ZDI-09-041: Microsoft Internet Explorer 8 Rows Property Dangling Pointer Code Execution Vulnerability
ZDI-09-040: Microsoft Office Excel QSIR Record Pointer Corruption Vulnerability
ZDI-09-039: Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability
ZDI-09-038: Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability
Breaking News
Subscribe to the EC-Council | Security Channel and learn about some of the hottest topics and latest trends in the security space, via webcast.
To subscribe to the Channel, click HERE.
You will get automatic updates and reminders on the webcasts that are scheduled.
Webcast Schedule for June 2009
June 4, 2009 (View HERE). Topic: Harnessing SIEM for More Effective Investigations. Presenter: Eric Knight, CEH | LogRhythm Inc
June 11, 2009 (Register HERE). Topic: Steps to Implementing ISO 27001. Presenter: Eric Lachapelle, CEO | Veridion Inc
June 18, 2009 (Register HERE). Topic: Importance of Risk Management in Governance & Compliance. Presenter: Sanjay Anand, Chair | The GRC Group (aka SOX Institute)
June 25, 2009 (Register HERE). Topic: Conficker - Why It Happened, and How We Can Prevent It From Happening Again. Presenter: Mark Harris, Director | Sophos Labs
EC-Council Certified Members attending these webcasts will earn 1 ECE credit
Microsoft Updates for Multiple Vulnerabilities
Adobe Acrobat and Reader Vulnerabilities
Anybody who reads my diaries has long since figured out that I am a big fan of the Sysinternals tool ...(more)...
"The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 2^63, the researchers have been able to whittle that down to 2^52, a number that puts practical...
Three prominent news organizations reported on a scam email message that didn't come from the SEC. Why is this newsworthy and what can we learn from it?
‘Hide the ball’ suspended
Symantec and McAfee have agreed to pay $375,000 apiece to settle charges they charged fees against customer credit cards without authorization.…
Whitepaper - Creating portals with Office Sharepoint: put an end to the information free for all
Reuters - BOSTON (Reuters) Microsoft Corp is getting ready to unveil a long-anticipated free anti-virus service for personal computers that will compete with products sold by Symantec Corp and McAfee Inc.
PC World - Antivirus vendors Symantec and McAfee have agreed to pay the New York Attorney General's office US$375,000 in fines to settle charges that they automatically charged customers software subscription renewal fees without their permission.
United States Customs and Border Protection (CBP) policy permits officials to search the laptops and other electronic devices of travelers without suspicion of wrongdoing, according to a Freedom of Information Act (FOIA) request filed today by the American Civil Liberties Union. The ACLU filed the FOIA request with CBP, a component of the Department of Homeland Security (DHS), to learn how CBP's suspicionless search policy, first made public in July 2008, is impacting the constitutional rights of international travelers.
"Based on current CBP policy, we have reason to believe innumerable international travelers – including U.S. citizens – have their most personal information searched by government officials and retained by the government indefinitely," said Larry Schwartztol, staff attorney with the ACLU National Security Project. "The disclosure of these records is necessary to better understand the extent to which U.S. border and customs officials may be violating the Constitution."
In July 2008, CBP issued its "Policy Regarding Border Search of Information," which permits CBP to subject travelers to suspicionless searches of information contained in documents and electronic devices, including laptop computers.
According to the ACLU's request, giving the government unchecked authority to search travelers' personal documents and electronic devices is a violation of Fourth Amendment privacy rights and the First Amendment freedoms of speech, inquiry and association.
The owner of a company called LX Labs killed himself this week, a day after one of the firm's big customers in the U.K. was hacked. The death appears to have been unrelated to the hacking, but it has added pathos to an already serious incident.
One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it:
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system. The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
Via News.YC, a deep dive on the TLS handshake that’s more good than bad, and a recommended read if you’re lucky enough not to have to know this stuff. At the end of this article, and in the YC discussion, an interesting issue: why RC4 vs. AES? TLS can do both.
RC4 is an older stream cipher. AES is a newer block cipher. Block ciphers encrypt in multi-byte chunks (AES’s block size is 16 bytes). Stream ciphers encrypt byte by byte. You might therefore assume RC4 was more convenient to use than AES. RC4 is also simpler than AES, and significantly faster on some benchmarks.
But the practical difference between the two is that you shouldn’t be using RC4. RC4 has significant weaknesses, some of which have contributed to serious breaks in 802.11 security.
The industry “knows” this. So why does RC4 keep popping up? Here’s a theory.
Stream ciphers seem like what you’d want if you were building crypto into a protocol. Most protocols send variable length messages. Block ciphers force you to think about how to fit those messages into fixed-size blocks.
RC4 is a famously simple algorithm. Extremely easy to implement.
There are lots of other stream ciphers. The eSTREAM project has spent the past several years conducting Stream Cipher Thunderdome, in which seven (7) ciphers remain standing despite the best efforts of full-time academic cryptographers. One of them, Trivium, is comparably simple to implement in C.
But nobody knows anything definite about these ciphers. You can still get fired for picking one of them.
It seems simpler to fit RC4 into a protocol than AES. But it’s remarkably easy to make AES act like a stream cipher: run it in Counter mode (CTR).
In CTR, you don’t use AES to encrypt your plaintext. You use it to encrypt a concatenated (say) 96 bit nonce and (say) 48 bit counter to generate a keystream, which you simply XOR into your plaintext. Every time you run out of keystream, you increment the counter and generate more of it. This is secure as long as the counter doesn’t cycle and the nonce is never reused for a new stream.
CTR turns block ciphers into stream ciphers.
CTR actually has practical benefits over RC4; because the keystream is generated by a counter, you can seek to an arbitrary point in the stream and start decrypting.
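Counter mode as the paragraphs above describe it, written out as an added Go example (not code from the linked article): each keystream block is the AES encryption of a 96-bit nonce concatenated with a 32-bit big-endian counter (so the pair fills one 16-byte block), the keystream is XORed into the data, and decryption can begin at an arbitrary byte offset because only that offset's counter value is needed. The key and nonce are constructed demo values, and the function refuses to run past the counter's range rather than repeat keystream under the same nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ctrBlock returns keystream block number ctr: AES-encrypt(nonce || ctr), with a
// 96-bit nonce and a 32-bit big-endian counter filling the 16-byte AES block.
func ctrBlock(blk cipher.Block, nonce [12]byte, ctr uint32) [16]byte {
	var in, out [16]byte
	copy(in[:12], nonce[:])
	binary.BigEndian.PutUint32(in[12:], ctr)
	blk.Encrypt(out[:], in[:])
	return out
}

// ctrXORAt XORs the CTR keystream into data, treating data as the part of the
// stream that starts at byte offset off. Each block depends only on its counter,
// so decryption can start anywhere; the same call both encrypts and decrypts.
func ctrXORAt(key []byte, nonce [12]byte, off uint64, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	var ks [16]byte
	cur := uint64(1) << 32 // sentinel: no keystream block cached yet
	for i := range data {
		pos := off + uint64(i)
		idx := pos / 16
		if idx >= 1<<32 { // a wrapped counter would repeat keystream: refuse
			return nil, fmt.Errorf("offset %d exhausts the 32-bit counter", pos)
		}
		if idx != cur {
			ks, cur = ctrBlock(blk, nonce, uint32(idx)), idx
		}
		out[i] = data[i] ^ ks[pos%16]
	}
	return out, nil
}

// xorBytes shows the nonce-reuse hazard: two ciphertexts made under the same key
// and nonce XOR to p1 XOR p2, the shared keystream cancelling out entirely.
func xorBytes(a, b []byte) []byte { // assumes equal-length inputs
	x := make([]byte, len(a))
	for i := range x {
		x[i] = a[i] ^ b[i]
	}
	return x
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	nonce := [12]byte{'d', 'e', 'm', 'o', '-', 'n', 'o', 'n', 'c', 'e', '0', '1'}
	ct, _ := ctrXORAt(key, nonce, 0, []byte("variable-length message, no padding needed in CTR mode"))
	part, _ := ctrXORAt(key, nonce, 20, ct[20:36]) // seek: decrypt bytes 20..35 only
	fmt.Printf("%q\n", part)
}
```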
This is extremely well known to practitioners, and blessed by the 4 cryptographers at NIST. But a friend of mine recently asked a room full of developers how many knew the difference between ECB and CBC (a much more basic question). Almost no hands.
You need to encrypt variable length data. No modern stream cipher escapes the “exotic” stigma. Nobody wants to be the developer who picked FROG or MAGENTA instead of Rijndael before AES. Meanwhile, you don’t “get” block cipher modes. What are you left with?
A bad algorithm that still occasionally gets used in real designs.
I suppose I’d argue that if you see a bespoke crypto design, and it dates from after 2000, and it uses RC4, that’s an audit flag.

Via The Missoulian Online (Missoula, Montana).
When Don Luke saw a tall former Marine Corps drill instructor walk into the Wells Fargo Bank on Russell Street on Monday, a light clicked on.
“He looked very familiar,” Luke said. “I watch the History Channel a ton.”
Sure enough, it was R. Lee Ermey, star of the network's “Mail Call,” with a line of movie credits that stretches back to the 1970s.
Ermey, in Missoula this week to shoot a segment for his upcoming series “Locked and Loaded,” had been driving with crew member Harlan Glenn to a Fort Missoula museum when he spotted something black lying on the blacktop.
On closer examination, it turned out to be a bank deposit bag. Ermey stopped the car and picked it up.
“We look in there and - Lord have mercy,” he said.
The bag contained a pile of dough: cash and checks that looked like they were meant for deposit in an American Indian fund of some sort.
“Just on one deposit slip alone was, like, $3,700, and another one for $2,800,” Glenn said. “There was easily $8,000 in cash, and the rest in checks.”
Ermey said his first thought was: “Some poor guy, right now, is probably getting fired, probably having the worst day of his life.
“So what we did was we went right down to the Wells Fargo bank and deposited it for him.”
Yet another critical Adobe flaw - when will people learn that Adobe Acrobat is a meta-vulnerability?
PC World - Computers infected with malicious software remain a big headache for ISPs, but two companies have designed systems that have made the problem much more manageable.
LinuxSecurity.com: This bugfix release makes it possible to pass additional options to the ntpdate utility (and, for releases lacking it, to the ntpd server) through the /etc/sysconfig/ntpd file when starting the ntp service.
The New York Times reports that China will start requiring censorship software on PCs. One interesting quote stands out:
Zhang Chenming, general manager of Jinhui Computer System Engineering, a company that helped create Green Dam, said worries that the software could be used to censor a broad range of content or monitor Internet use were overblown. He insisted that the software, which neutralizes programs designed to override China’s so-called Great Firewall, could simply be deleted or temporarily turned off by the user. “A parent can still use this computer to go to porn,” he said.
In this post, I'd like to consider the different capabilities that software like this could give to the Chinese authorities, without getting too much into their motives.
Firstly, and most obviously, this software allows the authorities to do filtering of web sites and network services that originate inside or outside of the Great Firewall. By operating directly on a client machine, this filter can be aware of the operations of Tor, VPNs, and other firewall-evading software, allowing connections to a given target machine to be blocked, regardless of how the client tries to get there. (You can't accomplish "surgical" Tor and VPN filtering if you're only operating inside the network. You need to be on the end host to see where the connection is ultimately going.)
Software like this can do far more, since it can presumably be updated remotely to support any feature desired by the government authorities. This could be the ultimate "Big Brother Inside" feature. Not only can the authorities observe behavior or scan files within one given computer, but every computer now becomes a launching point for investigating other machines reachable over a local area network. If one such machine were connected, for example, to a private home network, behind a security firewall, the government software could still scan every other computer on the same private network, log every packet, and so forth. Would you be willing to give your friends the password to log into your private wireless network, knowing their machine might be running this software?
Perhaps less ominously, software like this could also be used to force users to install security patches, to uninstall zombie/botnet systems, and perform other sorts of remote systems administration. I can't imagine the difficulty in trying to run the Central Government Bureau of National Systems Administration (would they have a phone number you could call to complain when your computer isn't working, and could they fix it remotely?), but the technological base is now there.
Of course, anybody who owns their own computer will be able to circumvent this software. If you control your machine, you can control what's running on it. Maybe you can pretend to be running the software, maybe not. That would turn into a technological arms race which the authorities would ultimately fail to win, though they might succeed in creating enough fear, uncertainty, and doubt to deter would-be circumventors.
This software will also have a notable impact in Internet cafes, schools, and other sorts of "public" computing resources, which are exactly the sorts of places that people might go when they want to hide their identity, and where the authorities could have physical audits to check for compliance.
Big Brother is watching.
I'm selling my laptop on eBay. It's basically new, although the box has been opened. I wanted to downgrade the OS, but learned that one of the key drivers -- it controls the camera and the hibernate function -- was only available for Vista.
So it's up for sale, at a good price.
ETA: It's been sold.
Security is only as strong as your weakest link.
Everyone has heard this. It seems obvious. Yet, people repeatedly fail at understanding it.
Recently, a startup called "StrongMail" offered a $10k competition to hack their CEO's webmail account. They give you the CEO's password. Their hook is that they also authenticate by calling you back on the phone, so knowing the password isn't enough. Hackers broke in and claimed the reward using a typical cross-site-scripting attack.
When conceding, StrongMail said this:
It is important to note that the front end protection offered by StrongWebmail.com was not compromised. In fact, Lance [James] and his team were forced to find a way around the phone authentication. We are working with our email provider to solve this vulnerability and ensure that the backend email software is more secure.
This misses the point. The flaw used to crack the system wasn't something rare or unusual, it was instead the most common flaw in web applications. It is a type of flaw that was first exploited over a decade ago in webmail applications.
At the same time, all webmail providers can fix flaws like this within hours, not wait weeks for some other organization to fix the flaw.
This is like advertising you have elite commandos protecting the front door of your bank, yet leaving your back door open. Sure, no other bank has commandos, yet no other banks leave their back door open, either.
Nobody cares about the strength of your strongest feature. What people care about is the strength of your weakest feature. By this measure, StrongMail is less secure than any other e-mail system and you would be a fool to rely upon it. It doesn't matter how strong their strongest link is when they have so many weak links.
UPDATE:
By the way, the simple fact they had this contest in the first place means they cannot be trusted. It's a magic trick most frequently used by snake-oil salesmen.
Last night I realized there was one more step needed to restore my 2002-2006 archive. All of my references into that archive from this blog, which started in December 2006, had to be redirected. What’s more, they had to be remapped. Old URLs like http://weblog.infoworld.com/udell/2006/12/04.html#a1571 had to become new URLs like http://jonudell.net/udell/2006-12-04-hunting-the-elusive-search-strategy.html.
Even without the remapping, it’s not obvious how to do a simple search and replace (say, from weblog.infoworld.com/udell to jonudell.net/udell) across a set of blog entries. I tried the export/edit/import route, but — at least in the case of WordPress — that doesn’t seem to be a way to update existing stuff.
So I wound up writing a script that uses the MetaWeblog API to fetch my current blog entries, find references to the old namespace, adjust them to point to the new namespace, and update the entries. It’s here for my own future reference, and for yours if you need it.
As always in these situations, I end up wondering what a civilian would do. Blog publishing systems don’t seem to have bulk search-and-replace capability. They do, however, have APIs. There could be a tool or service that helps people make these kinds of changes. It’d be hard to avoid the password anti-pattern, so if this were a cloud-based service rather than a locally-installed tool you’d want to change your password after using it. But still, it should be doable.
Do such tools or services exist?

Adobe issued its first regularly-scheduled security updates on Tuesday, fixing at least 13 critical flaws reported by outside researchers and secretly patching an unspecified number of bugs found by its own team.
Charles Dunstone, CEO of Carphone Warehouse, has slammed plans by the government to restrict the broadband speed of web users caught illegally downloading.
A high percentage of UK businesses have no idea that the Internet's top-level domains (TLDs) are to be liberalised next year and some of those who do fear it will simply put them at the mercy of cybersquatters, an in-depth survey for domain outfit Gandi has found.
It's been almost 15 years since David Kent first came to Genzyme, a biotech firm headquartered in Cambridge, Mass., that develops medical treatments for ailments such as certain genetic diseases and some forms of cancer. In 1994, the company had less than $200 million in sales and only about 1,000 employees, a stark contrast to its worldwide workforce of 11,000 today and the $4.6 billion in revenue it reported in 2008.
Symantec is urging wireless keyboard users to consider the security of the devices following a project that interpreted keystrokes by analysing the electromagnetic signals produced when keys are pressed.
Security vendor Symantec is so concerned about the potential misuse of a new wireless keyboard sniffer it has put out a warning about the technology.
IT security managers should enable cloud computing by learning how to manage risk, says RSA chief Art Coviello.
Just one third of illegal downloaders would stop their file sharing activities if they received a letter from their ISP, says Wiggin.
With Apple's release of Safari 4, Agile Web Solutions has updated its 1Password software to 2.9.19, adding support for the new version of the Web browser. It's a free update for version 2.x users, and costs $40 for a new license.
Kaspersky Lab has pre-announced its latest all-in-one security suite with the lure that it has packed even more protection layers into one software product.