Video Screencast Help
Security Response
Showing posts in English
Jim Hoagland | 24 Jul 2007 07:00:00 GMT | 0 comments

I recently made a discovery that shows theimportance of anchoring the input when trying to match a password. Bythis I mean that there should be no extra characters accepted eitherbefore or after the password (i.e., no extra characters that could bepart of the password). Unanchored matching greatly weakens the defenseagainst brute forcing the password.

My wife and I were driving back from dinner when we decided to trythe remote message check feature of our new home phone answeringmachine. I had set the two digit password (let's pretend it is "54")but we hadn't read the directions on how to check messages remotely. Itold my wife our code and she tried just entering the two digits "5-4"and it worked. I had expected that we'd at least have to enter "#"first. That the machine was just listening to the incoming call for thepasscode made me wonder. Playing a hunch, I had my wife call back andenter "1-5-4-0", a four digit passcode with our actual passcode in themiddle. To her...

Darren Kemp | 23 Jul 2007 07:00:00 GMT | 0 comments

Attacks targeting vulnerabilities in the Java Runtime Environmentare anything but new. Several researchers have previously visited thistopic and the results have been some fantastic research. However, inrecent weeks the DeepSight Threat Analyst Team has been investigatingseveral Java issues resulting from a notable increase invulnerabilities reported affecting the Java Runtime Environment and itsassociated components.

The threat landscape has seen a dramatic increase in attackstargeting client-side vulnerabilities in recent years. Vulnerabilitieshave been exposed in a variety of applications including media players,Web browsers, ActiveX controls and mail clients, to name just a few.The ubiquitous nature of the Java Runtime Environment makes it a primecandidate for attackers. With this in mind, it is not surprising to seemuch of the preliminary research into exploitation of environments likethe Java Virtual Machine manifest itself both in recently disclosedvulnerabilities...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Ollie Whitehouse | 20 Jul 2007 07:00:00 GMT | 0 comments

On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:




10 Download executable compactor

20 Pass existing malicious code through it

30 Release on Internet

40 Wait for signature to be added to antivirus

50 GOTO 10


This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Peter Ferrie | 19 Jul 2007 07:00:00 GMT | 0 comments

It's not often that we get a proof-of-concept (PoC) virus, but toreceive four in two weeks is completely unprecedented. The first one,which we call MEL.Odorousis a virus for the Maya 3D scripting language. It searches in thecurrent directory for uninfected files, and prepends itself to them.After infecting files, it runs the host as usual.

The second virus, which we call WHS.Vred isa virus for the WinHex scripting language. Like MEL.Odorous, Vredsearches in the current directory for uninfected files, and prependsitself to them. Unlike MEL.Odorous, however, Vred does not run the hostcode after infecting files.

The third and fourth viruses, which we named...

Dave Cole | 18 Jul 2007 07:00:00 GMT | 0 comments

A while back we took a look at how securityalerting was being done across the industry and noticed that there wasplenty of room for improvement. We started out with our own ThreatCon.It was easy to see that it wasn’t very effective for helping lesstech-savvy consumers to protect themselves online. On the humorousside, we did a little survey on customer perception and effectivenessof the ThreatCon and one of the respondents thought it was related tosomething on StarTrek. Ouch! The feedback we got gave us a clearpicture of where to begin our journey to improve our alerting systems.

Old threatcon

We began the overhaul of our security alerting systems early last spring by introducing the Internet Threat Meter(ITM) for consumers. The idea was to make the...

Orlando Padilla | 17 Jul 2007 07:00:00 GMT | 0 comments

Earlier this year, I saw some screenshots of the Zunker bot and itscontrolling interface. I became curious about the existence of othersimilar interfaces and began paying a bit more attention to the spamcoming into my inbox on a personal account. After a few weeks ofwandering through IP blocks referenced by the spam, I ran across anopen directory containing a few screen shots of what looked likeanother interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnetthey are currently using. Similar to the Zunker interface, thisinterface also has the ability to group by country. It looks like thefeature is broken though, as you can only see one bot, which isoriginating from Poland. Given that, it is tempting to presume theowner is Polish; however, the interface's text is entirely in Englishand the screen shot was found on a Russian server. It could, however,mean that the person leasing this interface is controlling it from...

Ollie Whitehouse | 16 Jul 2007 07:00:00 GMT | 0 comments

With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past . If you’re interested more in the Symbian 9 capabilities model, I recommend you go read the Embeddec.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.

FlexiSpy is spyware program...