= Stories Of Interest =
[http://securityvulns.com/Sdocument126.html Pidgin Remote DoS] - [
PaulDotCom] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash. Vulnerabilities in chat clients that rely on merely receiving a message are very scary, and seem to be popular these days. Its interesting, since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via an IM. Even web browser and web-based exploits are cool, but you still have to get the user to click on something. If I am in a chat channel or on IM, you just need to send me a message and I am pwned.
[http://feeds.computerworld.com/~r/Computerworld/Hacking/News/~3/163537461/article.do TJX Offers Settlement] - [Larry] - They also owned up to how they got hacked - poor encryption on wireless networks. The obviously haven't been listening to our podcast, because we've been ramming this down your throat for some time.
[http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/ Citrix Low-Tech Hacking] - [
PaulDotCom] - Hacking without exploits is great, and thats my new catch phrase. All these people patching everything, running IPS, A/V, and what not makes it a little harder to run traditional exploits (I did say a "little"). This is a great example of how to use your Google hacking skills (okay, its a simple query "ext:ica") and find Citrix servers. Looking into this file reveals that we can run a program or command, and if the server is anonymous, change the command to "cmd.exe". Sweet! Instant command shell!
[http://isc.sans.org/diary.html?storyid=3438&rss There is nothing important here] - [Larry] - I wanted to reiterate the need for user education, so that your users/customers/mom doesn't fall for the "I don't need this, I have nothing important" argument. Everyone needs to practice defense in depth, even if you don't think it applies to you - Just because server A doesn;t have any important data on it, it can still be used as a launch pad for attacks on other networks, as well as your own - even against machines that DO have important data.
[http://www.heise-security.co.uk/news/96860/from/atom10 Firewall-1 is full of holes] - [
PaulDotCom] - I did not have time to read the 200+ page report, however, reports say it looks legit. Many of the attacks appear to be buffer overflows in local commands, which sounds like it would require access to the firewall already. However, its how they found these exploits that is scary, ''"According to Pentest, they have not even used fuzzing tools for their tests, but have simply used manipulated arguments to cause a buffer overflow in the programs; this does not comply with the vendor’s description of the relevant target of evaluation"''. So like, passing a large parameter to a command triggers a buffer overflow, sweet! If its that easy, where are other holes lurking?
[http://securityvulns.com/Sdocument97.html Airdefense M520 DoS (and more)] - [Larry] - This seems like the perfect opportunity for an attacker to utilize this DoS condition to effectively neuter the ability to monitor for wireless attacks. compare this to someone being able to D0S your Snort box, and slip attacks by either undetected, or if they are detected not allow you to see details.
[http://isc.sans.org/diary.html?storyid=3456 Protecting Mobile users - ideas?] - [
PaulDotCom] - Chris is right, we need to protect our mobile users. However, traditional methods such as logging on with user privs, A/V, anti-spyware, and firewalls just aren't enough. Malware is too smart, and users are too dumb. We almost need to wipe mobile users machines on a regular basis, and keep the data separate and protected. It would be a neat experiment, store all your data on an encrypted thumbdrive, then your machine gets wiped everytime you come back to the office... I know, I am the "Mad Security Geek".
[http://www.milw0rm.com/exploits/4482 A nice healthy SQL Injection Exploit] - [
PaulDotCom] - A notice to all companies producing web applications, when a vulnerability is found in your product, take down your demo site. [Larry] - I'll give you something nice and healthy to inject.
[http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx RFP Emerges, Speaks about disclosure] - [
PaulDotCom] - According to RFP, testing someone else's web site is a no-no. Quote: ''"NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. "'' Whoa. This could go either way. I've seen some people be happy that you found a vuln in their web site, and I can definitely see it going the other way. Thoughts? Oh, and where has RFP been since 2003 anyway? BTW, check out some [http://www.microsoft.com/technet/security/bluehat/2007fall.mspx podcasts from Microsoft.]
[http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040878&source=rss_topic85 DHS mailing list oops] - [Larry] - A mailing list reply to all has potentially revealed a number of individuals that consider them part of the DHS security community, and some of the info may have been classified - names, phone numbers, and so on. Just goes to show, that if you put anything in front of the public, you need to design, configure and audit/test appropriately - especially dealing with sensitive info.
[http://www.engadget.com/2007/09/28/iphone-update-facts-and-fiction/ iPhone "bricking" and hacking] - [
PaulDotCom] - A bit off-topic, but some ppl are wondering why their iPhones are bricked once they apply a firmware update to a hacked phone. Just an example, OpenWrt can potentially brick due to an upgrade, but I would still like to know more about how the iPhone works (my understanding is that there is firmware on the modem and a separate OS for the rest?). [http://www.mckeay.net/secure/2007/09/ibrick.html Martin seems convinced] that Apple did this on purpose, however, it could be just an artifact of hacking and firmware upgrades. Why would they only brick phones with the anySIM program and not all hacks?
[http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html#comment-7822943064091432904 PGP Whole disk backdoor] - [Larry] - PGP has a "back door" (a what now?) so that the machine with it installed and disks encrypted can boot without using the boot time password. Sure I can see that this would be valuable - it only works one time, so it would be great in support organizations where patches are deployed that require a reboot. Hmmh, the big thing is that it is not documented (or poorly at that). PGP claims that this feature exists in their competitor's products...
[http://seclists.org/vulnwatch/2007/q3/0056.html Cisco Call Manager SQL Injection and XSS] - [
PaulDotCom] - These vulnerabilities exist in the login page, hence you do not need to be authenticated. The SQL one is interesting, ''"An attacker could exploit the SQL injection vulnerability to read
a single value from the database. Several successful attacks could disclose information about the database, information such as user names and passwords, and information from call records such as the time calls are placed and the numbers dialed. This vulnerability cannot be used to alter or delete call record information from the database."'' Niiiiiice! Extracting call records, that could be interesting...
[http://www.voip-news.co.uk/2007/10/04/hacker-broke-into-routers-and-stole-voip-services/ Default passwords net $1M in profit] - [Larry] - Scan network. Find routers that deliver VOIP with default passwords. Re-sell 10 million minutes at discounted rates. Profit! The guy that did this is now in prison for the next two years, and only made $20K for his efforts. He claims that remote administration with default or easy passwords was his success story. My advice: Create a policy for strong passwords, have devices use multiple factor authentication (TACACS/AAA maybe?) and test the hell out of all of the possibilities. Enforce the policy. Because one smaller VOIP telco didn't, they went out of business from this attacker.
[http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf Pwning the Axis Camera] - [
PaulDotCom] - A slew of vulnerabilities exist here, many of which are persistant XSS, which allows the attacker to redirect the video of the camera. So, instead of seeing [http://www.youtube.com/watch?v=IuwMOBM5xfU Female Ninjas rob the store] you see an empty store with the clerk picking their nose. Sweeeet. [Larry] - More on XSS and CSRF - this time with Axis IP cameras - one of the most popular. I can think of a number of places where it may be beneficial for an attacker to want access to a camera so that it could be hijacked...