Archive for August, 2006

Apple patches AirPort holes

August 31st, 2006

On September 21, Apple released two security patches that protect essentially every Mac that uses AirPort against malformed frames passed over 802.11b networks. That’s the vulnerability I wrote about last month, which may or may not have been a real threat to Mac users.

“So,” you say. “The problem’s been fixed, Wes. You usually put stuff like that in those inane little bullet-point links at the end of your column.”

I’m guilty as charged, readers. But this one was no ordinary security patch. Just as Apple was launching a brand-new ad campaign lauding the comparative security of its computers relative to its competitor product—Microsoft Windows—two security researchers claimed that a massive vulnerability in the AirPort drivers for OS X could lead to a root exploit—without the user even registering on a network. Rather than recap extensively here, I will point you again to my previous column, because I tried hard to be comprehensive. Better still is John Gruber’s summary.

What’s interesting is the fallout from all of this: did Apple patch this vulnerability—which sounds a lot like the one Jon Ellch and David Maynor described in August—in response to the demonstration, and did the demonstration show a vulnerability or was it staged?

First things first, I should note that Apple is claiming, unequivocally, that they found this vulnerability in-house. That jibes with what Glenn Fleishman and Jim Thompson, et al., said about the potential route of attack that this could have taken—in other words, as I read it, it’s possible that this demonstration was staged but happened to correspond closely enough with a possible exploit that Apple discovered and patched. Apple spokesman Anuj Nayar told Brian Krebs, the (rightly or wrongly) maligned Washington Post security columnist, just that:

[T]he company is not aware of any exploit code available to attack these flaws, and… SecureWorks to this day has not shared a working demonstration of how to exploit them.

“Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affec tthe (sic) wireless drivers on Macs, but they didn’t supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws.”

Computer security Systems

A Collection of Rootkit Removal Tools

August 31st, 2006

“IN FOCUS: Rootkit Removal Tools
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about.
The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.
Of the tools listed, I’ve used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I’m familiar with and trust to some extent or other.
A few of the tools [...]

Original post by info@liveammo.com (http://www.liveammo.com) and software by Elliott Back

Computer security Systems

It’s all about Promotion

August 31st, 2006

Remember the 4 Ps in marketing? Product, Price, Place and Promotion?
Well, successful vendors in the online crime community certainly remember their Ps. And when I say “vendors”, mind you, I’m not referring to security companies. I’m talking about those fraudsters who offer stolen credentials for sale, or “cash out” services, or the latest tools of the trade. “Vendors” is how the online crime community refers to these cornerstones of any healthy online fraud forum.
These vendors provide valuable Products, use a Price scheme [or revenue share] determined by market forces, and know the Place for doing business…

Original post by blog@rsa.com (Uri Rivner) and a wordpress plugin by Elliott

Computer security Systems

VMware Forensics Using Live View

August 29th, 2006

“Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to ‘boot up’ the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra ‘throw away’ copies of the disk or image to create the virtual machine.
Live View is capable of booting
* Full disk raw images

* Bootable partition raw images

* Physical Disks (attached via a USB or Firewire bridge)
Containing the following operating systems
[...]

Original post by info@liveammo.com (http://www.liveammo.com) and software by Elliott Back

Computer security Systems

Speaking of Security Podcast #28

August 28th, 2006

Click here to listen/download (09:56).
Burt Kaliski, chief scientist, RSA Labs, shares highlights from last week’s CRYPTO 2006 and the hash function workshop. We also speak with Rudy Wolfs, chief information officer, ING DIRECT, about a new login process for his company’s online banking customers.
Related Links:

CRYPTO 2006 Conference
ING DIRECT Introduces a New Login Process (Press Release)
CRYPTO 2006 / hash function workshop (Speaking of Security Blog Entry)

Original post by blog@rsa.com (Podcast Producers) and software by Elliott

Computer security Systems

CRYPTO 2006 / hash function workshop

August 28th, 2006

CRYPTO 2006, the 26th annual cryptology conference, was held in Santa Barbara last week. Several results particularly caught the attention of RSA Laboratories’ researchers, including a few that I’ll summarize within the space (and time) available for a brief note:
Elad Barkan, Eli Biham, and Adi Shamir, in their paper “Rigorous Bounds on Cryptanalytic Time/Memory Tradeoffs,” showed that the classical tradeoff due to Martin Hellman from 1980 is just about optimal. These tradeoffs received renewed interest due to the rainbow table approach to recovering a password P, given its hash value H(P).
A brute-force attack tries all likely passwords to see if any has the correct hash…

Original post by blog@rsa.com (Burt Kaliski) and a wordpress plugin by Elliott

Computer security Systems

The Pursuit of Excellence

August 28th, 2006

Scientific progress stands on the shoulders of researchers throughout the world, and cryptography in particular draws from a multi-national community of experts. My colleague Moti Yung, the newest full-time member of RSA Laboratories, is in a unique position to contribute his expertise to one such multi-national effort as an advisor to the European Network of Excellence for Cryptology (ECRYPT).
A four-year project funded within the Information Society Technologies (IST) priority of the European Commission’s Sixth Framework Programme (FP6), ECRYPT was launched on February 1, 2004. Its stated objective is “to intensify the collaboration of European researchers in information security,” particularly in cryptology and digital watermarking…

Original post by blog@rsa.com (Burt Kaliski) and software by Elliott

Computer security Systems

Speaking of Security Podcast #27

August 22nd, 2006

Click here to listen/download (09:10).
We continue our summer series on building the business case for security within your organization – RSA Security’s Brian Breton returns with more tips and ideas. You’ll also find an update on technology dos and don’ts in the aftermath of the recently heightened airline security – RSA Security has received numerous calls asking whether two-factor authentication technology will be confiscated at airport security checkpoints.
Related Links:

podcast@rsasecurity.com (Submit your thoughts and stories about the “business of security”)
Transportation Security Administration

Original post by blog@rsa.com (Podcast Producers) and software by Elliott Back

Computer security Systems

Podcast: Digital Forensics and Hacking Investigations, Part 4

August 19th, 2006

In Part 4 of this series, we discuss:
* network forensics and misuse investigations;
* different types of devices that may hold suspect data or evidence;
* introduction to the 7-layer OSI model;
* network forensics and the role of sniffers and protocol analysis software;
* the function of network interface cards and layer-2 content inspection;
* overview of how a NIC works;
* overview of how a sniffer works;
* introduction to promiscuous mode;
* the 4 ways to capture traffic for network forensics;
* introduction to spanning and mirroring switch ports;
* introduction to buffered and unbuffered network taps;
* layer-2 transparent bridging concepts;
* 8-track hubs and building a receive-only ethernet cable;
* reasons why ARP cache poisoning shouldn’t be used for network forensics;
* defeating name resolution-based promiscuous mode detection;
* defeating specially crafted ARP and malformed multicast-based promiscuous mode detection;
* default snaplengths and configuring a sniffer for full packet capture;
* introduction to tcpdump and windump;
* issues with Win32-derived packet capture libraries;
* introduction to the Network Toolkit from CACE Technologies;
* and more.
This LiveAmmo Podcast is in .mp3 format, 00:36:15 in duration, and a 17.4 MB download.
Copy and paste our Podcast feed URL into your Podcasting client to subscribe:
http://feeds.feedburner.com/LiveAmmoRadio
For past episodes, visit the LiveAmmo Podcast Archives.
New to Podcasting? Download a free software client today and tune in on your MP3 player or PC:
* Apple iTunes (Windows or Mac)
* Doppler (Windows, Windows PocketPC, Windows Mobile)
* Juice (Windows, Mac, FreeBSD, and Linux)

Read more at info@liveammo.com (http://www.liveammo.com)

Computer security Systems

Automated binary analysis woes

August 16th, 2006

If you have used IDA Pro for a while, you might have noticed that it contents itself with simple things. It neatly displays the disassembly listing and lets you improve that listing by adding names and comments. You can manually define your own symbols, types and functions. IDA itself can add some types and discover some program properties, but overall the analyses it performs appear to be rather modest.

Original post by Security Wonk and a wordpress plugin by Elliott

Decompilation

Speaking of Security Podcast #26

August 14th, 2006

Click here to listen/download (08:41).
We look at how more corporate organizations are deploying virtual private networks (VPNs) – and at the need for strong authentication to protect VPN-based access – with guest speakers from Hudson Advisors, L.L.C. We also continue our series on selling the need for security within the corporate enterprise: the director of security for RSA Security, Howard Hantman, joins us.
Related Links:

Implementing a Secure Virtual Private Network (White Paper)
podcast@rsasecurity.com (Submit your thoughts and stories about the “business of security”)

Original post by blog@rsa.com (Podcast Producers) and powered by Img Fly

Computer security Systems

MS06-040 Monday Roundup

August 14th, 2006

After a weekend of monitoring, here’s what we seem to know about the MS06-040 worm(s) in the wild:

There are at least two variants in the wild so far (ref)
It appears to be primarily targeting Windows 2000 machines (ref)
After infecting a machine it communicates out over IRC on port 18067 and scans for additional machines to infect on port 445 (ref)
One variant is also spreading via AOL IM. (ref)
Most AV vendors have released updates to detect at least some of these known exploits.
The purpose of the worm seems to be to build a botnet for sending spam.

A couple of stats to ponder:

Time from patch release to public PoC code: ~40 hours
Time from patch release to self-propagating worm: ~96 hours
Average time it takes an enterprise to patch a critical vulnerability: a lot more than 96 hours.

References:

Microsoft Security Response Center Blog
SANS ISC
LURHQ
Security Fix

Original post by Security Wonk and software by Elliott

Computer threats