Skip to main content

Posts

Showing posts from 2008

Gimmiv worm strikes Windows

That didn't take long, did it? Apparently Microsoft released their "out of band" patch in a hurry because they had already seen exploits "in the wild" for this defect. They guessed a worm couldn't be far behind, and they were right. Gimmiv: New worm feeds on latest Microsoft bug The cycle of patching will never fix this problem. If you are a CIO or manager of an enterprise or government network which has been hit by new worms this week, contact Intrinsic Security to discuss FireBreak AntiWorm. Worms are detected instantly and trapped without signatures.

Microsoft's "Out of Band" Security Bulletin

Microsoft plans to issue an "out of band" patch today, e.g. a patch released on a day other than "Patch Tuesday". Microsoft Security Bulletin Advance Notification Thw defect, which hasn't been publicly described just yet, apparently exists in every version of Windows that anyone who is likely to patch anything actually uses: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista. Microsoft describes this update as "critical" which means they know it can be remotely exploited without user intervention (and without exploit chaining, which they don't yet consider to be critical.)

DNS flaws expose many services (exploit chaining with old defects)

The flaws discovered in DNS recently by Dan Kaminsky have existed for years. He linked several of them together, a concept known as " exploit chaining " to reveal a much more serious flaw. His technique makes it possible to hijack and misdirect a user's web browser to a malicious web site, even in cases where the user types the correct URL. ' That, of course, completely makes a fool of Verisign's Ken Silva, chief technology officer, who's been running around to the press saying irresponsible if not utterly foolish things like: "We have anticipated these flaws in DNS for many years and we have basically engineered around them." Kudos to Mr. Kaminsky, for working in private with the major vendors of DNS server software, who had patches ready to go before the flaw was announced. This kept the script kiddies from having a field day with the vulnerabilities, which were endemic to nearly all DNS servers. Apparently there remain some issues not yet addr...

Secrets, Lies, and Email Passwords

British hacker Gary McKinnon apparently was able to crack over 90 computer systems at various government agencies of the United States, including NASA, the U.S. Army, the U.S. Air Force, and the Department of Defense in 2001 and 2002. He was apparently hunting for secrets about aliens. No, he wasn't searching for illegal immigrants, but rather, aliens from outer space. He believed that the U.S. government was hiding evidence that these aliens exist, and maybe hiding materials and bodies of dead aliens, as well. I hope that if he's extradited and then tried, the judge goes easy on him. Yes, he's guilty of embarrassing several U.S. government agencies by breaking into their computer systems and rifling through data. It shouldn't have been so easy for him to do. The layers of management who didn't take network and information system security seriously until 9/11 will not be on trial, and they certainly bear partial responsibility for contributing to this probl...

Hands-on SQL Injection - Show me!

Security training for application developers is an under-funded activity in most of the organizations that build software. Fixing security defects in custom applications remains an underfunded activity, even after defects are identified. Why does this continue to be the case? It can be easier to find defects for a customer in a security penetration test than it is to convince the customer that the problem is serious enough to fix. Sometimes this is because the incentives are messed up. I'm not the only person who has observed that the Federal Information Security Management Act (FISMA) seem to have given Federal agencies a much higher incentive to find problems and write lengthy, complicated reports on those problems, than to fix them. Other times, managers may not understand the technical details of various vulnerabilities, or may be interested in a certain category of defects, while wearing blinders to other types of defects, particularly outside their comfort zone. If ...

Microsoft Fingerprint Reader - The Fine Print

If you haven't noticed, somehow lately computer keyboards and laptops in the Windows PC world are sporting a little pad for reading fingerprints. Notice the fine print at the bottom of this page, which I'll quote here in case it goes away: Microsoft Fingerprint Reader "The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities." Why do you suppose Microsoft and all those hardware makers would go to all the trouble to add a fingerprint reader to laptops and keyboards, and then advise you not to use it? Probably because they know something that the average consumer probably doesn't: these devices can be spoofed. It's only a matter of time before there are clear, step by step instructions available on the internet for lifting a fingerprint and applying it to a model finger for spoofing purposes. H...

Rogue DNS

I haven't seen the original paper, but this article claims that researchers at Google and Georgia Institute of Technology estimate that there are 68,000 rogue DNS servers on the net. Use of Rogue DNS Servers on Rise Rogue DNS is one of the services provided by the zillions of malware, virus, worm, and rootkit infested zombie PC systems on the internet at any given time. The interesting part of this trick is that zombie PC systems might get "cleaned up" after an infestation has been detected, but their DNS configuration might (OK, probably does in nearly every case) remain pointing to a rogue DNS server, which occasionally, but not always, provides fraudulent data back to requesting clients. This is yet another reason why infested PC systems must be re-installed from clean original media whenever possible, in case you didn't have enough reasons already. The paper: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority David Dagon, Chris Le...

Swatting - 911 and telephony systems are defective

Several publications are running stories this week about Swatting , an extension of a prank phone call, which has the aim of eliciting response from emergency response teams, including SWAT (Special Weapons and Tactics) teams. The prank calls are made to 911 operators, who are tricked into dispatching SWAT, police, or other response units on the basis of false information. Obviously social engineering is peformed as well, operators are told of bomb threats, killings or hostages. According to some accounts, some type of caller id spoofing might be used in some of the Swatting calls, which have been directed at 911 operators in over 60 cities by the five people arrested thus far. Several stories make a point to state that 911 systems are not defective, such as this otherwise excellent story, Swatting - a dangerous new game by KSBW TV in California which reports that the masochistic pranksters are not "exploiting any real technical flaws in the 911 system" and that these sy...