Archive for September, 2006
2006.09.29 Daily Security Reading
by Rodney Campbell on Sep.29, 2006, under Security
I’m going to be away on holidays for the next two weeks so this may be my last blog entry for a little while – I’ll see you all when I get back 🙂
Testing for Security in the Age of Ajax Programming
Ajax programming is one of the most exciting new technologies in recent history. Ajax (Asynchronous Javascript and XML) allows a web page to refresh a small portion of its data from a web server, rather than being forced to reload and redraw the entire page as in traditional web programming.
Another zero-day exploit for MS
Business users are being encouraged to be more cautious when opening PowerPoint files following the discovery of an as yet unpatched flaw in Microsoft’s office application.
2006.09.28 Daily Security Reading
by Rodney Campbell on Sep.28, 2006, under Security
The Metasploit Project is one of the most popular penetration testing suites available. If you’re responsible for the security of networked systems, you’ll want to become familiar with Metasploit Framework, so you can test your client PCs before someone with malicious intent does it for you. I’ll walk you through an example exploit of a Windows XP system to show you how effortlessly Metasploit can penetrate remote systems.
Microsoft admits WGA failures "coming up more commonly now"
Scrolling through the posts on Microsoft’s official WGA Validation Problems forum is like reading accident reports from a multiple-car pileup on Interstate 5. Many of the victims are completely innocent and have no idea what hit them, and cleaning up the mess can be a nightmare. Even a casual reading of the posts at the WGA Validation Problems forum makes it clear that WGA has serious problems. But Microsoft refuses to share any hard data about WGA installations, making it impossible for independent observers to quantify the extent of the problems. Until now, that is.
With a Trojan horse on one compromised computer, you would be able to do whatever you wanted. That computer would be as good as your own. You would own it. Now imagine that you owned 100,000 such computers, scattered all over the world, each one running and being looked after in someone’s home, office, or school. Imagine that with just one command, you could tell all of these computers to do whatever you wanted.
Three-year-old buys pink convertible on Internet
This illustrates that although we have not worked out identity too well in the real world, much less the online world, I am fairly sure that this is one issue that may have been detected.
We’re proud to announce the official birth of http://www.freerainbowtables.com. This website is dedicated to offering free rainbow tables (based on rainbowcrack); a complete set of MD5 tables alpha-numeric – lowercase – up to 8 characters is available for free download.
2006.09.27 Daily Security Reading
by Rodney Campbell on Sep.27, 2006, under Security
Apple Security Not Yet Cause for Alarm
There’s a persistent perception that because Apple is moving to the Intel platform and now allows Macs to boot to Microsoft’s Windows, the potential for more security mischief rooted in Windows could raise a ruckus on the Mac. However, when you install Windows on a Mac via Boot Camp, all the viruses and Trojans you’d rather not encounter on Windows attack only Windows.
Hackers are intensifying their attacks on Internet Explorer users, increasing the chances that Microsoft will patch a critical flaw in the software ahead of its regularly scheduled October 10 security update. Update: Our wish has been fulfilled as Microsoft releases fast patch for IE flaw and Microsoft Security Bulletin MS06-055.
Does Your Web Browsing Create a Unique ‘Clickprint’? [pdf]
We address the question of whether humans have unique signatures – or clickprints – when they browse the Web. In this paper we present a data mining approach to answer this “unique clickprint determination problem”.
2006.09.26 Daily Security Reading
by Rodney Campbell on Sep.26, 2006, under Security
Gartner forecasts security troubles
Security software is mandatory for companies facing an Internet community of aggressive hackers and criminals. But corporations shouldn’t feel locked into deals with their security vendors, a Gartner analyst said.
Life these days has become largely dependent on passwords – whether we’re checking our emails, transferring funds or shopping online, passwords have their part to play. We’re constantly bombarded with horror stories of security breaches, fraud, and phishing sites. Users are consistently told that a strong password is essential these days to protect private data. Why is it, then, that users on websites opt for the same, consistent, insecure passwords time after time?
Browser Vulnerability Study Unkind to Firefox
A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica’s coverage: ‘In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.’ Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.
Spam trail uncovers junk empire
An investigation into a seemingly routine series of spam messages has revealed how sophisticated the business of online crime has become.
2006.09.25 Daily Security Reading
by Rodney Campbell on Sep.25, 2006, under Security
Well after being away at a Crossbeam and Checkpoint VSX training course all last week I’m back and trying to catch up on my security reading 🙂
Wireless Penetration Testing with OS X
When people think of attacking wireless networks, Linux is the first operating system that comes to mind. Although there are great tools and resources available for Linux, there are also several outstanding auditing tools available for the OS X wireless hacker. To perform a penetration test on a wireless network, you need first to find your target network. One good tool for discovering and attacking wireless networks is KisMAC.
Seven tips for optimizing shell script security
The shell script is ubiquitous on Linux hosts. Administrators use shell scripts to run backups, purge /tmp directories, monitor processes and create users, just to name a few tasks. Some applications are written in shell script also, and some users rely on shell scripts for installation or integration purposes.
Gartner highlights five high impact IT security risks
Gartner has advised businesses to plan for five increasingly prevalent cyber-threats that have the potential to inflict significant damage on organisations during the next two years. They are: targeted threats, identity theft, spyware, social engineering and viruses.
Zero-Day Response Team Launches with Emergency IE Patch
A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for
Bypassing Network Access Control Systems
This whitepaper examines the different strategies used to provide network access controls. The flaws associated with the different network access control (NAC) solutions are also presented. These flaws allow the complete bypass of each and every NAC mechanism currently offered on the market.
Metasploit 3.0 Automated Exploitation
Bank machine reprogramming made easy
OK, so we have all heard of the ATM giving money away in VB. This article gives a bit more info; a WAVY video and a link to a blog with additional info; ATMs have passwords to access diagnostics (OK…), which, if not specially requested to be changed by buyers, are set to defaults which are found in the manual and More Vulnerable ATM Models Discovered and an ATM hack roundup.
Network Security: Be Afraid, Be Very Afraid
There’s a lot to be afraid of in the world of network security threats. That was the general consensus of a diverse panel at Interop that included vendors, an analyst and an enterprise user. Guarding against viruses? It’s like giving vaccine to a corpse.