Spliced feed for Security Bloggers Network |
Cyber Attack Data-Sharing Is Lacking, Congress Told [Security Circus] Posted: 12 Oct 2008 04:57 AM CDT I already pointed this out in my 2007 Black Hat presentation, and this is exactly why the WOMBAT project was formed in the first place. |
Posted: 12 Oct 2008 04:51 AM CDT |
OSX Update 10.5.5 and Security Update 2008-006 [Random Thoughts from Joel's World] Posted: 11 Oct 2008 04:22 PM CDT Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it. Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases. This update releases updates to the following items:
ATS (Apple Type Services) -- CVE-2008-2305
BIND -- 10.5: updated to 9.4.2-P2; 10.4.11: updated to 9.3.5-P2
ClamAV (antivirus included with OSX Server) -- updated to version 0.93.3; CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Directory Services x2 -- (Something I found interesting: vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329
Finder x2 -- CVE-2008-2331, CVE-2008-3613
ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
Kernel -- CVE-2008-3609
libresolv -- CVE-2008-1447
Login Window x2 -- CVE-2008-3610, CVE-2008-3611
mDNSResolver -- CVE-2008-1447
OpenSSH -- CVE-2008-1483, CVE-2008-1657
QuickDraw Manager -- CVE-2008-3614
Ruby -- CVE-2008-2376
SearchKit -- CVE-2008-3616
System Configuration -- CVE-2008-2312 (for 10.4.11)
System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
Time Machine -- CVE-2008-3619
VideoConference -- CVE-2008-3621
Wiki Server -- CVE-2008-3622
So, all in all, quite a few updates here in this one. |
"The intelligence of that creature known as a crowd is the square root of the ..." [Security Circus] Posted: 11 Oct 2008 02:54 PM CDT The intelligence of that creature known as a crowd is the square root of the number of people in it. –Terry Pratchett, Jingo Reposted from thoschsoup via astrid |
Posted: 11 Oct 2008 02:24 PM CDT |
A Day in the Life of Conservative Joe [Security Circus] Posted: 11 Oct 2008 02:22 PM CDT |
Posted: 11 Oct 2008 02:07 PM CDT |
"you are going to be embarrassed, ashamed, labeled as an idiot, shunned, ridic..." [Security Circus] Posted: 11 Oct 2008 01:39 PM CDT you are going to be embarrassed, ashamed, labeled as an idiot, shunned, ridiculed, and occasionally driven from the village with pitchforks. on average, YOU ARE GOING TO FAIL. MULTIPLE TIMES, in NEW & INTERESTING ways. GET USED TO IT. –Dave McClure: Fear is the Mind Killer of the Silicon Valley Entrepreneur Reposted from c3o |
Posted: 11 Oct 2008 01:39 PM CDT |
Handcuffed in front of a school [Security Circus] Posted: 11 Oct 2008 01:29 PM CDT |
"The most extensive government report to date on whether terrorists can be ide..." [Security Circus] Posted: 11 Oct 2008 12:04 PM CDT The most extensive government report to date on whether terrorists can be identified through data mining has yielded an important conclusion: It doesn't really work. A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism "is neither feasible as an objective nor desirable as a goal of technology development efforts." Inevitable false positives will result in "ordinary, law-abiding citizens and businesses" being incorrectly flagged as suspects. –Government report: Data mining doesn't work well |
Microsoft's October Patch Release Advance Notice [Sunnet Beskerming Security Advisories] Posted: 11 Oct 2008 08:26 AM CDT Microsoft's Security Response Centre has provided advance notification of this month's expected Microsoft security patches. After only a handful of patches were released with September's update, Microsoft are expecting to release 11 patches for October. Of the 11 patches, four attract Microsoft's highest rating, of Critical. These patches are expected for Windows, Host Integration Server, Office, and a cumulative Internet Explorer patch. The six patches labelled as Important are all for Windows, while the Moderate patch will be for Office. While it would be expected that all of the Critical patches are for remote code execution opportunities (and they are), some of the Important patches are also for remote code execution problems. Given that Microsoft has done this in the past, it suggests that the affected components are not present in a default Windows installation and that some level of user modification / configuration is required away from the standard installation in order for them to be vulnerable. Users of Microsoft Office on OS X should also expect to receive updates for some of the Office vulnerabilities. In addition to the routine updates to the Malicious Software Removal Tool, and the high-priority, non-security updates, Microsoft will be introducing the Exploitability Index alongside this month's patches. The tool was introduced at this year's Black Hat conference in Las Vegas. It will be interesting to watch to see if the addition of the Index provides any extra benefit to users and administrators, or if it merely identifies which vulnerabilities are more vulnerable to exploitation if left unpatched. |
Contributing Writer: Truth to Power [The Falcon's View] Posted: 10 Oct 2008 06:24 PM CDT |
Friday Summary, 10-10-2008 [securosis.com] Posted: 10 Oct 2008 05:13 PM CDT What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven't felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing; we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren't making plans to protect yourself through this crisis, *you* might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can't possibly imagine that happening. Webcasts, Podcasts, and Conferences:
Favorite Securosis Posts:
Favorite Outside Posts:
Top News:
Blog Comment of the Week: |
Security Update for OS Microsoft Windows [mxlab - all about anti virus and anti spam] Posted: 10 Oct 2008 01:17 PM CDT MX Lab intercepted emails with the subject "Security Update for OS Microsoft Windows", a rather long email with instructions to run the attached file named, in this case, KB934178.exe, which is a keylogger program that can capture all user keystrokes. It is known by Sophos as Mal/EncPk-CZ and by F-Secure as Trojan-Spy.Win32.Goldun.bce. The message even includes a PGP signature to make it even more realistic. The author has done some basic homework. Steve Lipner is indeed working for Microsoft as Senior Director of Security Engineering Strategy in Trustworthy Computing (found it on the net - what a title, by the way) and has published the book The Security Development Lifecycle. You can also read some blog articles from Steve Lipner, and other authors, at http://blogs.msdn.com/sdl/default.aspx.
Virus Total permalink and MD5: 1ffcb1ea024c228ade6d8dad681c6ed7. As a general rule, Windows only distributes patches and security updates through Windows Update on your computer. Every other way of distribution by email is not recommended at all. |
Pwnage of World Bank [Donkey On A Waffle] Posted: 10 Oct 2008 12:23 PM CDT At a time when the financial crisis is taking the DOW below 8000 pts and the world economy is starting to feel some of the repercussions, a high profile security breach is being reported. The World Bank has been under siege for at least a year, and more information and details regarding the intrusions were published today by Fox News. The first breach of the bank's secrets was discovered in September, 2007, after the FBI, while at work on a different cybercrime case, notified the bank that something was wrong. The feds pointed to a part of the bank's network that led out of the Johannesburg hub of the International Finance Corp. (IFC), a bank arm that lends to the private sector. The second major breach, of the bank's treasury network in Washington, was discovered in April 2008. The World Bank's Treasury manages $70 billion in assets for 25 clients, including the central banks of some countries. It carries out substantial collaborations with the world's finance ministers on public wealth and debt management, runs an active bond-trading desk in Washington, and does everything from currency trading to capital markets financings. What really makes this particular breach interesting (besides the target) is that at least one portion of the intrusion was allegedly sourced from one of the largest outsourcing firms in India. Why do the government and major financial institutions insist on the outsourcing model when it is readily apparent that the security of these organizations just isn't there? To really bring this home, how much of our software development have companies like Cisco, Microsoft, and even security vendors like Symantec outsourced to India? Obviously any is too much. If we really must continue to outsource overseas there really needs to be a requirement for independent security assessment of all outsourced development. *GASP* who would have thunk it. NOTE: Fixed broken link. Thanks Scott. |
We don't need NASL - OpenVAS [GNUCITIZEN] Posted: 10 Oct 2008 11:35 AM CDT For those of you who are new to these things, NASL stands for Nessus Attack Scripting Language. NASL is part of the closed-source Nessus vulnerability scanner and its open-source form called OpenVAS (Open Vulnerability Assessment System). Nessus plays a big part in the hearts of many administrators, security consultants and scanning vendors. Nessus was practically the first stable and well maintained open-source security scanner until they closed the source. So, what about NASL? My point is that we don't need it. Recently I had to work with OpenVAS and Nessus in order to automate some trivial penetration testing practices. I've worked with both and I got fed up with NASL. I still cannot understand why on earth we need yet another general purpose scripting language which looks like some kind of a hybrid between PHP, C and JavaScript. Anyway, since version 3 Nessus is closed source. Now we have OpenVAS, a 2.x fork of Nessus. The project is coming along nicely but is still far from being good enough for environments where stability is a must. At some point I decided to contribute since I am particularly interested in having a free Nessus clone with a good community behind it. As soon as I started putting down some code I realized that this is not what I want. Nessus' code seems undeservingly complicated. In reality I need neither Nessus nor NASL. All I need are the tests. I believe that everybody feels the same. Perhaps the whole OpenVAS project should concentrate on writing the tests and let the user choose the engine. In my case Nessus was not a good engine due to license limitations. OpenVAS was not a good fit either because of stability reasons. I am stuck! It occurred to me that because NASL is very close in syntax to PHP, JavaScript and C, it will actually be easy to rewrite the scripts in a more suitable language that has a better community around it.
Of course everything needs to be done in an automatic fashion because I hardly doubt that anyone has the personal time to sit and rewrite boring NASL scripts, unless he is paid good money for it. This is not how things work in the open-source world though. Unfortunately, I do not have the time to start such a project although I will most certainly contribute. I hope that someone is willing to take on the challenge. Any takers? |
Kelvin Steele Made Me Do It [Vitalsecurity.org - A Revolution is the Solution] Posted: 10 Oct 2008 11:34 AM CDT |
Posted: 09 Oct 2008 10:07 PM CDT Someone at Google has created Mail Goggles. It's a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say … [snip] "Sometimes I send messages I shouldn't send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together," [/snip] And who hasn't, really? It's no wonder I am not smart enough to work at Google. I would never have thought this up, never mind actually coding it. I checked, and it's really there, under the Labs section, along with a dozen or so other productivity tools. I really think they could be onto something here … just consider this from a "Reputational Risk" perspective; this could be a hot product for Postini. One too many Martinis with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your "spa day" executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if you're too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon … -Adrian |
The State of American Government and Politics [The Falcon's View] Posted: 09 Oct 2008 09:09 PM CDT |
Frame Injection Fun [GNUCITIZEN] Posted: 09 Oct 2008 07:01 PM CDT Frame injection vulnerabilities, although some people might consider them the same as HTML injection/XSS or even a subset, are really not the same. Here is why:
The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because dynamic frameset/iframe insertion is not implemented with enough filtering. For instance, say that we have the following URL on the target site: A malicious user with intentions of launching a phishing attack will try tampering with the I thought that showing a live example would help our readers get an idea of what frame injection looks like in action. For that purpose, I prepared a rather inelegant proof of concept which takes advantage of the Google Images service. What's neat is that although the legitimate URL would normally use the images.google.com domain, Google also allows us to use other google.com subdomains such as mail.google.com, which is used by Gmail. This is ideal, as we're trying to accomplish a frame injection attack which can be used to perform phishing attacks against Gmail users. The previous PoC URL will cause the entered credentials to be submitted to www.gnucitizen.org when clicking on Sign in, so please do NOT submit any real credentials! Needless to say, in real life the attacker would most likely automate the process of obtaining the harvested credentials by using a tool such as our x.php data-theft script. |
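The post attributes most frame injection bugs to frame/iframe targets that are built from a request parameter without enough filtering. The fix on the server side is an allowlist check on the parsed host, not a substring match on the raw string. The following is an added example, not code from the GNUCITIZEN post or from Google: `safe_frame_url` and `render_frame` are hypothetical helper names, the `images.google.com` / `www.google.com` allowlist is a constructed stand-in for whatever hosts an application legitimately frames, and the rejection cases are the classic parser tricks (scheme-relative `//host`, `javascript:` URLs, userinfo `trusted@evil`, fragment `evil#@trusted`, look-alike subdomains, odd ports) that a substring filter would let through.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the application is willing to put in a frame.
# In a real deployment this would come from configuration.
ALLOWED_FRAME_HOSTS = frozenset({"images.google.com", "www.google.com"})


def safe_frame_url(candidate, allowed_hosts=ALLOWED_FRAME_HOSTS):
    """Return a normalised URL if it may be framed, or None if it must be refused.

    The decision is made on the parsed host, never on the raw string, so
    "http://images.google.com@evil.example/" (userinfo trick) and
    "http://evil.example#@images.google.com" (fragment trick) are both refused
    even though the trusted host name appears in them.
    """
    if not isinstance(candidate, str) or len(candidate) > 2048:
        return None
    # Control characters are stripped by browsers but not by every parser;
    # refuse rather than try to normalise them.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Only absolute http(s). This also rejects "//evil.example/" (scheme "")
    # and "javascript:" / "data:" URLs.
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None
    # Any userinfo at all is refused; "trusted@evil" is the classic bypass.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname  # lower-cased, userinfo and port already removed
    if host is None:
        return None
    host = host.rstrip(".")  # "images.google.com." is the same host
    if host not in allowed_hosts:
        return None  # exact match: "images.google.com.evil.example" fails here
    if port not in (None, 80, 443):
        return None
    # Rebuild from the validated pieces; the default port is dropped.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, parts.fragment))


def render_frame(candidate):
    """Return the iframe markup for a validated target, or a safe fallback."""
    url = safe_frame_url(candidate)
    if url is None:
        return "<p>Invalid frame target.</p>"
    # Attribute-escape the URL so a quote or ampersand in the query cannot
    # break out of the src attribute. 'sandbox' limits what the frame can do.
    return f'<iframe src="{html.escape(url, quote=True)}" sandbox></iframe>'


def demo():
    """Run a set of constructed inputs through the check; used for the stand-alone run."""
    samples = [
        "http://images.google.com/imgres?imgurl=x",
        "HTTP://IMAGES.GOOGLE.COM/",
        "http://evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
        "http://images.google.com@evil.example/",
        "http://evil.example#@images.google.com",
        "http://images.google.com.evil.example/",
        "http://images.google.com:8080/",
    ]
    return [(s, safe_frame_url(s)) for s in samples]


if __name__ == "__main__":
    for raw, verdict in demo():
        print(f"{raw!r:45} -> {verdict!r}")
```

Note that the check keeps the scheme the caller supplied; if the application only ever frames HTTPS content, tightening `("http", "https")` to `("https",)` is the one-line change. Pairing this with a `Content-Security-Policy: frame-src` header gives a second, browser-enforced layer for the same allowlist.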