
First Look at Windows 8

Wow. The security enhancements in Windows 8 look fantastic. Details are available here: http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx.

A few things spring to mind:
1). The changes to the Windows 8 heap will significantly raise the bar for exploit developers and pentest tool vendors. The days of serious and widespread remotely exploitable buffer overflow bugs are mostly behind us; most of those have been hunted to extinction over the past several years. Today’s cutting-edge OS exploit development work is largely in the heap overflow arena, and things will get dramatically more difficult for heap exploit developers as the … Continue Reading


Warning Before Using Most Common iPhone Passcodes Lists

Regarding this:
http://amitay.us/blog/files/most_common_iphone_passcodes.php

You have to be careful sharing this type of information if you support patrol officers or investigators who like to try a passcode or two on their own when they take a phone off a suspect. Some smart gangbangers have their phones already sitting at 9 invalid logins, so the 10th attempt will wipe the phone. Units seized from suspects should be put through your organization’s normal seizure and lab procedures. Please avoid the temptation of trying a passcode or two on your own outside of those procedures.

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: … Continue Reading


Scant Facts Regarding Lockheed’s VPN System Takedown

What we know at this point:

UPDATE 28 May 2011 – US DHS has confirmed that Lockheed has experienced a network intrusion (http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529).

UPDATE 07 June 2011 – RSA has confirmed that data stolen from them was a factor in the Lockheed intrusion. RSA is offering to replace tokens for certain types of customers according to this: http://www.rsa.com/node.aspx?id=3891.

1). Lockheed’s entire VPN system was intentionally taken down by Lockheed
2). This happened about a week ago, and has been down the entire week
3). Lockheed is recalling all remote workers to the closest Lockheed offices to continue their … Continue Reading


Verizon Wireless’ Odd Use of Secure PDFs for eBilling Customers


I recently took a look at a suspected malicious email supposedly sent from Verizon Wireless. Despite looking possibly malicious at first glance, it turns out that the email was legitimate. Verizon Wireless is now offering a Secure eBill service that allows customers to elect to receive their bill in a secured PDF file. The Verizon “Secure eBill” service is described here: http://www.verizonwireless.com/b2c/splash/secure_ebill.jsp.

If your organization is similarly considering using secure PDFs for any customer contacts, I would suggest not going down that path. Some people might think this looks like a phishing attempt and might simply delete your emails.

Below are some screenshots of what this all looks … Continue Reading


Signs of Life from ExploitHub

So, ExploitHub might just have a heartbeat after all. This just showed up in my inbox. Could be good news for exploit developers.

Want to get paid for your research? ExploitHub is now accepting exploits for sale to the community. It’s simple, just register to become a seller and begin contributing your work to the marketplace in three easy steps:

1. Submit your Metasploit exploit module via the Author Tools submission page.
2. Review the pre-populated information about your exploit that was extracted from the module and fill in any missing information such as price.
3. Submit the exploit … Continue Reading


Saving Money on Antivirus Subscription Renewals

Brian Krebs has published a good article that is of value to millions of home users who are currently overpaying to renew their antivirus licenses every year. He discusses the new Renewal Buddy site (http://www.renewalbuddy.com/), whose purpose is to help home users save money purchasing or renewing licenses for their antivirus products.

That is good information, but Renewal Buddy makes some dubious recommendations at times for alternative antivirus solutions. For the most effective antivirus support currently in existence, typical home users of Windows should stick with either Avira Antivir if they prefer a free tool, or one of … Continue Reading


CIA Front Sought Possible Stuxnet Development Help

Interesting reading from recent Anonymous/HBGary Federal email dumps:

January 2009 question from a very senior leader from a known CIA front company directed to HBGary CEO:

Suppose someone wanted some expert, never-before-seen malware written as part of legitimate testing of a priority target, would you be someone to talk to?

Response from HBGary CEO:

Well, HBGary can write that kind of stuff – but I will be up front in saying that me personally would not be the one coding on it, although I might weigh in on a design. I’ve got my hands full w/ our product dev team so this kind of … Continue Reading


Sourceforge Site Hacked

The popular Sourceforge site has announced that their servers have been breached. Until we learn more about the specifics, we should probably consider anything recently downloaded from Sourceforge as possibly compromised or tampered with.

References:
http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/



Good Example of IR Process for a Development Team’s Website

If you run or participate in such a project, you might want to give the Fedora team’s writeup of a recent intrusion a read. Kudos to the Fedora team for their resilient process, their advanced preparation for such an event, and their willingness to share their experiences publicly. The link is below.

References:
http://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html



Virginia HB 2271

Virginia HB 2271 is a proposal to not require a PI license for computer or digital forensic services. This legislation might be of interest to you if you or your organization provide (or want to provide) computer or digital forensic services in the State of Virginia (USA).

Update 21 Mar 2011 – The governor of Virginia signed this into law. The change goes into effect 01 July 2011.

References:
http://leg1.state.va.us/cgi-bin/legp504.exe?111+ful+HB2271ER
http://leg1.state.va.us/cgi-bin/legp504.exe?ses=111&typ=bil&val=hb2271



DerbyCon

I think the nightly 5 hours of training (OR 5 hours of Bsides content) is an attractive feature. This might end up better than Shmoocon. It seems to be priced similarly.

References:
http://www.secmaniac.com/january-2011/derbycon-teaser-video-and-website-launch-date-announced/
http://www.derbycon.com



Thoughts Around Wikileaks Cablegate and Internal State Department Security

What I haven’t seen in the current media coverage of the Wikileaks U.S. State Department cable leak incident is any discussion of what might be wrong with the controls used inside that agency, or of the internal politics that might have prevented the agency from establishing and enforcing the controls that could have prevented or detected the original data leak.

For example, did you know that the State Department has reported:

2104 CIRT security incidents in FY2008
3124 CIRT security incidents in FY2009

and has 6000 CIRT security incidents projected for FY2010?

These sharp year-over-year increases in the IT security incident … Continue Reading


Adobe Reader 10 = Better

The Adobe Reader GDI object leak that I described at http://sharpesecurity.blogspot.com/2010/02/gdi-object-leak-in-adobe-reader-92-and.html isn’t fixed in the Adobe Reader versions up to and including 9.4.1. However, it appears that the new Adobe Reader X (i.e. Adobe Reader 10) leaks handle and memory resources FAR LESS than its last several 8.x and 9.x predecessors. I think there might be hope for Adobe Reader after all!

Whether or not the re-engineered security in Adobe Reader 10 improves anything on the security front remains to be seen. The next few months will tell the tale.

For more information about Adobe Reader X … Continue Reading


New Vulns Used by Stuxnet Patched in Microsoft’s Sept 2010 Patches

Original article from Sept 2010:
According to this article by Symantec, it looks like the top countries affected by Stuxnet (by infection count) were Iran and some of its closest geographic neighbors. To me, it looks like an intelligence service lost a couple of arrows out of its quiver here. Microsoft is closing one of the vulnerabilities used by Stuxnet in the September 2010 Microsoft monthly patches.

The smart money is on the U.S. or Israel, but I guess the public storyline will never tell us for sure. Nation-state intelligence services cannot wait for a time of war to … Continue Reading


Lenovo’s www.lenovoservicetraining.com Training Site Spreading Malware

Lenovo’s www.lenovoservicetraining.com service and support training site was detected spreading malware recently. Hopefully none of your desktop support people were affected by this. The site appears to be clean now. See the link below for details.

References:
http://www.h-online.com/security/news/item/Trojan-trouble-at-Lenovo-1110581.html



New NBISE Infosec Certs

I am surprised to see supportive comments from SANS’ Alan Paller in the threatpost.com link below, given that SANS might lose a profitable revenue stream from its own GIAC certification program if NBISE is successful in its goal “to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups”. From the second and third links below, I see Alan Paller listed as a board member for NBISE. Are these proposed new NBISE certs intended to replace those from … Continue Reading


RIM BlackBerry Security in India and the Middle East

The change in India might be a problem for some. If you have staff, offices, or contractors in any of the affected countries you might want to run these changes past your Legal/Compliance people.

References:
http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html
http://www.reuters.com/article/idUSTRE67151F20100803
http://www.ft.com/cms/s/0/38a8da8e-9d41-11df-a37c-00144feab49a.html
http://finance.yahoo.com/news/UAE-says-BlackBerry-is-apf-959472235.html?x=0


Major Oil Company Data Leaked By Service Provider at Black Hat USA 2010 Conference

At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company’s domain. According to the detailed, 39-page report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft … Continue Reading


CFCE Forensics Cert Open to People Outside of Law Enforcement?

From http://www.iacis.com/news/view/33:

“The IACIS Membership recently voted to open certification programs to non-members or those who do not qualify for membership. Therefore, the Certified Forensic Computer Examiner (CFCE) Certification will be available to applicants of the computer/digital forensics community who qualify. A comprehensive background check will be required, and we will provide more details as they become available. Please check back often as the program is unveiled”.


Gregory Evans – Ligatt allowed to speak at HTCIA conference

As an HTCIA member, I think I am slightly ashamed of this.

“Gregory Evans Why Cybercrime Pays from an Ex-Computer Hacker’s Perspective”

UPDATE 29 July 2010 – HTCIA reports that LIGATT’s Gregory Evans has been removed from the speaker’s list. HTCIA (eventually) did the right thing. I am happy again.

References:
http://twitter.com/HTCIA
http://www.htciaconference.org/speakers.shtml


Was Tavis Ormandy’s Disclosure Irresponsible?

Regarding Tavis Ormandy’s recent disclosure of a vulnerability in Windows Help and Support Center, my understanding is that there are five basic paths to take when you have a valid vulnerability to disclose. They are enumerated below. In short, I think Tavis Ormandy went down the RFPv2 path, and thus was within his rights to disclose when he did, assuming that Microsoft didn’t in fact reply to him within the 5 days allowed.

As a corporate defender, I would prefer that researchers not take such an aggressive stance with disclosure, but my point is that what he … Continue Reading


U.S. Military Intelligence Analyst Arrested for Data Leakage

This Wired article discusses a U.S. Army intelligence analyst being arrested for leaking classified and other sensitive information to Wikileaks. A quote from the Wired article:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga’, erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal … Continue Reading


Restaurant Credit Card Skimming Alive and Well

From http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052302921.html:

“Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in the District allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities say. Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to “skim” the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards … Continue Reading


New US Law Regarding CallerID Spoofing

The US Congress has passed a law making certain types of malicious use of CallerID spoofing a felony. Please refer to the text of the new law for the specifics.

The law exempts law enforcement agencies, so the investigative technique described here remains valid for exempted US agencies. Below is the text describing the LE exemption:

“LAW ENFORCEMENT EXCEPTION.— This section does not prohibit lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency … Continue Reading


U.S. Secret Service Setting Data Sharing Example for Other Law Enforcement Agencies

According to this Verizon blog entry, we will see sanitized intrusion data from the U.S. Secret Service alongside Verizon Business Service’s own data in their next Data Breach Investigations Report (due later in 2010).

Apparently the U.S. Secret Service started using Verizon’s VerIS framework and has decided to share at least some of their casework data. Very cool. Maybe this will set a precedent for others in the law enforcement world to start sharing real world data (where they can) so that system defenders everywhere can benefit from knowing more about the tactics and true … Continue Reading


R.I.P. Dojosec

I really enjoyed the Dojosec series of monthly meetings that Marcus J Carey put together, and I am sad to see it has gone away. Dojosec was a security meetup in the southern Maryland area. The last Dojosec that had speakers was in November 2009. Some of the videos from various Dojosecs are online, so you can still see some of those great presentations.

Hopefully Dojosec will resurface again sometime in the future.

UPDATE 24 August 2010 – Great news! It looks like Dojosec (and Dojocon) may be returning soon.

email: david @ sharpesecurity.com website: … Continue Reading


Interesting Article on Recent US Offensive Cyber Op

If there is any truth to this Washington Post article about the US military taking down a joint CIA-Saudi terrorist intelligence gathering website, it sounds like some serious policy and protocol work needs to be done to help guide our well-intentioned military and intelligence service decision makers when similar situations arise in the future. If unintended collateral damage like what allegedly happened in this instance spread to another nation’s SCADA systems or systems at sensitive facilities, the blowback could be much worse.

From the Washington Post article:

“By early 2008, top U.S. military officials had … Continue Reading
