Page 3 of 19 pages  <  1 2 3 4 5 >  Last »
Posted August 01, 2008 by rippinchikkin in Security News
by Ryan Naraine
July 31st, 2008 @ 8:21 pm

Apple has shipped a Mac OS X security update with patches for at least 17 documented vulnerabilities, including a fix for the serious DNS cache poisoning vulnerability reported by hacker Dan Kaminsky. With Security Update 2008-005, Apple plugs holes that could lead to privilege escalation, denial-of-service, information disclosure and arbitrary code execution attacks. The update affects Mac OS X Server 10.4, Mac OS X 10.4.11, Mac OS X Server 10.5, and Mac OS X 10.5.4.

CVE-2008-1447 - BIND: A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.

CVE-2008-2320 - CarbonCore: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-2830 - Open Scripting Architecture: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges.
Posted July 30, 2008 by rippinchikkin in Security News
by Dancho Danchev
July 30th, 2008 @ 8:08 am

A week after |)ruid and HD Moore released part 2 of the DNS exploit, HD Moore’s company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at the AT&T servers to which his company was forwarding DNS traffic:

“It happened on Tuesday morning, when Moore’s company, BreakingPoint had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas area.

One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company. When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.”


Moreover, last month, before the latest DNS cache poisoning vulnerability and exploits started taking place, Metasploit Project’s site was temporarily hijacked through ARP poisoning, perfectly demonstrating that old-fashioned DNS attacks remain intact.
Posted July 30, 2008 by rippinchikkin in Security News
By John Leyden
30th July 2008 15:22 GMT

Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security. Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email.

Google fixed the problem within hours on Tuesday afternoon (US time). The snafu comes less than a week after Gmail improved security by making sure users of the popular web mail service go through a secure connection each time they access their account online. Forgetting to renew a digital certificate can happen to any organisation, as Microsoft and HSBC (among many others) are able to testify. Even though a certificate is out of date a secure connection with a site can still be established.

Google makes it its business to index all the world's data so its own failure to manage a key domain is an embarrassing faux pas even though no harm, or much inconvenience, was caused. Reg reader Peter Houppermans, who brought the slip-up to our attention, notes that users are now so well trained against clicking on invalid certificates that this sort of thing should present no great problem. Well, except for the untrained users.
Posted July 24, 2008 by rippinchikkin in Security News
by Zack Whittaker
July 23rd, 2008 @ 5:37 am

Oh the fun. Once again, another police website has been hacked by a student, showing that even the police aren’t safe from all crimes. This is another link in the long chain of attacks over the years from egotistical teenagers trying to get a kick out of life without sticking a needle in their arm.

Bedfordshire Police had their website hacked and defaced, replacing the content with Arabic and an animation of a man carrying a Tunisian flag. The perpetrator of the attack is known to be a 17-year-old US student by the name of Arfaoui Firas, and a site snapshot shows the website after it was defaced. This comes as the news of the website being brought back from the ashes has finally gone live again.

A spokesperson for Bedfordshire Police said, according to the BBC: “The website is hosted externally, away from all other police systems so no personal or confidential data could have been obtained. Bedfordshire Police take security extremely seriously, which is why the website is hosted independently and outside all other IT systems.”

Let’s throw in some background material here. Police forces around the country and around the world have databases packed with information about crimes, people and citizens, drivers licence details, things like that. To then have a website on the same network or server as the rest of these secure databases would be a huge security risk; which is why they don’t.
Posted July 23, 2008 by rippinchikkin in Security News
By Robert McMillan
July 23, 2008

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write. The flaw, a variation on what's known as a cache poisoning attack, was announced on July 8 by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an Aug. 6 presentation at the Black Hat conference.

That plan was thwarted Monday, when someone at Matasano accidentally posted details of the flaw ahead of schedule. Matasano quickly removed the post and apologized for its mistake, but it was too late. Details of the flaw soon spread around the Internet. And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium.
Posted July 23, 2008 by rippinchikkin in Security News
By Joel Hruska
July 22, 2008 - 09:40PM CT

ICANN has unanimously approved a request by the Public Interest Registry (which handles .org domains) to become the first generic Top Level Domain (gTLD) to switch to the DNS security protocol DNSSEC.

As part of the agreement, PIR will trailblaze DNSSEC while simultaneously developing an education and adoption plan that can later be disseminated across the Internet's infrastructure. PIR's use of DNSSEC is a significant step forward, but a mixture of contentious political and technological issues has slowed the worldwide development and deployment process.

DNSSEC is intended to fix fundamental flaws in the original DNS protocol that leave it vulnerable to several different attack vectors, including cache poisoning. This is accomplished in part through the use of digital signatures. By using such signatures, the DNS resolver can check to see if information it is receiving is actually from the appropriate address; the digital signatures effectively act as a password (the analogy is not exact).

The DNS flaws themselves aren't anything new—they were discovered back in 1990—but the solution to the problem has been no less than eleven years in the making, putting the length of its development cycle almost on par with Duke Nukem Forever. DNSSEC development lasted from January 1997 to the present day, or roughly 11 years and six months.
Posted July 22, 2008 by rippinchikkin in Security News
July 22, 2008
By Robert McMillan

Convicted penny-stock spammer Eddie Davidson walked away from a federal minimum-security prison camp in Colorado on Sunday, the U.S. Department of Justice said Tuesday. Davidson, 35, had been serving 21 months in federal prison after pleading guilty to criminal spam charges in December.

He is now considered an escapee and is being pursued by U.S. marshals, with help from the Federal Bureau of Investigation, the U.S. Internal Revenue Service and local police. He earned millions of dollars between 2003 and 2006 by operating a spamming operation, called Power Promoters, out of his home. He would change the header information in his messages to make it appear as if they had come from legitimate companies such as AOL and then send them out to hundreds of thousands of addresses.

Davidson sent the messages on behalf of an unnamed Houston company, court filings state. He was asked to promote about 19 penny-stock companies, including one called Advanced Power Line Technologies in 2006 and 2007. He would earn fees based on the trading volume of the stocks he was promoting. The business was lucrative: The Houston company paid Davidson about $1.4 million for his services, court documents state.

Between 2003 and 2006, when his primary source of income was spam, bank account deposits into Davidson's account totalled about $3.5 million. Davidson, of Bennett, Colorado, had been incarcerated at the Florence Federal Correctional Complex, about 45 miles south of Colorado Springs.
Posted July 21, 2008 by rippinchikkin in Security News
by Ryan Naraine
July 21st, 2008 @ 2:12 pm

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ] It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups. Flake, CEO and head of research at Sabre Security, said his speculation was driven by the need to discuss the vulnerability in public instead of a one-month embargo that culminates with Kaminsky’s presentation at the upcoming Black Hat conference.

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis: Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is 244.244.244.244. Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn’t have these requests cached, so it asks a root server “where can I find the .com NS?” It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc. Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is … long …....

Posted July 21, 2008 by rippinchikkin in Security News
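The two DNS items above (the BIND fix in Security Update 2008-005, which adds source port randomization, and the referral-spoofing scenario Halvar Flake sketches) both come down to what a recursive resolver is willing to accept from the network. The following is an added Python model of those resolver-side checks; it is not code from any of the quoted posts and not BIND's implementation. It assumes a simplified resolver that keys each outstanding query on (transaction ID, UDP source port, question name), an ephemeral port range of 1024-65535 when randomization is on, and a bailiwick field on each query giving the zone the queried server is authoritative for. The bailiwick check on glue records is a standard resolver defence that the posts describe only by example (a referral for ulamYYYYY.com must not be allowed to plant an address for ns.gmx.net); all names and addresses are constructed samples.

```python
"""Toy recursive-resolver acceptance checks (added example, not BIND).

A response is cached only if its transaction ID, destination UDP port and
question name match an outstanding query, so randomizing the source port
widens what an off-path sender would have to guess from 16 bits to roughly
32.  Glue records naming hosts outside the queried server's bailiwick are
discarded rather than cached.  Simplified model; assumptions are marked.
"""
import math
import secrets
from dataclasses import dataclass

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # assumed ephemeral port range


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str
    bailiwick: str          # zone the server we asked is authoritative for


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    answer: str
    glue: tuple = ()        # ((hostname, ip), ...) additional records


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def guess_space_bits(randomize_port: bool) -> float:
    """Bits an off-path sender must guess: 16-bit TXID, plus the port."""
    ports = (EPHEMERAL_HIGH - EPHEMERAL_LOW + 1) if randomize_port else 1
    return 16 + math.log2(ports)


class Resolver:
    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, port, qname) -> Query
        self.cache = {}     # name -> address
        self.dropped = []   # (reason, payload) for anything rejected

    def send_query(self, qname: str, bailiwick: str) -> Query:
        txid = secrets.randbelow(1 << 16)
        if self.randomize_port:
            port = EPHEMERAL_LOW + secrets.randbelow(EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)
        else:
            port = 53   # fixed source port: only the TXID has to be guessed
        q = Query(txid, port, qname, bailiwick)
        self.pending[(txid, port, qname.lower())] = q
        return q

    def receive(self, resp: Response) -> bool:
        """Accept `resp` only if it matches a query we actually sent."""
        q = self.pending.pop((resp.txid, resp.dst_port, resp.qname.lower()), None)
        if q is None:
            self.dropped.append(("no-matching-query", resp))
            return False
        self.cache[resp.qname.lower()] = resp.answer
        for host, ip in resp.glue:
            if in_bailiwick(host, q.bailiwick):
                self.cache[host.lower()] = ip
            else:   # e.g. a .com referral may not set an address for ns.gmx.net
                self.dropped.append(("out-of-bailiwick", (host, ip)))
        return True


def demo() -> Resolver:
    """Constructed scenario mirroring the posts' names; returns the resolver."""
    r = Resolver(randomize_port=True)
    q = r.send_query("www.ulam00001.com", bailiwick="com")
    # Right TXID but assumes the old fixed port 53: rejected.
    r.receive(Response(q.txid, 53, "www.ulam00001.com", "10.9.8.7"))
    # Genuine-looking referral with one in-bailiwick and one rogue glue record.
    r.receive(Response(q.txid, q.src_port, "www.ulam00001.com", "10.9.8.7",
                       glue=(("ns.ulam00001.com", "10.1.1.1"),
                             ("ns.gmx.net", "244.244.244.244"))))
    return r


if __name__ == "__main__":
    res = demo()
    print("cached:", res.cache)
    print("dropped:", [reason for reason, _ in res.dropped])
    print("guess bits fixed/random port: %.1f / %.1f"
          % (guess_space_bits(False), guess_space_bits(True)))
```

The second `receive` in `demo()` is accepted because it matches the outstanding query, but only `ns.ulam00001.com` reaches the cache; `ns.gmx.net` is logged as out-of-bailiwick. Replaying the same response a second time is rejected because the query has already been consumed.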
by Robert Vamosi
July 21, 2008 11:38 AM PDT

For the last few months, I've been hearing some well-regarded security people tell me they are considering ditching their antivirus protection altogether. They haven't done it, but these individuals feel the days of having a special application scan to remove malware on your desktop are numbered. Malware has changed, but the applications to ferret them out have not.

Antivirus programs, as we know them today, are based on 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is getting tedious, if not archaic. In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking.

That's why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases--something called whitelisting. If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.

That's more or less what Symantec CEO John Thompson called for at this year's RSA: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting--where we identify and allow only the good stuff to come in--will become critical." He actually didn't say much more about whitelisting, yet everyone talks about this speech as though Thompson had provided clear guidance the year of whitelisting.
Posted July 17, 2008 by rippinchikkin in Security News
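The blacklist-versus-whitelist contrast in the post above, as an added Python example that is not code from the post or from any antivirus vendor: a hash-based execution policy evaluated in both modes over three constructed byte strings standing in for files (a known-good program, a known-malware sample and a never-seen file). The point it makes is the one the post makes in prose: a signature blacklist lets the unknown file run, an allow-list does not, and the allow-list's size tracks the software you trust rather than the million signatures Symantec counted.

```python
"""Allow-list vs block-list execution policy (added example, toy model).

Files are identified by SHA-256.  BLOCKLIST mode denies only known-bad hashes
and lets everything else run; ALLOWLIST mode permits only known-good hashes
and denies everything else, including files nobody has seen before.
"""
import hashlib
from enum import Enum


class Mode(Enum):
    BLOCKLIST = "blocklist"   # signature-style: deny known-bad, permit the rest
    ALLOWLIST = "allowlist"   # whitelisting: permit known-good, deny the rest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ExecutionPolicy:
    def __init__(self, mode: Mode, known_good=(), known_bad=()):
        self.mode = mode
        self.known_good = set(known_good)   # hashes of trusted files
        self.known_bad = set(known_bad)     # hashes of known malware

    def decide(self, data: bytes):
        """Return (verdict, reason) for a file's contents."""
        h = sha256_hex(data)
        if self.mode is Mode.BLOCKLIST:
            if h in self.known_bad:
                return ("deny", "matches known-bad signature")
            return ("allow", "no signature match")      # unknown => allowed
        if h in self.known_good:
            return ("allow", "on allow-list")
        return ("deny", "not on allow-list")            # unknown => denied


# Constructed stand-ins for files; not real binaries or real malware.
SAMPLE_FILES = {
    "legit": b"MZ\x90\x00 constructed trusted application",
    "known_malware": b"MZ\x90\x00 constructed known-bad sample",
    "unknown": b"MZ\x90\x00 constructed file nobody has catalogued",
}


def build_policies():
    good = [sha256_hex(SAMPLE_FILES["legit"])]
    bad = [sha256_hex(SAMPLE_FILES["known_malware"])]
    return {
        Mode.BLOCKLIST.value: ExecutionPolicy(Mode.BLOCKLIST, good, bad),
        Mode.ALLOWLIST.value: ExecutionPolicy(Mode.ALLOWLIST, good, bad),
    }


def compare_policies():
    """Decide every sample under both modes: {mode: {file: (verdict, reason)}}."""
    return {
        mode: {name: policy.decide(data) for name, data in SAMPLE_FILES.items()}
        for mode, policy in build_policies().items()
    }


if __name__ == "__main__":
    for mode, verdicts in compare_policies().items():
        for name, (verdict, reason) in verdicts.items():
            print(f"{mode:9s} {name:14s} {verdict:5s} ({reason})")
```

Running it prints six verdicts; the only row where the two modes disagree is the "unknown" file, which is exactly the case that motivates the whitelisting argument. In practice the allow-list would be keyed on signed publishers or file paths as well as hashes, since a hash-only list breaks on every legitimate update.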
17 July 2008, 9:20 AM

IT'S EASY to check on a Google Gmail account to find out the actual name of the user, according to a five-step plan here, or a four-step routine here. That's assuming a user input their real details in the first place. Google of course knows more about you than you probably do yourself. If you have a Gmail account have it open and do a Google search in a separate window, Google will remember all about it. Close it all up and then open up Youtube. Chances are that whatever topic you searched for in Google will be proffered up on the video site, whether you want it or not. Blinking cheek.
Posted July 14, 2008 by rippinchikkin in Security News
by Elinor Mills
July 14, 2008 4:12 PM PDT

Photobucket on Monday fixed a security hole that allowed people to view private photos of strangers. All that was needed was the user ID of someone with a private album on Photobucket and the file name of one photo in their album, said Byron Ng, a Vancouver, B.C.-based computer technician who exposes security flaws in social networks and other sites.

Many MySpace users use Photobucket to post material on their MySpace pages, he said in an e-mail, adding, "This is a way to find 'some' private Photobucket albums." MySpace and Photobucket are both owned by News Corp. Photobucket fixed the hole Monday afternoon after being contacted by CNET News in the morning. "Photobucket is aware of the issue and it has been resolved. A fix was rolled out this afternoon, less than 24 hours after the site was made aware of the issue," a Photobucket representative said in an e-mail.
Posted July 14, 2008 by rippinchikkin in Security News
by Robin Harris
July 14th, 2008 @ 4:20 pm

FTP - file transfer protocol - is the most commonly used method for moving files around the Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

I wrote about this (see If hackers don’t get you, maybe Google will) after my other blog, StorageMojo, was hacked. I’m glad to see a vendor of FTP software - I use their fine product Transmit - jump on board with a strong recommendation. Why? Here are a couple of the best reasons he gives.

* Unless tunneled over a secure socket, FTP is 100% insecure. Your password, and the contents of all your files are sent in the clear, free to be examined or captured by any network hop between you and your server. . . .

* FTP is not friendly with firewalls. Because it constantly needs to establish new connections, this has led us to “passive mode” which might as well be black magic as far as most people are concerned. Briefly, passive mode means the client initiates data connections to the server, rather than the default where the server makes connections to the client (yes, really)......
Posted July 10, 2008 by rippinchikkin in Security News
By Robert McMillan
July 10, 2008

Hackers are a skeptical bunch, but that doesn't bother Dan Kaminsky, who got a lot of flack from his colleagues in the security research community after claiming to have discovered a critical bug in the Internet's infrastructure.

Kaminsky made headlines on Tuesday by talking about a major flaw in the DNS (Domain Name System), used to connect computers to each other on the Internet. In late March he grouped together 16 companies that make DNS software -- companies like Microsoft, Cisco and Sun Microsystems -- and talked them into fixing the problem and jointly releasing patches for it.

But some of Kaminsky's peers were unimpressed. That's because he violated one of the cardinal rules of disclosure: publicizing a flaw without providing the technical details to verify his finding. On Wednesday he took things a step further on his blog, asking hackers to avoid researching the problem until next month, when he plans to release more information about it at the Black Hat security conference.

The flaw appears to be a serious one that could be exploited in what's called a "cache poisoning attack." These attacks hack the DNS system, using it to redirect victims to malicious Web sites without their knowledge. They have been recognized for years but can be hard to pull off. But Kaminsky claims to have found a very effective way of launching such an attack, thanks to a vulnerability in the design of the DNS protocol itself.
Posted July 09, 2008 by rippinchikkin in Security News
by Dancho Danchev
July 8th, 2008 @ 5:03 pm

Right after the U.S. Independence Day fireworks, Storm Worm’s latest campaign, launched a couple of hours ago, is back online, this time attempting to once again exploit client-side vulnerabilities, serving iran_occupation.exe by spreading false rumors of a U.S. invasion of Iran. The text reads:

“Just now US Army’s Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran’s Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us.”

Despite that you’re highly advised to stay away from spam and phishing emails in general unless you know what you’re doing, the latest Storm Worm domains used in the “Iran invasion campaign” should get a priority for the time being :

statenewsworld . com
morenewsonline . com
dailydotnews . com
dotdailynews . com
newsworldnow . com
Posted July 09, 2008 by rippinchikkin in Security News
By Nick Farrell
09 July 2008, 7:26 AM

PUNTERS who use the ZoneAlarm security package might not want to install MS update KB951748. According to several news groups, the first thing you will notice after running the update is that your internet connection dies, as KB951748 made changes to the networking files that ZoneAlarm doesn't like.

It then decides to block everything just to be safe. You can get around the problem by setting the Internet Zone Security permission slider from high to medium and that will give you your connection back but that is not really a good idea if you want high security. Sniffing around the forums we found similar advice although, apparently, the best bet is to reset the ZoneAlarm database.

No word has come from Microsoft or ZoneAlarm yet on the problem which appears to be caused by the update not liking the different file sizes and checksums. It might be a bad idea to install KB951748 until after either of the companies releases some more concrete information.