Swedish spy authorities have taken legal action against a Brussels-based blogger who published a classified document purporting to prove they snooped on individual Swedes more than a decade ago.
20:09 Article: Traditional vs. Non-Traditional Database Auditing
Traditional native audit tools and methods are useful for diagnosing problems at a given point in time, but they typically do not scale across the enterprise. The auditing holes that are left in their...
18:22 Fortify warns of configuration weaknesses in SOA deployments
Security code review specialist Fortify Software has issued a warning about major configuration weaknesses affecting SOA (service oriented architecture) deployments from IBM, Microsoft and Apache.
According to Fortify, certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1, Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) can open doors to [...]
Cybercrooks are becoming faster at utilising newly-discovered browser exploits. More than nine in ten of all browser-related exploits occurred within 24 hours of an official vulnerability disclosure, according to a survey by IBM's X-Force security division.
Apple has come under fire for failing to patch the critical Domain Name System (DNS) flaw which prompted a coordinated response from the rest of the industry earlier this month.
17:27 The Neosploit cybercrime group abandons its web malware exploitation kit
The end of the Neosploit web malware exploitation kit? RSA’s FraudAction Research Labs’ recent monitoring of ongoing communications between Neosploit team members and their potential customers indicates so. The Neosploit malware kit has been around since the middle of 2007, with prices varying between $1000 and $3000, whose main differentiation factors next to its popular [...]
17:02 Passports worth 2.5 million stolen in van hijack
Graham Tibbetts of the UK Telegraph is reporting that the British Foreign Office has admitted to losing around 3,000 passports and visa stickers, which were stolen on their way from Manchester to RAF Northolt in London, where they were to be sent to British embassies. From the article:
Officials claimed the chip technology incorporated in the [...]
15:19 Neosploit exploit kit shutters operations?
The distributors of Neosploit, one of the more dangerous drive-by download exploit kits on the Internet, have shut down operations because of financial problems, according to malware researchers at RSA FraudAction Research Labs.
In a blog entry, the company said it found evidence that Neosploit will no longer be supported (yes, the do-it-yourself malware installation kit [...]
13:36 Measuring malware infections in the Chinese Internet
Guest editorial by Oliver Day
In June 2008, StopBadware published a report with statistics (.pdf) based on our sample of infected website data from Google. In those statistics we noted that over half of the infections came from addresses originating in China. We’ve received some attention for these statistics and I’d like to delve a little [...]
13:24 DNS cache poisoning attacks exploited in the wild
Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the “recent” DNS cache poisoning vulnerability:
client 143.215.143.11 query (cache) ‘www.ebay.com/ANY/IN’ denied: 31 Time(s)
client 143.215.143.11 query (cache) ‘www.facebook.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.gmail.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 [...]
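The lines quoted above are the kind of logwatch summary that BIND's "query (cache) ... denied" records produce when a client the server does not recurse for asks it for cached answers. As an added example (mine, not part of the original post or of any source it cites), the Python below parses such records, tolerating the line-wrapping seen in the excerpt, groups them per client and flags clients that fired ANY queries for several high-value names. The sample is constructed from the excerpt; the two extra clients, their counts and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpt above. The first three records are the
# ones quoted there (one of them wrapped onto two lines the way the post shows it);
# the last two clients and their counts are made up for contrast.
SAMPLE_LOG = """\
client 143.215.143.11 query (cache) 'www.ebay.com/ANY/IN' denied: 31
Time(s)
client 143.215.143.11 query (cache) 'www.facebook.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.gmail.com/ANY/IN' denied: 30 Time(s)
client 10.0.0.7 query (cache) 'intranet.example/A/IN' denied: 1 Time(s)
client 198.51.100.9 query (cache) 'www.paypal.com/ANY/IN' denied: 12 Time(s)
"""

# One "query (cache) ... denied" summary record. Straight and curly quotes are both
# accepted because the page's copy of the log uses curly ones.
RECORD_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) query \(cache\) "
    r"['\u2018\u2019](?P<name>[^/'\u2018\u2019]+)/(?P<qtype>[A-Z0-9]+)/(?P<cls>[A-Z]+)['\u2018\u2019] "
    r"denied: (?P<count>\d+) Time\(s\)"
)

def parse_records(text):
    """Return (ip, name, qtype, count) tuples. Whitespace is collapsed first so a
    record that was wrapped onto two lines still matches."""
    flat = re.sub(r"\s+", " ", text)
    return [(m["ip"], m["name"], m["qtype"], int(m["count"]))
            for m in RECORD_RE.finditer(flat)]

def suspicious_clients(text, min_total=20, min_names=2):
    """Aggregate denied cache queries per client and flag the ones that asked for
    several different names more than min_total times in the period, reporting how
    many of those were QTYPE ANY. Thresholds are assumptions; tune them to the
    resolver's normal traffic."""
    per_client = defaultdict(lambda: {"total": 0, "any": 0, "names": set()})
    for ip, name, qtype, count in parse_records(text):
        rec = per_client[ip]
        rec["total"] += count
        rec["names"].add(name)
        if qtype == "ANY":
            rec["any"] += count
    return {
        ip: {"total": rec["total"], "any": rec["any"], "names": sorted(rec["names"])}
        for ip, rec in per_client.items()
        if rec["total"] >= min_total and len(rec["names"]) >= min_names
    }

if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['total']} denied queries ({info['any']} ANY) "
              f"for {', '.join(info['names'])}")
```

A "denied" record means the server refused to answer from cache for that client, so the attempts in the excerpt failed against that host. What matters on your own resolver is the opposite case: whether it recurses for addresses it should not, and whether it carries the source port randomization patch the item refers to.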
A consignment of 3,000 "useless" blank biometric passports has been stolen on its way to British embassies throughout the world. Or at least, the Identity & Passport Service says they're useless.
11:22 Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings
It used to be a case where a botnet would be used for a single purpose: spamming, phishing, or malware spreading. At a later stage, the steady supply of malware-infected hosts allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.
"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."
Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with whom, especially in respect to Storm Worm, whose multitasking on different fronts in the first stages of its appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough to make it harder to keep track of all of their activities.
"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"
What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers, whose job today is more campaign-rotation related, in order to ensure new bots are added; what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.
08:15 Katie Moussouris on HOPE 2008: HOPE Springs Eternal
Guest Editorial by Katie Moussouris of Microsoft
If cyberspace is a mass, consensual hallucination, as William Gibson characterized it, then HOPE was a dream manifested in meatspace that would not die. While Hackers On Planet Earth has been running every other year since 1994, it was my first journey to the con. It was, [...]
07:06 Security World: Motorola to acquire AirDefense
Motorola has signed a definitive agreement to acquire privately held AirDefense, a leading wireless LAN (WLAN) security provider. Terms of the transaction were not disclosed.
AirDefense is a priv...
05:03 Oracle ships emergency workaround for zero-day exploit
For the first time since the introduction of its quarterly Critical Patch Update process, Oracle has released an emergency alert to offer mitigation for a zero-day exploit that’s been posted on the Internet.
The emergency workaround, available here, addresses an unpatched vulnerability that’s remotely exploitable without authentication (it may be exploited over the network without [...]
04:41 Safari browser flaw: Session fixation attacks possible
Another day, another unpatched Safari browser vulnerability.
According to this flaw warning found on the NVD (National Vulnerability Database), Apple’s flagship browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains.
[ SEE: Microsoft issues Safari-to-IE blended threat warning ]
Heise Security breaks down the attack vector:
Apple’s Safari web browser, [...]
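The item is cut off before Heise's breakdown, so what follows is my reading of it rather than the page's: a browser that accepts a cookie scoped to a registry-controlled suffix such as co.uk lets any site under that suffix plant a session ID that every other co.uk site will then receive, which is the session-fixation condition the item names. As an added example, not Apple's or Heise's code, this Python models a cookie jar with and without the public-suffix check. The suffix list is a deliberately tiny constructed stub (a real jar would load the full Public Suffix List), and the host names are made up.

```python
# Constructed stub of a public-suffix list: labels under which unrelated parties
# register names. A real implementation would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk",
                   "au", "com.au", "jp", "co.jp"}

def normalize(domain):
    return domain.strip().strip(".").lower()

def domain_matches(cookie_domain, host):
    """Cookie domain rule: the cookie's domain must be the host or a parent of it."""
    return cookie_domain == host or host.endswith("." + cookie_domain)

def accept_cookie(request_host, set_cookie, reject_public_suffix=True):
    """Parse a Set-Cookie header value and decide whether request_host may set it.
    Returns (name, value, domain) if accepted, else None. reject_public_suffix=False
    models the lax behaviour assumed here for the vulnerable browser: only the
    parent-domain rule is applied."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    host = normalize(request_host)
    domain = normalize(attrs.get("domain", "")) or host   # no Domain attribute: host-only
    if not domain_matches(domain, host):
        return None                                        # unrelated domain: refused
    if reject_public_suffix and domain in PUBLIC_SUFFIXES:
        return None                                        # would reach every site under it
    return (name.strip(), value, domain)

def cookies_sent_to(jar, host):
    """Cookies from the jar that the browser would attach to a request for host."""
    host = normalize(host)
    return {name: value for name, value, domain in jar if domain_matches(domain, host)}

def fixation_demo(reject_public_suffix):
    """Attacker page at evil.co.uk (made-up name) tries to plant a session ID that the
    victim's browser will later present to bank.co.uk (also made up)."""
    jar = []
    planted = accept_cookie("evil.co.uk", "sid=attacker-chosen; Domain=.co.uk; Path=/",
                            reject_public_suffix)
    if planted:
        jar.append(planted)
    return cookies_sent_to(jar, "www.bank.co.uk")

if __name__ == "__main__":
    print("lax browser:     ", fixation_demo(reject_public_suffix=False))
    print("hardened browser:", fixation_demo(reject_public_suffix=True))
```

Path, Secure, expiry and the other attributes are ignored here because they do not change the domain decision; the check that matters is the one on the public suffix, and an incomplete suffix list fails open for every suffix it does not know.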
Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven't already patched the hole are scrambling to catch up. The whole mess is a good illustration of the problems with researching and disclosing flaws like this.
The details of the vulnerability aren't important, but basically it's a form of DNS cache poisoning. The DNS system is what translates domain names people understand, like www.schneier.com, to IP addresses computers understand: 204.11.246.1. There is a whole family of vulnerabilities where the DNS system on your computer is fooled into thinking that the IP address for www.badsite.com is really the IP address for www.goodsite.com -- there's no way for you to tell the difference -- and that allows the criminals at www.badsite.com to trick you into doing all sorts of things, like giving up your bank account details. Kaminsky discovered a particularly nasty variant of this cache-poisoning attack.
Here's the way the timeline was supposed to work: Kaminsky discovered the vulnerability about six months ago, and quietly worked with vendors to patch it. (There's a fairly straightforward fix, although the implementation nuances are complicated.) Of course, this meant describing the vulnerability to them; why would companies like Microsoft and Cisco believe him otherwise? On July 8, he held a press conference to announce the vulnerability -- but not the details -- and reveal that a patch was available from a long list of vendors. We would all have a month to patch, and Kaminsky would release details of the vulnerability at the BlackHat conference early next month.
Of course, the details leaked. How isn't important; it could have leaked a zillion different ways. Too many people knew about it for it to remain secret. Others who knew the general idea were too smart not to speculate on the details. I'm kind of amazed the details remained secret for this long; undoubtedly it had leaked into the underground community before the public leak two days ago. So now everyone who back-burnered the problem is rushing to patch, while the hacker community is racing to produce working exploits.
What's the moral here? It's easy to condemn Kaminsky: If he had shut up about the problem, we wouldn't be in this mess. But that's just wrong. Kaminsky found the vulnerability by accident. There's no reason to believe he was the first one to find it, and it's ridiculous to believe he would be the last. Don't shoot the messenger. The problem is with the DNS protocol; it's insecure.
The real lesson is that the patch treadmill doesn't work, and it hasn't for years. This cycle of finding security holes and rushing to patch them before the bad guys exploit those vulnerabilities is expensive, inefficient and incomplete. We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design. This process won't prevent every vulnerability, but it's much more secure -- and cheaper -- than the patch treadmill we're all on now.
What a security engineer brings to the problem is a particular mindset. He thinks about systems from a security perspective. It's not that he discovers all possible attacks before the bad guys do; it's more that he anticipates potential types of attacks, and defends against them even if he doesn't know their details. I see this all the time in good cryptographic designs. It's over-engineering based on intuition, but if the security engineer has good intuition, it generally works.
Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.
That's what a good design looks like. It's not just secure against known attacks; it's also secure against unknown attacks. We need more of this, not just on the internet but in voting machines, ID cards, transportation payment cards ... everywhere. Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely.
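The djbdns point turns on numbers the essay does not spell out, so here is an added example (mine, not Schneier's or Bernstein's code) that puts them on the table. Without source port randomization the only per-query secret a blind spoofer must guess is the 16-bit transaction ID; with it, the forged reply must also hit the source port. The port entropy is taken as a full 16 bits, which is an assumption and an upper bound (real resolvers use a narrower range); the number of forged replies per race is also an assumption, standing in for what the attacker's bandwidth allows while the resolver waits for the genuine answer. The loop that retries with a fresh random subdomain is what makes Kaminsky's variant worse than waiting for a record to expire, and it is what the race loop models.

```python
import random

TXID_BITS = 16   # DNS transaction ID: the only per-query secret when the source port is fixed
PORT_BITS = 16   # assumed entropy of a randomized source port (upper bound; real ranges are narrower)

def guess_space(port_randomized):
    """Number of (txid, port) combinations a blind spoofer has to guess among."""
    return 2 ** (TXID_BITS + (PORT_BITS if port_randomized else 0))

def race_success_probability(forged_per_race, port_randomized):
    """Chance that at least one of k forged replies, sent blindly while the resolver
    waits for the genuine answer, carries the right txid (and port)."""
    s = guess_space(port_randomized)
    return 1 - (1 - 1 / s) ** forged_per_race

def expected_races(forged_per_race, port_randomized):
    """Expected number of races until the first accepted forgery. Each race asks for a
    fresh random subdomain, so nothing has to expire from the cache between attempts."""
    return 1 / race_success_probability(forged_per_race, port_randomized)

def simulate(forged_per_race, port_randomized, max_races, seed=1):
    """Run the race with a seeded RNG. Each race the resolver picks a fresh txid (plus a
    fresh port if randomized) and the attacker fires k forged replies with random values.
    Returns the race number of the first hit, or None if none within max_races."""
    rng = random.Random(seed)
    s = guess_space(port_randomized)
    for race in range(1, max_races + 1):
        outstanding = rng.randrange(s)           # the resolver's (txid, port) for this query
        for _ in range(forged_per_race):
            if rng.randrange(s) == outstanding:  # forged reply accepted: cache poisoned
                return race
    return None

if __name__ == "__main__":
    k = 200  # forged replies per race: an assumption, see lead-in
    for randomized in (False, True):
        limit = 500 if randomized else 20000
        print(f"port randomized={randomized}: guess space 2^{guess_space(randomized).bit_length() - 1}, "
              f"expected races to poison {expected_races(k, randomized):,.0f}, "
              f"simulated first hit within {limit} races: {simulate(k, randomized, limit)}")
```

With 200 forged replies per race the fixed-port resolver is expected to fall in a few hundred races, which is seconds of traffic; the randomized one needs tens of millions, which is the gap that turns a practical attack into a bandwidth problem, and why the 2000 design did not need the 2008 patch.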
Great security story from an obituary of former OSS agent Roger Hall:
One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.
The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, "Mail!"
One of the problems that has plagued netizens since the inception of the world wide web is that their browsers have a habit of leaking every site they've visited in the recent past. A quick stop at Blowupdolls.com, Mysecretbusinessproject.net or any other site is visible to any webmaster with rudimentary coding skills.
00:18 Security World: New modular 3-phase UPS systems
Tripp Lite, a manufacturer of power protection and connectivity equipment, has launched its latest range of Modular 3-Phase UPS Systems. The four new models, which include SU20KX, SU40KX, SU60KX and S...