Security Response
Showing posts tagged with Security Risks
Jim Hoagland | 24 Jul 2007 07:00:00 GMT | 0 comments

I recently made a discovery that shows the importance of anchoring the input when trying to match a password. By this I mean that there should be no extra characters accepted either before or after the password (i.e., no extra characters that could be part of the password). Unanchored matching greatly weakens the defense against brute forcing the password.

My wife and I were driving back from dinner when we decided to try the remote message check feature of our new home phone answering machine. I had set the two digit password (let's pretend it is "54") but we hadn't read the directions on how to check messages remotely. I told my wife our code and she tried just entering the two digits "5-4" and it worked. I had expected that we'd at least have to enter "#" first. That the machine was just listening to the incoming call for the passcode made me wonder. Playing a hunch, I had my wife call back and enter "1-5-4-0", a four digit passcode with our actual passcode in the middle. To her...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been a lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability. The most interesting thing is that it is a cross-platform vulnerability. Due to the fact that Flash can run in different browsers and on many different platforms, the discovery of this one vulnerability could leave all those operating systems and devices that are Flash-enabled open (e.g., including some advanced smartphones) to the attack.

The vulnerability has already been tested on Windows, Apple Mac, and some Linux distributions, but many other devices that are Flash-enabled could be affected by the problem too. For example, we verified that the Nintendo Wii gaming console is also affected. Wii has an Internet channel that runs a special version of the Opera browser with Flash, and yes… we verified that it is affected by the problem too! The Wii console completely hangs while...

Dave Cole | 18 Jul 2007 07:00:00 GMT | 0 comments

A while back we took a look at how security alerting was being done across the industry and noticed that there was plenty of room for improvement. We started out with our own ThreatCon. It was easy to see that it wasn’t very effective for helping less tech-savvy consumers to protect themselves online. On the humorous side, we did a little survey on customer perception and effectiveness of the ThreatCon and one of the respondents thought it was related to something on Star Trek. Ouch! The feedback we got gave us a clear picture of where to begin our journey to improve our alerting systems.

We began the overhaul of our security alerting systems early last spring by introducing the Internet Threat Meter (ITM) for consumers. The idea was to make the...

Yazan Gable | 06 Jul 2007 07:00:00 GMT | 0 comments

Symantec has observed an interesting trend in the world of Internet-based credit card fraud: fraudsters are donating money to charity. How could this happen? In the world of carding, where stolen credit card information is bought and sold, carders need to know if the credit cards they are buying or selling can actually be used. It is sometimes difficult for them to verify this without raising any alarm bells and risking that their cards will be identified as stolen and disabled. As a consequence, a new trend is appearing.

Carders attempting to verify that a stolen credit card is legitimate and active have begun donating money to charity. By attempting to pay small amounts of money to various charities, including well known charities such as the Red Cross, carders can determine if a stolen credit card is valid depending on the success or failure of the transaction.

There are likely a number of reasons that this method may be becoming more popular. For instance, bank behavior...

Ron Bowes | 22 Jun 2007 07:00:00 GMT | 0 comments

I recently stumbled upon a site that advertised an impossible service for Web sites: protecting a site's content from being copied, or "stolen." It's a service that is impossible. I know it's impossible, and that every Web developer knows it is impossible. However, for only $37.99, this man offers to do it. At $37.99, it's a deal! And he has all kinds of testimonials, not to mention snazzy clip-art on his site.

Of course, his solution, much like whitewashing over dirt, appears to work. That is, until the paint starts peeling, or, in this case, until a user with any kind of experience realizes how easy it is to bypass these restrictions. I can think of a half-dozen ways immediately, and none of them are difficult. Before long, the whitewash peels off and the site administrator is left in the same situation they started in, only with $37.99 less.

Of course, there are no guarantees. You read the agreement, right? This type of service gives the site administrator a false sense...

Symantec Security Response | 21 Jun 2007 07:00:00 GMT | 0 comments

Earlier this year, NIST (National Institute of Standards and Technology) announced that they will be hosting an open competition to decide on a new secure cryptographic hash standard. Cryptographic hash functions are a fundamental part of cryptography and computer security. A cryptographic hash function takes an input and returns a (practically) unique output, providing applications in authentication, encryption and digital signatures.

The most commonly used hash functions right now have been around since the mid-nineties and are beginning to show some serious cracks. One of the basic requirements of a cryptographic hash function is that it must be very hard to find two inputs that map to the same output. When two such inputs are found it is called a collision, and collisions are a really bad thing for hash functions. The Message Digest 5 (MD5) algorithm was created in 1991 by Ron...

Ron Bowes | 12 Jun 2007 07:00:00 GMT | 0 comments

In today's computerized world, loss of confidential information is far too common. If you look at a good list of personal information data breaches, you will quickly see that a breach occurs almost every day, and that's just in the United States!

Almost everybody knows that databases get hacked and laptops get stolen, both of which can expose all kinds of information about customers and employees. Information is frequently lost due to malicious intentions. So security is audited, laptops are encrypted, and a lot of companies take steps to ensure that this type of exposure doesn't happen. Data is still exposed, but many companies actively try to prevent it.

I'll start with a story. I know a company that sells a customer-management solution that once had a demo site, with demo data, which potential customers could play with. After a software upgrade, the demo database was...

Eric Chien | 11 Jun 2007 07:00:00 GMT | 0 comments

Apple announced a variety of new technologies today at Apple's Worldwide Developers Conference. A couple of interesting technologies included the confirmation of third party applications on the iPhone and the availability of the Safari web browser on Microsoft Windows.

In a previous blog article, we discussed how limiting third party applications on the iPhone would curtail any malicious applications for the iPhone. Opening up the iPhone to third party applications now raises the risk of malicious applications for the mobile device. However, the ability to write malicious applications for the iPhone still remains to be seen as the devil is in the details.

According to the demonstration, applications will be written in JavaScript and executed within Safari. The applications will have access to internal phone applications including the ability to...

Ollie Whitehouse | 08 Jun 2007 07:00:00 GMT | 0 comments

Time for the next installment in my enthralling series on ‘Watching Microsoft Patch Windows CE’ and remember kids:

There are currently no reported security vulnerabilities for Windows CE

In my previous entry on this subject [2] I covered up until February’s updates for Windows CE 5 (the base to Windows Mobile 5 and 6) so I’ll start logically with March’s [3]. Below is my commentary for each of the fixes I feel has a security impact.

• 070310_KB934175 – Numerous bugs in the .NET 2.0 compact framework; some of the exceptions / access violation occur in native code.

• 070320_KB933434 – Remote denial of service condition in RNDIS

• 070320_KB933680 – This issue discusses how Internet Explorer will crash when it receives a certain response for a web server. The update patches WININET.DLL – as we all know a crash is a pretty good indication of something worth investigating which may yield arbitrary code execution.

Moving on...

Aaron Adams | 01 Jun 2007 07:00:00 GMT | 0 comments

On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.

Over the past few years, the discovery of high profile vulnerabilities in widespread Unix applications seems to be decreasing. Additionally, a variety of security mechanisms are more commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and secure heaps, all of which make the release of...