General: November 2006 Archives
The XP hardening settings that were pushed out to my test group have found their first potentially major casualty. The NAS server from Buffalo Technology is not accessible when the client is set to LM compatibility level 4 (send NTLMv2 response only, refuse LM). Sniffing the network connection shows that the TeraStation is running a Samba build from 4/3/2003. A quick Google search finds that this device does not support LanMan, and everybody's "fix" is to lower the security level of Windows and allow LanMan.
While I question the wisdom of a bunch of ad hoc, non-backed-up, consumer-level NAS servers, this may still be a problem for me. I don't see Buffalo releasing firmware with a newer version of Samba any time soon.
The setting that I am trying to enforce on my computers is the default in Vista.
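Before pushing the level out further, it is worth knowing what every test machine is actually set to and which ones still answer with a LanMan response. The script below is an added example, not something from the original post or from Buffalo: it assumes each host has been exported with `secedit /export /cfg <file>` and parses the `[Registry Values]` section of those files, where policy-set registry values appear as `MACHINE\<path>\<name>=<type>,<data>` with type 4 meaning REG_DWORD. It generalises the post's observation slightly: any level of 2 or higher stops the client from sending an LM response, so a server that only understands LanMan breaks at 2 and 3 as well, not only at 4. The hostnames and export text are constructed sample data.

```python
"""Audit LmCompatibilityLevel across a set of secedit exports.

Added example, not code from the original post. Each host is assumed to
have been exported with `secedit /export /cfg <file>`; the [Registry
Values] section lists MACHINE\\<path>\\<name>=<type>,<data>, type 4 being
REG_DWORD. Hostnames and export text below are constructed sample data.
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
LM_KEY = LSA + r"\LmCompatibilityLevel"
NOLM_KEY = LSA + r"\NoLMHash"

# Client-side meaning of each level ("Network security: LAN Manager
# authentication level"). Only 0 and 1 still send a LanMan response.
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM; use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only; refuse LM",
    5: "Send NTLMv2 response only; refuse LM & NTLM",
}
XP_DEFAULT = 0  # value an XP client uses when the key is not set


def parse_registry_values(inf_text: str) -> dict:
    """Return {key: (reg_type, data)} from the [Registry Values] section.

    Real secedit output is UTF-16LE with a BOM; read the file with
    open(path, encoding="utf-16") before passing its text in here.
    """
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            key, _, rest = line.partition("=")
            reg_type, _, data = rest.partition(",")
            values[key.strip()] = (int(reg_type), data.strip())
    return values


def lm_level(inf_text: str) -> int:
    """Effective LmCompatibilityLevel for one host's export."""
    entry = parse_registry_values(inf_text).get(LM_KEY)
    if entry is None:
        return XP_DEFAULT
    reg_type, data = entry
    if reg_type != 4:
        raise ValueError(f"{LM_KEY}: expected REG_DWORD (4), got type {reg_type}")
    return int(data)


def client_sends_lm(level: int) -> bool:
    """True if a client at this level still sends a LanMan response, i.e.
    can still authenticate to an LM-only SMB server such as the
    TeraStation in the post. Levels 2 and up all break that server."""
    return level <= 1


def audit(exports: dict, target: int = 4) -> dict:
    """Summarise every host: level, meaning, LM exposure, target met."""
    report = {}
    for host, inf in exports.items():
        level = lm_level(inf)
        report[host] = {
            "level": level,
            "meaning": LEVELS[level],
            "sends_lm": client_sends_lm(level),
            "meets_target": level >= target,
        }
    return report


# Constructed sample exports, trimmed to the parts that matter.
SAMPLE_EXPORTS = {
    "ws-test-01": "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
                  "[Registry Values]\n" + LM_KEY + "=4,4\n" + NOLM_KEY + "=4,1\n",
    "ws-test-02": "[Registry Values]\n" + LM_KEY + "=4,1\n",
    "ws-legacy":  "[Registry Values]\n" + NOLM_KEY + "=4,0\n",  # key absent
}

if __name__ == "__main__":
    for host, row in audit(SAMPLE_EXPORTS).items():
        flag = "OK " if row["meets_target"] else "FIX"
        print(f"{flag} {host:<12} level {row['level']}: {row['meaning']}")
```

Hosts flagged FIX are the ones that have not picked up the policy; hosts whose `sends_lm` is false are the ones that will lose access to the TeraStation until its firmware grows a newer Samba.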
While Googling for more information on exploits of the SYM06-010 vulnerability, I got sidetracked looking at the Information Security Office website at Carnegie Mellon University. They've put together an EXE that checks for all vulnerable builds of Symantec AntiVirus version 10 and applies the appropriate patches.
Most companies have deployed only one specific build of each major version of SAV, so they don't need to go to so much trouble. I, for example, had been running 10.0.2.2000 when this came out, so it was a simple matter of applying the patch. I thought it would be interesting to look at the language they used to create this EXE and apply the patch to a more heterogeneous SAV environment.
Looking at their executable, I quickly found that the EXE could not be opened with WinZip or UnRAR.
Upon further investigation I found that the EXE unpacked itself to a temp directory, \7zSA9.tmp. In that directory I found another EXE and a folder containing all of the MSP patches needed for this vulnerability. This new EXE also could not be opened with WinZip or UnRAR. A closer examination with strings (I used the former Sysinternals program, now available through TechNet) revealed that this file was packed with UPX. I used UPX to decompress it, but did not make further progress.
Moving back up a step, I found that the Version tab indicated that this file was created with AutoIt version 3. AutoIt is a BASIC-like scripting language. AutoIt has a utility for converting EXEs back to script format, but I found that a password was required. Strings did not find anything that worked as a password.
Further investigation led to a suggestion that a breakpoint could be set with a debugger pointing to the location of the password on the stack. I must have skipped reading that chapter in my forensics class. It was about this time that I decided it's pretty late and I'm going to call it a night. I'm not very good at this. :)
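The first three steps above (archiver refuses the file, strings shows UPX, the version resource shows AutoIt) can be done in one pass. The script below is an added example, not the CMU tool and not anything from the original post: it pulls printable strings in both ASCII and UTF-16LE (the version resource is UTF-16, which is why a plain ASCII strings pass misses "AutoIt v3 Script"), checks for the public markers of a 7-Zip self-extractor payload, UPX packing and a compiled AutoIt v3 script, reads the PE section table (UPX renames sections to UPX0/UPX1), and carves the embedded 7z archive from the SFX stub so 7-Zip can open it directly instead of relying on the stub to drop it in %TEMP%. The image built by `build_sample()` is a constructed MZ/PE skeleton, not a real binary.

```python
"""Packer and container triage for a Windows EXE that archivers reject.

Added example, not the CMU tool or code from the original post. Marker
bytes are well-known public constants; build_sample() is a constructed
PE skeleton, not an actual executable.
"""
import re
import struct

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"      # start of a .7z archive
BYTE_MARKERS = {
    "7-Zip archive (SFX payload)": SEVENZIP_MAGIC,
    "UPX header magic": b"UPX!",
    "AutoIt v3 compiled script": b"AU3!EA06",
}
# Stored in the version resource as UTF-16LE; ASCII-only strings misses it.
TEXT_MARKERS = {"AutoIt v3 version info": "AutoIt v3 Script"}


def extract_strings(data: bytes) -> list:
    """Printable runs of 6+ chars, ASCII and UTF-16LE (like Sysinternals strings)."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table, or [] if not a PE file."""
    try:
        if data[:2] != b"MZ":
            return []
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return []
        nsec = struct.unpack_from("<H", data, pe_off + 6)[0]   # NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    except struct.error:
        return []
    table = pe_off + 24 + opt_size          # section table follows optional header
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def carve_7z(data: bytes):
    """Bytes from the first 7z header to EOF (the SFX payload), or None."""
    pos = data.find(SEVENZIP_MAGIC)
    return None if pos == -1 else data[pos:]


def triage(data: bytes) -> dict:
    """Section names plus every marker hit and where it was found."""
    findings = {}
    for label, sig in BYTE_MARKERS.items():
        pos = data.find(sig)
        if pos != -1:
            findings[label] = pos
    strings = extract_strings(data)
    for label, needle in TEXT_MARKERS.items():
        if any(needle in s for s in strings):
            findings[label] = True
    sections = pe_section_names(data)
    upx = [s for s in sections if s.startswith("UPX")]
    if upx:
        findings["UPX section names"] = upx
    return {"sections": sections, "findings": findings}


def build_sample() -> bytes:
    """Constructed MZ/PE skeleton: UPX sections, AutoIt markers, trailing 7z header."""
    def section(name: bytes) -> bytes:      # 40-byte IMAGE_SECTION_HEADER, name only
        return name.ljust(8, b"\0") + bytes(32)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> 0x40
    # "PE\0\0" + COFF header: i386, 3 sections, optional header size 0.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x10F)
    sections = section(b"UPX0") + section(b"UPX1") + section(b".rsrc")
    body = (b"UPX!" + bytes(16) + "AutoIt v3 Script".encode("utf-16le")
            + bytes(8) + b"AU3!EA06" + bytes(8))
    payload = SEVENZIP_MAGIC + b"\x00\x04" + bytes(26)    # fake 7z header, 34 bytes
    return bytes(dos) + coff + sections + body + payload


if __name__ == "__main__":
    sample = build_sample()
    result = triage(sample)
    print("sections:", result["sections"])
    for label, where in result["findings"].items():
        print(f"  {label}: {where}")
    print("carved 7z payload:", len(carve_7z(sample)), "bytes")
```

On a real sample, write `carve_7z(data)` out to a `.7z` file and open it with 7-Zip; the MSP folder and inner EXE come out without running the stub. The password check in the AutoIt decompiler is a separate problem that this pass does not touch.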
The shuttering of BetOnSports in the U.S. and the signing of the Unlawful Internet Gambling Enforcement Act have served as advertisement for the online gambling industry. According to ScanSafe's Global Threat Report for October, they saw a 40% increase in U.S.-based requests for gambling-related pages.
Right on schedule, a new Adobe Flash Player vulnerability was announced today. Version 9.0.28.0 is available to fix the problem.
The vulnerability allows an attacker to perform cross-site scripting, cache poisoning, or session hijacking.
My credit union was purchased by a larger credit union earlier this year, and they implemented a hard cutover on November 1st, so the old account was no longer valid on that date. To make it a really hard cutover, the new account wasn't available until that date either. As a result, it was impossible to pre-arrange the new account information on all my bills. But enough about their poor transition plans; this is an infosec blog.
I had heard that with the new bank we would be able to use Microsoft Money to automatically download account information, just as I do with a credit card account. But after getting my new account information, I didn't see anything about Microsoft Money access.
I asked customer service and they replied with the following:
In regards to Microsoft Money, we recently upgraded the security and login procedures for our Online Account Access system. These procedures comply with the new security guidelines recommended by the Federal Financial Institutions Examination Council (FFIEC) at the beginning of 2006. All financial institutions are required to meet these guidelines before the end of 2006. Quicken and Microsoft Money's current automatic update interface asks you for a user ID and password to allow them to access your xxxxxxxxxx FCU accounts. According to the FFIEC guidelines, that information alone is no longer sufficient to allow Quicken or Money to gain access to your xxxxxxxxx FCU account information. Our Online Access provider is currently working with Quicken, Microsoft and other providers who include an automatic update feature in their products in a forum called the OFX working group to find a universal solution to this issue.
You may still download your xxxxxxxxx FCU account information into Quicken or Microsoft Money from inside Online Account Access. To do so, click on the "Account Access" tab and click the "export" link.
If you have any questions or concerns, please feel free to let us know.
Very stringent requirements.
Mozilla has announced multiple remote code execution vulnerabilities in Firefox.
These vulnerabilities allow attackers to:
- execute arbitrary machine code in the context of the vulnerable application
- crash affected applications
- run arbitrary script code with elevated privileges
Other attacks may also be possible.
References
Mozilla Foundation Security Advisory 2006-65 (Mozilla)
http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
Mozilla Foundation Security Advisory 2006-67 (Mozilla)
http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
Fixed in: Firefox 1.5.0.8, Thunderbird 1.5.0.8, SeaMonkey 1.0.6
Article originally from the Wall Street Journal on lockpicking as a growing hobby, and on how the locksmith union and lock manufacturers want that knowledge to remain secret.
There are obvious parallels to the disclosure debate over software vulnerabilities.
I'm working on using the InstallShield Tuner for Adobe Acrobat to prepare an Adobe Reader install.
There are a lot of variables to test.
1. What will happen if an earlier version of 7 is installed.
2. What will happen if 3, 4, 5, or 6 is installed.
3. What about if there is a weird combination of versions installed.
4. What happens when Professional is installed and you update Reader.
I thought I was in pretty good shape until I noticed that my custom settings weren't getting applied. When I just ran setup, everything was cool. But when I ran the command line setup.exe /s /v"/qb", it ran without including the Windows Installer transform (.mst) file that contained the customization. I edited settings.ini to change the CmdLine line to TRANSFORMS="Adobe Reader 7.0.8.mst" /qb. That way I don't have to figure out what the problem is with passing my setup command line. It seems to be working now.