Security Response
Elias Levy | 01 Aug 2007 07:00:00 GMT | 0 comments

It has been almost 14 years since Scott Chasin began BugTraq to discuss computer security vulnerabilities in detail. Since then, it has grown from a small email list to become a top industry source for vulnerability information and, along the way, helped advance many of the changes in the industry through its full disclosure policy. What a long and strange trip it has been since then. But one thing remains the same: the constant struggle to do what is right in a field full of moral landmines.

Any field that deals in issues of security and safety, from medicine and insurance to airport screening and immigration, will contain many difficult moral dilemmas. Often these problems are rooted in finance and the different ways money incentivizes or disincentivizes people and organizations. Ideally, monetary and other incentives would be aligned with the moral thing to do. Often, though, this is not the case. Just as often, what the moral or right thing to do is not altogether...

Hon Lau | 31 Jul 2007 07:00:00 GMT | 0 comments

In the (legitimate!) business world, Management Information Systems (MIS) are typically used by managers and key decision makers of a business to see at a glance how well a business is doing in its various key performance areas. They typically summarize masses of transactional data through tables and reports, and also allow for more advanced analysis and drill-down to detailed data. The advantage of such systems in business is considerable, because having such information available on hand allows these individuals to make key decisions that affect the future of a business.

Moving over to the malware criminal world, we are seeing more and more parallels to the world of legitimate business. As online criminals get increasingly organized, we are seeing them employ more of the tools and techniques that would be employed in running a normal business. Such is the amount of money to be made in online crime, it has really become a sort of gold rush: just like in the traditional gold rush...

Andrea DelMiglio | 31 Jul 2007 07:00:00 GMT | 0 comments

Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

[Figure: Number of single URLs per month (July 07 data includes attacks until July 27th)]

As the graph illustrates, the number of attacks grew 14 times since the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack source analysis shows...

Masaki Suenaga | 30 Jul 2007 07:00:00 GMT | 0 comments

Some file formats are more vulnerable to exploits than others. Document and spreadsheet programs, for example, are often exploited, possibly as much because of their prevalence on desktops as for any other reason. That said, updating them is often easier precisely because of their widespread use, since updates are often automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. A prime example of this is the archive format, with extensions such as .rar, etc. There are a wide number of different programs available for different platforms; more importantly, they have historically been quite vulnerable to exploits.

When security vendors discuss a newly identified vulnerability in a program, there is always the hope that users have the latest version or that they will quickly upgrade. As we all know, though, the reality is quite different. Even at the enterprise level, employees of any given company are often using...

John McDonald | 27 Jul 2007 07:00:00 GMT | 0 comments

One of our team members received an unsolicited but interesting email recently confirming his new account at a certain website, and containing the login username and password. The email was addressed to him personally using his full name, so undoubtedly his details were mined from somewhere on the Internet.

Using a secure computer he investigated by going first to the root directory of the domain in the email, and found that it appeared to be a legitimate site. However, upon then moving to the directory which was part of the login URL contained in the email, he discovered exploit code targeting the Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (BID 16644).

The page contains shellcode that downloads and runs an executable file which in turn drops other malware onto the computer. This malware is injected into the explorer.exe process and scans all directories...

Ollie Whitehouse | 27 Jul 2007 07:00:00 GMT | 0 comments

One of my colleagues, Orlando Padilla, recently ran across a tool by Linchpin Labs & OSR which allowed unsigned drivers to be loaded on Vista 64-bit. The tool, Atsiv, is interesting since one of the big security features advertised by Microsoft for Vista 64-bit was the fact that no unsigned code could be loaded into the kernel, in order to help mitigate malicious kernel drivers typically used by rootkits.

When looking at how it did its magic, we found that the original .exe contains two resource sections:


These are actually signed 32-bit and 64-bit drivers. The command line tool loads the appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their own PE loader. A side effect of using their own loader is noted by the authors in their design documentation:...

Aaron Adams | 27 Jul 2007 07:00:00 GMT | 0 comments

The hacking scene is definitely not what it used to be. Though it seems hard to remember, there was a time before vulnerabilities were posted to mailing lists every day, before you could sell exploits to corporations, and before hacking groups were being turned into security companies. There were few established laws restricting hacking, and a simple Internet search returned a massive amount of detail on how to hack. It was a time when a few small groups of elite technology enthusiasts, driven largely by curiosity and mischief (rather than malice), became some of the most notorious and powerful hackers of all time.

This was the era of groups like the Legion of Doom, the Cult of the Dead Cow, the Masters of Deception, the Chaos Computer Club, the P.H.I.R.M., the genesis of zines like Phrack and 2600, and the days when blowing a whistle found in a cereal box into a telephone receiver gave you control of a phone line.

In those days, communication between hackers was mostly...

Symantec Security Response | 26 Jul 2007 07:00:00 GMT | 0 comments

In the June 2007 edition of the RSA Security Phishing News, released on July 5th, RSA's Anti-Fraud Command Center uncovered a new type of phishing kit, which is "actually a single file which creates an entire phishing site on a compromised server when double-clicked on, similar to .exe installation files." According to the report, traditional phishing kits include all of the relevant files, which must be installed one by one in the appropriate directories on the server that is controlled by the phisher. The new kit instead "saves the phishers time and effort, by automating the site installation process."

This news received quite a bit of press coverage, but does it really change the rules of the game? Our feeling is that it doesn't: most phishing sites are currently hosted on compromised Web servers, where phishers have been able to upload files using one of the (many) unpatched vulnerabilities lying in the Web application code. Phishing kit configuration is usually done on a phisher...

Marc Fossi | 25 Jul 2007 07:00:00 GMT | 0 comments

Hacking has existed in one form or another for quite some time. Just as the Internet grew by leaps and bounds in the '90s, so did the hacking community. While the dot-com bubble thrust the Internet into the general public's consciousness, it also brought hacking into the limelight. Web site defacements and denial of service attacks quickly became commonplace. Naturally, with the rapid growth of the Internet population, a rise in the number of people looking to take advantage of neophyte users also took place.

More hacking groups began forming in the '90s, such as the L0pht. In 1998, members of the L0pht testified before Congress that they could shut down the Internet in 30 minutes. In 1992, five members of the Masters of Deception group were indicted in federal court and later pleaded guilty...

Jim Hoagland | 24 Jul 2007 07:00:00 GMT | 0 comments

I recently made a discovery that shows the importance of anchoring the input when trying to match a password. By this I mean that there should be no extra characters accepted either before or after the password (i.e., no extra characters that could be part of the password). Unanchored matching greatly weakens the defense against brute forcing the password.

My wife and I were driving back from dinner when we decided to try the remote message check feature of our new home phone answering machine. I had set the two digit password (let's pretend it is "54") but we hadn't read the directions on how to check messages remotely. I told my wife our code and she tried just entering the two digits "5-4" and it worked. I had expected that we'd at least have to enter "#" first. That the machine was just listening to the incoming call for the passcode made me wonder. Playing a hunch, I had my wife call back and enter "1-5-4-0", a four digit passcode with our actual passcode in the middle. To her...
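The following is an added illustration of the anchoring point above; it is example code written for this page, not code from the post or from any answering machine. It models a weak matcher that accepts the passcode anywhere in the incoming digit stream beside the anchored form the author argues for, and counts how many distinct two-digit codes a single stream of digits would unlock under each policy. The passcode "54" and the stream "1540" are taken from the post's own example; everything else is constructed.

```python
"""Anchored vs. unanchored passcode matching (added example, not from the post)."""
import re
from typing import Callable, Set

# Passcode from the post's example; a constructed value for this demonstration.
PASSCODE = "54"
CODE_LENGTH = len(PASSCODE)

Matcher = Callable[[str, str], bool]


def unanchored_match(stream: str, code: str = PASSCODE) -> bool:
    """Weak policy: the code may appear anywhere inside the digit stream."""
    return re.search(re.escape(code), stream) is not None


def anchored_match(stream: str, code: str = PASSCODE) -> bool:
    """Hardened policy: the whole stream must equal the code, nothing before or after."""
    return re.fullmatch(re.escape(code), stream) is not None


def codes_covered(stream: str, matcher: Matcher, length: int = CODE_LENGTH) -> Set[str]:
    """Return every `length`-digit code that `stream` would unlock under `matcher`.

    Under the unanchored policy a stream of n digits can satisfy up to n-1
    different codes at once; under the anchored policy it satisfies at most one.
    """
    covered = set()
    for n in range(10 ** length):
        code = str(n).zfill(length)
        if matcher(stream, code):
            covered.add(code)
    return covered


def guesses_needed(matcher: Matcher, length: int = CODE_LENGTH) -> int:
    """Upper bound on separate calls needed to try every code under `matcher`,
    assuming one stream per call: the anchored policy forces one code per call,
    while the unanchored policy lets a longer stream test several codes per call."""
    total = 10 ** length
    if matcher is anchored_match:
        return total
    # Constructed assumption: a caller sends 10-digit streams, each covering 9 codes.
    per_call = len(codes_covered("0123456789", matcher, length))
    return -(-total // per_call)  # ceiling division


if __name__ == "__main__":
    print("unanchored accepts 1540:", unanchored_match("1540"))   # True
    print("anchored accepts 1540:  ", anchored_match("1540"))     # False
    print("codes unlocked by 1540 (unanchored):", sorted(codes_covered("1540", unanchored_match)))
    print("codes unlocked by 1540 (anchored):  ", sorted(codes_covered("1540", anchored_match)))
    print("worst-case calls, unanchored:", guesses_needed(unanchored_match))
    print("worst-case calls, anchored:  ", guesses_needed(anchored_match))
```

The design point is that `re.fullmatch` (or a plain equality test) rejects any stream whose length differs from the passcode's, which is what "anchoring" means in practice; a check built on `in` or `re.search` silently turns every extra digit the caller sends into an additional guess.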