• blackhat 5 your laptop tracer is an insecure rootkit

    There is a general rule in security that the further out a layer of defence sits, the stronger and harder it has to be, and the more you have to presume that it will be the first to be attacked and the first to crack.

    So when you develop something that loads before the OS and the security tools, it has to be as secure and as well thought out as any other security process at the edge of your primary defences.

    This does not seem to be the case for the popular, already installed rootkit that the firm Computrace has put on millions of laptops worldwide. The software sends a signal home, and if the laptop is registered as stolen it can destroy the data on it.

    According to security researchers at Black Hat who specialise in rootkits, it is not difficult to change the website it reports to, nor its other settings. The configuration is stored on the PC itself and is poorly protected, and there is no authentication or verification between the rootkit and the server it connects to (which could just as well be a malicious botnet server).

    How are they going to upgrade that? It is a rootkit launched from the BIOS, before the OS and everything else. This is a very big vulnerability for supposedly secured laptops.

    source

  • Ebay and skype at war : where will it end ?

    Skype is now used by half a billion users worldwide and is the absolute market leader in consumer VoIP. It was bought by Ebay for some billions of dollars during the second internet hype. But those people with more money than brains forgot to get hold of (ownership of) all the code from A to Z, and now find themselves in a very precarious situation.

    Depending on whom you ask, either Ebay has not done enough to integrate Skype into Ebay (the Ebay-Skype-Paypal hype; that is the Skype version), or Skype was not ready and good enough to make the money that was expected and to fulfil the functions that were planned (the Ebay version). Either way, the minds and people of Ebay and Skype parted.

    As divorces have a tendency to become a legal battleground, Ebay now finds itself in court trying to get hold of the code that is the P2P basis of Skype. The founders of Skype built Kazaa before and used the same peer-to-peer code to construct this very fast VoIP application. Without it Skype wouldn't work the way it does and wouldn't be so competitive. What the people of Ebay didn't understand is that the P2P code is the real routing basis of the Skype application, and that without it Skype wouldn't be worth a penny. Not getting hold of the code is the same as buying an empty bag. This goes well as long as all the parties get along, but it can bring everything down when war breaks out between them.

    Ebay has more to lose, as it is listed on the stock market and needs to get value out of its Skype investment to keep its investors happy. It is naturally a pity for the sellers on Ebay that their leadership got so distracted by these big dreams that it now has less time and money to give them a better service in hard times.

    source bloomberg

  • why cloud security as a first line of defence is the next new layer

    Security means putting layers in front of the goal that the 'others' want to reach and compromise or copy. Each layer (ISP filtering, router filtering, firewalls, IPS, internal router filtering, host-based security, data protection) has its own functions and its own defects. Building your onion of defence-in-depth layers is hard: you need to take care not to have two layers filtering the same things, and you need to be able to monitor each layer, or have a dashboard that does.

    It is no longer possible to filter out all the viruses, malware and zero-day attacks with your own network-based antivirus appliances, nor on the workstations or servers. Another layer of defence will need to be added for high-security networks (or ISPs?): cloud malware filtering. This won't replace your desktop or network filtering, because if you make the cloud filtering too strict you will lose too much time and too many files (false positives). But it will need to filter out the oldest and most typical malware and send the rest to a check box for the security people of the network or the client.

    There seems to be no other way, because even the oldest viruses are still active somewhere on the net, since workstations aren't updated, patched and secured enough. Maybe ISPs will need to install such cloud security services, or develop secure pipe services for business.

    len24

  • blackhat 4 Is your parking meter hackable ?

    Well, we already had the hackable RFID-enabled public transport chips and the blocked talk about the hackable US toll system, and now we have hackable parking meters.

    If you read the documents and presentation, it is just a problem of process. The firm never thought that people could be interested in hacking or abusing their system. Well, people buy cracked satellite cards and download free music and films, so why wouldn't they reset their parking card, especially as everyone hates paying (so much) just to park their car? So it seems incredible for a firm that advertises its ISO 9001 certification (for quality, certainly not security, but what does quality without security mean?) and its we-are-secure propaganda on its website. You can find out here whether there are firms selling their products in your country, and then you will have to find out where these machines are installed (and whether they are the same ones). And if you are lucky and a bit technical (or know somebody who is), you can read this article and presentation and do nothing :).

    It stays illegal. It is not because the front door of a house is open that you have the right to steal something or even to go in. You are even expected to phone the owner or the police to say that the door is open. That is more or less what the researchers have done.

    If you replace the security of a human presence with something digital or electronic, you will have to secure it and count those costs into your product from the start. Otherwise you are not comparing the same costs. And it could be that digitalising is the more expensive option once you take everything into account, including the social security costs of paying those low-income people who have lost their jobs to a machine that isn't secure.

  • do you use an embedded search tool and are you exploitable ?

    MI5, the British spy agency, has a website with a search engine. It made headlines because the site was vulnerable to XSS and iframe injection through that search engine.

    "The MI5 site uses an embedded Google search engine, said a spokesperson for the agency, who also confirmed that the site had been vulnerable through the search tool."
    http://news.zdnet.co.uk/security/0,1000000189,39700487,00.htm

    The URL for the XSS attack injected through the search engine was

    http://search.mi5.gov.uk/search?q=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E&ie=&site=mi5&output=xml_no_dtd&client=mi5&lr=&proxystylesheet=mi5&oe=&x=23&y=9
    http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/20090721_MI5__Military_Intelligence__Section_5____XSS.html

    and for the iframe injection

    http://search.mi5.gov.uk/search?q=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fnemesis.te-home.net%3E%3C%2Fiframe%3E&ie=&site=mi5&output=xml_no_dtd&client=mi5&lr=&proxystylesheet=mi5&oe=&x=23&y=17

    To test this, replace the injected site with your own and point the query at another site than theirs.

    All those embedded things will one day become embedded vulnerabilities.
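    To show what actually went wrong in the search results page, here is an added example (my own code, not anything from the original post, from MI5 or from the Google search appliance). The render_* functions are a hypothetical stand-in for the stylesheet that turns search results into HTML; the two URLs are the ones quoted above, with the query strings shortened to the relevant parameters. It decodes the q= parameter the way the server sees it, renders it once without escaping and once with context-aware escaping, and checks whether the injected tag survives as markup.

```python
"""Reflected XSS through an embedded search box: vulnerable vs hardened output.

Added example; not code from the original post, from MI5 or from the Google
search appliance. render_* is a hypothetical stand-in for the stylesheet that
renders search results. The URLs are the ones quoted in the post.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

XSS_URL = ("http://search.mi5.gov.uk/search?q=%22%3E%3Cscript%3Ealert%28String."
           "fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E&site=mi5&client=mi5")
IFRAME_URL = ("http://search.mi5.gov.uk/search?q=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2F"
              "nemesis.te-home.net%3E%3C%2Fiframe%3E&site=mi5&client=mi5")


def search_term(url):
    """Decode the q= parameter exactly as the search server would see it."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(q):
    """Echo the term straight into an attribute value and into the page text.

    The leading "> of the payload closes the value attribute and the <input>
    tag, so whatever follows is parsed by the browser as markup.
    """
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_hardened(q):
    """Escape once with quote=True so the term is inert in both contexts used
    here: a double-quoted attribute value and element text."""
    safe = escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def injected_tag(html_out, tag):
    """True if a raw <tag appears in the output, i.e. the term became markup."""
    return f"<{tag}" in html_out.lower()


def check(url, tag):
    """Return (vulnerable_output_injects, hardened_output_injects) for one URL."""
    q = search_term(url)
    return injected_tag(render_vulnerable(q), tag), injected_tag(render_hardened(q), tag)


if __name__ == "__main__":
    for url, tag in ((XSS_URL, "script"), (IFRAME_URL, "iframe")):
        print(tag, "vulnerable/hardened injects:", check(url, tag))
```

    The escaping has to happen wherever the search output is turned into HTML, which in these URLs is whatever the proxystylesheet parameter points at. Note that escape() only covers HTML attribute and text contexts; a term copied into a URL, a JavaScript string or an event handler needs the escaping for that context instead.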

     

  • blackhat 3 the Mac hack

    The third presentation that is making the rounds is about the hacking of a Mac laptop.

    But sometimes the details are more important than the titles.

    Detail number 1: the Mac has to be compromised already by another virus or hack before this one can work. That could be done (and has already been done) through malicious or infected downloads. But this makes it in fact a second attack, not the first one, because the laptop is already compromised.

    Detail number 2: the Mac has to use Safari to surf, which many users have let rot on their machines because it is buggy and insecure. You can better lock down your Mac and your surfing by installing Firefox with the necessary add-ons (NoScript, for example).

    For the rest, the hackers explain that the Mac is a really interesting platform to attack because there is so much code under the hood, and so on. But that we already knew. Even more interesting is that Mac users think they are safe because there are no viruses for the Mac. So they think.

  • blackhat 2 the iPhone and mobile hack

    Yesterday we had the disclosure by Apple that the baseband software that talks to the transmission towers is not very secure, which is the reason it gives for wanting to lock down the iPhone (and make lots of money with its exclusive deals).

    At the same time, at Black Hat, security researchers were showing how to crack smartphones ranging from the iPhone over Windows Mobile phones to Google's Android.

    The security of mobile phones is only starting, and some products are on the market, but there is no guarantee at all that the networks as such and the providers have a security infrastructure for defence and monitoring that equals that of a professional ISP. There is no official obligation to have one, and the number of incidents in Western Europe isn't high and dramatic enough to change that. The situation is different in China and Asia, but maybe that is because in such countries the internet is, for most lower-income groups, only affordable by mobile. The number of internet-enabled mobiles there is higher than the number of internet-connected computers, so it is normal that attackers do more research on mobile malware and phishing.

    This doesn't mean that this situation couldn't be exported to Europe and the US.

    But contrary to the computer and the internet, there is no security awareness among the general public and executives about mobile security and mobile malware, and some of the awareness that exists is so commercialised and hyped that it has no credibility. It also depends on how you look at it. If you look at the overall numbers, you can say that even in Asia malicious SMS and mobile traffic is so limited that it is not worth the millions that operators and manufacturers would have to invest to secure the network, the traffic and the phones.

    But as more and more people have only a mobile connection, the mobile networks have become strategically more important, and for that reason securing them matters.

    The iPhone and other hacks that were demonstrated have to be placed in this context. The firms will have to adapt internet security strategies to their networks, users and phones, and the users will have to do the same. The problem is that if the industry follows the Apple ideology, they won't patch and they won't communicate, so they won't be ready and will have no credibility. If the industry follows the Microsoft security ideology of today, they have big investments and communication plans ahead of them, but their networks, users and phones will be more secure. In the article it is clear that Apple has done nothing about the iPhone for a month, while Microsoft has already provided a patch.

    So if you have an iPhone, you should be more on your guard: only open things that are expected and logical, and destroy everything that seems 'strange' or 'too good to be true'.

    You are on your own.

  • Blackhat 1 the SSL phishing

    After the serious DNS bug (which didn't bring down the system, even if many DNS servers still aren't patched), Kaminsky presented at Black Hat a new phishing or social engineering trick that could be closed very easily if some institution like ICANN had the guts to do it.

    When you use a website to transfer money or personal information, the website secures this with an SSL certificate (which most forget to manage professionally). This gives the HTTPS connection and certifies that fortis.be really belongs to Fortis and not to some crook in Russia. Websites have to request such a certificate for each domain or subdomain. This means that if they want to secure secure.fortis.be and invest.fortis.be they have to request a certificate for each of them separately.

    Kaminsky showed that, holding a certificate for mydomain.com, he could request one for the subdomain fortis.be/mydomain.com, a name that reads as fortis.be to a victim. Well, this doesn't surprise me much.

    Many anti-phishing organisations and antivirus firms, and myself (with DNS.be), want an international blacklist to be set up of trade names and their variations that can't be registered under any domain extension without the explicit approval of the owner of that trade name. Most urgently this should be done for banks, online payment systems, credit companies and big retail firms. Later on the system could be extended.

    This system would not only protect surfers against phishing by so-called phishing domains, but also against such SSL phishing and trade name hijacking on social networks.

  • DNS spoof attacks and others underway in Belgium

    According to Arbor Networks, DNS spoof attacks are underway in Belgium, and for this reason Belgium is again in the top 5 of the most insecure networks it monitors. It is the only network where such attacks are occurring, and in Belgium it is mostly on Belgacom networks.

    More details

    1. The top signature is "DNS SPOOF query response with TTL of 1 min. and no authority" (rate 0.39, change +100.0 %, share 23.8 %).

       DNS spoof attacks have increased by about 100 % in 24 hours and are now the most important attack on the Belgian networks monitored by Arbor.

    2. They mostly use UDP port 1024 for this.

    3. The DNS servers involved:

           195.238.2.22 (dnspool042.isp.belgacom.be)     0.23
           195.238.2.21 (dnspool041.isp.belgacom.be)     0.16

    4. DNS scanning on port 53 is very intensive in Belgium at the moment.

       By country (bytes, share):

           BE (Belgium)          9.52 kB     39.3%
           ZA (South Africa)     4.87 kB     20.1%
           CN (China)            4.84 kB     20.0%
           US (United States)    2.48 kB

       By network:

           ASN                            Bytes per subnet    Percentage
           AS5432 (BELGACOM-SKYNET-AS)    8.75 kB             36.1%
           AS4134 (CHINANET-BACKBONE)     4.46 kB             18.4%
           AS3741 (IS)                    2.61 kB             10.8%

       By server (bytes, share):

           195.13.1.13                        1.73 kB     7.1%
           195.13.2.13                        1.16 kB     4.8%
           91.181.91.72                     663.45 B      2.7%
           41.245.210.64                    623.92 B      2.6%
           217.117.32.3 (ns.nrb.be)         603.70 B      2.5%
           194.78.200.245 (mail.voltis.be)  568.18 B      2.3%
           91.183.49.181                    543.72 B      2.2%
           196.211.30.190                   522.05 B      2.2%
           41.195.74.152                    488.16 B      2.0%
           116.5.55.173                     467.96 B

    We would also like to remind Belgacom that, according to Arbor, it still has a botnet command and control centre running on its network.

    Telenet shouldn't think that it has cleaned up all the attacks of the last few days, because it is still responsible for about 18% of all attack traffic in Belgium according to Arbor Networks. The incoming DDoS attacks have been stopped.

    They now see an increase in Solaris attack and exploit traffic.

     

     

  • urgent updates for Flash and Shockwave, Adobe Reader to come

    Security Updates available for Adobe Flash Player

    Security Update available for Shockwave Player

    It is a pity that Adobe isn't ready with the Acrobat Reader security update, so that firms could distribute the different updates in one package across their networks.

     

  • skype to be monitored in Belgium by police soon

    The Belgian police and intelligence services are using more phone taps than ever before, according to an answer to a parliamentary question. But the police forces say they are losing out because they can't yet intercept Skype conversations, which some criminals seem to use.

    The Minister of Justice is working on a solution to force 'internet service providers' such as Skype to cooperate with the police.

    This changes nothing about the process in which the police have to get the blessing of a judge or prosecutor before being able to intercept and use those conversations.

    But what will they ask when they are confronted with encryption? Ask for the encryption key?

  • Belgian gaming (control) commission has 4 agents

    De Standaard had a big article about the plague of illegal poker games (forgetting the poker culture that is being pushed by all media and even toy shops, as if it were a normal game) organised in Belgium.

    The biggest problem, said the president of the Gaming Commission, which is responsible for the control and licensing of legal organisers and the pursuit of illegal organisers of all kinds of casinos and games for money, is that he has only 4 agents for the whole of Belgium.

    "But we also use the internet to track those illegal organisers."

    As if that is going to replace the 10 extra agents they would need, at the very least, to work more effectively.

  • workaround for problems with the ActiveX TIFF-blocking patch for Internet Explorer

    The announced but unexplained, dramatically urgent patch that Microsoft pushed for Internet Explorer can have dramatic consequences in professional environments and for several web services. Programmers and software have come to rely on the ability to open all kinds of files from applications in the browser through ActiveX, and didn't foresee that anything could happen to that function.

    But what is safe today can be insecure tomorrow, and just as our operating systems and servers have gone through radical changes to secure them, our browsers and applications will lose more functions than they gain in the coming months. A browser cannot be all things to all people, and it should go back to its main function, which is browsing the internet or the computer. It is not built as a secure interface between the user and the applications, servers and whatever else one imagines. It may be an interface, but it is not necessarily secure enough to withstand the ever-increasing possibilities of attack and compromise.

    So many applications and online web services lose some of their functions after this patch. The patch breaks the ability to open TIFF files from within the browser (and which file type is next?). If the PC or user still needs to go on the internet and the PC can't be a dedicated internal machine, check whether you (or the developer) can link the files that were opened with Internet Explorer to another tool (a fax viewer) or browser on the computer.

    The second option is an interesting challenge to hackers: write a TIFF attack file for Firefox and get from there to IE. After cross-platform attacks, cross-browser attacks.

  • scribd.com first big victim of new DDoS attack on BIND servers (upgrade)

    Yesterday scribd.com, an e-book hosting web 2.0 service we use around here, was hard to reach or not reachable at all. On their blog they said that their small ISP was being DDoSed on its DNS server.

    It happens that there is a big security hole in BIND 9, and you should upgrade in any case if your server is master for any zone, whatever your configuration. This is the security posting:

    "Urgent: this exploit is public. Please upgrade immediately.

    Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

    This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

    dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

    db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
    exiting (due to assertion failure)

    Workarounds:  None.

    (Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

    Active exploits:  An active remote exploit is in wide circulation at this time.

    Solution:

    Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

    http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz

    http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz

    http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

    source https://www.isc.org/node/474
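    To make the advisory concrete, here is an added example (my own code, not ISC's and not part of the advisory). It builds a dynamic UPDATE message (opcode 5) of the shape the advisory describes, a prerequisite record of type ANY against a zone the server is master for, and a filter that a proxy or packet inspector in front of a master nameserver could use to drop such updates, which is the kind of firewall filtering the advisory's parenthetical hints at. The zone names, the message ID and the packet contents are constructed for the example; the filter only looks at packet shape, it cannot know whether an RRset for the name exists on the server.

```python
"""Wire-level look at the BIND 9 dynamic-update crash in the advisory above.

Added example, not ISC code. Builds an RFC 2136 UPDATE message whose
prerequisite section holds a TYPE=ANY record, and a filter that flags such
messages before they reach a master server. Names and IDs are constructed.
"""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """'example.be' -> b'\\x07example\\x02be\\x00' (uncompressed wire format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_update(zone, prereqs, msg_id=0x1234):
    """Build a DNS UPDATE (RFC 2136) carrying the given prerequisite RRs.

    prereqs: list of (name, rtype, rclass, ttl, rdata). The update and
    additional sections stay empty; the crash does not need them.
    """
    flags = OPCODE_UPDATE << 11                       # QR=0, opcode 5
    header = struct.pack("!HHHHHH", msg_id, flags,
                         1, len(prereqs), 0, 0)       # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    prereq_section = b"".join(
        encode_name(n) + struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
        for n, t, c, ttl, rd in prereqs)
    return header + zone_section + prereq_section


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def has_any_prerequisite(msg):
    """True if msg is a dynamic UPDATE whose prerequisite section holds a TYPE=ANY RR.

    That is the shape the advisory describes: the server asks
    dns_db_findrdataset() for type ANY, hits the REQUIRE() and exits.
    Malformed UPDATE messages are treated as suspicious (fail closed).
    """
    if len(msg) < 12:
        return False
    _, flags, zocount, prcount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return False                      # not an update: nothing to filter
    try:
        off = 12
        for _ in range(zocount):          # zone entries: name, type, class
            off = skip_name(msg, off) + 4
        for _ in range(prcount):          # prerequisite entries: full RRs
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_ANY:
                return True
            off += 10 + rdlen
    except (IndexError, struct.error):
        return True
    return False


# Constructed samples. The crashing shape is RFC 2136's "name is in use"
# prerequisite (section 2.4.4): TYPE=ANY, CLASS=ANY, TTL=0, empty RDATA. The
# benign one is "RRset exists, value independent" (2.4.1) on an A record.
CRASH_UPDATE = build_update("example.be", [("www.example.be", TYPE_ANY, CLASS_ANY, 0, b"")])
BENIGN_UPDATE = build_update("example.be", [("www.example.be", TYPE_A, CLASS_ANY, 0, b"")])

if __name__ == "__main__":
    print("crash-shaped update flagged:", has_any_prerequisite(CRASH_UPDATE))
    print("benign update flagged:", has_any_prerequisite(BENIGN_UPDATE))
```

    Dropping on this condition also blocks legitimate clients that use the "name is in use" prerequisite, so it is a stopgap for the days before the upgrade, not a replacement for it; the advisory is explicit that BIND's own access controls do not help, because the assertion fires before any update is accepted.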

  • skynetblogs was out and it is their fault

    We couldn't access our blogs for more than a day, and this is the fault of Skynetblogs. It is an architectural mistake and a security mishap they will have to correct next year if they still want to claim to be the biggest Belgian blogging community.

    The fundamental mistake is that they had no backup of the last working version, no fail-over, no replication or anything of the kind. The second mistake is that they don't seem to monitor their processes every few minutes (look for example at ipcheck, which is quite cheap and can monitor 5 steps of a process (login, post, change something, ...) every few minutes).

    Stop playing and fooling around. This is serious, and you should start taking it as seriously as people around here take their blogs. If you want to be professional, act professional. It is not because it is free that it should be broken.

  • we passed the half a million visitors here

    yeah half a million people came here and read maybe something

    can't imagine that

    thanx anyway

    there is a lot of stuff around here, so take your time and wander around

    I hope you found something useful

    makes my effort a bit worthwhile

  • the best security joke from Apple in years

    Let's see we have

    2. Apple is safe and you don't need antivirus because there are no viruses for Apple. Apple doesn't even need a security awareness page and campaign.

    3. You are not going to speak about security problems with Apple software, or we are going to sue you into bankruptcy (a favourite tactic to silence people and journalists).

    But number one is the latest one, which Apple uses to defend its colonising of the iPhone and keeping jailbreaking (using it on other networks than the monopolies they have created) illegal in the US. In the US you can protest against this and, for example, ask that the software that makes jailbreaking easy be made legal.

    In the public debate beforehand, the different parties and the interested parties have to publish their arguments (it gets better all the time, don't you think, fellow Europeans: a public debate with public documents in an open process).

    "Apple's filing explained that jailbreaking could allow hackers to alter the iPhone’s BBP — the “baseband processor” software, which enables a connection to cell phone towers.

    By tinkering with this code, “a local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data,” Apple wrote the government. “Taking control of the BBP software would be much the equivalent of getting inside the firewall of a corporate computer — to potentially catastrophic result."

    http://www.wired.com/threatlevel/2009/07/jailbreak

    It could also make phone calls with an iPhone totally anonymous..... Also good for terrorists and drug dealers. Maybe we should send thousands of those jailbroken iPhones to Iran.

    Which makes me wonder. The BBP software is thus the Achilles heel of the mobile network. Hack, crack or attack it and everything goes down. And as many people and businesses are totally dependent on those networks, chaos is the result. Imagine no mobile phones working.... I hope you still have a fixed line as backup. And that extra mobile towers are available if that is the case. Maybe an idea for Black Hat next week in Las Vegas. It already promises to be a very hard Black Hat, but maybe they could throw in a hack of a mobile tower, just for the fun of it. :)

    Or what Apple says is true, and then the mobile infrastructure has to be defended and reorganised with the highest urgency, or it is crap. And if it is true, be sure that you have a fixed line and that all your mobile data and contacts are also available and usable on your fixed line.

    A company that says it is secure from A to Z, and that says it is professional and only says professional things, can't say such things without any proof. And if it can prove it, it is a national emergency without precedent. If it isn't true, it should apologise and retract.

  • scrap Yahoo : only Microsoft and Google are relevant

    After refusing the 40-billion-plus from Microsoft, Yahoo has gone under, and in its frantic search for a way out that wasn't there, it has just given up and is nothing more than one (scrappy) social site among others with some salespeople. Luckily its mail service is still excellent, although becoming somewhat dated. I hope they don't mess that one up. But on search they are out and Bing is in.

    "The data on computer users' online search and buying habits would ultimately reside on Microsoft's computers, thereby improving its ability to automatically serve up the most relevant ads. "If Microsoft is running the underlying ad technology, it doesn't matter who is selling the ads," Sullivan says. "In the end, Microsoft will hold all the cards."
    http://www.businessweek.com/technology/content/jul2009/tc20090728_826397.htm

    Now the real battle, with real money and maybe real new inventions and functions, may start. Luckily for us Google is no Netscape, but you shouldn't underestimate Microsoft or neglect Google's overconfidence.

  • how we paid the speculators to become stinking rich again

    "The taxpayer is paying for the chips in the casino," the head of the German operations of an international investment bank says quite openly, but anonymously nevertheless. "It doesn't get any better." The government, he says, provided guarantees for banks like Munich's Hypo Real Estate, whose securities are now being traded on the market at a huge discount. Investment banks, for their part, have bought the securities with money they borrowed from central banks at ridiculously low rates.

    According to the anonymous bank executive, these investment banks, as well as hedge funds and major investors, expected that governments, in the wake of the Lehman Brothers bankruptcy in September, would ultimately bail out all major banks.

    Indeed, rates for bank bonds soon began rising again, and the first aggressive players in the market collected exorbitant profits. "Unfortunately, the bad bonds of the bankruptcy candidates are now sold out," says the bank executive

    http://www.spiegel.de/international/business/0,1518,638732,00.html

    Shouldn't we act on that? Shouldn't they be heavily taxed on that? Those guarantees and investments in failing banks are now the reason the welfare states don't have enough money to pay for social security and to help failing industries with real jobs.