Thursday, December 7, 2006
Monday, December 4, 2006
Monday, November 27, 2006
Friday, November 17, 2006
Wednesday, November 1, 2006
Monday, August 14, 2006
Tuesday, August 8, 2006
2 - Can the vulnerability be exploited when the crafted RRs are inside the "additional" field?
3 - When using recursive queries, additional responses sent by a server are forwarded to the initial source of the query?Depending on the answers for these questions, the severity level of the vulnerability changes. In the worst case any DNS server and a HTML e-mail can be enough to exploit it.Another problem can be Windows servers that resolve names (or IPs into names) when logging requests (like webservers and proxys). The malicious guy access the server, that tries to resolve his IP to a name to put it in the log. The answer comes with additional fields carrying the exploit. Bingo! Owned. Wow. While in doubt, folks, patch ASAP.
Wednesday, August 2, 2006
Wednesday, July 19, 2006
Tuesday, July 18, 2006
Vulnerability researchers have the right weapon in their hands to push vendors on faster response times for security issues. I think that the best sample of how this should be done is David Litchfield. He does responsible disclosure, and uses gradually public advisories to push vendors (in his case, Oracle) to a more responsible attitude. HD Moore is being a bit selfish on this IE case, IMHO.
Instant disclosure brings too few benefits to victims (most cases don't have usable workarounds) and huge benefits to a very broad black hat community. I think that the fact that there could be people exploiting the undisclosed vulnerability doesn't mean the rest of the bad guys should also know it.
A mixed approach, with instant announcement of an open issue, without further details (only the product affected and the date when the vendor was informed) is the best option. Public disclosure can be used later if the vendor refuses to fix the hole.
Wednesday, July 12, 2006
Monday, July 10, 2006
Thursday, July 6, 2006
Thursday, June 22, 2006
Monday, June 19, 2006
Thursday, May 25, 2006
overflow in SMB for Windows 2000. It's available now to Immunity
Partners, but it will be in the June Immunity CANVAS release, which
will be interesting. Essentially it's the first remote kernel overflow
I've ever seen - maybe someone knows of one I don't?"It's related to the MS05-011 vulnerability. One interesting thing is to see a "remote kernel overflow" in a micro kernel OS, Windows 2000. Linux and its fat kernel has never suffered from something like that. I think that it proves how good concepts can suck with bad implementation and how bad concepts can work with good implementation.More ammo for Mr. Torvalds against Tanenbaum :-)
Saturday, May 20, 2006
Thursday, May 18, 2006
Monday, May 15, 2006
Friday, May 12, 2006
- Trojans and backdoors targeted to specific companies and organizations
- Trojans that instead of stealing credentials just perform funds transfers after the user is authenticated (I made a PoC presentation about it last year in CNASI). I was impressed to know that there are real cases now
- 0-days usage more common every day
- Internal attacks issues, one of the biggest motivators of my Master Thesis.He used these facts to drain conclusions, some right, some wrong. I agree that there is a raising complexity that makes security harder to do, that the cost of security controls is too high and that our "best practices" don't solve the problem. This last one is one if my favorites, I have been saying that for some time.I have a friend that is a penetration test specialist. His approach gives him almost 100% success rate, even in companies that have advanced security programs. What is happening is that the main sources of information for the CSO, with their indications about most common threats, don't drive to solutions that could stop my friend's approach. The "by the book" CSO will be a easy prey for him. I believe that we need a deeper technical discussion about what we understand as "best practices", making them more effective and clear. When I say technical discussion I mean "bring the good guys!", specially those that are not related to off-the-shelf products vendors. Have you ever noticed that the "next biggest threat" always fit in the features description of those just released blackboxes? Wow, so every new threat can be avoided just by buying them?Back to the article, I think that its qualities end here. The author does not remember that our goal is not reaching 100% security, but the security level needed to allow the business to keep going. The "it just need one single vulnerability to fail entirely" approach is counting that defense in depth and compartmentalization are not being applied. It's over reacting.I also think that there too much confusion about "home user" security and corporate security. Really, we need to improve a lot the security for the common home user, it's very hard to a non technical person to keep a computer secure. But we can't forget that we are not dealing with a common home appliance, like a refrigerator or a TV. There is two-way communication, there are new features being deployed on the fly, from different sources. The user has part of the responsibility to decide which features and which sources are safe, we can't deny that. If you want to drive your car in the streets you need to know that your safety depends not only on roads conditions or on your car safety features, but also on decisions and skills from you and other drivers. It's the same thing with the Internet and computers in general.There are still more deaths in car accidents than in wars!! I don't think we are terribly failing in infosec as we are with traffic safety.There is another thing. Those numbers, increasing losses, frauds, etc. I can't say for sure as I haven't made a extensive research, but I bet that when paper money or checks were introduced, the frauds grown wild. As technology is gradually dominated the ways of making it secure evolve. However, if the technology is evolving too fast there is not time to security to evolve. It's natural. Security systems created 10 years ago are not very effective today, but if we apply their current versions in the same problem for which they were created to, they would be almost perfect.Let's try to imagine if the weapons evolution had happen in a much more accelerated form. We should have spears, swords 6 months later, muskets in two years and grenades after 3. If we compare this with the infosec we would be trying to make hand shields stronger and complaining that they were not protecting us from the grenades.So what Augusto, will you do exactly like him and don't tell us how to solve it?First, it's necessary to make people in charge of security to know about it. They know about products, not about security. They think that they just need to build the lego with firewall+ids+ips+av blocks and everything is ok. We need education, make them skilled professionals. It can be dome with better training (SANS!), certifications, standards, code of practices, etc.Second, user awareness. Sorry Ranum, but I think it's more than necessary if our intention is to keep the flexibility and power in their hands. We can replace all our cars by a public transportation system and drastically reduce the accidents. Do anybody think this is possible? :-)Third, product intelligence. Keep running behind attacks, virus and Trojan signatures?? This is too archaic. The advantage of more frauds is that there will be more investments in security technology, bringing more money and brains to the research field too. With this investment we can reduce the gap between state of art technology and the security tools available.Fourth, demystify insecurity. This not black or white, all or nothing, but the gray tone that each person or company can live with. When you go out to the streets there is a risk of being robbed, murdered, victim of an accident. These risks are, usually, getting higher every day. Have you give up going out of your house because of that? Maybe you have changed some habits (mitigating risk), but you accept that there is risk to keep doing what you need to do. You go to the bank, there is the risk of someone who saw you withdrawing following you later to rob you. You use the Internet banking, there is the risk of someone taking advantage of this. Nothing changes. People only need to be conscious that the problem exists in any situation, be it "real" or "virtual". That's it.
Monday, May 8, 2006
Thursday, May 4, 2006
Thursday, April 27, 2006
Monday, April 24, 2006
Wednesday, April 19, 2006
Tuesday, April 18, 2006
Monday, April 17, 2006
Monday, April 10, 2006
Thursday, April 6, 2006
Thursday, March 30, 2006
Postbank to begin attaching electronic signature to all e-mail correspondence with customersBy John Blau, IDG News ServiceMarch 30, 2006German retail banking giant Postbank AG, the target of several phishing attacks, aims to curb the theft of online personal information with the help of electronic signatures.The bank will begin attaching electronic signatures to all e-mail correspondence with customers, Postbank spokesman JÃ¼rgen Ebert said Thursday.It's a very good measure, specially when the bank sends messages with links to account balances and other private information. However, they need to be aware that this will not be enough to avoid problems with authentication data theft. In Brazil we've had a large number of phishing scams pretending to be from the Banks a couple of years ago. But now the fraudsters realize that people are already aware that these are fake. They are using a different approach now, sending trojan horses to capture the same information when the users are accessing the real bank website. It's easier to make people click on messages that appear to be from apparently innocent or not related to banking sources, like virtual cards websites or government agencies (saying that you have problems with your tax report, for example). Banks need to protect their communication with their clients, but it won't be enough to ensure that credentials will not be stealed. They need to use additional measures to avoid that, like One Time Passwords cards or tokens like SecureID.
Tuesday, March 28, 2006
There were projects when our evaluation results literally made people cry and beg to buy their products. One vendor even offered a 100K product for free, so they could add the company logo to the list of their customers. Remember, you are choosing the product to protect your assets and if it fails and expose your data - you are the one who will be in trouble."Some vendors look at me like furious animals after arguing with me about their products security features. I just can't hear things like "We have an assymetric 198 bits 3DES encryption" (yeah, it was exactly like that) without complaining.What makes me feel uneasy is that if vendors are used to give answers like that (or just saying "don't worry, the data is encrypted") it means that people are not doing the right questions and neither they understand the answers.
Monday, March 27, 2006
Friday, March 24, 2006
Yesterday I was looking the access log from this blog and noticed a sudden increase on the number of visits. I thought about what could have caused this and today my hypothesis was confirmed.
Thanks Martin McKeay for mentioning the blog in the Network Security Podcast of this week! It was the starting push I was hoping to find.
Martin showed, as all English native speakers, how hard is to say my name when you don’t know Portuguese (Spanish is similar). You can hear how to pronounce it right in http://www.oddcast.com/sitepal/, where you can use the SitePal demo. There is a Portuguese (female Brazilian) voice there that can read anything you type, it’s interesting to play with.
Thursday, March 23, 2006
There are lots of news in the last days about trojans targeting bank customers. Although they are making noise because of their ability to capture authentication data, I still think this is nothing very different from what was being predicted for a long time.
My main concern is with code that still has not appeared. Last year I made a presentation with a PoC about a code that installs itself as a BHO (Browser Helper Object). It is not a trojan that steals information, it changes information. A user can access his Internet Banking website with two factor authentication (like a SecureID) and authenticate again when doing a transaction, but the trojan will not save any information. It just changes the target account. It does not need to be able to send information back to its creator, it fullfills the fraud alone, while being authenticated by the user.
Internet Banking security won’t be safe until the endpoint security problem is not solved. You can build fraud detection and prevention process to live with the risk, but if you want to solve the problem you will need to provide endpoint security.
I usually don’t like to spread FUD by asking people to leave IE and migrate to this or that browser. However, I must admit that today it’s more secure to NOT use IE.
I think there’s a difference that comes from the market share and from the amount of “haters” that MS has. People with intention to do harm will focus on looking for vulnerabilities that can provide them a bigger return, and “MS haters” tend to not follow responsible disclosure guidelines when dealing with MS products. This, even if unrelated to the software quality, will make IE more insecure. I use Firefox and really like it. Making more people adopt it, if my line of thinking is correct, can even make IE more secure as they start to share the focus of attackers.
I believe that all of them have vulnerabilities, and with equal conditions (vuln research focus and responsible disclosure) a well oriented user will be able to use any with acceptable security.
"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein
Monday, March 20, 2006
Security Through Begging
Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems -- so that the next time this happens, there won't be anyone on the network to download such documents.
Even if their begging works, it solves the wrong problem. Sad.
Is it a joke? Why does Ellison keep ignoring everything David Litchfield is showing about their products.?
(I never thought I would say something like this:) It's time for Oracle to learn a bit about dealing with security issues from Microsoft. Yes, they have a lot of them, but at least they are taking the matter seriously.
Friday, March 17, 2006