September 2005

Exploit for ca$h

An exploit that I can not give you exists for Mozilla (Gecko) based web browsers, and I also tested it on KDE’s Konqueror to find out that the problem exists there as well…

The bug was found by Georgi Guninski. For those who don’t know him, he is almost a “bug hunter for hire”.

So why can’t I give you the exploit ?

Well Mr. Guninski wrote the following in his Exploit:

Cannot be used in vulnerability databases
Especially securityfocus/mitre/cve/cert

And when we (SecuriTeam) sent him a private email about it, he told the entire world:

no.

you don’t have my permission.
try buying a licence with ca$h.

BTW If you really wish to see the Exploit, you can visit bugzilla

So I have one question, what ever happened to the idea of full disclosure?! I believe in it, and I saw how good it does for many products, that only when exploits and advisories came out, the vendor actually fixed the problems …

PSP Buffer Overflow Allows Downgrading of Firmware

SonyxTeam has released a downgrader for the PSP. The downgrade works by exploiting a buffer overflow in libtiff which resides in PSP’s toc2rta 2.0. The downgrade utilizes the overflow as there is no other way to run non-Sony approved software on the PSP 2.0. The downgrade opens up the PSP device to independent software development for Sony’s device which hasn’t been Sony-approved.

In my opinion this is the first time a buffer overflow has been used for “good“, i.e. execute a good piece of software, rather than for “evil“, execute a bad piece of software. It would be interesting to see how would Sony react to this, and whether this will speed Sony’s responsiveness to software vulnerabilities found in their product.

Paul Vixie on Internet Naming and Alternate-Roots

this was just posted by paul vixie, and i believe it is the shortest and most to-the-point summary of the problem that i’ve seen.

the discussion was about alternate roots and people using alternate roots, causing chaos on the internet by hurting the stability and flow of the domains/dns system, and thus the internet.

some may say, they suck! others may say – who can blame them?

—————————————-

(“christopher l. morrow”) writes:

>> so… why is it again that folks want to balkanize the internet like this?

the dreams fulfilled and/or still promised by the internet mostly involve
some kind of disintermediation, increases in freedom or autonomy, that kind
of thing.

in that context, centralized control over things like address assignments
and tld creation is like fingernails on a chalkboard. a lot of folks feel
that “if it has to be centrally controlled, then $me should be in charge”
or at best “if it has to be centrally controlled, then $me want a voice.”

this desire is more powerful than any appreciation or understanding of the
benefits of naming universality or address uniqueness. human nature,
especially when individuals interact with herds, is predictable but not
necessarily rational.

>> i’m confused by the reasoning behind this public-root (alternate root)
>> problem… it seems to me … that there is no way for it to work, ever.
>> so why keep trying to push it and break other things along the way?

i think it’s because of what margaret mead wrote:

“never doubt that a small group of thoughtful, committed people can
change the world. indeed, it is the only thing that ever has.”

the internet is supernational. control over it is held by the ruling
political party, and their backers, in one country. thus there’s plenty of
money and power ready to back the next hair-brained scheme to break the
lock, even if (as i expect) lack of naming universality would be worse
than lack of naming autonomy.
— paul vixie

—————————————-

gadi evron,
ge@beyondsecurity.com.

Don’t listen to the priests

One of the most damaging misconceptions in the world of security is the phrase “there is no 100% security”. This phrase is from the time of the security alchemists – the black-magic-voodoo-witch-doctor experts that knew how to install configure a firewall or harden a UNIX machine when it was a full-day task that required unusual expertise.
Back then, security was complicated and thus mysterious. Security experts were the selected few, and the common people needed and relied on them. In return, the priests chanted obscure statements such as “security is as good as the weakest link” (translation: after I fix this problem you will need to hire me to strengthen the second-weakest link) and my favorite phrase of all: “there is no 100% security”. The original intention of this phrase was to pack the 10 page legal disclaimer into a one-liner: “if someone hacks you after I finish securing your network, that’s not my fault”.

Only it backfired.

The “common people” tend to take things at face value. If you tell them there is no complete security, they understand just that – and the natural conclusion is that if there’s no complete security, why spend a small fortune on a partial solution? We might as well spend the bare minimum that’s required; we’ll never reach 100% anyway, the expert said so himself!

And so you have a whole generation of sys admins telling their boss that if they can’t spend a fortune on security they might as well do nothing. If only I had a nickel for every time I heard the “100%” as an excuse not to invest money in security…

But this climate is finally changing. How can I tell? First, the ‘security for dummies’ books and courses. This is the equivalent of teaching farmers to read the bible, taking away the power from the Church. Second, the availability of automated tools that make it easy for the average sys admin to secure their network properly (no, it’s still not 100%. But so is every other thing in life). And finally, people like Ira Winkler, formerly the NSA, who says “[people] could prevent 95 percent of their problems by making a few simple changes in the way they do things with what they have already”. Amen.