« June 2008 | Main | August 2008 »

July 2008

07/31/2008

AT&T dropping wireless subscribers who use P2P

This is a less-then-subtle attack on network neutrality. Service providers (including, in this case, wireless network providers) keep confusing providing the network and providing content. Everything that happens on the application layer is, frankly, none of their business. Besides, if they begin attacking p2p users systematically, all they're going to do is force the next generation of software to encrypt its traffic.

From IP Democracy:

AT&T will jettison wireless users that engage in P2P file-sharing over its network, the company said Friday in a letter PDF filed at the FCC (and flagged today by Ted Hearn at Multichannel News). Senior lobbyist Robert Quinn answered a question posed at hearing last week by Republican FCC Commissioner Robert McDowell about the company's policies of managing P2P network traffic on its broadband wireless platform.
uinn said that AT&T's terms of service (as well as the TOS for most other carriers) bars the use of P2P applications on the wireless platform. "Use of a P2P file sharing application would constitute a material breach of contract for which the user's service could be terminated," he said. [From IP Democracy]
, , , , ,

Posted at 05:54 PM in News | | Comments (0)

|

07/30/2008

Metasploit author hacked by metasploit DNS tools

In an interesting turn of events, the controversial release of the BailWicked Metasploit modules has led to BreakingPoint research director and Metasploit author HD Moore getting hacked. We he targeted? Coincidence? Or is it karma?

From NetworkWorld:

HD Moore has been owned. That's hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack.
It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. [From DNS attack writer a victim of his own creation - Network World]
, , , , , , , ,

Posted at 08:01 AM in News, Security, Software | | Comments (0)

|

07/28/2008

BailiWicked Metasploit modules updated for automatic tuning

The Metasploit BailiWicked modules for Kaminsky's DNS vulnerabilities have been updated for automatic tuning.

From the Metasploit blog:

The bailiwicked modules (host and domain) were updated today to include the ability to predict the time window between the outgoing request from the target nameserver and the response from the real nameserver(s). This measurement is used to tune the number of spoofed replies sent by the exploit. The result is a big increase in exploit reliability, especially when the target domain has a ton of nameservers (Yahoo has eight) or changes its responsiveness during the test (BIND tends to slow down when it has a full cache). [From BailiWicked Automatic Tuning]

Posted at 05:54 PM in News, Security | | Comments (0) | TrackBack (1)

|

Evilgrade targets insecure software updates

Infobyte has released a tool that targets insecure online updates. This is a case where I'm not sure that an automated testing tool is actually a good thing -- I'm sure that the problem with many of the exploitable applications is the process itself rather than a bit of insecure code that can be patched or disabled. In that situation, I'm not sure how constructive this tool would be for a pentester or analyst.

On the other hand, if it is used widely enough for illicit purposes, it may put enough pressure on vendors to fix flawed processes. I'm sure the repercussions of this tool will be felt for a long time to come.

From the Metasploit blog:

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit [From Metasploit: Evilgrade Will Destroy Us All]

Posted at 05:07 PM in News, Security, Software, Systems | | Comments (0) | TrackBack (0)

|

New Storm campaign uses FBI access to Facebook as bait

Just what the world needs, another Storm campaign. This is an example of the mixed threat that modern worms such as Storm and Kraken pose. It uses social engineering -- in this case threatening Facebook users' privacy -- to bring victims to a page that launches both browser-based threats (an iFrame attack) and a trojan horse download.

From the Trusted Source blog:

It's another new Storm campaign on the loose, with a minor change in the social-engineering trick. Mail with subjects like "FBI wants instant access to Facebook" is hitting users' inboxes at the moment. If a user follows the trick, he will be presented with the following web site:

50_20080728-Storm_FBIvsFaceBook
As usual the fake web site is hosted on an infected Storm web proxy. The text states that "Your download will start shortly. If you are unable to read the article, save it in and run on your computer". If you follow the lure and click the link you'll end up with an executable named "fbi_facebook.exe". This is the malware - don't run it. Again the malware authors don't just rely on pure social-engineering, the web site also fires a set of browser exploits leveraging known vulnerabilities. [From TrustedSource - Blog - FBI vs. Facebook - Makes Any Sense?]
, , , , , , , , , ,

Posted at 08:37 AM in News, Privacy, Security | | Comments (0)

|

07/26/2008

University of Michigan study details online banking design flaws

A University of Michigan study found that 75% of online banking websites suffer from design flaws then open customers to criminals.

From The IT Security Guy:

This should, of course, come as no surprise to anybody in IT security, particularly those specializing in protecting web sites. But a study released by researchers at the University of Michigan says 75% of banking web sites have design flaws that open online customers to cybercriminals, according to Finextra and CNET. [From The IT Security Guy: Banking Web Sites Still Insecure]

You can read the full study here.

, , , , , ,

Posted at 08:51 AM in News, Security, Trust | | Comments (0)

|

Learning to pentest the safe and legal way

Kees Leune has pointed me towards some excellent pentest training resources, a set of live CD's that provide safe and legal targets for learning the tools included in Backtrack.

From Leune's blog:

I've been keeping an eye open for some other challenges, and I found one at The Last HOPE. One of the speakers mentioned that www.de-ice.net hosts some bootable CD images that are used to teach people pentesting skills. They author of the CD's did a nice job and grouped them in different levels of difficulty. The de-ice CD's are designed to be breakable with the tools included on the Backtrack Live CD.
After downloading the images, I was hooked.
Unfortunately there are only three CD's out at the moment, but I am proud to say that I managed to win all three challenges. I also admit that I needed some help getting the last one; I was unfamiliar with one of the tools used and needed a little hint. With that last hint, I was able to solve the third and final challenge. [From De-ice.net pentesting live CD's - Kees Leune]

, , , , , , , , ,

Posted at 08:40 AM in Security, Software, Systems | | Comments (0)

|

07/25/2008

2008 data breach report released

The Identity Theft Resource Center has released the 2008 Breach List. The 117 page document identifies 377 specific breaches that expose 17,011,691 identities as of July 22. It's a very specific and interesting look into data breaches so far this year.

About the center:

Identity Theft Resource CenterĀ® (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [From Identity Theft Resource Center | A Nonprofit Organization]
Here's the full report.

, , , , , , , ,

Posted at 10:27 PM in Identity, News, Privacy, Security | | Comments (0)

|

NIST releases security perfomance measurement guide

NIST has released a new revision of Special Publicatoin 800-55, the "Performance Measurement Guide for Information Security." With all of the blogosphere conversation about security metrics going on right now, I thought this a well-times publication.

From NIST:

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in the developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security program. [From NIST SP 800-55 Rev 1: Performance Measurement Guide for Information Security | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills]

Here's a direct link to the document.

, , ,

Posted at 10:18 PM in News, Security | | Comments (0)

|

Microsoft embraces open source

Today at OSCON, hell froze over.

According to The Register, Microsoft has decided to embrace (some) free/open source software and has joined the Apache software foundation to the tune of $100k a year.

From The Register:

After years of hostility towards Free Software Foundation (FSF) licensing (here and here) Microsoft has announced the first in a series of PHP patches - and it's using an FSF license.
Microsoft told The Reg it's submitted a patch to the community for the ADOdb database abstraction library for PHP to add support for the PHP SQL Driver developed with PHP shop Zend Technologies. The patch is under the FSF's Lesser GPL (LGPL).
And, in a further move towards greater support of open source, Microsoft is becoming a platinum member of the Apache Software Foundation (ASF), paying $100,000 annual membership. The move follows work between the two to support the Office Open XML file formats in Apache's POI project. [From Microsoft pledges love and money to open source | The Register]

This is a smart move on Microsoft's part. There is an enormous amount of innovation going on in the open software communities, and rather than fighting that innovation, Microsoft can now leverage it. This move will make the Windows platform more compatible for open source projects and open a new marketplace for the core operating environments such as Windows Server and SQL server.

More importantly, though, it makes it much easier for many developers to jump back and forth between platforms, coding in whichever environment makes the most sense for a project.

One has to wonder if this is Ray Ozzie's first major change as the new Chief Software Architect at Microsoft. If so, he's started out on the right foot

, , , , , , , , , , , ,

Posted at 05:40 PM in Culture, News, Systems | | Comments (0)

|

Next »