Recently in Security Category

Does your ISP spy on you?


Listening to Security Now a few weeks ago, they had a couple of podcasts (sn153 and sn151) about ISPs using software such as Phorm or NebuAd to track the surfing habits of their users. Thanks to LightBulb Interactive, who just happens to be a local blogger, I have discovered a list of ISPs that have admitted to this over at Silicon Alley Insider.
Time Warner was not on the list but WOW cable was (which is a bit worrying) - I'll pass this information on to a couple of my work colleagues.

So Microsoft updated a patch today to do with Adobe Flash Player, and I quote: "Caveats: This bulletin is for customers using Macromedia Flash Player version 6 from Adobe. Customers that have followed the guidance in Adobe Security Bulletin APSB06-11, issued September 12, 2006, are not at risk from these vulnerabilities. Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition."

Now XP SP3 has only been out a couple of weeks, if that, and Adobe released their bulletin in September 2006, so how on earth is Windows XP SP3 vulnerable - surely Flash should have been updated in the XP SP3 release! This seems to make a mockery of the security focus that Microsoft are meant to be working hard on and, coming on the heels of the recent snafus with Windows Update and Genuine Advantage, it's no wonder people are not very happy with patching.

I was using my PayPal fob to sign into my MovableType 4 test installation and I entered the 6 digit code. I was surprised to see that VeriSign rejected it. "That's odd" I thought, until I realised I was holding the fob upside down and the numbers just happened to be readable that way up too! It is obviously too early in the morning to be debugging CSS code - so sorry Neil!

Some users don't learn.


We all know that you should have good secure passwords and you can enforce this in Active Directory, but it is the other applications on the network that might raise a concern.
I got a helpdesk ticket saying that the password for a Peachtree database was not the normal one....the password that was the same as the company name! After trying "password" and no password, I then discovered that a Google search for Peachtree password removers comes up with tons of hits but no free ones. The shareware ones were about 60 bucks for a corporate licence but about $30 for personal use. However, one of them would demonstrate that it could actually break the password by revealing the first two characters of the password. I thought this might give me and the user a clue as to what the password could be. When the first two characters were revealed to be 12 it didn't take the user long to realise what the password was and they got it on the first attempt.
Sometimes it is really hard to demonstrate the reasons that passwords should be used, and you would have thought that the importance of security and a good password for company financial data would be recognised...
I wonder what will happen if at the next Board meeting I do a demonstration of insecurity with LIVE data.....

Free Fraud Prevention DVDs


The US Post Office are doing some free Fraud Prevention DVDs with free shipping. There are 7 titles available covering topics such as work-at-home fraud and fraud on the internet etc.
I've ordered 2 copies of each - 1 for my own use and one for clients. Thanks to Security Catalyst.

There's a new zero-day exploit for Firefox and Internet Explorer which involves JavaScript. So if you are running Firefox, then installing NoScript will give you added protection. If you are running IE - then ooooooops :-)

Having said that, it doesn't look that malicious - you would have to be tricked into entering data into one page, which can then be sent to the malicious site at the same time, so you are probably only at risk if you do random surfing or surf in dodgy web site areas in the first place - and if you are doing that then I really hope you are not running Internet Explorer (or running as an admin!)

I had the misfortune to have to deal with a user who had received an email after their data was stolen from the University of Texas. The email mentioned that their username and email address had been divulged to unauthorised users.
Unfortunately, the way the email was sent out to the user, it looked just like a phishing scam. The email contained references to http://www.mccombs.utexas.edu/datatheft/ but if you looked at where the link would take you, it actually went to a convio.com address.
As this is a typical phishing mechanism I did a bit of digging. A whois lookup on convio.com provided an IT contact and the fact that the domain had been registered for 6 years, which therefore implied that their server might have been hacked.
I contacted Convio and received a return phone call where I was told that a lot more data had been revealed (depending on what data was stored on the server) and that the email was genuine.
After that I received two phone calls from a call center that was set up to answer queries about the data theft. The scary thing is that their records show I requested contact about the problem but they didn't update the records to show that someone had already contacted me. It would also make sense to ensure that the users who are manning the call center can actually pronounce the names of the companies involved in the whole farce!

I was also amazed to see that the University are not offering free credit monitoring or any other form of compensation to the affected users - instead they are just given (more redirected) links to a reduced fee.

All the above makes a mockery of the comments on the University website that can be found on Google, and the REALLY scary thing is that the server was hacked more than a month ago (April 11th), they announced it on April 23rd and they didn't contact the user until May 25th (see Attrition for details).
Oh - and there are another 197,000 users also affected - still, that's small change compared with the 81,822,769 that have been affected since the ChoicePoint breach in Feb 05.

I forgot to blog that we fixed the problem with not being able to use Ctrl-P to print in Internet Explorer with a kiosk group policy on a machine. The solution, which sort of makes sense, was to enable the File menu again. We had restricted this but for some reason this also restricts Ctrl-P, Ctrl-S and other shortcuts on some sites. By enabling the File menu in the group policy everything worked 100% of the time. Further details in the extended entry.

Account lockout troubleshooting.


A couple of useful pages on troubleshooting accounts that have been locked after the password has been changed. Normally I find that leaving it 10 minutes cures the problem (due to the user mistyping the password) but the tools from Microsoft, with the article on how to use the tools, will come in handy. Thanks to Victor's posting on Friends in Tech for the hints.

More online publishing.


My tip on passwords was published in Redmond Magazine the other week and is available online. Shouldn't be too hard to work out which tip I posted. Note to current employers - doesn't mean that I'm using this function now - especially as Symantec Antivirus is crazy enough to think that certain tools are viruses and deletes them!

Linux web filtering


DansGuardian is a Linux-based web content filtering package that I had never heard of until two blogs just posted about it. Although I'm unlikely to use it for the near future, I'm blogging it now just in case, as I do have some people who need web filtering appliances.

MORE Windows patches


Microsoft released 2 more patches yesterday - the day after I managed to schedule a lot of reboots for my customers for the WMF patch. Thankfully it looks like the machines may not need rebooting, judging by my XP desktop experience. Hopefully the same will hold true for the server.
I had one customer box not reboot overnight because the boot.ini had been mysteriously changed to boot to a (non-existent) Windows 2000 installation. Fortunately the customer mentioned (when I rang them early this morning) that the problem of not finding ntkernel.exe is solved by selecting the other option in the boot sequence....I'm glad they told me this but it would have been better if they had mentioned the problem before so I wouldn't have had to get up early this morning in case I needed to make an emergency stop at their site.....so instead I'm catching up on some blogging.

I must be the only person in the world who wasn't pleased that Microsoft released the WMF patch early on Thursday last week. Everyone else seems to be so grateful that this happened but it was a nightmare for me. Thursday night I was doing a software audit on a LAN and I left it scanning the machines overnight. I came in the next morning expecting to sit down and start analyzing only to find that the machine had downloaded the new patch and automatically rebooted - losing all the scanning results, so I had to start again - not so happy. Before you tell me that you can set automatic updates to not do the reboot - I know - this was on a machine outside of my control AND Microsoft had also previously announced that the patch would not be ready until Tuesday.

WMF flaw being exploited


The flaw in the processing of (yet another) graphics file, the WMF file, is actively being exploited to load spyware and other nasties. At the moment there is no patch available and the workaround on the above site is to disable the Windows Picture and Fax Viewer engine by doing the following. (I wish the unregistration was silent as I could then deploy it in a login script. By adding a /s before the %windir% it becomes silent, so I *can* deploy it. I'll make a check to see if it has already been deployed and then unregister it if it hasn't.)

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
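A login-script version of the "check first, then unregister" idea from the post, added here as an example (it is not from the post or from the Microsoft advisory). It decides whether Shimgvw.dll is still registered by looking for a CLSID whose InprocServer32 points at the DLL, which is what regsvr32 /u removes, and only then runs the silent unregistration; the -Undo switch re-registers it. It assumes PowerShell is available on the target and that the script runs with rights to write HKCR.

```powershell
param(
    [switch]$Undo   # re-register Shimgvw.dll instead of unregistering it
)

# The Windows Picture and Fax Viewer DLL named in the advisory.
$dllPath = Join-Path $env:windir 'system32\shimgvw.dll'

# regsvr32 /u calls the DLL's DllUnregisterServer, which removes its
# CLSID\{...}\InprocServer32 entries. So "is there still a CLSID whose
# in-process server is shimgvw.dll?" is the registration test.
function Test-DllRegistered {
    param([string]$DllName)
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $server = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        # The default value of InprocServer32 is the DLL path (REG_EXPAND_SZ is expanded for us).
        if ($server -and $server.'(default)' -like "*\$DllName") {
            return $true
        }
    }
    return $false
}

$registered = Test-DllRegistered -DllName 'shimgvw.dll'

if ($Undo) {
    if ($registered) { Write-Host 'shimgvw.dll is already registered; nothing to do.'; exit 0 }
    # /s keeps regsvr32 quiet, as in the post, so no dialog box blocks the login script.
    & regsvr32.exe /s $dllPath
} else {
    if (-not $registered) { Write-Host 'shimgvw.dll is already unregistered; nothing to do.'; exit 0 }
    & regsvr32.exe /s /u $dllPath
}

# regsvr32 returns 0 on success; anything else is worth logging rather than ignoring.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "regsvr32 failed with exit code $LASTEXITCODE for $dllPath"
    exit $LASTEXITCODE
}
Write-Host "Done: shimgvw.dll $(if ($Undo) { 're-registered' } else { 'unregistered' })."
```

Enumerating every CLSID takes a second or two, which is acceptable for a login script that then does nothing on machines already processed.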

Stored passwords in XP


Had an interesting problem today with a user who suddenly couldn't connect to one of the servers on the network. It turns out they had recently changed their password and had previously managed to save the password in XP. Following the instructions I was able to remove the stored passwords from the machine and when they next logged on all the network drives were connected OK. I managed to get to this point by following the trail from event ID 14 in the System log, with a source of Kerberos, looking this up at eventid.net and then following the link to the stored passwords page.
I must say this is the first time I've ever seen this problem and it had me baffled for a while.
"rundll32.exe keymgr.dll,KRShowKeyMgr" will allow you to delete the obsolete entry.

MBSA for Visio


There is a great tool for integrating Microsoft Baseline Security Analyzer (MBSA) into Visio network diagrams but this is almost useless for the consulting side of things. MBSA requires that it is run as a user with credentials on the domain, which is not possible to do on a consultant's laptop as it is unlikely that it is going to be a member of the customer's domain. Therefore MBSA will not scan the machines and the benefit is lost. It would work if the customer had a copy of Visio, but this is unlikely for most of my customers.
I don't have admin rights on the network back in the office so I can't even try it out on my office network either :-(
However, if you are not a consultant and have Visio, then this tool is well worth checking out as it will give you colour-coded status for each server on the network within Visio. From first impressions it does look like you need to have your servers in Visio as a server object - you can't use one of your own objects like a Dell rack mount object.

Skype password changed


Hmmm - I got an email this morning stating that they were going to change my Skype password in the next 24 hours due to an upgrade of their software. Why they can't tell me that they have changed it now, instead of me waiting until I can't log into Skype and then changing it myself, I don't know. This also sounds suspiciously like one of the websites was hacked or compromised. I really can't see any other reason that they would need to change passwords for so many people. There is more information at SkypeJournal and it seems like a lot of people share my concerns AND have trouble trying to get the password changed.
The funny thing is that they try to convince you that this is not a hoax by saying that there is a copy of the email on the share.skype.com website...Now if I was a scammer with a website such as share.5kype.com it wouldn't be difficult to host a copy of a phishing email that I am sending out to all my target customers, would it?

On some new machines that I've been building I've had major issues with SYSTEM DSNs not working properly and getting the "DSNNAME is not an existing data source name" error when trying to configure a DSN.... Eventually I found an answer.....

The Coppermine thread has the details. It's a fairly easy edit of one file to make the changes quickly, or you can download a new installation.

Security hole in Coppermine.


There has been an important fix to Coppermine to prevent a cross-site scripting hack. The patch and discussion can be found at the Coppermine forums. I am surprised that they do not have a (working) announcement mailing list to find out when patches such as this are released. Update: A workaround is to go to the forums and click the notify button. You will probably need to be logged in though.

KB article 896358 shows the steps on re-enabling this ability on intranet/LAN locations.

Greasemonkey recommendation


I've reinstalled Greasemonkey following the Greaseblog: Mandatory Greasemonkey Update post, by installing version 0.3.5 from greasemonkey.mozdev.org.

Greasemonkey security hole


Apparently there is a major security hole that allows any website to view the contents of any file on your hard disk if you have Greasemonkey installed (see the Greasemonkey mailing list post for information). I can't reproduce the problem with their proof of concept code, but it's a pretty scary possibility. Annoyingly, turning off Greasemonkey will reduce the functionality on my flickr/geocaching pages :-( Thanks to Pip for the tip-off.

MBSA2 is out


MBSA 2 (Microsoft's Baseline Security Analyzer) is now available. I'll be downloading it to play with later.

Shared computer toolkit from MS


Microsoft have released a beta of Shared Computer Toolkit for Windows XP that is suitable for computers in shared access locations such as libraries etc. It has features such as resetting the boot partition back to the administrator-saved configuration each time the machine is rebooted (unless the administrator specifies that changes should be saved), Windows restrictions, policies etc. Looks like it could be handy (although I'd need another machine to try this out on). The local library had a copy of LimeWire installed on their desktop machine the other day that managed to persist after a reboot. Seeing as this machine is *meant* to be locked down, I'd like to know how that managed to get installed on the machine.

AntiLeeching.


I've stopped (hopefully) people using my bandwidth to host their forum signatures by preventing hotlinking on this site. Hopefully that will reduce the amount of people requesting images without affecting anything else weird on the site. If you spot anything that is wrong then please let me know!

xetrade


I was looking at xetrade (online currency conversion from GB pounds to US dollars) and there are a few security issues I'm not happy about. Looking at Loosewire's post on phishing, they have the same issues - they will ring you back to confirm some bank details (which could be open to interception/spoofing).
They then have some more worrying security issues.

  1. They require you to fax or email copies of your passport/social security number/birth certificate to an email address (which is stored on an Exchange public folder). The fact that email is not secure is drummed into people, yet they are using this method of communication to verify data. Surely a secure upload facility should be enabled on the website (the rest of the login procedure is SSL encrypted).

  2. Their SSL certificate expires in 3 days time - this makes me nervous.

  3. The "contact us if you have any security questions" link at https://www.xe.com/fx/background.htm is broken, tells you to inform the webmaster but doesn't have a link to the webmaster for this site (it assumes the referring link comes from another site).

I've put these questions in an email to xetrade - will be interesting to see what they say.
Update

xetrade's reply, answering all the questions I posed (phew!):

1) We do offer a secure upload service which can be found at:

https://www.xe.com/sft/

As you can see from the address (https) this is located on our secure server and will upload the files directly to our system with no public exposure.

2) The security certificate has of course been renewed and is already on our server. However, in order to complete the process we need to re-start the web server which is something we do not like to do without preparation. For your information, the new certificate should be uploaded within the next 24 hours, and most likely some time later this afternoon. Please feel free to check back at any stage to see the new certificate.

I have reported the broken link and this has now been updated. We are very careful to ensure that all of our links work correctly and I am very sorry that this link was broken. Thank you for bringing this to our attention.

3) We do understand this concern. Generally, we initiate the call to you using the supplied telephone numbers which helps us to ensure we are dealing with the person who signed up for the account. Once we have initiated the call and spoken to you, we are happy for you to call back to us to continue the conversation on our contact numbers in order for you to cross reference and check that the person you are speaking to is part of our organization.

Once again, we do fully understand your concerns, Andy, and are happy to work with you as necessary so that you are confident you are dealing with the correct people. We must however do this from within the frameworks that we are provided to ensure that we are not helping clients to launder money or fund terrorism.

I hope that this helps answer your questions but if you require anything else do not hesitate to contact us.


Whoppix is a customised Knoppix boot CD for security testing (and hacking) and the main website also has some very good video tutorials on how to use some of the tools. One of them shows how to crack WEP in 10 minutes (although the WEP they crack is a 64-bit key and if you are using WEP then you *are* using a longer key, aren't you????). As an aside, my Firefox seems to hang at the end of the Camtasia show but it does eventually get back to my control.
Security Forest also contains some information too.

I sat through the Social Engineering webcast from the Digital Blackbelt website which had some interesting ideas about how successful social engineering hacks can be. I had actually read/heard about most of them from various sites but it did have some good ideas. (Google Hacking for Penetration Testers is a great source for things like this and a very interesting read. Written by Johnny-I-Hack-Stuff.)
The weird thing is that it was aimed at developers, but none of the things discussed were really aimed at developer accounts, more at physical security, passwords etc. I was really expecting things on how to code to avoid possible social engineering attempts - such as when providing "forgotten password" functions on the page, don't insist that users have to use your secret questions, as often mothers' maiden names are not actually that secret. (I'm the Andy that gets quoted at the end of the talk (twice).)

My site contains porn?


Don't get shocked or excited! I went to look at my site at the library yesterday and found that it was blocked. This is the first time that I am aware of that my site has made the filtering engines and been classified. Apparently it was blocked as it is on a server that hosts pornography or free sites. I know for a fact that it doesn't host free pages, and there may be some sites on the server that have adult content. However, blocking by IP address seems pretty drastic, as using the IP to get to the server fails because it relies on the host headers to direct you to the appropriate virtual server/directory on the machine - instead you get a "no website exists at this site" message.
I've contacted the library and SecureComputing.com, who make the filter, to see if I can be removed. (The library assistant didn't have the correct password to temporarily override the filter when I asked.)

Mambo patch


There's a patch available for Mambo, where Tar.php is exposed to XSS injection. I've upgraded our installation (and also upgraded the Mambo installation to the version prior to this update too).

IDN workaround


There's a workaround for the IDN flaw which involves creating a file on the local machine. Looks complicated for a non-techie to install but works by only allowing alphanumeric characters (a-z and 1-9) in a URL. I guess it won't be long before an official patch comes along though.

Security MVPs


I'm amazed that some of Microsoft's MVPs on Security are 14 and 17 years old. Just how do they manage to know all this stuff and get all those qualifications by their age?

runas with .msc files.


We're doing some messy migration testing at the moment to get users from our existing Windows 2000 domain into a brand new 2003 domain. As I'm logging on as a different user I need to still run my day-to-day admin apps when a phone call comes in. Unfortunately I was having problems trying to run my customised MMC console that has all my admin tools built in.
When running runas /user:domain\username andys.msc I was getting the error message "RUNAS ERROR: Unable to run - andys.msc 193". Not a very useful error.
After some trial and error, running runas /user:domain\username "mmc c:\pathname\andys.msc" worked. You must include the full path (.\andys.msc doesn't work).

On a side note, bloggar (which I'm using to post this file) can be run using runas /profile /user:domain\username "wbloggar.exe" from the c:\program files\bloggar directory. You don't need the full path in this instance but you do need the /profile switch, otherwise it will ask you to set up a blog account.

Sonic reply to my support request


I've finally heard back from Sonic about the JPG security flaw and this is what they said - which is what I expected....

WordPress security problems


Apparently there are vulnerabilities in WordPress which were announced yesterday. Thankfully I'm not running WordPress but I know other people are.

Now before you start saying "now there's an oxymoron", just hang on about two sentences :-)
Adam has posted about free security training which sounds good. Unfortunately clicking the link in Firefox warns you that the SSL certificate is invalid.
I'm not sure whether this is a bug with Firefox or with their choice of certificate authorities but I would have thought they should have at least checked it before publishing. (Needless to say it works OK with no prompts in Internet Explorer.)
I was hoping this would get tracked back to Adam's site but it doesn't seem to have worked for some reason.

JPEG vulnerabilities


This new "critical" JPG vulnerability seems to be a bit of a nightmare. Microsoft's patch page gives all sorts of hints about how to detect it and make sure it works. The annoying thing is that they do not recommend you deploy the detection routine via Software Update Services. I guess I am going to have to install it manually on a couple of PCs here and see what happens.
Update: The patch has been pulled from Software Update Services overnight but it does look like it's still available from standard Windows Update.

POPFile security flaw


According to the POPFile mailing list a vulnerability has been discovered in the way it handles graphic files in certain conditions. Check the posting for details and a fix coming in the next couple of days. In the meantime, a quick Google search for open POPFile servers only came up with one, running an old version of the software, and password protected.

Cisco password cracker


A very handy tool for cracking Cisco passwords. Only of real use if you have a config of the router printed out but have forgotten the password. As it turns out a little bit of intelligent guesswork would have got the password I needed for a customer, but this tool made it a lot quicker and also confirmed another password used in the configuration.

RealPlayer


There are three security vulnerabilities in RealOne Player so if you have this installed you may want to use the autoupdate to get the patches. Not sure how this works with the free BBC version - I'll check this out soon.....
Update: BBC player installed and the update program finds at least 3 updates to install - one to upgrade from version 2 to version 10, one for the security update and another for RealPix. I only bothered to download the second one.

IE patches


The long-awaited patch for IE is now available that will break the standard http://user:pass@domain functionality but will prevent a lot of the phishing attacks that have gone on. To check whether you are still vulnerable or not, visit my initial page on the phishing problem. This update is actually one of three vulnerabilities that have been patched in the cumulative update.
There are more details in the February 2004 security bulletin.

IE spoofing vulnerability


There is a new KB article about IE address spoofing, KB834489, which details how MS are going to address the address bar spoofing that hit the headlines several months ago and which I demonstrated here. Basically they are fixing it by disabling Internet Explorer from accepting URLs in the format http://username:password@domain. This sounds like it's breaking the WWW agreed format for URLs and could stop bookmarks (and other applications?) from storing usernames/passwords etc. I'm not convinced this is a good workaround as it means some URLs will work in Mozilla, Opera etc. but not in IE. Will be interesting to see if this also breaks IE wrappers such as MyIE.

Gaim vulnerability


There's been a vulnerability reported in Gaim (my cross-platform instant messaging client). Apparently it's fixed in the Gaim CVS files but there is no mention of it on the Gaim news page, which incidentally has an RSS news feed, so I've subscribed to that to get the latest news.

The Bat! memory corruption


Apparently The Bat! (my email client at home) has a memory corruption problem, although my latest, Christmas, edition is apparently not vulnerable.

Recognise your password?


If your password is on the Default Password List you really are asking for trouble and should be shot! Thanks to Lost Olive.

"Disable pop up blockers; Disable firewalls blocking streaming media/audio; Adjust your cookie settings to receive Broadcast.com media." Does anyone see any problems with this, considering it's a security related presentation?

PasswordSafe


Password Safe for Windows and Pocket PC sounds good. I've not tried it yet but it's on the eternally long list of things to do.

EtherApe


NFO has a quick article about building a Network Monitoring Centre, although he calls it a NOC (operating/monitoring), including EtherApe which draws a pretty picture of network traffic. I'll be trying that when the laptop gets back from its repair.

Cambridge Police DoS'ed


Chris blogged about his spam for an iPod that he hadn't ordered and how he checked Google before ringing. Another link I found on Bugtraq tells that the police were receiving 500 calls an hour. The official statement from the Cambridgeshire police is here.

Internet Explorer spoof


There has been an exploit posted with problems in Internet Explorer where it looks like you are at one site (by looking at the address URL) but in actual fact you are somewhere else. Steve has an example exploit, which shows how easy it is to do it; for example, click Absoblogginlutely.net to see how I've done it for this page.
This seems a pretty drastic flaw as that is often the only way you can check you really are where you think you are - Microsoft will probably have a patch out soon (I hope). For more details check out Security Focus or Secunia or the person who discovered it, Zap The Dingbat.

Spywareguard on XP


After installing Spyware Guard on the new XP machine I had to download the missing file patch which cures the problem with a missing MSCOMCTL.OCX file. I've also installed their SpywareBlaster program which apparently sets a kill bit on certain OCXs that are used for installing spyware and various other ad programs such as Lop, to stop you getting infected by a drive-by installation. Will be interesting to see how well this protects this machine.

Beginner links to securing your PC


Apparently Dell will not advise on removing spyware software, but this guy has written some simple tips on protecting your PC.

Microsoft Protect page.


Microsoft have a short URL for their protection page - just go to www.microsoft.com/protect for advice on protecting your PC with firewalls, updates and anti-virus software. Useful link for beginners, because one of the options is "how do I know what operating system I have" - as so many times I hear "I am running Word", or "Microsoft", or "Windows". The advice on firewalls links to the new Computer Associates firewall that I blogged about earlier too.

Free security tools


It's bargain hunt day today! Foundstone's list of security related tools.

Microsoft Security Search


Thanks to a tip-off from Kase, it is possible to use a Microsoft page to search security bulletins and hotfixes to see what patches are available for a particular product/platform.

Autorun locations


Alan Sugano writes an article on checking a server for the Backdoor.Beasty virus and details checking various autorun locations in the registry - the last one I wouldn't have checked (and neither did he first time round).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
If the machine is running Windows Server 2003, Windows XP, Win2K, or Windows NT, you should also check
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
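An added example (not from the article) that dumps the three Run keys listed above, including the easily forgotten Policies\Explorer\Run key, and checks whether the program each entry points at actually exists on disk. It assumes it runs on the machine being checked with read access to HKLM and to the HKCU hive of the user of interest; the function names are my own.

```powershell
# The three autorun locations named in the article.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    # The policy Run key is the one that is easy to forget.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Pull the program path out of a Run command line: either the quoted first
# token, or everything up to the first space (an unquoted path containing
# spaces is cut at the first space, which is also how Windows would treat it).
# %SystemRoot%-style variables are expanded so the existence check is meaningful.
function Get-AutorunExecutable {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $cmd = ($cmd -split ' ', 2)[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

function Get-AutorunEntries {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        # Policies\Explorer\Run usually does not exist at all; that is normal, not an error.
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping members; skip them.
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-AutorunExecutable -CommandLine ([string]$prop.Value)
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $prop.Value
                Executable = $exe
                # A Run entry whose target is missing is either stale or was removed
                # without cleaning up the registry value; either way it deserves a look.
                Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

Get-AutorunEntries | Format-Table -AutoSize
```

Entries that point at an existing file still need a second look at the path: something launching from a user-writable directory rather than under the Windows or Program Files folders is the usual tell on a server that should not be running user software.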

Microsoft Patches


Microsoft have certainly been busy overnight, with 15 new updates and 20 updated updates downloaded to our SUS server overnight. That's going to take a while to roll out around the network. It does make me wonder how you are meant to test all of these first, though!

OpenOffice vulnerability


OpenOffice 1.1 has only been out a few days and already there's been a security vulnerability in UNO, which I always thought was a card game?

Found a very useful way of giving users the ability to run administrative tasks without providing them with passwords. By using the runas command you can launch programs with different credentials, but you need to enter a password. If you provide the user with the password then they could use it to do a lot of other things. Providing a user with a batch file helps, but it doesn't take much brainpower to read the batch file and obtain the password. However, TechTarget suggest the use of the Microsoft Script Encoder. This takes an existing VBScript file and encodes the output. Although not PGP-strength encryption, it would be strong enough to deter the casual browser of your hard disk/batch files. (The only downside is providing a new file when the password to the account changes.)
Incidentally, I've had to investigate this as one of our users cannot administer our IIS server settings despite being listed on the Operators tab.

Top 75 Network security tools


Out of the Top 75 Network Security Tools listed on the page, I have NOT heard of only 8 of the top 50. I've used probably half of the ones listed; the ones that I haven't used are mainly the Linux-based ones, but that will change over the next few months. (I've downloaded and played with Nmap recently; the front end to this makes light work of scanning a network, although I still prefer GFI's scanner.)

Network port list


Network ICE have a list of ports and exploits. Although not exhaustive, it seems to be fairly complete compared with the other selections I saw at Google. Now I know that someone was trying to probe us for Battle.net, the port Diablo runs on. (Bekkoame also has a good list.)

SQL security tool


Microsoft have released a Toolkit for Combating the Slammer Worm that contains SQL critical updates, a SQL scanner, registry checkers and deployment tools for the patches.

Yet another Critical fix is available from Microsoft TechNet. I was tipped off to the existence of this one yesterday when attending the SANS security webcast, which by the way was excellent. They showed you the tools to check/hack a web application, complete with a walkthrough of how they had pentested a bank site and, with no clever tricks, managed to view users' credit card numbers and bank information, log on AS the user and change the users' passwords... quite scary stuff! Needless to say the bank was anonymous!

Streaming music for Webconferences


I'm currently waiting for the SANS web conference, "Is Your Web App Secure? How Do You Know?", and they are playing "hold music" until it starts... and at a low quality stream it sounds awful. On a brighter note, the conference is advertised as featuring Ed Skoudis (whoever he is) with an "Exploiting Web Applications - Live Demo" featuring Caleb Sima, so it should be interesting. Hope I don't get a heart attack at all the weaknesses in my/our web pages!

Messenger update.

Comments (1)

Fired up Miranda (instant messenger software) and got a message from Microsoft saying I needed a Required Messenger Upgrade, but when you click on this it doesn't have any information about third party clients.

Blaster Scanner


It's all very well Microsoft and other companies offering an MS03-026 scanning tool to check for vulnerable computers, but they've all identified one Windows 98 PC on my network that is vulnerable, yet 98 is not affected according to their sites. This is a bit annoying when doing a double-check scan of the local network.

At first glance, the Security Readiness Kit sounds great, with a copy of the latest service packs and bug fixes all in one place. However, it's not available until Early August 2003 (erm, it's 3 days from September). I guess this is Early August in Microsoft terminology, just like copying files only ever takes two minutes to run, and the blurb says it will have patches up to June '03. Not very helpful with all the patches that have been released since then and all the virus hassles we've had in the past couple of weeks!

DigiAny


I downloaded and installed DigiAny this afternoon which lets you stream your audio files to any pc connected via a web browser. So far I've seen two problems, the main one actually blew the software up!

Temporary emails.


If you've ever needed to give an email address to a website that you don't trust, just to download a file or register on a bulletin board, then there are several options. I've already covered SpamGourmet, which provides addresses that hide your real email and time out after a certain number of emails have been received at the address, and SpamMotel, which provides random email addresses to mask your real address, and I discovered a new one called Mailinator where you can pick an address at random and a mailbox is created automatically at the mailinator domain. But *anyone* can access the mailbox, so treat it as a throwaway, insecure address.

I wouldn't have thought that organising an ADSL modem to work in conjunction with a hardware firewall would be that difficult. But I've been receiving conflicting advice over what routers/functionality need to be installed. All I need is a router/modem that is effectively invisible to the firewall, so it thinks it is connected to the internet and can get on with its filtering, VPNs and protection. However, I am being ignored by BT, the company we are probably going to buy broadband from (yet another reason not to use them: if they are this bad when we *want* to spend some money with them, I hate to think what they will be like when we have a problem); our existing firewall support won't help unless we buy one particular make of router and get broadband from one particular supplier; and the firewall company won't help as they say it's the reseller's problem. So back to square one... Almost makes me want to go to a dial-up modem! The fact that we can't order broadband until the physical line is installed and live also makes a mockery of the whole broadband ordering process.

Security searches at airports


Wired ran an article about electronic device searches at airports. I've had a laptop through baggage before with no questions asked, and I don't think the goons on security would even know what a laptop *should* look like when it boots up, and what's to stop someone replacing the removable hard disk/CD etc. with something a bit less electronic? (Careful choice of words here!) The PC would still boot and it wouldn't be obvious it had been tampered with. The last couple of lines say that certain types of playing cards are also suspicious as they can have sharp edges... that is really going to please Kristen, as she loves her playing cards and it's the only thing that keeps her sane now they've banned sewing needles, as she used to cross stitch on the plane. Having said that, it was the only thing that kept me sane the time we had to wait 5 hours whilst they cancelled the plane when she flew back to the States all those years ago! (Tomorrow is our 4th anniversary!)

Researchers Crack Windows Passwords in 13 Seconds. Now that is scary, although I think it would depend on the password. I could crack Windows passwords if they are set to "password", are blank, or are the same as the username in a lot less than 13 seconds!

Cisco replies....


And within 30 minutes they've sent me the patch necessary to fix the router... It will be fun installing the patch... that will be a job to do tomorrow.

Cisco Patch (again)


Seeing as Demon have still not provided me with the patch to our Cisco router for the Cisco Security Advisory "Cisco IOS Interface Blocked by IPv4 Packets", I've sent their TAC email address our details, so it will be interesting to see how long they take.
The annoying thing is that Demon sent an advisory around over the weekend urging people to get their routers patched, so I sent a snotty email back to their support (and the MD of Demon) saying that I would actually like to do this!

Cisco flaw - our experience.


It's all very well Cisco announcing there is a major flaw, but when you need a valid support contract to get an upgrade, that's pretty naff.

Blocking the RIAA

Comments (2)

Neil links to an article about blocking the RIAA's access to your website. Although it makes interesting reading, I am not convinced it is the way forward. Blocking access to the site from known RIAA IPs is not that efficient or effective, as can be demonstrated by the several additions to the file that have already been made. One poster says he blocks 6 million IP addresses; now that will be blocking lots of legitimate users. All the RIAA would have to do is realise they are being blocked (either by realising they are not getting anything back from the server, by reading the blocked page they are returned to, or by googling the site and reading the content on Google), then, to get round the ban, just dial up using any ISP such as Juno/AOL etc. AOL would be most effective, as blocking AOL from your website would kill thousands (or millions, if you read their PR papers) of users from accessing your website.
An alternative way would possibly be to use a policy used by dodgy BBSs in the past, in conjunction with laws such as the Misuse of Computer Act 1994 (I think). By preventing deep linking (i.e. linking to pages which are not the home page) you could force everyone to come through the front door. On the front door you have a message stating that access to this site is not available to LEOs (law enforcement officers), that's the BBS side of things, or the RIAA. Unauthorised access is strictly prohibited and against the Computer Misuse Act. Then if the RIAA uses details then you have got them hacking your computer... mind you, with some of the proposed bills allowing them to sabotage PCs (as opposed to just reading data) I'm not sure how effective this would be.

Also, all of the above doesn't actually stop the RIAA gaining access via P2P methods to the MP3s that are being shared on your local PC; this just stops them reading about your attempts to stop them reading, which is probably the main reason most people want to stop the RIAA!

Cisco flaw

Comments (1)

The company hosting my website took it down for 5 minutes today to apply a fix to their Cisco routers. Has your ISP done the same? This looks like it could be a major problem for services if they are not patched. Thanks Hasweb for protecting and responding quickly.

More RFID news


Following up from my post about radio frequency tracking, the Register has an article detailing that the organisation aiming to promote the privacy and confidentiality of RFID has had some of its own documents leaked... If they can't ensure confidentiality of their own material, how on earth can they ensure privacy for everyone else?

My hosting company, news.com and the British TV news are talking about a rise in hacking this weekend. Channel 4 showed a picture of the website that was organising it, but showing a "page has been removed" type error message. They showed the URL, so a quick search in Google shows the cached version! However, looking at the real site shows a welcome page which just links to itself.

Symantec Security Check fix.


It turns out there is a bug in Symantec's online security scanner with a buffer overflow. They have released a new ActiveX component without the fix, so if you visit the website the new component will be downloaded and you will be safe. Alternatively, you can download the cleanup tool without going to the original site.

RFID tracking


Will sent me a link to a Register article about RFID tracking which goes into quite a bit of detail about which companies are RF tracking and which aren't. There's quite a lot of privacy information floating around out there for companies to find out where you are and what you are doing. Having said that, I'm sure there are a few sites about how to stop it!

I hope no-one who has a Vodafone is relying on the security of the PIN on the voicemail as part of the protection in case your phone gets pinched. I managed to mistype my PIN when listening to my voicemail (I was doing other stuff at the time and mistyped the number) and was asked if I wanted to have the PIN changed and then the new one SMSed to me. I hit 1 to say yes, and a couple of seconds later I had a new PIN for the phone. Now if I'd nicked the phone (or wanted to play a prank on someone) I've managed to get into the voicemail system and also denied the original owner access... Having said all that, if your phone's nicked then it should be reported ASAP so it can be barred on all networks anyway.

I posted a response to the Security Focus mailing list yesterday and the message got through, to at least most of the subscribers. I had two out-of-the-office auto replies (unfortunately too far away from here so I can't burgle them), one undeliverable and two challenge/response prompts from subscribers with SpamArrest. What amazes me is that someone is of enough techie calibre to belong to a security mailing list but they don't have the knowledge to disable Out of Office replies (which tell the sender that they are unavailable for a long period of time, probably on holiday at this time of year, therefore their home is vacant and their account might well be open for dial-in/RAS access, and sometimes they give internal phone numbers which might be useful for social engineering purposes), or the user has used an email address that is "protected" by SpamArrest. What's the point of signing up