Sunday, September 7, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

CHROME. [ - A Revolution is the Solution]

Posted: 07 Sep 2008 03:26 AM CDT

Hello Front Door, Let Me Introduce To You The Internet []

Posted: 06 Sep 2008 08:34 PM CDT

Technology is great. I mean look at the Internet and Space Stations and the LHC… and then we have electronic door locks. Don’t get me wrong, I think that electronic door locks are great, I mean inserting a key and turning it is for chumps and why would you do that when you can swipe your RFID card on a reader and *click* get into your house.

In a previous role I spent the majority of my time configuring and working on electronic access control systems, so I’m aware of how much physical and logical security have meshed together. Our security posture was fairly straight, we followed a number of principles such as defense in depth, secure defaults etc. One of the overriding principles we had was that of the air gap. That is, the system that controls those doors, does not come in contact with the Internet or any other networks that pose significant risk. So it doesn’t fill me with comfort when I read about new products like this.

Schlage LiNK deadbolts operate using keyless entry with four-digital access codes on an 11-digit keypad. The LiNK deadbolts can also be operated using Schlage’s LiNK Web portal, which employs Secure Sockets Layer (SSL) protection.

Schlage LiNK deadbolts leverage Z-Wave, a wireless home automation technology that helps to unify home electronics into a single integrated wireless network using Z-Wave accessory modules — everything from lighting to temperature control, pool systems and more.

Personally I would have some concerns about linking my front door to the Internet or a wireless network, but that’s probably just me and the security/risk hat I wear. What concerns me is the people doing the sales pitch for these sorts of devices would not be ensuring that the consumer is doing a risk assessment against their use, the only assessment the consumer has to do is “can I afford it?” or “how cool will I look when I can unlock my door from work for the plumber”.

Would the consumer be enquiring into the level of diligence that the producer had applied to ensuring the security of their locks and their web portal? Probably not. The sales pitch would probably go something like “Yes of course we are protected over the Internet, we utilise Secure Sockets. Yes their secure, those same sockets are the same that get used by your bank”.

For all the bleeding-edge customers of these locks their fortunate because the probability that someone wanting to get in their house without authorisation knows about the technology is low, so contact with an external threat source is also low. On the other hand, the probability that people with malicious intent will want to break into the web portal is probably quite high, not strictly because they want to break into the house, just because the portal is a juicy target. The impact of this event is potentially much larger though, because if the vulnerability of the portal is such that you can enumerate doors, it means you may be able to unlock a large number of doors. This isn’t taking into account how easy it is to phish users of their passwords and simply log into the portal as them, maybe it utilises some form of two-factor? In which case you may as well just give them a key.

But are voting machines really dangerous in practice? [The Security Mentor]

Posted: 06 Sep 2008 06:27 PM CDT

Spokesmen for the voting machine manufacturers like to say that the reported vulnerabilities are unrealistic in the context of an actual election, with all its tests and security procedures.

This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.

Are they right?

Princeton researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.

View your online banking records without your password [The Security Mentor]

Posted: 06 Sep 2008 06:08 PM CDT

This is a good example of how a simple feature change can create a security issue, and why security features that seem unnecessary can be important in practice.

Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.

OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.

If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which turns off storing pages into your history. This is a good idea for any security-sensitive activity.

Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.

United Arab Emirates: Breach Yields US Embassy Related Credit Data [Infosecurity.US]

Posted: 06 Sep 2008 03:11 PM CDT

According to The National’s Hugh Naylor, a logged network intrusion has yielded stolen credit card data from variety of sources, including employees of the United States Embassy in Abu Dhabi. [Hat Tip - Chris Walsh  @

Evidently, the credit information was utilized to fund purchases within US borders. Based on story content, no reports of purchases utilizing the stolen data have been received from inside that country.

[1] The National

[2] United States of America Overseas Security Advisory Council

[3] Attrition

No Privacy Chernobyls [Emergent Chaos]

Posted: 06 Sep 2008 01:39 PM CDT

Over at the Burton Identity and Privacy Strategies blog, there's a post from Ian Glazer, "Trip report from the Privacy Symposium," in which he repeats claims from Jeff Rosen:
I got to hear Jeffery Rosen share his thoughts on potential privacy "Chernobyls," events and trends that will fundamentally alter our privacy in the next 3 to 10 years.
I don't believe it, and haven't believed it in a long time. As I said in 2006, There Will Be No Privacy Chernobyl. There's too much habituation, too much disempowerment, and too diffuse an impact of any given issue.

I'd love to have to eat those words. Rosen suggests five issues:

  1. Targeted ads
  2. Search term links
  3. Facebook
  4. The Star Wars kid
  5. Ubiquitous surveillance
Do you see any of these rising to the level of Chernobyl? Where you could stop the average person on the street in most of the developed world, ask a simple question, and not get a blank stare?

PaulDotCom Security Weekly - Episode 121 Part I - September 4, 2008 [PaulDotCom]

Posted: 06 Sep 2008 11:19 AM CDT

Paul & Larry interview Mike Kershaw, Brad Haines, and Frank Thorton to discuss Kismet, the ultimate open-source wireless monitoring/IDS tool!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian


Direct Audio Download

Audio Feeds:

Se la nuova Alitalia vale più di 300 milioni [Security Circus]

Posted: 06 Sep 2008 07:00 AM CDT

More e-projects [IT Security: The view from here]

Posted: 06 Sep 2008 06:25 AM CDT

I'll come back to secure email at a later date, I'm interested to see if our business processes will come up with the same conclusions as I have. I'm prepared to admit that this is a two-sided argument, there may be a requirement for secure email, or it may be that email was never meant to be secure, so no-one will ever use it as such. Comparing it to terrestrial mail services doesn't really help, because to a large extent, email has replaced snail mail, and even phone calls. The 'more secure' version of land mail was email, so the more secure version of email is...?
Personally I think it will be as the banks are finding - directing people to portals to download (NOT giving links in the mail, but asking them to log into their account - beware of phishing attacks).

So I now have 3 new Security Projects (note the capital letters) to get on with:

1. Endpoint Security - not DLP, we don't have any data classification on our network, and it was identified specifically to stop CD burners being used on our network, so DLP is deemed too much.

2. Firewall Monitoring - thrilling stuff, we need to know if our firewall rules are sensible.

3. Web Application Scanning - Third party web app provider, variable quality of code, our problem.

I keep going backwards and forwards, depending on who I talk to about these. The higher up the chain I go, the less I want 1 and the more I want 3. When I come back to the security team, I want 2 to help them, and 1 to protect them.

I'm not sure there is a good way to justify endpoint security, not until the market has settled down a bit anyway. Maybe then we'll be ready for DLP?

Firewall monitoring seems to be something that's been put in to make someone's job easier, so again, hard to justify.

Web Application Scanning on the other hand seems to be vitally important. As I've been brought in to secure the e-commerce rollout, I think this is the one I will be most behind.

WebInspect seems to be the best (only) option at present. I'll talk more about how I get on with it once I've found the best way to justify it.

Microsoft's September Patch Release Advance Notice [Sunnet Beskerming Security Advisories]

Posted: 06 Sep 2008 02:12 AM CDT

Microsoft's Advance Notification for September's Security Patch Release has been placed online. This month there will only be four patches released, all of which will be identified as Critical.

This month's patches will address critical holes in the Windows Media Player, Windows Media Encoder, Windows, and Office. From the description of affected components for the Windows-specific update (Windows, IE, .NET Framework, Office, SQL-Server, Visual Studio) it suggests that it may be an ActiveX or .NET component related problem.

The Malicious Software Removal Tool will also receive updates, as well as a number of high-priority non-security updates through Microsoft Update and Windows Server Update Services (WSUS).

As with previous monthly Security Patch releases, Sûnnet Beskerming will be providing detailed Briefing Packs covering the patches.

Alarming security bug in Google Chrome [The Security Mentor]

Posted: 05 Sep 2008 10:11 PM CDT

Some security experts, whose names I can't find offhand, have discovered a bug in Google's new "Chrome" browser that could sidestep all of Chrome's security measures and take over your computer.

The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.

What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options when they translate the program from a human-readable computer language into an executable program.

Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.

SEO Code Injection [The Security Shoggoth]

Posted: 05 Sep 2008 10:49 AM CDT

Gunter Ollmann posted an excellent article explaining SEO Code Injection attacks at This is one of the best explanations of the attack I've read. Go read it. NOW!

SEO code injection attacks have been gaining popularity by those evil malware authors as a way to get unsuspecting victims to their attack pages. A few highly publicized attacks were done earlier this year which resulted in alot of head-aches for some major sites. Dancho Danchev has alot of excellent information on these attacks on his blog.

Things only An Astrologist Could Believe [Emergent Chaos]

Posted: 05 Sep 2008 10:06 AM CDT

There's a really funny post on a blog titled "Affordable Indian Astrology & Vedic Horoscope Provider:"
Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making.
This is a beautiful example of confirmation bias at work. Confirmation bias is when you believe something (say, Vedic astrology) and go looking for confirmation. This doesn't advance your knowledge in any way. You need to look for contradictory evidence. For example, if you think Google is using Vedic astrology, they have a decade of product launches with some obvious successes. Test the idea. I strongly believe that you haven't.

"According to the Treasury Inspector for the Tax Administration - a Treasury D..." [Security Circus]

Posted: 05 Sep 2008 03:27 AM CDT

According to the Treasury Inspector for the Tax Administration - a Treasury Department watchdog - the IRS operates 2,093 web servers with at least one vulnerability. It said 540 of those servers contained one or more vulnerabilities rated high risk. The report identified 1,811 internal servers that had not been approved to connect to the network. Some 1,150 of those were being used for non-business purposes. Under IRS rules, all internal websites and servers must be registered with the agency's Modernization and Information Technology Services organization. –Report: IRS networks riddled with vulns, rogue servers - OMG, this is what I would define "a mess"...

Get back here, you! Part 2 [ - A Revolution is the Solution]

Posted: 05 Sep 2008 03:10 AM CDT

Some websites abuse the end-user with a general creep of popups, "don't go" tactics and drag it out as much as they can.

Others are the equivalent of a twenty pound sledgehammer in the face. This is one of the latter.

Can't remember where I saw this site - think it might have been a follow-on advert after I closed a US news website. It's something to do with weightloss or whatever. Let the onslaught begin - as soon as you try to leave the page....

Fake Operator Woman (TM) and....some little talking Chinese dude appear on the screen. While Fake Operator Woman is pounding you with chat text, the little Chinese dude is yammering away in the corner and HE WON'T SHUT UP, OH GOD MAKE HIM STOP.

Doesn't matter if you scroll up......or can't seem to get rid of his horrendous, droning sales pitch.

Shut up! Shut up!!!!

......ack. He does provide some comedy value however, when he tries to explain why "fat cat" diet experts don't want the "secret of his tea" getting out there and costing them a fortune. He talks about how all products are made to fail, why cars aren't built to last and

"That's why Bill Gates makes operating system after operating system that's incompatible with the one before."

...what? What does that even mean? Mind you, this is the same person that apparently also says "It makes me madder than a wet ham"(?)

Let's try and blank him out while we have fun with the "no, she's real, honest" chatbot chick. If you haven't already been suckered into buying everything (because they claim there's "Only 11 Trials remaining....hmmmm), before you can even talk to her you have to sit through another one of these:

Yeah yeah, hit me with the sales pitch already.

Cleverly, as soon as you click into the chatbox, you see a message appear saying "Viki" is typing. You know, just in case you thought she wasn't real. Unfortunately, Viki appears to have explosive finger diarrhea because within about 1.5 nanoseconds, all of the below has appeared:

Okay, she's the chatty type. I can live with tha-

Oh Lordy, woman. SHUT UP. Time to break out the charm:

She doesn't seem to be paying attention.

It's like I'm not even there or something.

Waiter! Bring me my divorce papers, this isn't gonna work out!

Gee, let me think about that for a se


Get back here, you! Part 1 [ - A Revolution is the Solution]

Posted: 05 Sep 2008 01:59 AM CDT

I don't know whether it's fate or chance or a centuries old Voodoo curse, but the last couple of weeks I've been hammered by sites that will do anything (short of climbing out of the monitor and punching you in the face) to keep you on their site in ever-increasingly obnoxious ways. I thought I might point and laugh at some of them.

Here's the first.

Perfspot is yet another social networking site thing. It seems like most of the others out there, but I'm not really familiar with it. However, their adverts leave a lot to be desired. While checking out this thing (and clicking through various adverts to find the one I was looking for), I stumbled upon GET BACK HERE, YOU in the most annoying form possible. Probably.

Picture the scene - there I am, on some advert splash page thing for Perfspot (via Facebook), I go to close the page and....

Hoo-boy, who's the hot chick? She seems like she wants a slice of PG Pie. No, wait....she......seems to be overtly interested in me "signing up". Doh. Mind you, she's nearly obscured by the secondary popup beating me round the head. You know, just in case I wasn't aware of the large box in the middle of the screen with "Katie" in it.

This is the stupidest marketing gimmick ever. She pops up asking me if I'm "Having trouble signing up", yet she immediately refuses to help me unless.....I sign up. If I couldn't work out how to do it myself, her crappy instructions certainly aren't going to help me much. Shall we confirm this is actually a useless bot and not a hot chick?

Well, she's either real calm under pressure or she is indeed a bot. Note more sloppy logic - the entire purpose of this bot is to pretend to be a customer service rep and "help" you register, yet she refuses to help you register. Someone isn't paying their programmers enough.

After this, Katie gives you the cold shoulder treatment. Even better, if you decide to click the "Add as my friend" button on her chatbox, you see.....

Does anyone still fall for stuff like that? Apart from the gloriously insane logic they're emplying here - offer the chance to add a fictional woman to your contact list, except you can't add her because you can't work out how to register and the fictional woman designed to help you won't help you - this stuff needs to get back where it belongs, which is permawedged in 2004 or earlier.

Definitely one of the more obnoxious, over the top ads for a social networking site I've seen recently.

More thoughts about Google Chrome [The Security Mentor]

Posted: 04 Sep 2008 10:54 PM CDT

Chrome will save passwords for you, but unlike Firefox it doesn't let you define a master password that protects all your stored website passwords.

This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.

I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.

My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run Javascript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster Javascript engine.

This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.

No comments: