Security Response
Sarah Gordon | 31 Oct 2006 08:00:00 GMT | 0 comments

This week will find me at the Santa Fe Institute. Wednesday morning kicks off with the Adaptive and Resilient Computing Workshop, and if last year's workshop is any indicator, this one should be very interesting indeed. Meeting with colleagues who work outside the computer security space is extremely informative and helps us to prepare for the many new faces of computing. Although, that only makes sense if you know ahead of time where some technologies are likely to exist and only then can you begin to shape ideas on how you might protect the assets those technologies hold.

For example, let's say that within the next two years, all deep water canals in the state of Florida will be protected against alligator infestation by computerized swimming sharks that work together to form a sort of "canal IDS." We need to make sure the sharks stay up and running to keep those annoying alligators...

Sarah Gordon | 31 Oct 2006 08:00:00 GMT | 0 comments

"People behind the programs" is a topic that has held public interest for many years now. Although, when it comes right down to it, the people behind most of the programs have been the same sort for decades. Yes, it's true that the risk of identity theft is growing. And, it's also true that risks from phishing have increased. And, it is undeniably true that bots are a huge problem, and they weren't twenty years ago.

So, how can I say that the types of people behind most of the programs have not changed in over two decades? Easy. It's true. "But, how can this be?" you ask.

Stay tuned. I'll be writing more about this soon.

Ollie Whitehouse | 30 Oct 2006 08:00:00 GMT | 0 comments

The University of Santa Barbara's software group released the source code for their proof of concept 'Feakk' worm that was developed by Paul Haas in March 2005. The worm uses SMS to send a hyperlink to its target. The targeted user then has to visit the hyperlink and download and acknowledge three sets of prompts in order for the worm to install, at which point it will immediately start to run in the background. It will scan the user's contact list and send a message to each contact (including the recipients' names) and will also scan for new contacts at certain intervals.

Upon installation, the worm checks for a contact with the first name "HACKME." If this isn't found the worm will exit. If it is found, then the worm sends itself to every mobile number it finds in the user's contact list. The author did not write a payload because this was for demonstration purposes only and it should be noted that it can be removed via the "...

Yazan Gable | 27 Oct 2006 07:00:00 GMT | 0 comments

It is pretty much an accepted fact that vulnerabilities are everywhere these days. They can affect every piece of software available, whether it is from major vendors (Microsoft, Cisco, etc.) or if it has been written by hobbyist programmers (those building a Web app, for example). These vulnerabilities can surface on the public landscape in a wide range of situations; from zero-day attacks, all the way over to the other side of the spectrum with responsible disclosure. However, the responsibility does not rest solely on the shoulders of the vulnerability researchers—vendors should (and do, in most cases) have an obligation to be responsible as well. The bottom line is, software vendors should hold some responsibility for their customer’s computer security. If a vendor’s software somehow threatens a user’s security by containing a vulnerability, the vendor should take responsibility for it and do what they can to protect the user.

In light of this, I believe that Apple Computer’s...

Zulfikar Ramzan | 26 Oct 2006 07:00:00 GMT | 0 comments

Back in August, I attended the CRYPTO 2006 conference in Santa Barbara, where Daniel Bleichenbacher gave an eye-opening talk that highlighted a very common implementation mistake people make with the RSA cryptosystem. Since my own background is in cryptography I thought I would try to describe not only this common mistake and its implications, but also some details regarding why this mistake leads to vulnerabilities, in a way that’s hopefully suitable for a wide audience. For those who don’t recognize the name, Daniel is a well-known and brilliant cryptographer who, among other things, found cryptographic flaws in SSL v3.0 and also the random number generator associated with the Digital Signature Algorithm. Well, he is at it again!

Before going any further I want to emphasize that the flaw Daniel found is not one that is inherent in the RSA algorithm itself; rather, it deals with a specific...

Robert Keith | 25 Oct 2006 07:00:00 GMT | 0 comments

This year has seen a mass influx of reports on remote file-include vulnerabilities. On the same note, it has also seen a mass number of invalid vulnerability reports. The trend, it seems, is for reporters to grep as much source code as possible, looking for that special phrase: include($variable). However, the reporters either neglect to read the entire source prior to that line, or perhaps choose to ignore it. As is often the case for false reports, within five lines of the include() call is a declaration for the very variable assumed to be vulnerable.

This naturally makes my job all the more complicated. Our team prides itself on having the most comprehensive vulnerability database available. We also want to make sure it’s accurate and doesn’t contain invalid entries. We try to verify all the issues reported to us, usually by inspecting the source code, but it is frustrating to spend time scrutinizing reports on “issues” that are clearly not vulnerable. This, in turn,...

James O'Connor | 24 Oct 2006 07:00:00 GMT | 0 comments

A few months ago, my boss plonked a box on my desk and said "see what you can do with that." That's how I was introduced to the Blackberry. I've been interested in all kinds of PDAs and mobile phones for years now, but I'd never come across a Blackberry. I suppose that up until recently, it has been the preserve of key government and corporate employees, not average-Joe software engineers like me. However, the Blackberry is emerging as an ever more popular platform for the general public. In the next few weeks that followed, I noticed a common thread in the architecture and features of the device: security first and functionality second.

What do I mean?
Well, take Bluetooth for example. When you're looking at the box of your shiny new Blackberry and you see that it has Bluetooth support, you might think "great, I can use it with my laptop to go online while on the move." Bzzzt—wrong. Although the Blackberry does have Bluetooth...

Josh Harriman | 23 Oct 2006 07:00:00 GMT | 0 comments

Privacy is a big concern when surfing the Internet. One major application has attempted to make Internet activities somewhat anonymous. “Tor” is an anonymous Internet communication system that allows users to surf the Web, send email, and use IM; all the while attempting to avoid network surveillance, traffic analysis, and state security. Tor users’ IP addresses (a computer’s basic identity) and exact locations are kept secret as the users read important stories on the Web, send their grandmother an email, or chat with their new best friend.

Unfortunately, Tor also opens up other avenues of attack and one must be aware of the risk, in return for the benefit of being partly anonymous. The way Tor works is that packets sent from your computer actually go to someone else’s computer, then to someone else’s computer, and so on. Eventually, your data reaches what is known as an...

Patrick Fitzgerald | 20 Oct 2006 07:00:00 GMT | 0 comments

Many of the new threats seen today aren’t advancements in their own right; rather, they just take advantage of advancements in technology. For example, VBScript enables programs to be written quickly, but also makes writing malware extremely easy. Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This was a mass-mailing worm that ultimately ended up causing millions of dollars worth of damage because of crashed servers, not to mention the punitive damages caused by files being overwritten. While VBScripts gave administrators the ability to perform more robust tasks via scripting, developers need to be aware of the possible detrimental effects of these new technologies. For example, after VBS worms became widespread, Microsoft forced user consent before a script could harness Microsoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful to some malware writers. The advent of NTFS brought...
