Posted on April 27th, 2007 by p1
Filed under: Commentary, Funny | 1 Comment »
It’s been a while since I got out to the trade seminars. You know, marketing’s traveling bumpf show, where they trot out the VP of sales, plus a “security evangelist” or somebody with some such title (who has a technical background, but likes schmoozing more than doing actual research). I used to go to lots: it’s a good way to get up to speed when you first enter a field, but the law of diminishing returns tends to set in real fast in terms of actual information.
There were actually two that I signed up for this week. SANS had one, and I’ve never been to any SANS stuff, so I went to that. Intel also had a real dog and pony show, with extra associated vendors. When I get home from these things, Gloria always asks me whether I’m glad I went.
I’m glad I went to the SANS show. Didn’t get much out of the presentation itself. But the style of the presentation was intriguing: an awful lot of “cute stuff” demonstrated, without much actual information being relayed. The attitude of the presenters was also interesting: they were definitely in it for the cash.
Posted on April 26th, 2007 by noam
Filed under: Commentary, Virus, Corporate Security, Botnets, Rootkits | 2 Comments »
In a post in the Washington Post, Brian Krebs describes how virus (malware) makers have started spending cash on sponsored links for high-profile keywords that poorly patched users regularly search for, so that they can infect them with malware.
One such high-profile keyword is the BBB, the Better Business Bureau, which, as you would guess, most average Joes would visit and search for, while buying a keyword like Slashdot won’t reach them.
This is of course an interesting move, though not entirely unexpected. I can see a “legit company” coming soon: an organization where R&D creates new malware and finds new vulnerabilities, Marketing buys high-profile keywords (or otherwise gets people interested in your malware-infected web site) and Sales sells botnets and infected/hacked computers for money.
Posted on April 25th, 2007 by Juha-Matti
Filed under: Web, Commentary, Corporate Security | No Comments »
The Mozilla Developer News section of the Mozilla Developer Center has released new information about the timeline of Mozilla Firefox 1.5 support.
They inform that “Mozilla will only supply security and stability upgrades for Firefox 1.5 until mid-May” (of this year).
It was announced earlier that support would end on 24th April.
Mozilla is in the process of releasing Firefox 1.5.0.12 and 2.0.0.4 in May (thanks MozillaZine!). Firefox 1.5.0.12 includes an Auto Update feature.
Posted on April 25th, 2007 by dmitryc
Filed under: Commentary | No Comments »
Just a few quick snippets.
First, as mentioned on vulnerableminds.com, Google has some kick-ass training videos available. I recommend the following search: http://video.google.com/videosearch?q=type%3Agoogle+engEDU+security
Second, I’m still trying to break my Motorola Q. However, the fuzzing is going slow due to a stupid little thing called DHCP! I have to literally watch the fuzzing as my IP changes so often. Add to this the fact that I’m naturally lazy and prone to distraction and you have a recipe for disaster (read: lawsuit). An interesting post on cell phone (in)security can be found here.
Third, I’m into source code scanning (well, actually, I’m into the automation of source code scanning). I’ve mentioned Ounce Labs in the past… Well, Dinis Cruz was just cajoled into doing some work for them. I’ve had the pleasure of working with Dinis in the past. This freaking guy is a .NET ninja! I expect Ounce will be kicking butt in this arena very soon.
Last, but certainly not least, if you’re a GPF fan there is a very cool movie that Jared Demott put together. Go see it here
!Dmitry
Posted on April 23rd, 2007 by xyberpix
Filed under: Commentary | 7 Comments »
This post from news.com seems to sum it all up really:
Reader post by: OS11
Posted on: April 20, 2007, 8:42 AM PDT
i appreciate your confidence, but the fact remains, nobody has exploited OSX. that’s a fact you can’t deny. 10’s of millions of machines, nobody has gotten in.
so it’s time to put up or shut up… here is a raw OSX Server. Why don’t you report back to us when you “crack it” 
http://24.8.244.176/
If you can’t, all your comments are “baseless”.
Have fun!
Posted on April 22nd, 2007 by Aviram
Filed under: Commentary, Spam, Phishing | No Comments »
Being knee deep in online mischief all day I sometimes forget that most online attacks are simply extensions of offline ones. The Nigerian scam has been performed via fax and (snail) mail for decades now - I even got a 419 scam by postcard a year back, which made me feel very special that someone would waste a stamp on me.
Spam is obviously just an online extension of junk mail, only on a different order of magnitude, and the same goes for phishing compared to identity theft. But there is one fraud scheme I’m especially fond of - ‘pump-n-dump’, where you get a spam email about a stock that’s about to go up (“skyrocket”), hoping enough people will buy it and make it go up so that the person who initiated the attack can sell quantities of this penny stock and leave the victims with a worthless piece of paper.
The ‘pump-n-dump’ is an extension of the phone-based fraud that was featured in the Sopranos (with Chris’s crew running the scam) and outlined nicely in “Boiler Room”. Wikipedia has a nice description of the scheme and the origin of the term.
The reason I’m reminded of this is that I actually got a call from a boiler room, sorry, from a law office with offices on Park Avenue and in London. The call could have been a scripted audition for “Boiler Room 2”, for the part of the junior associate creating warm leads for Ben Affleck’s gang. It included everything, down to the immortal “I will only call you if we have something really good” and “we might have something for you in 2 weeks”. Amazingly enough they did have something really good for me, and exactly two weeks later I got a call from the Vin Diesel wannabe following up on the warm lead created by the associate. Unfortunately this time I didn’t have the time to play along, so I don’t know if he would have told me there’s a maximum for new clients and 5,000 shares is as much as he can sell me…
My only complaint now is that my spam filter, which is doing such a good job filtering pump-n-dumps, is unable to handle human conversations and filter boiler room calls. Actually, there’s one more complaint - why is it I always get stuck in the Boiler Room-like movies instead of getting a visit from Halle Berry a la Swordfish?…
Posted on April 20th, 2007 by Juha-Matti
Filed under: Web, Commentary, Full Disclosure, Culture | No Comments »
On 15th April the Matousec Transparent Security group reported several Insufficient Argument Validation vulnerabilities in Check Point Zone Labs ZoneAlarm. The problem is in the Vsdatant.sys driver.
ZoneAlarm Pro versions 6.5.737.000 and 6.1.744.001 have been reported as affected. The group said 7.0.302.000 includes a fix; the latest version is 7.0.337. It appears that Matousec.com has a disclosure policy that keeps issues confidential for three months.
According to the advisory, “probably all versions of ZoneAlarm products branches 6.x” include this flaw.
Today, in turn, a Local Privilege Escalation vulnerability in the Check Point Zone Labs SRESCAN IOCTL handler was reported by iDefense.
The iDefense advisory states that version 5.0.63.0 of Srescan.sys, as installed with ZoneAlarm Free, is affected.
iDefense Labs informed Zone Labs on 19th Dec ‘06 and again on 21st March ‘07. The vulnerability was reported to iDefense (VCP) by Ruben Santamarta of reversemode.com.
Posted on April 17th, 2007 by Sid
Filed under: Commentary, Privacy, Full Disclosure, Law, Culture, Corporate Security | 6 Comments »
It’s been roughly two months since Accidental backdoor by ISP. Dan Goodin has written this whole thing nicely for everyone to read.
ISP ejects whistle-blowing student
Don’t forget to digg it :p
Posted on April 16th, 2007 by Brian
Filed under: Funnies, Memory Leak | 3 Comments »
Memory Leak, twenty-first strip of this new comic.
Posted on April 15th, 2007 by gadi
Filed under: Commentary, OT | No Comments »
If you are into security, anti-spam, or perhaps you are a NANOG or IETF person of old, this mailing list is for you.
To subscribe:
http://whitestar.linuxbox.org/mailman/listinfo/sf-hackers
Keep it low-traffic, keep it fun. Books, TV shows, etc. all welcome.
Gadi Evron,
ge@linuxbox.org.
Posted on April 14th, 2007 by noam
Filed under: Microsoft, Commentary, Full Disclosure | No Comments »
According to the exploit released by H.D. Moore’s Metasploit project, the RPC DNS server vulnerability is in the extractQuotedChar() function. No additional details were given on what this function does.
Posted on April 13th, 2007 by gadi
Filed under: Commentary, Spam, Virus | 1 Comment »
From Fergie on funsec:
Date: Fri, 13 Apr 2007 16:14:52 GMT
From: Fergie
To: funsec@linuxbox.org
Subject: [funsec] Pakistan: Deadly ‘Phone Virus’ Threat Causes Panic
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Via ComputerWorld (Reuters).
[snip]
Mobile service providers in Pakistan have been inundated by calls from
subscribers worried by a prank message that they could die of a deadly
virus being transmitted via their phones.
The rumor was so effective that some mosques in the country’s biggest city,
Karachi, made announcements that people were being killed by a mobile virus
and they should be aware of God’s wrath.
In a prank reminiscent of the plot in the hit Hollywood movie “The Ring” in
which people die within a week after watching a video, the prankster warned
users that a deadly virus transmitted through phones had killed 20 people.
[snip]
More:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016500
Happy Friday the 13th.
Enjoy.
- - ferg
Posted on April 13th, 2007 by noam
Filed under: Commentary | 4 Comments »
One of the issues raised here at Malware’07 is whether a security researcher (white hat or ethical hacker) can be considered a journalist.
The analogy: when a journalist uncovers fraud, misuse or bad quality in a product (poisonous cat food, for example) and informs the public, is he liable to be sued for damages by the company making the food?
In the same sense, when a security researcher finds a vulnerability in Windows Vista and reports it to the public, is he liable to be sued by Microsoft for the damage caused by this vulnerability?
The debate is on; one thing is for sure: until it reaches a court, no one will know whether the researcher is protected by the same laws that protect the journalist.
Posted on April 13th, 2007 by Juha-Matti
Filed under: Web, Microsoft, Commentary, Corporate Security | 4 Comments »
Microsoft confirmed late on Thursday that the RPC vulnerability exists in the DNS service implementation of Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2.
The official Security Advisory is located at
www.microsoft.com/technet/security/advisory/935964.mspx.
SANS ISC already had reports of related exploitation on Saturday 7th April.
The date of the next monthly updates? Tuesday 8th May. More than three weeks away.
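With exploitation already seen and the fix weeks away, the interim measure the advisory gives is to stop the DNS server from accepting RPC management over the network. As an added example that is not part of the original post (nor text from the advisory itself), this is how an administrator would apply it on an affected server. The registry key and the RpcProtocol value of 4 are the ones the advisory documents; the query before and after and the service restart are my assumptions about how one would apply and verify it.

```batch
@echo off
rem Added example, not from the SecuriTeam post or from Microsoft's advisory text.
rem Assumption: run from an administrative cmd.exe on the affected DNS server.

set KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

rem Show the current setting. On a default install the value is absent,
rem which means the DNS RPC management interface is reachable over the network.
reg query "%KEY%" /v RpcProtocol 2>nul || echo RpcProtocol not set: remote RPC management is enabled

rem 4 = LPC only. The DNS RPC interface stops listening on the network, so the
rem vulnerable code path is no longer reachable remotely. Managing the server
rem from the DNS console on this machine keeps working; managing it from the
rem DNS console on another machine will fail until the value is removed again.
reg add "%KEY%" /v RpcProtocol /t REG_DWORD /d 4 /f

rem The DNS service reads the value at start-up, so restart it.
net stop dns
net start dns

rem Verify the value took.
reg query "%KEY%" /v RpcProtocol

rem Defence in depth: if a host or perimeter firewall is available, also block
rem inbound TCP in the dynamic RPC port range (1025 to 5000 by default on
rem Windows 2000/2003) from untrusted networks, and only remove this
rem workaround after the May update is installed.
```

The caveat a practitioner will hit: any remote administration of the server over RPC (the DNS MMC snap-in from another host, remote dnscmd) breaks while RpcProtocol is 4. Name resolution on UDP/TCP 53 is unaffected, which is why this is a usable stopgap for a production server.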
Posted on April 12th, 2007 by gadi
Filed under: Web, Commentary, Full Disclosure, Spam, Culture, Virus, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking | No Comments »
Support Intelligence releases daily reports on different Fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
You can find more information on their blog:
http://blog.support-intelligence.com/
They are good people, and they know botnets.
Gadi Evron,
ge@linuxbox.org.