Saturday, August 23, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Oyster not all it’s Cracked-up to be [Voice of VOIPSA]

Posted: 23 Aug 2008 06:34 AM CDT

Some Dutch researchers recently illustrated once again that "security by obscurity" is not a good way to secure systems. Transport for London (TFL) have for some years been running a prepay card system called the "Oyster Card". The Oyster Card is an RFID card that you wave over a sensor at the start and end of your train trip, which takes money from your prepay account with TFL. Oyster offers a preferential rate, cheaper than paper tickets, and has had a very high take-up rate with London commuters and residents.

However, the system has now been cracked. At the heart of the Oyster card is a chip called the Mifare Classic, which uses a secret algorithm. Some Dutch researchers decided to target this system, and have discovered how this works. As a demonstration, they used their knowledge to create their own card, which they used to travel around free on the London Underground for a day.

Their interest in the Oyster Card probably stems from the fact that the same Mifare Classic chip is also used in access cards used to secure Government buildings in the Netherlands. In a rather nice demonstration of the separation of powers working in a democratic country, they now have leave from a Dutch judge to publish details of how the Mifare algorithm works, which they will be doing at a security conference in the coming October. This would not have been the outcome that the Dutch government would want, since they now have to take extra steps to secure buildings with more security personnel.

But "hushing the problem up" is not a solution in the security world. The problems don't go away when you punish the researchers. For every ethical hacker there are probably another two Black-Hats who want to sell the information to those that could profit from free travel in London, or access to Dutch Government property.

BelsecTV the security of webapplications [belsec] [Belgian Security Blognetwork]

Posted: 23 Aug 2008 03:15 AM CDT

Google TechTalks April 13, 2006 Mike Andrews Mike Andrews is a senior consultant who specializes in software security and leads the web application security assessments and Ultimate Web Hacking classes for Foundstone. ABSTRACT It all started out as a place to share physics documents, but has grown into potentially mankind's largest and most complex creation. The World Wide Web is a lot of things - a soapbox for everyone, a giant shopping mall, an application platform, and unfortunately a hacker's playground. As more applications get "web-ified" moving from the desktop or legacy systems onto the web, attackers follow the vulnerabilities. Without sophisticated tools or "1337 5x1llz", web applications are now the most attacked technology, with the majority of attacks categorized as "easily exploitable". So, before your application is placed out into one of the most hostile environments, how do you stop your software from being "0wn3d" by the 14 year old in their blacked-out bedroom, or being used by a Russian crime cartel? In this TechTalk, Mike Andrews will look at how web applications are attacked, walk through a testing framework for evaluating the security of an application and take some deep-dives into a few interesting and common vulnerabilities and how they can be exploited.«

Cold War tanks to remember East-Berlin 1953 [belsec] [Belgian Security Blognetwork]

Posted: 23 Aug 2008 03:15 AM CDT

Uprising of 1953 in East Germany - Wikipedia, the free encyclopedia

The Uprising of 1953 in East Germany took place in June 1953. A strike by Berlin construction workers on June 16 turned into a widespread uprising against ... - 58k


Berlin3 1953

Hotel Lobby Security [The Security Shoggoth]

Posted: 22 Aug 2008 08:27 PM CDT

I'm not a physical security guy, but I am learning. I found some pictures that I took at the hotel for a conference I was at earlier this year.

Some background: The hotel is a resort hotel where the main building contains the registration desk, some restaurants/bars and meeting rooms. That leads to a large outside pool. Surrounding the pool are three large towers which contain all of the rooms. The towers have two entrances - one from the pool area and one from the parking lot. The picture below is taken as if you were coming in from the parking area. (Notice the computer used for theme park reservations - this was left unattented, but turned on, after 5PM.)

Can you spot the security flaw?

What about now?

While I'm glad they have cameras in the lobbies, I find it very pointless to have the plug about 6 inches away. BTW, the ceilings were maybe 7 feet high so its not like someone couldn't teach up to unplug it. While I never unplugged it to see how fast security would respond, if at all, I found this very interesting and have been noticing physical security flaws like this much more.

Joomla hacking expands to .nl domain [belsec] [Belgian Security Blognetwork]

Posted: 22 Aug 2008 07:21 PM CDT

More than 100 other domains touched by hacking offensive overnight


Dutch hacker wants flanders annexed to Holland [belsec] [Belgian Security Blognetwork]

Posted: 22 Aug 2008 07:14 PM CDT

joomla48  his idea sounds as he was inspirated by the site....

Joomla hacked : such a good pr for your professionalism [belsec] [Belgian Security Blognetwork]

Posted: 22 Aug 2008 07:11 PM CDT

especially if the patch is already more than a week old and that you work in the security and trust business a site hold by a private company that uses Joomla




Joomla was there

ALERT RED HAT CRITICAL UPDATE OR CONTROL FOR SOME [belsec] [Belgian Security Blognetwork]

Posted: 22 Aug 2008 06:46 PM CDT

From the Internet Storm Center

"Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action". "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4  (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)".

"processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk".

Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

CVEs ( CVE-2007-4752

Update - RedHat OpenSSH blacklist script released

RedHat has released "shell script which lists the affected packages and can verify that none of them are installed on a system".

comment from me : the problem is that Red hat was the Microsoft of the Open source movement. You could as a business more or less say to your boss that you were not having linux but Red hat and that that was secure and looked after while in the other systems you were more depending on the community which a CEO didn't want to have. This intrusion is for that reason more embarrassing. [.:Computer Defense:.]

Posted: 22 Aug 2008 03:54 PM CDT

Just a quick little note to share with people. In my efforts to add to the social activities associated with SecTor and to foster discussion, I've created a new website, On the page you'll find a forum and a mailing list. I would invite everyone who is attending SecTor to join both and share in the discussion. For those of you that aren't quite sure yet, sign up and you'll most likely find a reason (hopefully in time to beat the end of August price increase)... and for those of you that can't make it to SecTor this year, you're all welcome as well, you'll see what's happening so that you can make it next year.

Google Search from Quicksilver [Jon's Network]

Posted: 22 Aug 2008 02:57 PM CDT

Google Search from Quicksilver| Macintosh Tutorials, News, and Reviews

A useful trick that takes 30 seconds to set up.

ThreatLinQ: Using Filter Groups - Guilty By Association [DVLabs: Blogs]

Posted: 22 Aug 2008 01:47 PM CDT

Posted by Marc Eisenbarth
This post shows how the "Filter Group" section of the website can be used to find some very interesting events. Lets start by looking at the "Metasploit Shellcode" group, which is more often that not a very good starting point for finding malicious attackers. Not surprisingly, in analyzing ThreatLinQ data we have noticed that shellcode filters fire in tandem with many severe attacks. This makes sense, as the Metasploit shellcode is borrowed by a majority of exploit tools and proof of concept code circulating on the Internet. So, lets take a look at the "Source IPs" tab and select one of the IP address that has a large number of hits for this ThreatLinQ Filter Group, namely which originates from the Republic of Korea. On 7-16-08 we see a number of filter 3990 "Exploit: Shellcode Payload" hits along with a single hit for filter 3885 "PHP File Include Exploit". This attacker then proceeded 6 days later to launch a DCOM IsystemActivator Overflow attack. Groupings of severe attacks such as these three strengthen our case that is an active, malicious host and one to keep an eye on in the future.

Hack With New People [ImperViews]

Posted: 22 Aug 2008 01:10 PM CDT

Do you have the next great web idea but lack technical staff? Do you have technical skills and are looking for the next big thing to drive your excitement and enthusiasm? There are several sites that will try to connect entrepreneurs with highly skilled professionals but JustHackIt is the first site that is dedicated to web applications.

So the idea is to connect people who want to build something RIGHT NOW. Ideas can be simple 1 page websites or complex Google competitors. The main point is to just get started hacking with new people! Hopefully you'll meet your next co-founder or your 1 page website will be successful by itself. If you find out you don't work well with someone, try someone else. No pressure.
Simple idea, nicely executed. Some of the ideas are good. From an ROI perspective, it looks like a good $7 investment. According to Centernetworks, the site is now for sale. The use of the hack-words, with all possible diversions and inflections makes sense as well as a buzz generation tool. If nothing works, it can always continue to be used as the hackers dating site. 

Friday News and Notes [Digital Bond]

Posted: 22 Aug 2008 12:56 PM CDT

Next week should be a lot of info with the PCSF annual meeting and three from our team in San Diego. Only a couple of items this week.

Nir Zuk on YouTube [Jon's Network]

Posted: 22 Aug 2008 12:34 PM CDT

Ya, there are other IT vendors on YouTube (StillSecure, Lumension, Sophos), but so far only Palo Alto has tried to be funny.

Here’s to going viral:

Barracuda and Fortimail Feedback [Jon's Network]

Posted: 22 Aug 2008 12:17 PM CDT

A customer recently evaluated Brightmail, Fortimail 400 and Barracuda 600. They said Barracuda would have been great had it been the only one they tested, since the reporting impressed them, but they noticed the poor catch-rate once they tested Brightmail and Fortimail. Fortimail ended up winning the deal.

  • Spam filtering - Barracuda detection rates were fair compared to Brightmail and Fortimail
  • User experience - All were good, no complaints
  • Mail server integration - Barracuda fair, Fortimail much better
  • Reporting - Barracuda reporting excellent
  • Yearly subscription - Barracuda higher than Fortimail

Uniform Time []

Posted: 22 Aug 2008 12:06 PM CDT

As many of you know, I’m more a washed up paramedic than a security analyst. My youthful indiscretions tended to involve ambulances and fire trucks (you’d be amazed at all the fun things you can do with them when no one is looking).

Although I’m just an EMT these days, I’m still on a federal response team for disasters and other large incidents. In a couple hours I’ll be heading out to wear uniforms for a week and sleep with 60 other people in an undisclosed location (don’t worry, I’m not breaking opsec by revealing that). I’m just a low level grunt on the team but find that a little manual labor does the soul some good on occasion.

I may still get some writing done since we should have a fair bit of down time, but I won’t be very responsive over email.

A day after that, I head off for a *real* vacation- my wife and I are cruising Alaska before it all melts. If I try to work on *that* trip I’ve been told I better practice my cold water swimming skills. Still, I’ll be checking email for emergencies.

The next couple of weeks will definitely be ones of contrasts.


Line Noise [DVLabs: Blogs]

Posted: 22 Aug 2008 11:27 AM CDT

Posted by Cameron Hotchkies
It's that awesome time unscheduled by conventional schedules for the blog that everyone loves to power Fridays with. Line Noise! 

First up, Ali found a paper on someone implementing a sublanguage within haskell in order to enforce data flow control, for security reasons. A cool in concept, especially if you're a fan of the functional programming.

Here's a set of new UI concepts. The first one takes a bit to get going, but it's really impressive when it's done. Some seem new-ish, but like they were implemented in 1982. Go see what I mean.

noted improvements to fiber optic materials in order to speed up the net. They're actually talking about slowing down the light to increase speed. This is also the exact opposite of how most Austinites drive, don't ask how that works.

The body of a priest trying to raise money for a chapel for truckers in his highway parish came up with the idea of floating over the ocean hanging from hundreds of helium balloons was finally found three months later. His last contact before his demise was a cell phone call he made to his friends notifying them he was about to crash into the ocean.

Designers at the University of Kitakyushu in Japan have created a life-like robotic red snapper fish. The realistic design is hoped to help the robot blend in while in the wild. Robotic red snapper... very tasty. I'd still take the mystery box.

You probably remember it from TED, now Microsoft has finally released Photosynth. Based off the multitude of pictures taken of me from various conferences over the years, this technology scares the crap out of me. But then, so do the people that would be trying to map pictures of me on Microsoft photosynth.

You may have caught this and thought "Hey reversing iPhone binaries ON the iPhone? does it support batch mode of ida-python scripts?".. or maybe that's just me. Then again, if you did, maybe you'd be a shoe-in for this job (props to Ryan Naraine for finding that one).

Spanish automaker IFR has developed a steering wheel capable of electronically tweaking your vehicle's valve timing, rev limit, ABS, and other characteristics.

Now you're probably thinking "Hey! It's been a month, and that's al you've got?". Well, I went to Black Hat, so our IRC has been very quiet. If you want to read about that, you'll have to check our write-up here.

That's it for now, stay classy blogosphere!

Random stuff on my to do list [Security Coin]

Posted: 22 Aug 2008 10:33 AM CDT

SQL injection in web apps is sooooo old. It still exists everywhere and security companies are still making good moolah by capturing 'crown jewels' by exploiting this - However, I'm not sure that SQL injection testing for non web based applications/scenarios has caught on. Are they even worth trying ? For example: I'd really like to test the logic for the following (for starters) at some point in life :

1. Cell phones - IMEI registration. Attempt to SQL inject the backend during registration and/or normal communication - would that work ? Before I even say "Only one way to find out.." I should really read up on cell phones to test the theory..

2. Magstripes on cards - change data in the magstripe of ID cards , hotel access cards, credit cards, debit cards etc - to SQL inject the backend - Hmmm.. my name/cardnumber/PIN is now ' OR 1=1 -- ?
Something like little bobby tables.

3. Checks - Change the account number on checks to SQL inject the backend. I'm almost certain this would fail because of the MICR E13b restrictions of characters.. ah well..

Ah well..I would need to get back into security consulting at some point if I want to test this out in a legal way..

Baroness Pauline Neville-Jones Joins Our Keynote Line-up [RSA Conference - Blog]

Posted: 22 Aug 2008 08:51 AM CDT

IIS Secure Parameter Filter (SPF) Released [GDS Security Blog]

Posted: 22 Aug 2008 08:48 AM CDT

We have publicly released the Beta version of IIS Secure Parameter Filter (SPF) on our tools page. SPF is an application security module specifically designed to thwart parameter-based attacks against applications running on Microsoft IIS web servers. SPF requires minimal initial configuration and does not require making any modification to the underlying application code.

Those of you who attended the “Protecting Vulnerable Applications with IIS7” talk which I presented at Black Hat earlier this month will recognize SPF as the module which I demonstrated. The version we released today works with both IIS6 and IIS7 and is written in managed .NET code.

So what exactly does SPF do? SPF provides two primary protection mechanisms which are each explained in more detail below.

Tamper Protection

The tamper protection capabilities of SPF are primarily designed to thwart authorization attacks. Tamper protection works at the following levels:

  • URI Protection - Protected URI’s require a cryptographic token to access. The only way to obtain a valid URI token is for the application to present you with a link to the URI. This is primarily designed to thwart direct browsing attacks where users can forcefully request pages for which they are not entitled.
  • Query String Protection - Protected query string values are validated using a cryptographic token which ensures they were not tampered with. This protection is designed to secure embedded query string values from manipulation.
  • Form Field Protection - Protected form fields that contain embedded values (i.e. Hidden Fields and Select Lists) are encrypted to prevent un-authorized viewing or modification by malicious users.
  • HTTP Cookie Protection - Protected cookies are encrypted to prevent un-authorized viewing or modification by malicious users.

SPF tokens can also be bound to the calling user and set to expire, resulting in the ability to protect against Cross-Site Request Forgery and thwart certain types of hijacking, replay and cross-site scripting attacks.

Malicious Input Filtering

Malicious input filtering (referred to as Black List Protection) is designed to identify parameters that include known attack patterns. SPF supports Black List pattern matching against Query Strings, Post data, and Cookie values.

In some ways, this functionality can be compared to existing server filters like Microsoft’s URL Scan, but SPF provides much more flexible capabilities. Black List Protection was originally not within the scope of SPF’s protection mechanisms, however with the recent wave of SQL Injection worms it became apparent that URLScan (specifically the recently released 3.0 Beta version) is not sufficient for protecting web applications from attack.

URLScan is a good server-level protection mechanism that has been adapted to provide basic web application protection whereas SPF is designed specifically to defend web applications and therefore can provide more comprehensive protection against harmful input. SPF’s Black List Protection provides the following:

  • Regular Expression Support - Provide a powerful mechanism for defining malicious input patterns
  • Flexible Request Entity Coverage – Black List patterns can be applied to any combination of Query Strings, Post data or Cookie values. This level of HTTP request coverage is especially critical as SQL Injection worms become more advanced and move beyond exploiting Query String parameters. Specific URLs can also be excluded from Black List coverage for greater flexibility.

SPF is currently available for free download and use from the GDS Tools page. The current Beta of SPF provides full protection for any application running on IIS7 and for ASP.NET applications running on IIS6. Non-ASP.NET applications on IIS6 will be limited to only the Malicious Input Filtering (Black-List) capabilities of SPF. A detailed administration guide is included with the download.

The importance of key management [Data-Centric Protection and Management]

Posted: 22 Aug 2008 07:56 AM CDT

As encryption and data protection becomes more prevalent, dont forget the equal importance of managing those keys. This seems to be the message from Jerome Wendt.

I think there are two sides to the story here - while I agree that managing keys is important, I think this is something users SHOULD NOT be concerned about. This is something the vendors should be focused on solving and not leave it to end users to stumble over.

Key management is hard and it makes sense to solve it at the product level rather than leaving it to implementation variances.

Research Project Value Creation [Digital Bond]

Posted: 22 Aug 2008 12:56 AM CDT

Believe it or not research teams are not always marketing wizards, and even the best results can have little impact if the potential users don’t understand the value of the solution. So the DHS Science and Technology Directorate is putting a representative from all the research teams in the recently awarded contracts through SRI’s Value Creation workshop. I attended the two-day workshop this week.

The group arrived from a variety of different organizations - academia, small companies, massive companies, very different research projects, and different levels of experience doing this sort of thing. And I think it was fair to say many arrived as skeptics. SRI put us through a set of instructions and exercises in a structured process to describe the need, approach, benefits and competition of our projects. First in a 1-minute elevator pitch, then adding more elements in a 3-minute presentation and finally a 5-minute presentation. As you can imagine the brevity forced focus.

A key part of the process was the way the attendee and teacher feedback was presented and acted on in the class.

It is hard to do the workshop justice. It is a combination of the environment, energy, process, materials, teachers, and fellow students. The best way to convey it is every attendee had dramatic improvement in their ability to present the value of their project. Dramatic is not hyperbole here. You had to see it to believe it.

Hats off to DHS S&T for realizing the importance of this effort to maximizing the impact of their research dollars and SRI for a strong program. [FD: Obviously DHS S&T has funded Digital Bond research projects]

Now We Are Cooking With Gas []

Posted: 21 Aug 2008 11:19 PM CDT

Better late than never, right?  We finally got around to adding some of our new Nevis Networks hardware into our environment today.  “Some” is a slight exaggeration.  We added one LANenforcer 2024.  Hey, that’s more than we added last week!  The process of configuring these things is really insanely simple.  We went through this a year ago with some assistance, which I would recommend the first time, but with practically a year under our belts with it the second time is easily handled without assistance.  By tomorrow we should have a switch on it.  The next thing we are going to is to take the IPS out of reporting mode and see what kind of problems we can create!

You’re Allowed to Have It []

Posted: 21 Aug 2008 10:40 PM CDT

When you’re a grown up, you get to enjoy beer.
Now you have it, when you’re in high school and college you have it.
But when you’re an adult you really get to enjoy it.
Lets’ say you work all day.  You’re on your way home.  You’re really tired.
But its that really good kind of tired, you know.  Where you know that you’re on your way home.
You know.  And soon you’re going to be at your home.  You’re gonna be by yourself for a little bit.  You know. 
You get home, go to your fridge. 
You get yourself a bottle of beer.  Its ice cold.
You open it up and it makes that great sound.  That hissing sound.  You know. 
Even the cap hitting the counter.  Its a great sound.
You go to your living room, sit down on the couch.  You bring that bottle up to your lips. 
You can smell that smell, that beer smell, you know.
It reminds you of what beer smelled like to you were a little kid and you didn’t like the taste of beer.  But now its a fond memory.
Remember when you were a little kid and things were really simple and you didn’t like the taste of beer?  But now you’re a grown up. 
You take a sip.  And it really taste like beer.  Now you’ve had plenty of beers in your life.
But this one reminds you of what beer tastes like.  Its kind of sharp on your tonge.
Its a little bitter.  Its so cold. 
There’s nothing else like it.  A nice cold beer.

From Paul F. Tompkins HBO special “Driven to Drink.” 

Imperva goes to the Shooting Range [ImperViews]

Posted: 21 Aug 2008 08:41 PM CDT

As a follow up to our ADC webinar on SQL Injection led by our CTO - Amichai Shulman, I had an opportunity to meet with some of our customers and discuss the latest SQL attack trends.

Our partner, AppSec Consulting, chose the location, which I admit was not to my liking. They choose an indoor gun range and while for some people, shooting stuff is the ultimate stress reliever, I'm not one of them. As a veteran Lieutenant of the Israeli Defense Force, shooting brings up some stressful memories. If you have never experienced shooting in an indoor range, let me tell you - it's scary. The sound produced by gunfire is deafening outdoors, but when the acoustical energy it produces is confined to a small indoor space as in a firing range, it gets even louder. Add to that the fact that some shooters are new to the experience, and some (not our customers) may be doing stupid, crazy things... oh, well. I stayed outside while the guys were having fun.

But as I mentioned, we spent some time talking about SQL Injection attacks as well. Often when we talk about SQL Injection attacks, we think about protecting the application with a web application firewall. Less often, we talk about the impact on the database behind the website. In the past, when most of the SQL Injection attacks tried to get valuable information out of the database, and in that case we didn't compromise or change anything on the RDBMS itself. But lately we see more attacks that try to manipulate the content of the RDBMS. The example I used at my demo showed how you can use SQL Injection to insert into the database a command to run  JavaScript. The compromised database can have a piece of JavaScript (JS) embedded in it, which in turn points to another JS file on a separate domain. Any web page which is now built based on a compromised database may result in running these scripts, downloading malicious code and silently distributing malware through the connected system.

A compromised database entry:


The bottom line is that databases are a critical component of any web application and when protecting the application you can not ignore the database itself. Databases should be scanned and monitored continuously to prevent compromised content.

I hope our next event takes place at a less stressful location - perhaps even an outdoor gun range. How about paintball? I heard that's a lot of fun.

Imperva goes to the firing range.jpg

More public DNS servers getting exploited in the wild (updated) [Security4all] [Belgian Security Blognetwork]

Posted: 21 Aug 2008 08:18 PM CDT

Ryan Naraine spotted an article describing how a Chinese ISP's DNS servers got poisoned because they were not patched. Their customers were redirect to a site which would launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. Read the full article for some screenshots.

We shouldn't criticize Chinese providers too much as we still have some vulnerable networks of our own. But it's about time, they all got patched (everywhere).

If it appears, you are using an unsafe DNS server, switch to openDNS. Here are the instructions.

UPDATE: Dan Kaminsky is confirming attacks in this article on Cnet. Remember that DNS (MX) records also decide the traffic flow of mail servers. This is why Dan added an additional test on his website to test your mailserver's DNS for the patch.

The story has also hit Slashdot.

Related posts:

Video of the Pwnie Award Winners [Security4all] [Belgian Security Blognetwork]

Posted: 21 Aug 2008 06:50 PM CDT

A video of the Pwnie Award Ceremony is up on Google Video:

Here is the complete list of winners.

Flash banners taking over your clipboard [Security4all] [Belgian Security Blognetwork]

Posted: 21 Aug 2008 05:52 PM CDT

Several sites reported on the "Clipboard" attack. Through Adobe Flash and Actionscript.
According to US media reports, Flash banners that appeared on websites for Newsweek, Digg and MSNBC manipulated the clipboards on visitors' PCs. The banners copied the URL of a site, to the clipboard, that was supposedly an online antivirus scanner. This then sought to convince users to purchase software by frightening them with the message that their PCs were infected by a virus. Users who are in the habit of copying links from text and pasting them into their browser's address line were likely to have copied the URL to the spammers' site and ended up there. (Source: Heise)
That attack works under Windows, Mac OS and Linux. A side-effect is that the clipboard will freeze and cannot be used until the browser is restarted.

Adobe has reported it is looking into the problem, but doesn't have any patches at this point.

As long as you don't visit the URL contained in your clipboard, you are fine. But it's advisable to use a flashblocker or to use Noscript which also blocks Flash by default.

Despite some reports
, NoScript will protect you. Of course, if you deactivate the features that are meant to protect you, you are vulnerable. It's like deactivating your virusscanner and blaming it for not stopping a virus. Noscript will block Javascript, Java, Flash and other plugins. But it's not made to block actionscript if flash protection/blocking is disabled. Default settings will keep you protected. Just make sure, you have the latest version.

This is also part of an email campaign to try to convince you, your PC is infected and tricks you into installing their Antivirus product (which is just a Trojan).

Here is a more detailed analysis of what happens, if you do happen to visit the clipboard URL and get infected.

Where are the Apples of Yesteryear? [DVLabs: Blogs]

Posted: 21 Aug 2008 05:32 PM CDT

Posted by Rob King
There was a time, not so long ago, where Apple was the plucky upstart. They weren't the second-largest music retailer in the United States. They didn't hold a virtual monopoly on portable music players, and they didn't capture nearly half of the high-end laptop market.

Apple was instead, a geek's company. They were open and friendly, flexible and more than a little quirky. Sure, the fact that large portions of their code are open source is great, and certainly something of which I approve, but they've definitely started playing their cards a bit closer to their chest, at least on security issues.

At this year's just-passed Black Hat, I was very much looking forward to attending two talks discussing security in Apple's products. One was to be a general discussion of Apple's security practices, and was to be presented by several members of Apple's security staff. That would have been, I'm sure, interesting, but I was far more excited about the discussion of an apparent security flaw in Apple's FileVault technology by Charles Edge.

Both talks were unceremoniously yanked from Black Hat by Apple. I don't know what the details of either talk would have been (had I known, I wouldn't have seen the use of attending, now would I?), but I love FileVault, and I'm sad I wasn't able to see the talk.

For the non-Mac users out there, FileVault is Apple's disk encryption technology. In true Apple fashion, it attempts to be easy to use for the vast majority of users, at the expense of some higher-level features for the real power users. Like Time Machine, Apples simple-but-limited built-in backup solution, FileVault aims to be disk encryption that's so easy to use, people actually use it.

FileVault is easy in part because you don't say what you do and don't want to encrypt - you don't get a choice. It's your home directory, your whole home directory, and nothing but your home directory. This is accomplished by the simple expedient of placing your home directory in a disk image and loopback-mounting that disk image when you login.

This was actually cited as one of FileVault's big File  Faults - most things in your home directory don't need to be encrypted. That's true, of course. The gigabytes upon gigabytes of photos in my home directory don't need to be encrypted. I'm sure if someone steals my laptop, the photos of my fiancee and I in Japan aren't what they're after. So, spending the CPU power to maintain the encryption on those files is seen as pointless.

I'm going to defend Apple on this one, though. Here's why I like that my whole home directory is encrypted: I don't know where everything interesting is. Well, okay, I do, but most people probably don't. Quick: Where does Safari store its cached images? How about Mail, where does it store your mailboxes? And iChat, where are those remembered chats?

See, if FileVault had made me pick and choose what directories to keep encrypted, chances are I would have forgotten to encrypt Safari's cache, or one of my mailboxes. Or maybe I would have remembered to do those (and known where to look), but some application I download reads a sensitive document and caches somewhere I wasn't expecting. Now my security was just completely compromised. Hooray!

So, I actually very much approve of FileVault's all-or-nothing approach, because I don't want to have to track down where all my applications store all of my potentially-sensitive data. Also, I like the elegance of the approach.

So, yes, I use FileVault. I was therefore eager to see what sort of flaws FileVault suffered from. Some of them are well-known: FileVault doesn't encrypt things other than home directories, for example. Well, I'm not in the habit of storing sensitive information outside of my home directory, so that's not really a flaw for the vast majority of users. Besides, Mac's are multi-user now; you need per-user encryption.

Other flaws are more practical: Apple's Time Machine backup software doesn't really work with FileVault. That is is a legitimate criticism, and I really do hope they fix that in the upcoming Snow Leopard edition of Mac OS X.

The biggest flaws, however, deal with how encryption is actually performed. While the disk image is encrypted using the state-of-the-art Advanced Encryption Standard (AES, also known as Rihndael), it is done using Cypher Block Chaining mode, making it potentially easier to guess the unencrypted contents of the disk. Also, keys are stored in a less-than-perfect manner, using a 3DES (Triple DES) system.

Additionally, there exists a Master Key that can be used to decrypt FileVaults for users who have forgotten their passwords. These master keys end up having an effective key size of only 72 bits in some situations. In other words, its not as hard as some people might think to circumvent FileVault encryption.

Not as hard, but still pretty difficult; it would take some specialized hardware a potentially very long time to crack a FileVault volume.

Additionally, there is some concern that encryption keys are stored insecurely in memory, so if someone grabs my laptop while it's asleep or the contents of memory are otherwise available, they could get a big leg up in bypassing the encryption.

Several weaknesses in FileVault have already been addressed by Apple: when a user migrates to FileVault, the old contents of their home directory are "securely' wiped, by overwriting the files with random data numerous times before deleting them. This is not a perfect solution, but it is worlds better than the old method of simply unlinking the files' directory entries and leaving the data around for any forensic investigator to find.

Another flaw was address when Apple provided the option of encrypting the on-disk swap file. This, of course, has reasonably high performance implications, but it does address the issue. (I'm actually pretty pleased to note that, with 4GB of memory, I rarely, if ever, touch swap. Of course, I run my Mac as a Unix workstation primarily, so I generally don't run anything more memory-demaning than vi.)

(That's mostly a joke, of course - I run iTunes and such, but I rarely have more than 2GB of memory in use at any one time; swap is rarely touched.)

In any case, the encryption implementation weaknesses in FileVault are well documented (see Applebaum's and Weinmann's analysis at the NSA here:

Key stealing and cryptanalysis of the algorithms used are likewise well known and widely published.

All this makes me wonder what the FileVault Black Hat talk could have been about. Was it simply a rehash of the known vulnerabilities? Was it something more esoteric, like remanence issues in RAM (also a well-known flaw, and not just with Apple)?

The problem is that I don't know. No one, save for Apple, Mr. Edge, and whomever they chose to tell knows the details.

The big evil corporation guilty of being notoriously tight-lipped about security vulnerabilities used to be Microsoft. However, Microsoft has become considerably more forthright of late: with their new MAPP initiative ( and their rather wry sense of humor about vulnerabilities, Microsoft has actually become one of the most open major vendors when it comes to details about security flaws. This is nothing but a good thing.

Apple has the whizbang factor sewn up, especially with Joe Consumer: Apple is just cool, while Microsoft is seen as stodgy at best. But one of the fanboys' rallying cries, of "better security", may be falling by the wayside. Apple can't really claim the moral high ground on security issues anymore. At best, they're on par with the rest of the industry, and at worst, they're falling behind.

I'd love to see a MAPP-like initiative from Apple. They could even come up with a marketing-friendly snazzy name for it, like MAPPLE or something. I'd love to see Apple embrace the security community. I'd love to see more details in Apple's security advisories, and I'd love to see less restrictive NDAs on development tools and software licenses.

In other words, I'd love to see an Apple that's not just cool for Joe User, but also for Joe Researcher. Apple's got great inroads in the security community: at Black Hat I saw an equal number of Macs and non-Macs. If Apple wants to keep those sort of inroads, a little more goodwill to the security community would be much appreciated.

The New Personal Identity Portal (PIP): [Blue Ocean]

Posted: 21 Aug 2008 04:58 PM CDT

Today, we are releasing a brand new version of the Personal Identity Portal (PIP). With support for two-factor authentication, the PIP remains a strong OpenID provider as VeriSign remains committed to the broad deployment of OpenID across the Internet. Beyond OpenID, the new PIP also includes some unique identity management features. As the user-centric identity movement reaches beyond authentication and attribute exchange, we wanted to evolve the PIP into an identity aggregation service that enhances control, convenience and security over personal data even when the data is scattered across non-interoperable Web sites.homepage.jpgThis theme of identity aggregation is going to remain an important product philosophy for us moving forward. Our first implementation focuses on personalization, convenience and security. This post provides a brief overview of the new features. For those of you who never read product description, you can sign up for a free PIP account here. For the more curious minds, please, read on, and let us know what you think.

Personalization and the Personal Identity Page

The Personal Identity Page allows you to aggregate public identities and presence across multiple Web sites under your OpenID. In my case, my personal identity page can be found at You can see that I have chosen to aggregate my Blog, my Flickr pictures, my YouTube videos, and other personal links to provide a complete reflection of my public Web persona. With a Personal identity page, my OpenID URL now provides a simple way for people to find and discover my "aggregate me". Think of it as a modern version of public white pages. We have tried to keep it simple enough that it can be built within a few minutes, but rich enough to keep it interesting.
idpage.jpgOf course, for many, the logical place to share their identity is their social network. For that reason, we have also created a FaceBook application. As shown below, the PIP FaceBook application lets you embed your "identity carrousel" into your FaceBook profile to share it with your friends.

Convenience and 1-Click Sign-in across any Web site
The PIP 1-click sign-in service may be one of the most interesting new features. The service aims at enabling single sign on across all popular Web 1.0 and Web 2.0 sites (whether they support OpenID or not). We have devised a client-less authentication solution that only requires one single click for you to log in across your social sites (FaceBook, Yahoo!, Google, MySpace...), your travel sites (TripIt, Expedia, United...), your financial site (Wells Fargo, E*Trade, ....), almost any of your sites, really! Think of it as a password vault in the cloud. Think of it as a universal single single-sign-on Web service. 1Click.jpgSince, we did not think you wanted to give all your names and passwords to VeriSign, we have designed it in such a way that VeriSign never sees your actual names and passwords (we only receive and store an encrypted form of them and you keep the secret key for yourself). Of course, you still need to log into the PIP (that is the one required login). Unlike most existing solutions out there, there is no client to install, only an optional bookmarklet to save in your browser (the install is drag and drop in Firefox and Safari and we have an automated install script for IE6 and IE7 users). It works on Windows, and the MAC. It will work in your 3G iPhone too, making OpenID and general login really user-friendly in a mobile environment (more in my next post). Note that the Beta 1-click service only supports 70 popular Web sites at this point. If your feedback is positive, we will add many more, so once again, let us know what you like and what you dislike.1CkickJS.jpgThe bookmarklet is also a nifty navigation tool. When you are not on the login page of a Web site, it triggers a small navigation window (see above). The window displays the list of all the Web sites that you have registered with the 1-click sing-in service. Simply click any of these links; you will navigate to the site and be logged in automatically. No more URL to enter, no more name and passwords to remember or type, only your PIP OpenID!

Security and Free Digital certificates
Since the 1-click vault security hinges on the PIP authentication, we wanted to offer you a broad choice of strong authentication solutions. Last year, we enabled VIP credentials (OTP tokens) within the PIP. This year we added a free layer of security that does not require any hardware. Indeed, we are giving our PIP users a free VeriSign certificate to secure their PIP account. Certificates and PKI have often been blamed for poor user experience. Therefore, we decided to create a new user interface for logging in with a certificate. Instead of issuing an identity certificate, we are issuing what we call a "browser certificate. A browser certificate is anonymous. It does not contain any information about you. Think of it as an opaque token that you link against you PIP account to protect it (it provides a second authentication factor: "something you have". Your PIP login name and passwords remains your first authentication factor: "something you know"). You can install these certificates on Mac and Windows (as many as you need). The certificates are free. We are still working on the iPhone (we have encountered a few challenges with certificates with the iPhone Safari, but with a little help from Apple, we will get there).

The whole PIP team has worked hard during the last 8 months to bring you all this new functionality. We are really excited to release this new version of the Personal Identity Portal to our growing PIP community. We hope you will enjoy using it as much as we enjoyed building it. Feel free to drop us a note, report bugs and make product suggestions. Our support email is We are looking forward to your feedback!

No comments: