Posted: 11 Oct 2008 04:22 PM CDT
Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.
Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.
This update releases updates to the following items:
ATS -- Apple Type Services -- CVE-2008-2305
10.5 -- Updated to 9.4.2-P2
10.4.11 -- Updated to 9.3.5-P2
ClamAV -- Antivirus included with OSX Server
Updated to version 0.93.3.
CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResponder -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (For 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one.
Posted: 11 Oct 2008 01:39 PM CDT
you are going to be embarrassed, ashamed, labeled as an idiot, shunned, ridiculed, and occasionally driven from the village with pitchforks. on average, YOU ARE GOING TO FAIL. MULTIPLE TIMES, in NEW & INTERESTING ways. GET USED TO IT. –Dave McClure: Fear is the Mind Killer of the Silicon Valley Entrepreneur
Reposted from c3o
Posted: 11 Oct 2008 12:04 PM CDT
The most extensive government report to date on whether terrorists can be identified through data mining has yielded an important conclusion: It doesn't really work. A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism "is neither feasible as an objective nor desirable as a goal of technology development efforts." Inevitable false positives will result in "ordinary, law-abiding citizens and businesses" being incorrectly flagged as suspects. –Government report: Data mining doesn't work well
Posted: 11 Oct 2008 08:26 AM CDT
After only a handful of patches were released with September's update, Microsoft are expecting to release 11 patches for October.
Of the 11 patches, four attract Microsoft's highest rating of Critical. These patches are expected for Windows, Host Integration Server, Office, and a cumulative Internet Explorer patch.
The six patches labelled as Important are all for Windows, while the Moderate patch will be for Office.
While it would be expected that all of the Critical patches are for remote code execution opportunities (and they are), some of the Important patches are also for remote code execution problems. Given that Microsoft has done this in the past, it suggests that the affected components are not present in a default Windows installation and that some level of user modification / configuration is required away from the standard installation in order for them to be vulnerable.
Users of Microsoft Office on OS X should also expect to receive updates for some of the Office vulnerabilities.
In addition to the routine updates to the Malicious Software Removal Tool, and the high-priority, non-security updates, Microsoft will be introducing the Exploitability Index alongside this month's patches. The tool was introduced at this year's Black Hat conference in Las Vegas. It will be interesting to watch to see if the addition of the Index provides any extra benefit to users and administrators, or if it merely identifies which vulnerabilities are more vulnerable to exploitation if left unpatched.
Posted: 10 Oct 2008 05:13 PM CDT
What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing; we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, *you* might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening.
Webcasts, Podcasts, and Conferences:
Favorite Securosis Posts:
Favorite Outside Posts:
Blog Comment of the Week:
Posted: 10 Oct 2008 01:17 PM CDT
MX lab intercepted emails with the subject “Security Update for OS Microsoft Windows”, a rather long email with instructions to run the attached file named, in this case, KB934178.exe, which is a keylogger program that can capture all user keystrokes. It is known by Sophos as Mal/EncPk-CZ and by F-Secure as Trojan-Spy.Win32.Goldun.bce. The message even includes a PGP signature to make it even more realistic.
The author has done some basic homework. Steve Lipner is indeed working for Microsoft as Senior Director of Security Engineering Strategy in Trustworthy Computing (found it on the net - what a title by the way) and has published the book The Security Development Lifecycle. You can also read some blog articles from Steve Lipner, and other authors, at http://blogs.msdn.com/sdl/default.aspx.
Virus Total permalink and MD5: 1ffcb1ea024c228ade6d8dad681c6ed7.
As a general rule, Windows only distributes patches and security updates through Windows Update on your computer. Any other way of distribution by email is not recommended at all.
Posted: 10 Oct 2008 12:23 PM CDT
At a time when the financial crisis is taking the DOW below 8000pts and the world economy is starting to feel some of the repercussions, a high profile security breach is being reported. The World Bank has been under siege for at least a year, and more information and details regarding the intrusions were published today by Fox News.
The first breach of the bank's secrets was discovered in September, 2007, after the FBI, while at work on a different cybercrime case, notified the bank that something was wrong. The feds pointed to a part of the bank's network that led out of the Johannesburg hub of the International Finance Corp. (IFC), a bank arm that lends to the private sector.
The second major breach, of the bank's treasury network in Washington, was discovered in April 2008. The World Bank's Treasury manages $70 billion in assets for 25 clients, including the central banks of some countries. It carries out substantial collaborations with the world's finance ministers on public wealth and debt management, runs an active bond-trading desk in Washington, and does everything from currency trading to capital markets financings.
What really makes this particular breach interesting (besides the target) is that at least one portion of the intrusion was allegedly sourced from one of the largest outsourcing firms in India. Why do the government and major financial institutions insist on the outsourcing model when it is readily apparent that the security of these organizations just isn't there? To really bring this home, how much of our software development have companies like Cisco, Microsoft, and even security vendors like Symantec outsourced to India? Obviously any is too much. If we really must continue to outsource overseas, there really needs to be a requirement for independent security assessment of all outsourced development. *GASP* who would have thunk it.
NOTE: Fixed broken link. Thanks Scott.
Posted: 10 Oct 2008 11:35 AM CDT
For those of you who are new to these things, NASL stands for Nessus Attack Scripting Language. NASL is part of the closed-source Nessus vulnerability scanner and its open-source form called OpenVAS (Open Vulnerability Assessment System).
Nessus plays a big part in the hearts of many administrators, security consultants and scanning vendors. Nessus was practically the first stable and well maintained open-source security scanner until they closed the source.
Anyway, so since version 3 Nessus is closed source. Now we have OpenVAS, a 2.x fork of Nessus. The project is coming along nicely but is still far from being good enough for environments where stability is a must. At some point I decided to contribute since I am particularly interested in having a free Nessus clone with a good community behind it. As soon as I started putting down some code I realized that this is not what I want. Nessus’ code seems undeservingly complicated.
In reality I do not need Nessus nor NASL. All I need are the tests. I believe that everybody feels the same. Perhaps the whole OpenVAS project should concentrate on writing the tests and let the user choose the engine. In my case Nessus was not a good engine due to license limitations. OpenVAS was not a good fit as well because of stability reasons. I am stuck!
Unfortunately, I do not have the time to start such a project although I will most certainly contribute. I hope that someone is willing to take on the challenge. Any takers?
Posted: 09 Oct 2008 10:07 PM CDT
Someone at Google has created Mail Goggles. It’s a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say …
“Sometimes I send messages I shouldn’t send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together,”
And who hasn’t, really? It’s no wonder I am not smart enough to work at Google. I would never have thought this up, never mind actually coding it. I checked, and it’s really there, under the Lab’s section, along with a dozen or so other productivity tools. I really think they could be onto something here … just consider this from a “Reputational Risk” perspective; this could be a hot product for Postini. One too many Martinis with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your “spa day” executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if you’re too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon …
Posted: 09 Oct 2008 07:01 PM CDT
Although some people might consider frame injection vulnerabilities the same as HTML injection/XSS, or even a subset of it, they really are not the same.
Here is why:
The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because dynamic frameset/iframe insertion is not implemented with enough filtering. For instance, say that we have the following URL on the target site:
A malicious user with intentions of launching a phishing attack will try tampering the
I thought that showing a live example would help our readers get an idea of what frame injection looks like in action. For that purpose, I prepared a rather inelegant proof of concept which takes advantage of the Google Images service. What’s neat is that although the legitimate URL would normally use the images.google.com domain, Google also allows us to use other google.com subdomains such as mail.google.com, which is used by Gmail. This is ideal, as we’re trying to accomplish a frame injection attack which can be used to perform phishing attacks against Gmail users.
The previous PoC URL will cause the entered credentials to be submitted to www.gnucitizen.org when clicking on Sign in, so please do NOT submit any real credentials!
Needless to say, in real-life the attacker would most likely automate the process of obtaining the harvested credentials by using a tool such as our x.php data-theft script.
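As an added illustration (not part of the original post or of any code the author published), here is the unfiltered iframe insertion the post describes beside the allow-list check that prevents a foreign page from being framed inside the trusted site. The host names and the `url` parameter are constructed for the example; it runs under Node.js with no dependencies.

```javascript
// Added example: frame injection arises when a request parameter is written
// straight into an iframe/frameset src. The fix is to parse the value as a
// URL and accept only https targets whose host is on an explicit allow-list.

// Constructed allow-list of hosts this site is willing to frame.
const ALLOWED_FRAME_HOSTS = new Set(["images.example.com", "mail.example.com"]);

// Vulnerable pattern: whatever arrives in the parameter becomes the frame
// source, so a crafted link can frame an attacker-controlled page under the
// trusted site's address bar.
function buildFrameUnsafe(urlParam) {
  return `<iframe src="${urlParam}"></iframe>`;
}

// Hardened pattern: returns the normalized absolute URL when it is acceptable,
// or null when the caller should render nothing (or a default) instead.
function resolveFrameTarget(urlParam, allowedHosts = ALLOWED_FRAME_HOSTS) {
  let target;
  try {
    target = new URL(urlParam); // throws on relative, protocol-relative or malformed input
  } catch {
    return null;
  }
  if (target.protocol !== "https:") return null;        // rejects javascript:, data:, http:
  if (!allowedHosts.has(target.hostname)) return null;  // exact host match, so
                                                        // "mail.example.com.evil.example" and
                                                        // "mail.example.com@evil.example" fail
  target.username = "";                                 // drop any userinfo before embedding
  target.password = "";
  return target.href;
}

// Builds the frame only for an allowed target and escapes the attribute value
// so the URL cannot break out of src="...".
function buildFrameSafe(urlParam) {
  const src = resolveFrameTarget(urlParam);
  if (src === null) return "";
  const escaped = src.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<iframe src="${escaped}"></iframe>`;
}

module.exports = { buildFrameUnsafe, resolveFrameTarget, buildFrameSafe };
```

The same allow-list check applies to frameset `src` and to redirect targets built from request parameters.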
You are subscribed to email updates from Security Bloggers Network.