I then continued to increment the value by pressing the + button until I got to 127, and then I paused for a moment of reflection. 127 is a very special number; it is the upper bound of a 1 byte signed integer. Strange things can happen when we add 1 to this value, namely that 127 + 1 = -128! I considered this for a moment as I kicked back a small bag of peanuts and, in the interest of science, I boldly pressed the + button once more. Suddenly, the display flashed -128 just for an instant and then poof...the screen went black.

Poof...screen of the person next to me goes black.

Screens in front of me and behind me go black.

The entire plane entertainment system goes down (and thankfully the cascading system failure didn't spill over to the plane navigation system)!

After a few minutes of mumbling from some of the passengers, a fairly emotionless flight attendant reset the system and all was well. I landed with a new-found respect for the game of Tetris and consider this to be the most entertaining version of it I have ever played.
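The two defects the article walks through, written out as an added C example (not code from the CSO article or from the entertainment system; a hypothetical reconstruction of a 1-byte signed "lookahead" counter with names I chose): the off-by-one range check that lets 5 in, the equality-only increment guard that then never stops, and the wrap from 127 to -128, beside a hardened version of the same two functions.

```c
#include <stdint.h>

#define LOOKAHEAD_MAX 4  /* the game's intended maximum, as stated in the article */

/* Buggy logic modelled on the article (hypothetical reconstruction): the entry
 * check is off by one (<= 5 instead of < 5) and the increment guard tests for
 * exactly 4 rather than "at or above 4". */
int buggy_set(int8_t *field, int entered)
{
    if (entered > 0 && entered <= LOOKAHEAD_MAX + 1) {  /* off by one: 5 accepted */
        *field = (int8_t)entered;
        return 1;
    }
    return 0;  /* 8 and 10 are rejected, as in the article */
}

void buggy_increment(int8_t *field)
{
    if (*field == LOOKAHEAD_MAX) return;  /* only an exact 4 is stopped */
    /* 1-byte signed counter: 127 + 1 converts back to int8_t as -128
     * (implementation-defined; two's complement on gcc/clang) */
    *field = (int8_t)(*field + 1);
}

/* Hardened logic: one closed range [1, LOOKAHEAD_MAX] on both paths, and the
 * increment saturates instead of relying on an equality test. */
int safe_set(int8_t *field, int entered)
{
    if (entered < 1 || entered > LOOKAHEAD_MAX) return 0;
    *field = (int8_t)entered;
    return 1;
}

void safe_increment(int8_t *field)
{
    if (*field < LOOKAHEAD_MAX) *field += 1;
}

/* Replays the article's sequence on the buggy code: type 5 on the keypad, then
 * press + n times. Returns the value the display would show. */
int replay_buggy(int presses)
{
    int8_t v = LOOKAHEAD_MAX;
    buggy_set(&v, 5);
    for (int i = 0; i < presses; i++) buggy_increment(&v);
    return v;
}
```

Note that the wrap is reached only because the first check let an out-of-range value through; fixing either defect alone would have changed the outcome, which is why both paths should share one range check.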

Serious Flaw in Google Desktop Prompts Patch

Via SecurityFix -

Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software.

For the uninitiated, Google Desktop is free software that sits on your computer and indexes your e-mail, chat conversations, documents and previous Web searches to make them easy to find. But according to a discovery last year by Waltham, Mass., security company Watchfire, attackers could hijack a user's sensitive data in older versions of the software.

This flaw appears to be quite dangerous, but the mechanics of it and the steps the bad guys would need to take seem complicated. Anyone who wants to learn more about this flaw should check out Watchfire's research paper here. There also is a longish video that provides a real-world example of how an attack could work.

----------------------------------------

Unlike Brian over at SecurityFix, I have been avoiding this application like the bird flu and have never installed it on anything ever. While I agree that security is a trade-off, I guess I just never need to find stuff that bad. I like to always know where my stuff is...in the first place.

Google is a great company and I like most of their products, but in a corporate world....I just see this application as an unnecessary risk, and I have been saying this since Feb 2006.

But hey, to each his own....

TJ to the Maxx - Hacking Exposure Widens

Via News.com -

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.

The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

Apple OS X ImageIO "gifGetBandProc" Integer Overflow

http://security-protocols.com/sp-x39-advisory.php

Overview:
An integer overflow vulnerability exists within ImageIO when processing a malformed .gif file. This allows an attacker to cause the application to crash and/or to execute arbitrary code on the targeted host.

Technical Details:
When decompressing a specially crafted .gif file, the gifGetBandProc function within ImageIO incorrectly parses the malformed data causing the application to segmentation fault.

Vendor Status:
Apple was notified on 9/8/2006

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/sp-x39-advisory.php
http://security-protocols.com/poc/sp-x39.gif
http://security-protocols.com/poc/sp-x39-source.gif
http://apple.com

Month of PHP Bugs - March

Via SecurityFocus -

Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming "Month of PHP bugs" initiative, and common mistakes in the design of well-known applications such as WordPress.

--------------------------------------

I think there are enough bugs in PHP to make a "Decade of PHP Bugs"

Drive-By Pharming

Posted on the Symantec Website by Zulfikar Ramzan

I wanted to talk about a recent new attack, called Drive-By Pharming, which I co-developed with Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics. It allows attackers to create a Web page that, simply when viewed, results in substantive configuration changes to your home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed (no matter what Web address you direct your Web browser to).

I believe this attack has serious widespread implications and affects many millions of users worldwide. Fortunately, this attack is easy to defend against as well. In this blog entry, I’ll describe the attack, mention some prior related work, and then go over best practices.

Tuesday, February 20, 2007

Exposing a Myspace Script Kiddie

Via The MonKey juNGle -

I'm not a huge myspace fan. I had a profile for awhile, but recently bailed on the whole thing. A few days ago I was checking out the myspace page for Radio Discon and I noticed that a comment had just been made from a friend of the station that obviously was not real.

-------------------

Check out the link above for all the details on what he found....

Poll: Spy Agencies Least Trusted Federal Agencies

Via Govexec.com -

The CIA, Homeland Security Department and National Security Agency are the least trusted federal agencies when it comes to protecting Americans' privacy, according to a new study by the Ponemon Institute.

The annual survey, which will be released Wednesday, asked more than 7,000 citizens whether they believe the government takes appropriate steps to safeguard personal information. Answers were mixed, but the overall trend suggested a decline in public trust since the think tank first studied the issue in 2004.

The NSA has suffered a substantial flogging by lawmakers and privacy advocates amid questions in the past year over its domestic spying in search of terrorists. It also was revealed recently that the CIA has been utilizing a special subpoena power of the 2001 anti-terrorism law known as the USA PATRIOT Act to comb bank and credit-card records.

Homeland Security and the Transportation Security Administration, which were evaluated separately in the survey, have experienced their fair share of controversy over the mining of information from government and commercial databases and a program that screens travelers entering the United States.

After last year's massive breach of more than 27 million military personnel's data, furthermore, the Veterans Administration fell from a top-five ranking in 2006 to just outside the bottom five in the 2007 Ponemon study.

Attorney General Alberto Gonzales' office also was among the least trusted of the 74 federal entities included in the poll.

"There's a clear correlation between bad publicity and poor privacy trust performance," survey author Larry Ponemon said. Previous studies "lacked a big headline negative event," whereas this time, there were several.

"Initiating more transparent operations and communications with the public is often the first step toward repairing damaged trust, but for obvious reasons, those are not options that agencies like the CIA or NSA can take," Ponemon said. The confidential nature of the agencies' operations "will always carry a certain cloud of mistrust with some."

----------------------------------------------

As much as I agree that some things need to change...others need to be updated, overall I think this poll shows the big disconnect between those in the know and those that are not. As a member of the general public, I consider myself one of those not in the know.

There are people that have served in these agencies that have given everything to protect the way of life that most of us take for granted every day. There is no award, or public thank you waiting for them....only silence, secrecy and maybe a nameless star on the wall.

So as a member of the general public that isn't in the know, let me say "Thank you" to those guys & gals doing things that can't be talked about.

Jihad al-Bina Designated By DOT

Via CT Blog -

On February 20, the U.S. Department of the Treasury designated Jihad al-Bina, Hizballah’s construction company in Lebanon, effectively shutting the terrorist group’s firm out of the international financial system. While the designation will not take effect at the United Nations—sanctions under UN Security Council Resolution 1267 only target elements associated with al-Qaeda or the Taliban, to the exclusion of any other terrorist groups—international lenders and donors, including financial institutions, NGOs, and governments, are unlikely to want to assume the reputational risk of working to rebuild Lebanon in partnership with Hizballah instead of the Lebanese government. Moreover—and contrary to conventional wisdom—the designation presents a rare public diplomacy opportunity in the battle of ideas in the war on terror.

The full article can be found here.