All articles filed under the category

Community

DEF CON 18 Archive Page is up

The DEF CON 18 Archive Page has been up since Friday! Currently, you will find all of the presentation slides, white papers and extras posted, as well as the DEF CON 18 Program in PDF format. In the next few days you will find the contest results, press releases, and even a few early release videos, too.

4% of WordPress Sites Affected by Critical Vulnerabilities

This is one of the findings of a new study by vulnerability researcher Qualys, presented at this year’s Black Hat in Las Vegas. WordPress websites were rated quite well. The whitepaper says that only 4% of WordPress sites are affected by critical vulnerabilities:

Versions before 2.5 are affected by a Critical vulnerability. 4% of administrators have not updated to the patched versions.

Defcon Speaker Calls IPv6 a ‘Security Nightmare’

According to The Register, Sam Bowne said “IPv6 is a security nightmare”, in large part because IT professionals haven’t worked out a large number of security threats facing those who rely on it to route traffic over the net. You will find slides and other materials from Bowne’s talk at his website.

Federal Agents on Job Hunt at XING

There is work to do for the German chancellery, which is the responsible authority for information services in Germany. Some retired Federal Information Service (BND) agents were searching for new jobs on the social network XING. Now there is a fuss in the German press, because they revealed their former positions at the BND.

One XING user wrote that he completed his professional education there. Another wrote that he was a z/OS programmer until the late nineties, and one reported that he was “computer science”. That’s all you can find in their profiles.

Now a spokesman of the German chancellery was talking about severe punishment for all relevant persons. The newspaper wrote about possible imprisonment from six months up to ten years. I hope this is not the revenge for the Wikileaks cases of the last weeks. Perhaps they want to make an example out of this? I think imprisonment just for being a z/OS programmer is a bit too harsh. z/OS isn’t that bad.

Here are some screenshots of our state secrets:

GoogleDiggity for Automated Google Hacking

The Google Hacking Diggity Project published version 0.1 of its security scanner GoogleDiggity. The command line tool brings 1623 automated queries to your desk and writes the answers to a txt file. Although the tool promises to stop after 64 queries (according to Google’s terms and conditions), it made all 1623 queries in my test scan. This took about 10 minutes:

GoogleDiggity.exe -f "GHDB and FSDB - All.txt" -d example.com

After this the file output.txt should look like this:

GoogleDiggity - http://www.stachliu.com
Started GoogleDiggity Scan: 02.08.2010 13:13:06
Command Line:
GoogleDiggity.exe -f GHDB and FSDB - All.txt -d example.com
Main Category Secondary Category Search String Title Content URL (...)
-> This line should be empty!
Finished GoogleDiggity Scan: 02.08.2010 13:23:49

If the line marked with “->” is empty, everything is OK for the tested domain. This means: no news is good news! To make sure that the tool works correctly, you can run the following scan on http://example.com/:

GoogleDiggity.exe -q "RFC 2606" -d example.com

output.txt should contain the following information:

Title: Example Web Page
Content: These domain names are reserved for use in documentation and are not available for registration. See <strong>RFC 2606</strong>, Section 3.
URL: http://www.example.com/
Google Cache URL: http://www.google.com/search?q=cache:oMLrRbSxI5MJ:www.example.com
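Checking output.txt by script instead of by eye, as an added example that is not part of the original post or of GoogleDiggity itself. It assumes the report layout is exactly what the two excerpts above show (Started/Finished lines with dd.mm.yyyy timestamps, findings as Title/Content/URL lines); the sample report and the names parse_report and is_clean are constructed for illustration.

```python
import re
from datetime import datetime

STAMP = "%d.%m.%Y %H:%M:%S"   # timestamp style seen in the excerpts
FIELDS = ("Title", "Content", "URL", "Google Cache URL")

# Constructed sample: header and footer from the first excerpt, one finding from the second.
SAMPLE = """GoogleDiggity - http://www.stachliu.com
Started GoogleDiggity Scan: 02.08.2010 13:13:06
Command Line:
GoogleDiggity.exe -q RFC 2606 -d example.com
Title: Example Web Page
Content: These domain names are reserved for use in documentation. See <strong>RFC 2606</strong>, Section 3.
URL: http://www.example.com/
Google Cache URL: http://www.google.com/search?q=cache:oMLrRbSxI5MJ:www.example.com
Finished GoogleDiggity Scan: 02.08.2010 13:23:49
"""

def parse_report(text):
    """Return start/finish times, scan duration and findings of an output.txt body."""
    report = {"started": None, "finished": None, "findings": []}
    current = None
    for line in text.splitlines():
        m = re.match(r"(Started|Finished) GoogleDiggity Scan: (.+)", line)
        if m:
            report[m.group(1).lower()] = datetime.strptime(m.group(2).strip(), STAMP)
            continue
        key, sep, value = line.partition(": ")
        if sep and key in FIELDS:
            if key == "Title":            # a Title line opens a new finding
                current = {}
                report["findings"].append(current)
            if current is not None:
                # Drop the <strong> hit highlighting so values compare cleanly
                current[key] = re.sub(r"</?strong>", "", value.strip())
    if report["started"] and report["finished"]:
        delta = report["finished"] - report["started"]
        report["seconds"] = int(delta.total_seconds())
    else:
        report["seconds"] = None          # truncated file: the scan never finished
    return report

def is_clean(report):
    """'No news is good news' only counts if the scan actually ran to the end."""
    return report["finished"] is not None and not report["findings"]

if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(r["seconds"], "s,", len(r["findings"]), "finding(s), clean:", is_clean(r))
```

A report without a Finished line is treated as not clean, so an aborted or rate-limited scan is not mistaken for an empty result.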

2010 CWE/SANS Top 25 Most Dangerous Software Errors

The new list of the top 25 most dangerous software errors was published two weeks ago. It is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are easy for programmers to make and just as easy for attackers to find and exploit in order to completely take over your software, steal your data, or simply cause a denial of service.

Software will be unpatentable in NZ

According to the responsible ministry, there will be no software patents in New Zealand, the NZCS Blog reported today. The bill hasn’t passed into law yet, but the big-budget lobbying effort by the pro-patent fraternity has failed in its mission to stop it. Perhaps Germany and other countries should follow suit.

Microsoft program codenamed Omega

The Kaspersky blog Threatpost reported today that Microsoft announced some interesting news on its Defensive Information Sharing Program (DISP), codenamed Omega. The details came from Microsoft’s MSRC Ecosystem Strategy Team Blog, where Steve Adegbite, Senior Security Program Manager Lead, wrote up some key issues from his AusCERT 2010 conference speech “Engagement between National/Government CERTs and the vendor community; benefits and challenges”.

Microsoft is moving ahead with the offering of 2 programs aimed at sharing key technical information on Microsoft vulnerabilities and strategies to aid in securing critical infrastructure:

The Defensive Information Sharing Program (DISP) will offer governments entities at the national level who are part of both the Government Security Program (GSP) and Security Cooperation Program (SCP) with technical information on vulnerabilities that are being updated in our products. We will provide this information after our investigative & remediation cycle is completed to ensure that DISP members are receiving the most current information. While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles.

The Critical Infrastructure Partner Program (CIPP) will provide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures.

In the long run, Microsoft hopes that through these pilot programs we can gain valuable insight on ways to improve our collaboration efforts to aid in protecting the greater ecosystem at large.

Two-thirds of all phishing attacks committed by one gang

The Anti-Phishing Working Group (APWG) reported that the world’s most prolific phishing gang, “Avalanche”, accounted for two-thirds of all the phishing attacks seen during the second half of 2009. This is one of the main facts from their Global Phishing Survey: Trends and Domain Name Use in 2H2009.

The Avalanche attacks were contained quickly due to the cooperation between affected banks, registrars and other service providers. According to APWG, the average “uptime” of phishing attacks decreased from 50 hours to 32 hours between early 2008 and the end of 2009. Avalanche’s activity was almost down to zero in April 2010.

“Below the Line”: Sum up CW 16.

This week’s outline:

The editorial “Below the Line” highlights news and headlines of the past week. It isn’t possible to draw the whole picture, but I hope you will get a nice and handy outline.

Updates:

Tuesday: Mozilla disables insecure Java plugin in Firefox
Wednesday: Windows 2000 Server security update to be re-released
Wednesday: Google Chrome update has been released
Thursday: McAfee signature update takes down Windows systems
Friday: VLC media player version 1.0.6 release

Vulnerabilities and attack:

Tuesday: Attack on Google’s core (Aurora Update)
Tuesday: PDF-based Zeus attacks
Friday: Attack on Google’s web-history
Friday: The interesting case of the Induc virus

Crime, prosecution and law:

Tuesday: Bad news for inquiring neighbors

White-papers and reports:

Tuesday: SANS: Consensus Audit Guidelines
Tuesday: Report: Symantec says PDF readers and IE are biggest targets
Tuesday: Report: Russia as an origin of attacks
Wednesday: New OWASP top ten list
Saturday: Book: Review of “The Rootkit Arsenal” posted