Planet Security - http://planetsecurity.bacarospo.net/ Tue, 13 May 2008 01:18:16 +0200 Black Hat USA 2008 is still months away, but some of the presentation topics are already beginning to make news. Sherri Sparks and Shawn Embleton are scheduled to demonstrate a new type of rootkit that hides itself in System Management Mode, currently out of reach of the AV products.
The presentation is already sparking interest in places like Slashdot and PC World. To read their abstract go to the Black Hat USA 2008 Speakers Page. Tue, 13 May 2008 00:58:26 +0200 Last week, Adobe released security updates that should be deployed as a part of your normal patch procedures. The updates available at Adobe.com address vulnerabilities which could cause Adobe Reader or Acrobat applications to crash or even allow an attacker to take control of the affected system. More details about this set of updates are available at http://www.adobe.com/support/security/bulletins/apsb08-13.html.
I recommend that this update be added into the mix of testing and deployment along with the Windows Updates to be released on Tuesday. Mac OS X users should also update to either Acrobat 7.1.0 or version 8.1.2 at the earliest convenience. Tue, 13 May 2008 00:24:32 +0200 Greetings everyone. Just a bit of a reminder that many colleges and universities are done for the spring semester, and the K12s are right around the corner. As most of you already realize, this means that a number of very intelligent kids and young adults are soon to have far more free time on their hands (and less adult supervision during the normal working hours for their parents). So I expect that there will be a bit of an increase of attacks and other general noise from outside of corporate or campus networks, as we have observed in prior years.
In that frame of mind, there has been a significant amount of brute force scanning reported by some of our readers and on other mailing lists. And there does appear to be a bit of a spike reflected in the port 22/tcp sources in the past week in the DShield data. Jim Owens and Jeanna Matthews of Clarkson University released a paper at the USENIX LEET '08 conference which investigates current methods and dictionaries used by attackers of SSH in the past several months. The paper shows some evaluations of common techniques used to defend against brute force attacks that are worth reading to some. From the most recent reports I have seen, the attackers have been using low and slow style attacks to avoid locking out accounts and/or being detected by IDS/IPS systems. Some attackers seem to be using botnets to do a distributed style attack which also is not likely to exceed thresholds common on the network. So be warned that there does appear to be a bit more activity involving SSH and weak or otherwise guessable passwords. This would be a great time to do some investigation on your local network to see what servers have SSH open to the world on the default port, and may need to have their security posture reassessed. You might want to try using a few of the techniques discussed in the paper by Owens and Matthews, such as:

- Use the host based security tools DenyHosts, fail2ban, or BlockHosts in conjunction with TCP Wrappers to block access to servers across your organization.
- Disable direct access to the root account.
- Avoid using easily guessed user names such as only a first name or a last name. (Side Note: Academia will need to look into the age old policy of publishing an online directory of account holders before this one will have much of an effect.)
- Enforce strong passwords or use public key authentication in place of passwords (multi-factor or public key is the preferred method, especially for systems which contain sensitive data).
- Generally reduce the number of publicly accessible services through iptables or similar host based security measures in addition to network firewalls (think defense in depth).

You might note that there is one defense technique that was not even mentioned in the paper, or was not recommended by me. That technique is to lock accounts after X number of failed login attempts. As I work in a similar environment as the authors, I can tell you that this technique has numerous issues when working with academia. First and foremost, the potential for creating a denial of service issue must be weighed against the potential of attackers guessing the right password before IT Security notices. The likelihood of having a student take out their frustration for a non-IT related issue on a professor or an ex-boyfriend or girlfriend is actually very significant. Additionally, having a single sign-on infrastructure used from web applications, Unix based apps and interfaces, and Windows based services means you have to do significant synchronization of information to make this technique effective against distributed and/or slow attacks. Your mileage for using this technique may vary and could be more valid in your environment. Thanks to all of the readers who have already sent in their observations to us today. :-)

Tue, 13 May 2008 00:16:10 +0200 Via PRNewswire.com.
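The low and slow and distributed patterns the SSH diary above describes are exactly what a per-source failure threshold misses. The following added example is not part of the diary or of any tool it names: it parses constructed sshd "Failed password" lines and contrasts a fail2ban-style per-source sliding-window rule with a long-window, whole-host view. The thresholds, the sample log and the year assumed for the syslog timestamps are all assumptions.

```python
"""Contrast a per-source burst rule with long-window SSH failure analysis.

Added example, not from the ISC diary above. Syslog lines carry no year;
LOG_YEAR is assumed. All log lines below are constructed sample data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common OpenSSH failure message; the 'invalid user' prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
LOG_YEAR = 2008  # assumed; syslog timestamps omit the year


def parse_failed_logins(lines):
    """Return a time-sorted list of (timestamp, user, source_ip)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def burst_sources(events, window=timedelta(minutes=10), threshold=5):
    """Per-source sliding-window rule of the kind fail2ban applies through
    its findtime/maxretry settings (values here are assumed): flag a source
    with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def slow_and_distributed(events, window=timedelta(hours=3),
                         per_source_min=8, total_min=20, distinct_ips_min=5):
    """Whole-host view over a long window.

    'slow_sources' are IPs that accumulate many failures at a rate too low
    to trip the burst rule; 'distributed' is set when the host sees many
    failures from many sources, the shape of a botnet guessing campaign.
    """
    if not events:
        return {"slow_sources": set(), "distributed": False, "users_tried": 0}
    cutoff = events[-1][0] - window
    recent = [e for e in events if e[0] >= cutoff]
    per_ip = Counter(ip for _, _, ip in recent)
    return {
        "slow_sources": {ip for ip, n in per_ip.items() if n >= per_source_min},
        "distributed": len(recent) >= total_min and len(per_ip) >= distinct_ips_min,
        "users_tried": len({user for _, user, _ in recent}),
    }


def sample_log():
    """Constructed auth.log excerpt: one low-and-slow source, eight bot IPs,
    and one legitimate user who mistypes a password once."""
    base = datetime(LOG_YEAR, 5, 12, 18, 0, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    # 198.51.100.7 tries one password every 10 minutes for two hours.
    for i in range(12):
        t = (base + timedelta(minutes=10 * i)).strftime(fmt)
        lines.append(f"{t} shell sshd[2101]: Failed password for root "
                     f"from 198.51.100.7 port 4{i:04d} ssh2")
    # Eight distinct bots, two guesses each, spread over roughly an hour.
    for j in range(8):
        for k in range(2):
            t = (base + timedelta(minutes=7 * j + 30 * k)).strftime(fmt)
            lines.append(f"{t} shell sshd[3{j}{k}0]: Failed password for "
                         f"invalid user test{k} from 203.0.113.{j + 1} "
                         f"port 5{j}{k}00 ssh2")
    t = (base + timedelta(minutes=5)).strftime(fmt)
    lines.append(f"{t} shell sshd[2300]: Failed password for alice "
                 f"from 192.0.2.10 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    ev = parse_failed_logins(sample_log())
    print("burst rule flags:", burst_sources(ev) or "nothing")
    print("long-window view:", slow_and_distributed(ev))
```

Run against the sample, the burst rule flags nothing while the long-window view reports the slow source and a distributed campaign, which is the gap the diary warns about.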
Three defendants have been charged in a federal grand jury indictment and complaint with illegally accessing the computer systems of a national restaurant chain and stealing credit and debit card numbers from that system, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the Eastern District of New York Benton J. Campbell announced today. More here. Hat-tip: Pogo Was Right UPDATE: 15:15 PDT: Additional details via Threat Level here. -ferg Tue, 13 May 2008 00:15:12 +0200 Hi Everyone,
I'm Marisa and I am the new product manager for Errata's ProtoDev line of products. If you have feature requests for Ferret/Hamster, LookingGlass, or AxBan you can contact me at marisa@erratasec.com. I'll also be contributing to the blog from time to time about the latest ProtoDev news and updates. It's really great to be a part of the Errata team, and I look forward to hearing from you all! -marisa Mon, 12 May 2008 23:33:14 +0200 The Wall Street Journal, Shape of Things to Come: "On Jan. 8, the U.S. Patent and Trademark Office granted Apple Inc. a trademark for the three-dimensional shape of its iPod media player. This was more than a recognition of an innovative product design. It also was Apple's capping piece in a multiyear marketing and legal campaign that pushed intellectual-property rights to new competitive advantage for the company."
Mon, 12 May 2008 23:32:19 +0200 Eye-Fi today announced that its new 2GB Eye-Fi Explore ($129) includes unlimited Wi-Fi-based geotagging compliments of Skyhook Wireless and one year of free hotspot access at Wayport locations.
Mon, 12 May 2008 23:26:30 +0200
Zipit gives away text messaging for a year, changes prices, options: The Zipit Wireless Messenger 2 (Z2) was introduced in Dec. 2007 with a number of interesting features for a messaging appliance targeted at teens--and their fretting parents. With no Web portal, the $150 device included unlimited Wi-Fi on Wayport's McDonald's network (now nearly 10,000 locations), and support for popular IM clients. It also included SMS with major cell carriers, charging $5 per month for 1,500 incoming and 1,500 outgoing messages. Uptake must have been poor, as the manufacturer announced today that purchases until 31-July-2008 would include a year of free text messages. The company also modified its plan without noting that fact, increasing messages to a "reasonable personal usage" of 5,000 incoming and 5,000 outgoing messages per month. There are no overage charges. The service will now cost $30 per year instead of $5 per month for new purchasers starting 1-August-2008. That's a 50-percent price reduction (over $5 times 12), but it's often much cheaper to bill annually in advance.

Wi-Fi Alliance cited in WSJ as model for multipartner alliance: An interesting analysis in the Wall Street Journal's Business Insight section points to the Wi-Fi Alliance's standards-based, no-company-on-top approach as one that led it to win out through both technology and organization over other standards that might have taken precedence. I've been stunned over the years how a group that has a board comprised of the most powerful and competitive interests in this market segment, and which has hundreds of much smaller members, has managed to keep alive the notion of interoperability for the greater good of the industry and customers. 802.11n's long delay certainly threatened harmony--especially with some ugly proprietary slap-ons to 802.11g--but the alliance continues to keep the technology in equilibrium, while still allowing individual companies to differentiate their products with little difficulty.
Copyright ©2008 Glenn Fleishman. All rights reserved. Please notify us if you find this content anywhere but at wifinetnews.com or wimaxnetnews.com. Reproduction of full articles from RSS feeds is prohibited without permission.
Mon, 12 May 2008 22:34:37 +0200 Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Mon, 12 May 2008 22:06:23 +0200 Via Reuters.
Hackers attacked the website of Zimbabwe's state-owned Herald newspaper and shut it down for three days, the newspaper said on Monday. More here. Note: It appears to be back online at this time. -ferg Mon, 12 May 2008 21:56:52 +0200 Leo King writes on Computerworld UK:
British Gas has served a writ on Accenture for £182 million, over a billing system which it said had “fundamental errors”. More here. Mon, 12 May 2008 21:47:37 +0200 Col. Charles W. Williamson III writes on Armed Forces Journal:
As much as some think the information age is revolutionary, local networks and the Internet are conceptually similar to the ancient model of roads and towns: Things are produced in one place and moved to another place where they have more value. The road-and-town model works well between cooperating states, but states also compete, and when they do, they sometimes have to defend themselves from attack. In today’s Internet, network “towns” are “fortified” with firewalls, gateways, passwords, port blocking, intrusion detection devices and law enforcement. More here. Note: I love Kevin Poulsen's commentary on this issue over at Threat Level. -ferg Mon, 12 May 2008 21:41:00 +0200 The Novell eDirectory eMBox utility is vulnerable to unauthenticated attacks. Successful exploitation of this vulnerability could result in DoS or access to local files.
Mon, 12 May 2008 21:38:00 +0200 Call of Duty 4 (CoD4) is "the most recent and played game of the homonym series created by Infinity Ward with over 15000 internet servers". A vulnerability in the CoD4 game allows remote attackers to cause the game to crash by sending it malformed data.
Mon, 12 May 2008 21:33:23 +0200 [security bulletin] HPSBUX02334 SSRT071403 rev.1 - HP-UX Running ftp, Remote Denial of Service (DoS)
Mon, 12 May 2008 21:33:00 +0200 A vulnerability in Novell's eDirectory allows Connection: HTTP headers to be used to cause dhost.exe to consume 100% of a CPU. Multiple requests submitted can consume time on all CPUs.
Mon, 12 May 2008 21:32:13 +0200 Reuters - Three people have been charged with stealing credit and debit card numbers from customers at U.S. restaurant chain Dave & Buster's Inc by hacking into cash register terminals, the Department of Justice said on Monday.
Mon, 12 May 2008 21:31:52 +0200 Wayport expands into Trump properties; Tritton releases new Bluetooth car kit "smaller than a dollar"; Motorola tests WiMAX in Thailand; Cisco sponsors Webcast on "21st Century Learning Environments."
Mon, 12 May 2008 21:17:24 +0200 Scammers want your IRS refund checks and have devised at least one phishing scheme to get it, according to the FBI.
Mon, 12 May 2008 20:40:38 +0200 Hiding under the radar
Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems.…
Mon, 12 May 2008 20:32:40 +0200 Market leader, Cisco, has reached a major milestone: it has shipped its five millionth Aironet AP, which began shipping in 2000. AP #5,000,000 had the distinction of being part of the prestigious Mayo Clinic’s WLAN.
Mon, 12 May 2008 20:30:00 +0200 XBMC (formerly Xbox Media Center) has always been a popular choice for retiring an original Xbox. Maybe people install it for lack of something better to do or maybe it's the pride in having better media support than the 360. The XBMC team has found another device that has a pretty weak television experience, the Mac. Lifehacker took the latest XBMC for OSX beta build for a run now that it supports remote controls. It seems much more functional than Apple's built in Front Row. There are a few things that don't quite work yet, which you can find in the FAQ. We're definitely going to try this on our old Mac mini... once we upgrade it to Leopard, which is an unfortunate caveat that might prevent people from running XBMC on legacy hardware. There is no Apple TV support planned because of limited horsepower and the hacking hurdles that might be required. If you're interested in repurposing your old Xbox with XBMC, check out Lifehacker's install guide. Mon, 12 May 2008 20:07:36 +0200 A different kind of insurgency
Malware infected bootleg DVDs bought from Iraqi souks are causing US troops all sorts of problems.…
Mon, 12 May 2008 20:04:00 +0200 Two critical vulnerabilities exist in the JavaScript API of Adobe Acrobat Professional 7. A remote attacker who successfully exploits these vulnerabilities can execute restricted functions and arbitrary code on the affected system.
Mon, 12 May 2008 19:45:42 +0200 Last Friday, the New York Times published an article about counterfeit Cisco products that have been sold as if they were genuine and are widely used throughout the U.S. government. The article also raised the concern that these counterfeits could well be engineered with malicious intent, but that this appears not to have been the case. There was an immediate Slashdot thread as well, but a number of issues are still worth commenting on. First things first: the facts, as best we understand them. The New York Times reports that approximately 3500 counterfeit Cisco components (worth $3.5M) have been discovered as a result of a two-year FBI investigation. A Cisco spokesman is quoted saying that they found “no evidence of re-engineering.” In other words, we’re talking about faithful knock-offs of legitimate products. If you go to the FBI’s unclassified PowerPoint presentation (dated January 11, 2008), you’ll see all the actual information. This is a fascinating read. For starters, let’s talk about the cost. The slides claim you can get a counterfeit router for approximately 1/6 the cost of a genuine router. (You can do similarly well buying used gear on eBay.) The counterfeit gear looks an awful lot like the genuine article. Detecting differences here is as difficult as detecting counterfeit money, counterfeit Rolex watches, or counterfeit signatures from sports stars. Given the apparent discrepancy between component cost and street value, we should be no more surprised to find knock-off Cisco gear than we are to find knock-off everything else. It’s claimed that these counterfeits are built to lower manufacturing standards than the original equipment, causing higher failure rates. One even caught fire due to a faulty power supply. Likewise, the fakers are making stupid errors, like building multiple components with the same MAC address. (MAC addresses, by design, are meant to be unique — no two ever the same.) 
The really interesting story is all about the supply chain. Consider how you might buy yourself a new Mac. You could go to your local Apple store. Or you could get it from any of a variety of other stores, who in turn may have gotten it from Apple directly or may have gone through a distributor. Apparently, for Cisco gear, it’s much more complicated than that. The U.S. government buys from “approved” vendors, who might then buy from multiple tiers of sub-contractors. In one case, one person bought shady gear from eBay and resold it to the government, moving a total of $1M in gear before he was caught. In a more complicated case, Lockheed Martin won a bid for a U.S. Navy project. They contracted with an unauthorized Cisco reseller who in turn contracted with somebody else, who used a sub-contractor, who then directly shipped the counterfeit gear to the Navy. (The slides say that $250K worth of counterfeit gear was sold; duplicate serial numbers were discovered.) Why is this happening? The Government wants to save money, so they look for contractors who can give them the best price, and their contracts allow for subcontracts, direct third-party shipping, and so forth. There is no serious vetting of this supply chain by either Cisco or the government. Apparently, Cisco doesn’t do direct sales except for high-end, specialized gear. You’d think Cisco would follow the lead of the airline industry, among others, and cut out the distributors to keep the profit for themselves. Okay, on to the speculation. Both the New York Times and the FBI presentation concern themselves with Trojan Horses. Even though there’s no evidence that any of this counterfeit gear was actually malicious, the weak controls in the supply chain make it awfully easy for such compromised gear to be sold into sensitive parts of the government, raising all the obvious concerns. Consider a recent paper by U. Illinois’s Sam King et al. where they built a “malicious processor”. The idea is pretty clever. 
You send along a “secret knock” (e.g., a network packet with a particular header) which triggers a sensor that enables “shadow code” to start running alongside the real operating system. The Illinois team built shadow code that compromised the Linux login program, adding a backdoor password. After the backdoor was tripped, it would disable the shadow code, thus going back to “normal” operation. The military is awfully worried about this sort of threat, as well they should be. For that matter, so are voting machine critics. It’s awfully easy for “stealth” malicious behavior to exist in legitimate systems, regardless of how carefully you might analyze or test it. Ken Thompson’s classic paper, Reflections on Trusting Trust, shows how he designed a clever Trojan Horse for Unix. [Edit: it's unclear that it ever got released into the wild.] Okay everybody, let’s put on our evil hats. If your goal was to get a Trojan Horse router into a sensitive military environment, how would you do it and how would it behave? Clearly, the weak supply chain is an excellent vector for getting the gear into place. Given the resources of a nation-state intelligence agency, you could afford to buy genuine Cisco parts and modify them, rather than using low-cost, counterfeit gear. Nobody would detect you; you wouldn’t screw up and ship multiple boxes with the same serial number. How will you implement your Trojan Horse logic? Pretty much any gear you’ll ever find of any modest complexity will have software running inside it. Even line cards have embedded processors of some sort. For all that hardware, there’s software, and that’s what you’d go to install your logic bomb. 
The increasing use of FPGAs in industrial designs means you could also “rewire” those parts to behave arbitrarily, much like the Illinois hack; you’d really want to get a hold of the original VHDL “source code”, leveraging your aforementioned spying prowess, to simplify the design and implementation of your malicious behavior. Hacking the raw netlists (the FPGA-equivalent of machine code) would be possible, but would be far more painful. [See Sidebar.] What sort of behavior would you build in? The New York Times raises the idea of a kill switch. I send your router a magic packet and it dies. That’s too easy. How about I send your router a magic packet, it then forwards it on to all of its peers, repeatedly, and then they all die a few seconds later? That’s a pretty good denial of service attack (never mind a plot device that was the basis of a popular science fiction television series). Alternatively, following the Illinois idea, we could imagine that the magic packet turns on a monitoring feature, allowing our intelligence agency to gather all kinds of information, reconfigure the router, and so forth. If they don’t want to generate extra traffic, which might be detected, they could instead weaken the encryption of a VPN tunnel, perhaps publishing the session key through a subliminal channel of some sort, acquiring the ciphertext through “other” means. In summary, it’s probably a good thing, from the perspective of the U.S. military, to discover that their supply chain is allowing counterfeit gear into production. This will help them clean up the supply chain, and will also provide an extra push to consider just how much they trust the sources of their equipment to ship clean software and hardware. [Sidebar: Xilinx supports a notion of "encrypting" a netlist. Broadly speaking, the idea behind the technology is to encrypt the description of your FPGA configuration with a crypto key, such that anybody who reads the file out of your board gets encrypted garbage.
However, the FPGA has the key material to decrypt the configuration and then initialize itself normally. This sort of technology is meant to serve an anti-piracy / anti-reverse-engineering purpose. It could ostensibly also serve an anti-Trojan Horse purpose, although at that point it's really no more or less secure, semantically, than Microsoft's Authenticode. This technology, more broadly, is also an active research area (see, for example, Roy et al.'s EPIC: Ending Piracy of Integrated Circuits). Again, if we've got a nation-state intelligence service tampering with the system, none of this is going to provide meaningful protection for the end-user against Trojan Horses.] Mon, 12 May 2008 19:45:07 +0200 Dear me. Just because I recently talked about Windows XP SP3's virtues and vices, some people seem to think I've turned away from my beloved Linux systems. Nope, I'm still a rock-solid Linux desktop user. Mon, 12 May 2008 19:41:16 +0200 Via TopNews.in.
A government investigation was underway Friday after it was revealed that confidential files from the Immigration Department had been mistakenly leaked on to the internet. More here. Hat-tip: InfoSec News Mon, 12 May 2008 19:35:48 +0200 Not sure exactly how I missed this, but... Mimi Hall writes on USA Today: Nobel Peace Prize winner and international symbol of freedom Nelson Mandela is flagged on U.S. terrorist watch lists and needs special permission to visit the USA. Secretary of State Condoleezza Rice calls the situation "embarrassing," and some members of Congress vow to fix it. More here. Mon, 12 May 2008 19:33:53 +0200 [SECURITY] [DSA 1574-1] New icedove packages fix several vulnerabilities
Mon, 12 May 2008 19:28:09 +0200 While reading through some of the code of System.IdentityModel, I noticed that there is some diagnostics tracing going on. Just add a trace listener for the source 'System.IdentityModel' to your config file. HTH Mon, 12 May 2008 18:58:31 +0200 This interesting story comes from COL. CHARLES W. WILLIAMSON III in the Armed Forces Journal. The only real question is when this will go live, and if they use other than military computers, how would you feel about hosting a military botnet on your links?
Mon, 12 May 2008 18:47:57 +0200 Vulnerability Summary for the Week of May 5, 2008
Mon, 12 May 2008 18:33:59 +0200 [ GLSA 200805-10 ] Pngcrush: User-assisted execution of arbitrary code
Mon, 12 May 2008 18:33:59 +0200 Joomla Component xsstream-dm 0.01 Beta SQL Injection
Mon, 12 May 2008 18:33:59 +0200 [SECURITY] [DSA 1573-1] New php5 packages fix several vulnerabilities
Mon, 12 May 2008 18:23:40 +0200 To construct the interfaces, such as interfaces between technologies and interfaces between architectural layers and make them available in the Production Laboratory . The purpose of these infrastruct...
Mon, 12 May 2008 18:20:07 +0200 What is the future of spamming next to managed spamming appliances, like the ones already offered for use on demand? It’s targeted spamming going beyond the segmentation of the already harvested...
Mon, 12 May 2008 18:13:11 +0200
I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, "Shifting focus: Aligning security with risk management." I liked the opener, about what it's like for executives to talk to security professionals, and the difference between what might happen and what's likely to happen. The screenshot is from a discussion of how to play Russian Roulette. I also like the way he critiqued best practices (you'll have to watch). It's a little hard for me to assess his risk management methodology from a podcast, but it's a very worthwhile 45 minutes.
(Now only if he had some Kandinsky in there, I'd have no doubt that the Risk Management Insight Mon, 12 May 2008 17:34:02 +0200 [SECURITY] [DSA 1573-1] New rdesktop packages fix several vulnerabilities
Mon, 12 May 2008 17:34:02 +0200 [ GLSA 200805-09 ] MoinMoin: Privilege escalation
Mon, 12 May 2008 17:34:02 +0200 [ MDVSA-2008:100 ] - Updated perl packages fix denial of service vulnerability
Mon, 12 May 2008 17:34:02 +0200 Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Mon, 12 May 2008 17:13:18 +0200 We now have vulnerability descriptions available from www.f-secure.com/vulnerabilities.
Here's an example of one: First discovered on March 26th, Mozilla Thunderbird reported cross-site scripting and security bypass vulnerabilities which can be exploited by remote attackers. Mozilla recently (May 1st) released version 2.0.0.14 to mitigate these vulnerabilities. For more information, read Security Advisory SA29548. You can use Health Check to determine if you have vulnerable software installed. And you can update to the latest version of Mozilla Thunderbird from here. On 12/05/08 At 11:40 AM Mon, 12 May 2008 17:04:52 +0200 Hackers now have their own social network, backed by GnuCitizen, a high-profile "ethical hacking" group.
Mon, 12 May 2008 17:03:20 +0200 For those reading through PlanetPostgreSQL RSS feed: the current Planet code has a bug which prevents ITToolBox blogs from feeding correctly. The bug has been reported.
Mon, 12 May 2008 17:03:17 +0200 Mildly interesting (albeit fairly basic) 10-minute presentation by Matt Cutts of Google on blackhat SEO, splogging, etc. (If you're having trouble seeing the embedded image, the direct link is here.)More here at Matt’s blog. Alex Eckelberry Mon, 12 May 2008 16:39:00 +0200 I’ve ranted before about how insecure web browsers are, because they trust themselves, their libraries and user-added plug-ins too much. At a very high level, they have responsibilities that can be likened to those of operating systems, because they run potentially dangerous code from different sources (users vs web sites) and need to do [...]
Mon, 12 May 2008 16:24:42 +0200 oCERT takes shape, but not every big open source vendor is directly involved.
Mon, 12 May 2008 16:24:42 +0200 Hole in the Jet database considered the most severe, since it affects so many Microsoft and third-party apps.
Mon, 12 May 2008 16:11:52 +0200 To prepare a plan that includes the information needed to achieve the objective of training customer staff who will use or support the system. The plan defines the scope, types of training, approach,...
Mon, 12 May 2008 16:00:11 +0200 I thought everyone would enjoy this mini-case from reader CK. I'm a huge fan of the work that my readers do - so continue to email details of your endeavors to chiefmonkey AT gmail.com. It just might get posted here! “So much for curbing my addiction.” I thought as I trashed my second empty can of Starbucks Doubleshot Espresso. My brain had been Mon, 12 May 2008 15:32:59 +0200 The final in a three part series about reducing the Linux bloat.
Mon, 12 May 2008 15:30:42 +0200 Despite new instructions forbidding insecure data transmission, staff at the Department for Work and Pensions still appear to be sending passwords with encrypted data.
Mon, 12 May 2008 15:30:02 +0200 A vulnerability in Solaris could let an attacker execute arbitrary code or perform a denial of service. Users are advised to update immediately.
Mon, 12 May 2008 15:25:15 +0200 Gentoo has acknowledged some vulnerabilities within the ltsp package, which can be exploited by malicious, local users to disclose potentially sensitive information, cause a DoS (Denial of Service), and gain escalated privileges, and by malicious people to cause a DoS or compromise a vulnerable system.
Be sure to check if your system is missing security updates or have insecure applications installed: http://secunia.com/software_inspector/ Feature Overview - The Secunia Software Inspector: * Detects insecure versions of applications installed * Verifies that all Microsoft patches are applied * Assists you in updating your system and applications * Runs through your browser. No installation or download is required. Mon, 12 May 2008 15:05:22 +0200 If you answered "Yes", you already know what I'm going to blog about today and hopefully you're also already following me on Twitter. However, if you are part of the vast majority that don't know about Twitter (or maybe would rather not know about Twitter, or maybe have just had it with people trying to get you into social computing), you may
Mon, 12 May 2008 15:04:06 +0200 I told you it was insecure: A hacker with a point to prove posted personal details on 6m Chileans on the internet after lifting the information from government websites.…