Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Software vendors and vulnerability policies
Yazan Gable | 27 Oct 2006 07:00:00 GMT | 0 comments

It is pretty much an accepted fact thatvulnerabilities are everywhere these days. They can affect every pieceof software available, whether it is from major vendors (Microsoft,Cisco, etc.) or if it has been written by hobbyist programmers (thosebuilding a Web app, for example). These vulnerabilities can surface onthe public landscape in a wide range of situations; from zero-dayattacks, all the way over to the other side of the spectrum withresponsible disclosure. However, the responsibility does not restsolely on the shoulders of the vulnerability researchers—vendors should(and do, in most cases) have an obligation to be responsible as well.The bottom line is, software vendors should hold some responsibilityfor their customer’s computer security. If a vendor’s software somehowthreatens a user’s security by containing a vulnerability, the vendorshould take responsibility for it and do what they can to protect theuser.

In light of this, I believe that Apple...

Read more
A common RSA implementation mistake explained
Zulfikar Ramzan | 26 Oct 2006 07:00:00 GMT | 0 comments

Back in August, I attended the CRYPTO 2006conference in Santa Barbara, where Daniel Bleichenbacher gave aneye-opening talk that highlighted a very common implementation mistakepeople make with the RSA cryptosystem. Since my own background is incryptography I thought I would try to describe not only this commonmistake and its implications, but also some details regarding why thismistake leads to vulnerabilities, in a way that’s hopefully suitablefor a wide audience. For those who don’t recognize the name, Daniel isa well-known and brilliant cryptographer who, among other things, foundcryptographic flaws in SSL v3.0 and also the random number generatorassociated with the Digital Signature Algorithm. Well, he is at itagain!

Before going any further I want to emphasize thatthe flaw Daniel found is not one that is inherent in the RSA algorithmitself; rather, it deals with a specific...

Read more
Invalid Reports
Robert Keith | 25 Oct 2006 07:00:00 GMT | 0 comments

This year has seen a mass influx of reportson remote file-include vulnerabilities. On the same note, it has alsoseen a mass number of invalid vulnerability reports. Thetrend, it seems, is for reporters to grep as much source code aspossible, looking for that special phrase: include($variable). However,the reporters either neglect to read the entire source prior to thatline, or perhaps choose to ignore it. As is often the case for falsereports, within five lines of the include() call is a declaration forthe very variable assumed to be vulnerable.

This naturally makes my job all the more complicated. Our teamprides itself on having the most comprehensive vulnerability databaseavailable. We also want to make sure it’s accurate and doesn’t containinvalid entries. We try to verify all the issues reported to us,usually by inspecting the source code, but it is frustrating to spendtime scrutinizing reports on “issues” that are clearly not vulnerable.This...

Read more
Hacking the Blackberry
James O'Connor | 24 Oct 2006 07:00:00 GMT | 0 comments

A few months ago, my boss plonked a box on my desk and said "see what you can do with that." That's how I was introduced to the Blackberry. I've been interested in all kinds of PDAs and mobile phones for years now, but I'd never come across a Blackberry. I suppose that up until recently, it has been the preserve of key government and corporate employees, not average-Joe software engineers like me. However, the Blackberry is emerging as an ever more popular platform for the general public. In the next few weeks that followed, I noticed a common thread in the architecture and features of the device: security first and functionality second.

What do I mean?
Well, take Bluetooth for example. When you're looking at the box of your shiny new Blackberry and you see that it has Bluetooth support, you might think "great, I can use it with my laptop to go online while on the move." Bzzzt—wrong. Although the Blackberry does...

Read more
You Can Hide, but You Can't Run
Josh Harriman | 23 Oct 2006 07:00:00 GMT | 0 comments

Privacy is a big concern when surfing the Internet. One major application has attempted to make Internet activities somewhat anonymous. “Tor” is an anonymous Internet communication system that allows users to surf the Web, send email, and use IM; all the while attempting to avoid network surveillance, traffic analysis, and state security. Tor users’ IP addresses (a computer’s basic identity) and exact locations are kept secret as the users read important stories on the Web, send their grandmother an email, or chat with their new best friend.

Unfortunately, Tor also opens up other avenues of attack and one must be aware of the risk, in return for the benefit of being partly anonymous. The way Tor works is that packets sent from your computer actually go to someone else’s computer, then to someone else’s computer, and so on. Eventually, your data reaches what is known as an “exit node...

Read more
Why didn't I think of that?!
Patrick Fitzgerald | 20 Oct 2006 07:00:00 GMT | 0 comments

Many of the new threats seen today aren’t advancements in their own right; rather, they just take advantage of advancements in technology. For example, VBScript enables programs to be written quickly, but also makes writing malware extremely easy. Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This was a mass-mailing worm that ultimately ended up causing millions of dollars worth of damage because of crashed servers, not to mention the punitive damages caused by files being overwritten. While VBScripts gave administrators the ability to perform more robust tasks via scripting, developers need to be aware of the possible detrimental effects of these new technologies. For example, after VBS worms became widespread, Microsoft forced user consent before a script could harness Microsoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful to some malware writers. The advent of...

Read more
Why didn't I think of that?!
Patrick Fitzgerald | 20 Oct 2006 07:00:00 GMT | 0 comments

Many of the new threats seen today aren’tadvancements in their own right; rather, they just take advantage ofadvancements in technology. For example, VBScript enables programs tobe written quickly, but also makes writing malware extremely easy.Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This wasa mass-mailing worm that ultimately ended up causing millions ofdollars worth of damage because of crashed servers, not to mention thepunitive damages caused by files being overwritten. While VBScriptsgave administrators the ability to perform more robust tasks viascripting, developers need to be aware of the possible detrimentaleffects of these new technologies. For example, after VBS worms becamewidespread, Microsoft forced user consent before a script could harnessMicrosoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful tosome malware writers. The advent of NTFS brought...

Read more
VB 2006 - One Week Later
Sarah Gordon | 20 Oct 2006 07:00:00 GMT | 0 comments

VB-Oct06_small.jpg

It's been a week since I finished my VB talk (almost on time). WhileI didn't get to the part of the talk exploring computer games and fun videosand their relevance to teaching people about security (and computerskills in general, and life skills, too!), I did get some interestingfeedback from some of the delegates. The one thing I've heard mostconsistently is that the ideas my talk put forth apply to technicalpeople, as well as not-quite-so-technical people. My first reactionwas—“wow”. I was hoping it would eventually get around to this. Onepurpose of the paper was to initiate bridge building between differentmindsets. The fact that I was able to get this across in the firstsegment of this research is just, well, unexpected.

People seemed...

Read more
Gromozon Evolution: From Spaghetti to Lasagna
Elia Florio | 19 Oct 2006 07:00:00 GMT | 0 comments

Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.

How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) introduced a few significant changes, compared to the original scheme of the previous blog article. Here are the new...

Read more
Extending good and evil
Candid Wueest | 19 Oct 2006 07:00:00 GMT | 0 comments

ost users that have a computer spend a vast amount of time on the Internet, be it for work-related business, or just out of curiosity. Spending so much time browsing the Web should make it obvious that people will try to optimize and improve the user experience of surfing the Web. For instance, the Mozilla Firefox browser allows the user to extend the browser's feature set with extension add-ons. If you want to control script execution on a more granular basis, then the “No Script” extension might be the right thing for you to have a look at. If you get annoyed by ads while surfing, you can give AdBlock a try. These are only two of the many examples out there. There are hundreds of different extensions freely available on the Internet. Even if your idea has not yet been integrated into an extension, then you can simply make one yourself (in a short amount of time) using...

Read more