Never heard of a password evaluation as stupid as this one on the website of the CXO magazine. An article uses a picture with passwords evaluated by the Gmail Password Strength Meter. It rates passwords such as enzoferrari, ggecko and ncc1701 as “good” passwords. Even better: the rating for the password deathknight55 is “strong”. Good luck!
This time it was the Israeli blogger Aviv Raff who disclosed a new vulnerability in Adobe's Download Manager. According to his post it is possible to install arbitrary software via malicious websites. The vulnerability has been confirmed on Adobe's PSIRT blog. A security bulletin isn’t available yet.
Two Chinese schools have become implicated as suspects in the Aurora attacks against Google and at least 33 other companies. The schools have links to the armed forces, The Register reports.
According to the New York Times, some NSA experts and others have known about the attacks since April last year. Google called in the NSA to help with its investigation. In particular, the involvement of the Chinese government was discussed, even though it is possible that hackers from outside China carried out the attack.
The New York Times reports that the investigation is now focusing on two Chinese computer science facilities: Shanghai Jiaotong University and Lanxiang Vocational School. An unnamed source said that the Lanxiang school is involved in training some military computer scientists. An unnamed professor at Jiaotong said that students sometimes hack western websites.
You will find a detailed technical analysis of the attacks at the website of cyber-security services firm HBGary.
My blog “Klipper on Security” is bilingual now: German and English. I will try to offer all posts in both languages. Choose the language via the language selector in the top right corner of the site.
It will take some time until all elements of the site are shown in English. Until then, only the German version is displayed completely. Visit the English version at http://blog.psi2.de/en.
Please post problems with the presentation, RSS-feeds or whatever as a comment on this post.
The problem is a vulnerability in the new trash function in version 2.9, where logged-in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, the WordPress guys recommend upgrading to 2.9.2.
Overall, the update fixes 8 problem tickets. One of them removes the possibility for users with tools like Firebug or Web Developer to post comments by manipulating the comment_post_ID field. With Web Developer it looks like this:
A few tests showed that ordinary visitors of the website are also able to comment on posts by changing the comment_post_ID. However, this is of little use, because they can comment on these posts through the regular form anyway. For articles in the trash and articles which are closed for comments it won’t work. The violated security paradigm: “Never trust client data!” The comment_post_ID field must not be taken from the browser without server-side validation.
In some vulnerable web shops you can set prices the same way, so customers can adjust the price according to their own needs (which is obviously not intended).
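The “never trust client data” point above, for both the comment_post_ID field and the web-shop price, as an added example that is not from the post, WordPress or any shop software; the post records, the catalogue and the form dictionaries are constructed sample data:

```python
# Added example (not from the post, WordPress or any shop software): server-side
# checks that replace trust in browser-supplied fields such as comment_post_ID or
# a price. Post records and the catalogue are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Post:
    id: int
    status: str           # "publish" or "trash", as WordPress labels them
    comments_open: bool

POSTS: Dict[int, Post] = {
    1: Post(1, "publish", True),
    2: Post(2, "publish", False),   # comments closed
    3: Post(3, "trash", True),      # sits in the new trash
}
CATALOGUE: Dict[str, int] = {"sku-100": 1999}   # price in cents, held server-side

def vulnerable_comment_target(form: Dict[str, str]) -> int:
    """Trusts the hidden field outright: whatever id the browser sends is used."""
    return int(form["comment_post_ID"])

def comment_target(form: Dict[str, str]) -> int:
    """Hardened: the browser may name a post, but the server decides if it is valid."""
    try:
        post_id = int(form.get("comment_post_ID", ""))
    except ValueError:
        raise ValueError("comment_post_ID must be an integer")
    post: Optional[Post] = POSTS.get(post_id)
    if post is None or post.status != "publish":
        raise PermissionError("post does not exist or is not published")
    if not post.comments_open:
        raise PermissionError("comments are closed on this post")
    return post.id

def order_total(form: Dict[str, str]) -> int:
    """Shop variant: any price field the client sends is ignored; only sku and qty count."""
    qty = int(form.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise KeyError("unknown sku")
    return CATALOGUE[sku] * qty
```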
According to an article at The Register, last year’s cyber attacks on Georgia that brought internet traffic to a standstill were carried out by two Russian crime gangs, in some cases with the unwitting help of websites and software companies located in the US. The article relates to a report by the non-profit research group US Cyber Consequences Unit (US-CCU). These cyber attacks in August 2008 demonstrated what information warfare looks like.
The report said the cyber attacks, which coincided with the Russian military’s invasion of Georgia in August 2008, were carried out by two separate groups. The attacks were significant because they made it almost impossible for citizens and officials alike to communicate about what was happening on the ground during the military operation. In all, 11 government websites were attacked by servers and botnets. An additional 43 websites were attacked by civilians who willingly installed the software that spread its payload. Most civilians came from Russia, but Ukraine and Latvia were involved as well.
New in this attack was the wider circle of people taking part; it was no longer limited to a few ambitious hackers.
“The report went on to say that the cyber attacks were carried out with little or no direct involvement from the Russian government or military. While there is no evidence computers or networks belonging to the military or government were used in any of the attacks, the report acknowledges that the timing of the attacks, which launched within hours of the Russian military’s invasion, could only have come with a fair amount of cooperation from Russian officials,” is one of the interesting assessments in the article.
This case shows how difficult it is to draw a line between civilians and governments in cyber war. IP traffic is not wearing uniforms. It is barely possible to attribute who stands behind an attack.
This year’s Black Hat conference in Las Vegas is over – time to sum up. On the documents page you can download 109 files with 620 MB of content about hacking, attacks and vulnerabilities. Who should read all this? I will give you some hints on interesting topics, although it is hard to find uninteresting ones.
Let’s start with the anti-forensics speech of Bill Blunden. He gave a very good overview of tactics and countermeasures against forensic analysis: Anti-Forensics: The Rootkit Connection. Interesting for Mac OS users: Advanced Mac OS X Rootkits. What was really new is that there are rootkits for keyboards. In the slides Reversing and Exploiting an Apple® Firmware Update you can find the details. A first approach to getting rid of rootkits was presented by Anibal Sacco and Alfredo A. Ortega in their speech Deactivate the Rootkit.
My favorite this year is the speech on sniffing keystrokes with lasers and voltmeters via side channel attacks. It is one of the oldest computer security topics, but it has often fallen into oblivion, even though this is a technique every intelligence unit worldwide is able to do blindfolded. This one comes close – little text, many pictures: Lockpicking Forensics. Here is a video from my personal bookmarks on how lockpicking works: Lockpicking Demo.
Another very interesting speech was on Embedded Management Interfaces: Emerging Massive Insecurity. The authors attacked more than 20 embedded management interfaces, such as those in switches or VoIP telephones. They found more than 50 vulnerabilities within the analyzed interfaces.
One of my most common topics is the business case for information security, and the Black Hat side of the cash flow is of major interest. One speech was Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way. Some nice views on cybercrime economics were presented here: How Economics and Information Security Affects Cyber Crime.
I like the speech of 18-year-old Peter Kleissner about Stoned Bootkit and how to break TrueCrypt. Black Hat 2009 was also very productive in defeating the security of certificates: More Tricks For Defeating SSL and Breaking the security myths of Extended Validation SSL Certificates.
These are the speeches I like most, but there may be more interesting ones. I didn’t have the time to go through all the documents in detail.
Search this blog with the most used words in this year’s document headlines (most of my articles are written in German):
Security Attack Rootkit Exploit Metasploit Crime Phone Money Network SSL Malware XSS Forensic
Security vendors are doing their best to keep their product signatures up to date. The earlier they know about new threats, the earlier they are able to update the signatures for their security products. If they don’t know about, for example, a virus infection at an early stage, they lose not only time but effectiveness.
While researching the code behind a crimeware toolkit, the security vendor Finjan found the following code:
Code extract
Overall, there were a few thousand IP addresses of security vendors in the industry on that list. Obviously the hacker blacklisted these IP addresses with the intention of minimizing the risk of being researched by the vendors and, in turn, blacklisted by them. This approach prolongs the time of not being detected by security products and, in fact, allows the malware to stay effective for a longer time. This shows the necessity of real-time code inspection to deal with threats like these.
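A detection-side counterpart to the evasion described above, as an added example that is neither Finjan’s nor the toolkit’s code: a heuristic that flags source text carrying an unusually large hard-coded list of public IPv4 addresses next to a visitor-address check, so an analyst can inspect it. The two snippets are constructed samples; the addresses come from the 203.0.113.0/24 documentation range and are not real vendor IPs.

```python
# Added example (not Finjan's or the toolkit's code): heuristic detection of scripts
# that embed a large IP blocklist and compare the visitor's address against it.
import ipaddress
import re
from typing import List

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Ranges that ordinary, non-evasive code commonly hard-codes (DB hosts etc.); not counted.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructs hinting that the visitor's address is compared against the list.
GATE_RE = re.compile(r"REMOTE_ADDR|in_array\(|indexOf\(|\.includes\(|getenv\(")

def embedded_ips(source: str) -> List[str]:
    """Return the syntactically valid, non-local IPv4 literals found in the source."""
    out = []
    for lit in IPV4_RE.findall(source):
        try:
            ip = ipaddress.IPv4Address(lit)
        except ValueError:
            continue   # e.g. 300.1.1.1, a dotted version number with an oversized octet
        if any(ip in net for net in LOCAL_NETS):
            continue
        out.append(lit)
    return out

def looks_like_ip_blocklist(source: str, min_ips: int = 20) -> bool:
    """Many distinct public IPs plus a visitor-address comparison suggests gating."""
    distinct = set(embedded_ips(source))
    return len(distinct) >= min_ips and GATE_RE.search(source) is not None

# Constructed sample resembling the pattern the post describes (PHP-like syntax);
# 203.0.113.0/24 is a documentation range, so these are not real vendor addresses.
SUSPECT_SNIPPET = (
    "$blocked = array(" + ", ".join(f'"203.0.113.{i}"' for i in range(1, 31)) + ");\n"
    "if (in_array($_SERVER['REMOTE_ADDR'], $blocked)) { exit; }\n"
)
# Constructed benign sample: a loopback host, a single CDN address and a version string.
BENIGN_SNIPPET = "define('DB_HOST', '127.0.0.1'); $cdn = '203.0.113.5'; echo 'v2.9.2';\n"
```

The threshold of 20 addresses is an arbitrary starting point; the list Finjan found held a few thousand, so a lower value mainly trades false positives against catching smaller lists.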

