General: April 2008 Archives

The Washington Times reports today that "Some federal air marshals have been denied entry to flights they are assigned to protect when their names matched those on the terrorist no-fly list."

One of our users complained that they did not receive a highly critical piece of email sent from a Comcast user. Other addresses on the recipient list at our company did receive the message.

Checking the logs we see that the recipients on the TO line of the email did not receive the message but recipients that were CCed did receive the message.

One of the mail admins has Comcast, so he logged in and sent himself a couple of test messages. Sure enough, he received an error code 4.1.1. He tried again, this time putting his address as a CC and another address in the TO field. He was able to reproduce the user's problem.

From googling, I see that some users were getting that error message when sending to certain domains back in February. It turned out to be a temporary problem for them. Not sure what that's all about.

We've all gotten a chuckle over the drones who would give up their password for a chocolate bar. Are we as security professionals any better? We give up all of our contact information (name, address, phone number, email, company name, job title), information on our company (security initiatives, budget, size, locations), and sometimes even contact information for our co-workers. We give it up for half-baked white papers that may be helpful or may be marketing tripe that will be discarded immediately. We give it up for a one hour webinar that again may be useful or may be worthless. We give it up for a half day seminar that allows us to escape the office temporarily.

It's expected that disclosing this information will result in sales calls. Did you realize that these companies also may be selling your contact information or trading it with other companies? I've been thinking about this since a couple of sales people called, and when told I wasn't interested responded "but you downloaded our whitepaper."

Janis Rose has an article on this in the April 2008 ISSA Journal (membership required). She focuses on the ethical aspect of using disposable email addresses when registering for whitepapers.

When signing up for things online, know that there is no such thing as a free lunch. Even when it's a reputable company, you need to be aware of the potential consequences of disclosing data.

I think companies should include choices for how your data will be used. They shouldn't hide it in the fine print of a privacy policy. When they don't do that, we're forced to use temporary email addresses and phone numbers that go straight to voicemail.

Joshua Wright, author of the SANS wireless security course I took recently and presenter of one of the better talks at this year's ShmooCon, has a 5 minute video on Bluetooth phone earpiece hijacking.

As he says in the intro, as states require hands-free devices more and more people are turning to Bluetooth headsets. But what of the security? See his video below:

The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.

The message is from subpoena@uscourts.com with a display name of "United States District Court". It says

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.

The malware we received doesn't seem to be the same file the ISC is reporting.
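As an added example (not from the ISC diary or this post), one detection you can put in front of users for this lure: the real federal judiciary domain is uscourts.gov, so a From: header whose display name claims to be a court while its address sits anywhere else is worth flagging. The header values in the code are constructed.

```c
/* Added example (not the ISC's or this blog's code): flag a From: header that
 * pairs a court-sounding display name with an address outside the federal
 * judiciary's real domain, uscourts.gov. The lure used uscourts.com.
 * The header values below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the domain of the addr-spec in a From: header value into dom,
 * lowercased. Accepts "Name <user@host>" and bare "user@host".
 * Returns 1 on success, 0 if no usable address is found. */
int from_domain(const char *value, char *dom, size_t dom_sz)
{
    const char *lt = strchr(value, '<');
    const char *start = lt ? lt + 1 : value;
    const char *end = lt ? strchr(start, '>') : value + strlen(value);
    if (end == NULL)
        return 0;
    const char *at = memchr(start, '@', (size_t)(end - start));
    if (at == NULL)
        return 0;
    size_t n = (size_t)(end - (at + 1));
    while (n > 0 && isspace((unsigned char)at[n]))   /* trim trailing blanks */
        n--;
    if (n == 0 || n >= dom_sz)
        return 0;
    for (size_t i = 0; i < n; i++)
        dom[i] = (char)tolower((unsigned char)at[1 + i]);
    dom[n] = '\0';
    return 1;
}

/* 1 if dom equals official or is a subdomain of it, e.g. cacd.uscourts.gov */
static int under_domain(const char *dom, const char *official)
{
    size_t dl = strlen(dom), ol = strlen(official);
    if (dl == ol)
        return strcmp(dom, official) == 0;
    return dl > ol && dom[dl - ol - 1] == '.' && strcmp(dom + dl - ol, official) == 0;
}

/* 1 if the display name claims to be a court but the sending address is not
 * under uscourts.gov (or cannot be parsed at all), 0 otherwise. */
int suspicious_court_from(const char *value)
{
    char name[256], dom[256];
    const char *lt = strchr(value, '<');
    size_t nlen = lt ? (size_t)(lt - value) : 0;   /* no '<' means no display name */
    if (nlen >= sizeof name)
        nlen = sizeof name - 1;
    for (size_t i = 0; i < nlen; i++)
        name[i] = (char)tolower((unsigned char)value[i]);
    name[nlen] = '\0';
    if (strstr(name, "court") == NULL)
        return 0;
    if (!from_domain(value, dom, sizeof dom))
        return 1;
    return !under_domain(dom, "uscourts.gov");
}

int main(void)
{
    const char *samples[] = {
        "United States District Court <subpoena@uscourts.com>",  /* the lure */
        "Clerk of Court <clerk@cacd.uscourts.gov>",               /* legitimate shape */
        "Alice Example <alice@example.org>",                      /* unrelated */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s -> %s\n", samples[i],
               suspicious_court_from(samples[i]) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

This is one signal for a gateway rule, not a verdict on its own: the display name is free text and the next campaign can register a different look-alike, so the durable check is "the name claims an authority and the address is not under that authority's domain", paired with a look at where the download link in the body actually points.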

Our vulnerability scanner is causing the server backup software we use to crash.
After examining a crash dump, a developer for the backup software replied

"Looking at the logs, we are getting some corrupted packets and that is causing it to try to allocate huge memory, and that is the reason for the failure.

Does this security scanner corrupt our packets to test some of its features? If yes then they will have to stop it."

While not sending corrupt packets would stop the crashing, I'm not sure a bad guy would be so kind as to respect that request. I also wonder if there is a remote exploit in this defect.

To take it out of the realm of the vulnerability scanner, I used nmap's service fingerprint option to crash the service. Reviewing the packets with Wireshark shows that nmap with the -sV option set is also throwing a corrupt packet. The hardest part in reproducing this is the backup software not staying on a predictable port.

Vulnerabilities in backup software are frequently targeted. Backup agents typically run with full admin or SYSTEM rights, listen on the network, and hold readable copies of everything on the servers they protect, so exploiting them can lead to information disclosure or to an attacker fully compromising important servers. The fix belongs in the parser, not the scanner: a length or count read from the network is attacker-controlled and has to be checked against what was actually received, and against a sane maximum, before it is used to size an allocation. SANS lists backup software vulnerabilities in the SANS Top 20.
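To make the failure mode concrete, here is an added example written for this post (not the backup product's code, and the framing is assumed: a 4-byte big-endian length followed by the payload). The first parser trusts the wire length the way the developer's description suggests the service does; the second bounds it before allocating, which is the fix the scanner's complaint is really asking for.

```c
/* Added example (not the backup product's code): a length-prefixed message
 * parser, first trusting the on-the-wire length and then bounding it.
 * Assumed framing for illustration: 4-byte big-endian payload length,
 * followed by that many payload bytes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 65536 /* assumed protocol maximum for one message */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the length field drives malloc() and memcpy() unchecked.
 * A corrupt or hostile header such as FF FF FF FF asks for ~4 GiB; if malloc()
 * fails the service "fails to allocate huge memory" and dies on the NULL, and
 * if it succeeds memcpy() reads far past the end of the datagram. */
unsigned char *parse_unchecked(const unsigned char *pkt, size_t pkt_len,
                               uint32_t *out_len)
{
    if (pkt_len < 4)
        return NULL;
    uint32_t len = be32(pkt);                /* taken straight from the wire */
    unsigned char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, pkt + 4, len);               /* never compared to pkt_len */
    *out_len = len;
    return buf;
}

/* Hardened: refuse a length the datagram cannot contain or that exceeds the
 * protocol's own maximum, before any allocation happens.
 * Returns 0 on success; -1 truncated header, -2 over MAX_PAYLOAD,
 * -3 length exceeds received bytes, -4 allocation failed. */
int parse_checked(const unsigned char *pkt, size_t pkt_len,
                  unsigned char **out, uint32_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pkt_len < 4)
        return -1;
    uint32_t len = be32(pkt);
    if (len > MAX_PAYLOAD)
        return -2;
    if (len > pkt_len - 4)                   /* pkt_len >= 4 here, no underflow */
        return -3;
    unsigned char *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return -4;
    memcpy(buf, pkt + 4, len);
    *out = buf;
    *out_len = len;
    return 0;
}

int main(void)
{
    /* Constructed packets: one well-formed, one with a hostile length field. */
    const unsigned char good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};
    unsigned char *p;
    uint32_t n;

    p = parse_unchecked(good, sizeof good, &n);
    printf("unchecked, good packet: %u bytes\n", p ? n : 0);
    free(p);

    printf("checked, good packet: rc=%d\n", parse_checked(good, sizeof good, &p, &n));
    free(p);
    printf("checked, hostile length: rc=%d (rejected before malloc)\n",
           parse_checked(bad, sizeof bad, &p, &n));
    /* parse_unchecked(bad, ...) is what the scanner's probe triggers: it
     * attempts a 4 GiB allocation and then an out-of-bounds memcpy. */
    return 0;
}
```

The probe bytes nmap sends with -sV are just its fixed service-detection strings; the "corruption" is only that the first four bytes of one of them decode as an absurd length under this framing, which is exactly what any attacker can send on purpose. Whether the result is a crash or something worse depends on what the code does after the allocation, which is why the defect deserves a fix rather than a scanner exclusion.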

I never thought I'd be happy to see a Quicktime update. A few more of them and I was planning to create an uninstall package for Quicktime, roll it out to the enterprise and remove it from the Ghost load.

It seems that in addition to the eleven fixes in Quicktime 7.4.5, Apple has added some hardening to make further attacks more difficult.

David Maynor in February called for Apple to update Quicktime to take advantage of address space layout randomization (ASLR).

ASLR randomizes where a process's executable, libraries, stack and heap land in memory, so exploit code that depends on hard-coded addresses (a return address into a known DLL, the location of a buffer) lands in the wrong place and the exploit fails instead of running. On Vista a module is only randomized if it was linked to opt in, and Quicktime's binaries were not, so they loaded at the same addresses every time. Exploits for Quicktime vulnerabilities have worked reliably because they know precisely where the important bits are located. With ASLR enabled, most existing exploits for its vulnerabilities would stop working as written; an attacker would need an information leak or a module that is still not randomized to get a usable address back.

According to Ryan Naraine at eWeek, Quicktime for Vista now supports ASLR.

"In addition to ASLR, QuickTime for Windows will also do stack buffer safety checking (Visual Studio 2005's /GS option) and support for hardware NX on Windows Vista."

This is really good news if you are running Vista (even if you're running a Mac you're getting improved protection). If you're still running XP, perhaps the NX will help (although the article only mentions Vista for some reason). I would suggest to you that there is more to Vista than having problems because your crappy peripherals are unsupported. There are security benefits to upgrading, particularly when the application supplier chooses to use them. Adobe you're at bat! How will you step up to improve Flash security?

update 4/9/08 David Maynor has written an update where he points out a couple of flaws in Apple's implementation. "Although most of the files are now marked as ASLR enabled there are still a few binaries that are not and could still provide an attacker a static location to utilize." As he said, it's still a big step forward. Informative post, I'd suggest checking it out.
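A way to check the point Maynor raises for yourself, as an added example rather than anything from Apple, Maynor or eWeek: the linker records /DYNAMICBASE and /NXCOMPAT as bits in the DllCharacteristics field of the PE optional header, so a short parser can report which files in the Quicktime install directory opted in. The sample images it runs on are constructed inside the code; on a real system you would read each .exe and .dll into the buffer instead. Note that /GS leaves no header flag, so stack cookies have to be inferred from the compiled code.

```c
/* Added example, not Apple's, Maynor's or eWeek's code: read DllCharacteristics
 * from a PE file's optional header to see whether a binary opts in to ASLR
 * (/DYNAMICBASE) and hardware NX (/NXCOMPAT). Vista only randomizes a
 * module's load address when this bit is set; XP ignores it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100

struct pe_mitigations {
    int pe32plus;                 /* 1 for PE32+ (64-bit), 0 for PE32 */
    int aslr;                     /* /DYNAMICBASE set */
    int nx;                       /* /NXCOMPAT set */
    uint16_t dll_characteristics; /* raw field */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an in-memory PE image. Returns 0 on success, negative on a malformed or
 * non-PE buffer: -1 no MZ header, -2 too short, -3 no PE signature,
 * -4 optional header too small, -5 unknown optional-header magic. */
int pe_mitigations(const unsigned char *img, size_t len, struct pe_mitigations *m)
{
    memset(m, 0, sizeof *m);
    if (len < 64 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(img + 60);            /* offset of "PE\0\0" */
    /* signature (4) + COFF header (20) + optional header through
     * DllCharacteristics, which sits at offset 70 in both PE32 and PE32+ */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72)
        return -2;
    const unsigned char *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -3;
    if (rd16(nt + 4 + 16) < 72)                    /* COFF SizeOfOptionalHeader */
        return -4;
    const unsigned char *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic == 0x10b)      m->pe32plus = 0;
    else if (magic == 0x20b) m->pe32plus = 1;
    else                     return -5;
    m->dll_characteristics = rd16(opt + 70);
    m->aslr = (m->dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    m->nx   = (m->dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    return 0;
}

/* Build a constructed, minimal PE header (no sections, no code) so the parser
 * can be exercised offline. Returns the image size, 0 if cap is too small. */
size_t build_sample_pe(unsigned char *buf, size_t cap, uint16_t magic, uint16_t dll_characteristics)
{
    const uint32_t e_lfanew = 0x80;
    const uint16_t opt_size = (magic == 0x20b) ? 240 : 224;  /* incl. data directories */
    size_t total = e_lfanew + 4 + 20 + opt_size;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[60] = (unsigned char)e_lfanew;                        /* e_lfanew, little-endian */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    unsigned char *coff = buf + e_lfanew + 4;
    coff[16] = (unsigned char)(opt_size & 0xff);              /* SizeOfOptionalHeader */
    coff[17] = (unsigned char)(opt_size >> 8);
    unsigned char *opt = coff + 20;
    opt[0] = (unsigned char)(magic & 0xff);
    opt[1] = (unsigned char)(magic >> 8);
    opt[70] = (unsigned char)(dll_characteristics & 0xff);
    opt[71] = (unsigned char)(dll_characteristics >> 8);
    return total;
}

int main(void)
{
    unsigned char img[512];
    struct pe_mitigations m;
    /* a binary linked like the new Quicktime build: ASLR and NX opted in */
    size_t n = build_sample_pe(img, sizeof img, 0x10b, 0x0140);
    if (pe_mitigations(img, n, &m) == 0)
        printf("DllCharacteristics=0x%04x aslr=%d nx=%d\n", m.dll_characteristics, m.aslr, m.nx);
    /* one of the stragglers Maynor describes: nothing set, fixed load address */
    n = build_sample_pe(img, sizeof img, 0x10b, 0x0000);
    if (pe_mitigations(img, n, &m) == 0)
        printf("DllCharacteristics=0x%04x aslr=%d nx=%d\n", m.dll_characteristics, m.aslr, m.nx);
    return 0;
}
```

The same field is what dumpbin /headers prints under "DLL characteristics". One module without the bit is enough to give an exploit a fixed address in the Quicktime process, which is why Maynor's list of stragglers matters more than the count of files that were fixed.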