added: Mon, 16th October 2006 | 764 views | 0x in favourites
feed url: http://feeds.feedburner.com/ambersailsecnews
Information Security News From Around The Web
Does NBC Control Your TV?
Reports are coming in of digital video recording systems refusing to record NBC programs - both on digital cable and over-the-air transmissions.
We're still investigating whether these involved over-the-air digital TV, which would mean that NBC was the first broadcaster to attempt to revive the abandoned ATSC "broadcast flag" (as opposed to cable and analog copy control signals like CGMS-A which have been used before).
Thanks to the activism of thousands of concerned tech users, hardware and software manufacturers that handle over-the-air digital TV do not need to obey the digital TV broadcast flag. There is no "broadcast flag" copy control requirement for these tuners, since the courts overturned the FCC's plans to enforce it in 2005; and despite the entertainment industry's bluster, it does not look like a broadcast flag law will be passed before the digital switch-over next year.
However, hardware and software could voluntarily obey the flag. Rightsholders are almost certainly lobbying behind the scenes to get tech companies to agree to obey copy controls for over-the-air digital TV. Software like Vista is already designed to comply with rightsholder restrictions when working with standards like CableCard which contractually require copy protection. Turning the same restrictions on when a message is received from an over-the-air tuner is just a small coding step away.
At this point no one knows which tech companies have sold out their users in this way. For understandable reasons, manufacturers keep their compliance details quiet -- which is why customers are so angry when they encounter it. ATI has previously reported that they will support the broadcast flag, but this news was buried in a driver change log.
Companies that implement the over-the-air digital broadcast flag are under no obligation, contractually or due to FCC regulation, to do so. They have a choice. And so do their customers.
Millions of dollars will be spent in the next few months as America switches to digital television. Prosumers like those at "The Green Button" are often the first to be bitten by TV's copy restrictions, but they will not be the last.
Perhaps electronics magazines and online reviews should look into exactly how digital TV equipment is dealing with the rightsholders' demands, and publicize which companies still obey the redundant and user-unfriendly broadcast flag -- and which still listen to their customers.
Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.…
The SaaS Approach to Web Site Vulnerability Management - E-Commerce Times - 1 hour ago: Web application vulnerability scanners are sophisticated tools that require substantial ongoing customization and tuning, expertise to operate, ...
I called this one the day after the first wave of mass SQL Injection attacks came out. I told Jeremiah that we would see botnets doing this attack shortly as it was much more efficient. A few weeks later and boom, Botnets performing mass SQL Injection. The interesting things about these attacks so far is [...]
The largest illegal immigration raid in American history happened at a Kosher meat processing plant. It also turned out to be host to a meth lab. For additional information, read this. A professor was fired from a black college for failing too many of his students. Nothing fights racism like not expecting blacks to attend class and make up for lost time if they're underprepared, right? India is now blaming American eating habits for the world's food shortage. You know, because our biofuel po
EFF is making some changes to the site's RSS feeds. If you subscribe to EFF.org with RSS, you've probably been using either our Blog Feed or our Press Release Feed or our Action Alert Feed or some combination of those three. To simplify things, we've consolidated them into one place: The EFF Updates Feed.
We've also just relaunched the long-dormant Line Noise Podcast. Line Noise has two feeds for your favorite podcast aggregator, depending on your audio-codec of choice: MP3 and Ogg Vorbis. In our newest episode, EFF Staff Attorney Corynne McSherry and Designer/Activist Hugh D'Andrade discuss The Lost Art of Orphan Works.
Man, I just keep falling farther and farther behind on these posts. Anyway, here we go: Jeremiah has a nifty post up about crossdomain.xml. Jeff Jones has a short paper available that compares Windows Vista vulnerabilities compared to Windows XP SP2 vulnerabilities in 2007. Patrick Romero discusses Electronic Medical Records over on Security Catalyst. Nitesh has an interesting [...]
Don't. Continuing previous posts with three different portfolios of fake security software, and Zlob malware variants posing as video codecs, the rogue security application XP Shield is the latest addition to the never ending list, with the following domains participating in the campaign:
xp-shield.com
xpshield.com
xpantiviruspro.com
xpantivirussecurity.com
xponlinescanner.com
xpprotectionsoftware.com
xpantivirussite.com
antivirus2008x.com
securityscannersite.com
antivirus-xp.awardspace.us
xpantivirus.awardspace.co.uk
The detection rates for the time being:
XPShieldSetup.exe
Scanners result : 1/32 (3.13%)
File size: 517632 bytes
MD5...: 99c7271ac88edc56e1d89c9f738f889c
SHA1..: 3347564017d289ffd116f70faa712e05883358f4
XPantivirus2008_v880381.exe
Scanners result : 4/32 (12.5%)
File size: 65024 bytes
MD5...: ef9024963b1d08653dcc8d8b0d992998
SHA1..: 436bf47403e0840d423765cf35cf9dea76d289a5
How would the end user reach these domains, from a malicious attacker's perspective, in the first place? Once being redirected to them through an already SQL injected or iFrame embedded legitimate site, with evidence of the practice seen in the majority of massive iFrame, SEO poisoning and SQL injection campaigns from the last couple of months.
It’s almost my birthday and it’s my first one without my father. Clarification - It’s the first one without the hope of my father. We hadn’t seen each other for almost 30 years until the day he tragically passed away in May 2007. The story is long and personal but the point is clear: While [...]
Major parts of the government's proposed $17 billion computer-security plan are actually spying programs, according to a Senate committee's budget report. The committee also faulted the plan for excessive secrecy around privacy and civil liberties issues and for funding experimental and possibly illegal technologies.
Next time you get nagged to install Apple's Safari browser keep this in mind: The company's security team has dismissed research that shows a simple way miscreants can use the browser to litter an end user's machine with malicious files.…
Factual evidence on the emergence of individual phishing kits is starting to appear, with two more available in the wild. So what? For the time being, the lack of communication between the authors of these, or perhaps even the need to, is slowing down the adoption of core features that would standardize and create a dynamic all in one phishing campaign C&C.
In the long term, however, features and customizations already adopted by ethical phishing initiatives would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing these applications for free greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines:
"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first one having direct FTP upload capabilities as well as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."
Read the entire post - DIY phishing kits introducing new features.
The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't.
The IT security org needs to understand what threats the business faces from its technology systems. In many cases this is not a direct threat to the confidentiality or availability of data. Some attacks may be focused on other aspects of the systems like integrity or even cost. Read more...
"In the war against spam it is right that large companies should have a heavy stick like this to hit the spammers with"
IT security and control firm Sophos has applauded a legal judgment that has awarded MySpace a record payment of USD 234 million from spammers who bombarded its users with junk emails. via IrishDev.com/News
Dear Nessus Community, On behalf of Tenable Network Security, we would like to thank you for making Tenable’s Nessus® vulnerability scanner the most widely used scanner in the world. Over the last five years, we have seen Nessus grow globally to over 5 million downloads and we have been there every step of the way. The core Nessus engine [...]
Shrdlu is entertaining and insightful and writes everything I wish I could have written on the Blogo-topic du jour, GRC.
In the information age, we all have a data shadow.
We leave data everywhere we go. It's not just our bank accounts and stock portfolios, or our itemized bills, listing every credit card purchase and telephone call we make. It's automatic road-toll collection systems, supermarket affinity cards, ATMs and so on.
It's also our lives. Our love letters and friendly chat. Our personal e-mails and SMS messages. Our business plans, strategies and offhand conversations. Our political leanings and positions. And this is just the data we interact with. We all have shadow selves living in the data banks of hundreds of corporations' information brokers -- information about us that is both surprisingly personal and uncannily complete -- except for the errors that you can neither see nor correct.
What happens to our data happens to ourselves.
This shadow self doesn't just sit there: It's constantly touched. It's examined and judged. When we apply for a bank loan, it's our data that determines whether or not we get it. When we try to board an airplane, it's our data that determines how thoroughly we get searched -- or whether we get to board at all. If the government wants to investigate us, they're more likely to go through our data than they are to search our homes; for a lot of that data, they don't even need a warrant.
Who controls our data controls our lives.
It's true. Whoever controls our data can decide whether we can get a bank loan, on an airplane or into a country. Or what sort of discount we get from a merchant, or even how we're treated by customer support. A potential employer can, illegally in the U.S., examine our medical data and decide whether or not to offer us a job. The police can mine our data and decide whether or not we're a terrorist risk. If a criminal can get hold of enough of our data, he can open credit cards in our names, siphon money out of our investment accounts, even sell our property. Identity theft is the ultimate proof that control of our data means control of our life.
We need to take back our data.
Our data is a part of us. It's intimate and personal, and we have basic rights to it. It should be protected from unwanted touch.
We need a comprehensive data privacy law. This law should protect all information about us, and not be limited merely to financial or health information. It should limit others' ability to buy and sell our information without our knowledge and consent. It should allow us to see information about us held by others, and correct any inaccuracies we find. It should prevent the government from going after our information without judicial oversight. It should enforce data deletion, and limit data collection, where necessary. And we need more than token penalties for deliberate violations.
This is a tall order, and it will take years for us to get there. It's easy to do nothing and let the market take over. But as we see with things like grocery store club cards and click-through privacy policies on websites, most people either don't realize the extent their privacy is being violated or don't have any real choice. And businesses, of course, are more than happy to collect, buy, and sell our most intimate information. But the long-term effects of this on society are toxic; we give up control of ourselves.
---
Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
Well normally I don't blog about matters that are well published but this is a quite serious one. A Debian packager modified the source used for OpenSSL on Debian based systems (Debian and the whole...
Engadget is reporting some stats that households are increasingly dropping their landline phone service for mobiles only. For safety reasons, I highly recommend against this. … In the latter half of 2007, it was discovered that 16-percent of domiciles didn’t even have a landline. Mobile phones are great… until you need to call 9-1-1 (or anyone else [...]
Ten years ago I started Crypto-Gram. It was a monthly newsletter written entirely by me. No guest columns. No advertising. Nothing but me writing about security, published the 15th of the month every month. Now, 120 issues later, none of that has changed. I started Crypto-Gram because I had a lot to say about security, and book-length commentaries were too...
A 23-year-old Oregon man has pleaded guilty to charges that he used identity theft to set up bogus accounts on eBay, where he sold counterfeit software with a retail value of more than $1 million, the U.S. Department of Justice said.
A special guest blogger for this month is Eduardo Vela, also known as sirdarckcat, a security researcher from Mexico. Eduardo has been on the field for a couple of years, mainly focusing on web-app based vulnerabilities, privilege escalation, and IDS/filter evasion. Today, he is a student of computer sciences, does some research on his free time, and works for an important website as a security engineer. [...]
I'm excited and grateful to the Industry Standard for including us in their "Top 25 B-to-Z list blogs."
There's some great stuff in there which I read, like "Information Aesthetics," "Venture Hacks," "The Old New Thing" and "Schneier on Security."
There's also a set of blogs that I hadn't seen, and am checking out.
Why not take a minute to flip through the list, and see what chaos emerges in your feed reader?
I was looking at a phishing email last night for OANDA FXTrade. At first glance I could see something a little different about it. Instead of linking directly to the phishing site in the email, it contained an attachment (an html file) that you are supposed to double click on. The page is [...]
I am pretty excited to have made guest appearance on the re-convening of The Security Roundtable. Posted yesterday, we recorded this conversation right after this year’s RSA Conference. I was joined by the hosts Michael Santarcangelo and Martin McKeay, as well as Dr. Anton Chuvakin and James Costello. We had a great, open and honest discussion [...]
This malicious program is a Trojan. It is a Windows PE EXE file. It is 117248 bytes in size. It is packed using UPX. The unpacked file is approximately 280KB in size. This Trojan is written in Visual Basic. Installation Once launched, the Trojan creates a folder called "DETER177" in the Windows...
This Trojan is designed to increase the number of times a site appears to have been visited. It is a Windows PE EXE file. It is 5120 bytes in size. It is written in C++.
Blog War!! It’s been a while since Alan and I got into it; I think we both appreciate a little healthy debate. As friends, we don’t really have to worry about offending each other or taking things out of context. Unless, of course, it will get us a laugh. In this case I think Alan is [...]
If you’re using Debian or Ubuntu, it looks like you need to generate a new set of keys immediately, if not sooner! The SSH keys on those systems used the PID of the process as a seed for generating the old keys, which severely limits the randomness of the keys and has made [...]
SME strategies for virus-attack recovery - ZDNet UK, UK - 8 hours ago: From applications in social-networking sites and website banner ads to online services, hackers have found ways to spread malicious code and steal ...
Jeff Jones has just published some pretty interesting vulnerability numbers from Q1 2008. Ok, I know that the source is Microsoft, but the numbers and their meanings are very well documented, in my opinion. I’m one of the believers that these numbers show the results of the impressive security initiative from Microsoft. It’s also good to [...]
"The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts"
A botnet is now using a SQL-injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher. via ComputerWorld
Spilled coffee on my keyboard…ugh. And now, the news… Where The Web Is Weak Preparation Key to Managing Data Breaches The Cost Of Privacy Colonel suggests using hackers’ tool against them Guide to VoIP Security Phishing botnet expands by hacking legit sites Kaminsky on DNS rebinding attacks, hacking techniques OSU: Important Security Alert Click here to subscribe to Liquidmatrix Security Digest! Tags: News, [...]
Europe's data protection supervisor, Peter Hustinx, urged Google Thursday to respect local privacy rules as it prepares to launch its Street View function this side of the Atlantic.
From Heise.de: As previously announced, Microsoft published four security bulletins along with updates for six security holes on May patch day. The Redmond developers classify four of the holes as critical because they allow attackers to inject malicious code. Security Bulletins MS08-026 and MS08-027 remedy two security holes in Word and one in Publisher that attackers could [...]
Gordon Brown has, either for genuine transparency in Government reasons, or, more likely, for cynical short term "Must be Seen To Be Doing Something" reasons just before the Crewe and Nantwich by-election, pre-announced a list of forthcoming Bills, which would traditionally have been first revealed in the Queen's Speech in November.
See the document with the meaningless slogan title "Preparing Britain for the Future" - Government's Draft Legislative Programme 2008/09 (.pdf)
These include Yet Another Police Bill, and a Transport Security Bill - more on those in later blog postings.
The one which caught our attention most is the Communications Data Bill which will increase the Government and Police snooping capabilities, regarding Internet usage logfiles etc. Telephones and mobile phones are already subject to the mandatory Data Retention scheme, brought into force last October, as a result of the "policy laundered" European Union Directive on Data Retention ("we have to do this because the EU told us to" - even though it was the UK Government which was one of the prime movers who helped to inflict this wasteful and intrusive policy on all 450 million European Union citizens in the first place).
Even though the UK Government was one of the proponents of this scheme, they, along with several other EU states, cried off implementing the Directive for internet email, web traffic and peer to peer filesharing etc. for 18 months after doing so for mobile and landline telephony.
See the Data Retention Is No Solution wiki
Will there be strict limits and adequate safeguards regarding exactly who has access to such retained log files ?
Will there be a cheap, easy, rapid, fair and decent error correction and complaints procedure for individuals and businesses ?
Will there be criminal penalties for data abusers, generous financial compensation and prompt public apologies from senior officials and politicians when, not if, things go horribly wrong ?
Can pigs fly ?
There is a promise of "pre-legislative scrutiny" of this Bill, but, given the fiasco of the Public Consultation conducted by the Home Office on the topic of RIPA Part 1 Communications Traffic Data statutory Code of Practice, back in 2006, we are extremely wary and cynical, and fear that it will be another sham.
The Labour Government actually went ahead regardless and introduced and then rubber stamped into law, a Statutory Instrument Order which went ahead and implemented one of the Questions on which it was allegedly "consulting" the public about, right in the middle of the 12 week Consultation process, without even pretending to "listen" to the views of the public or analysing their responses.
See The Consultation Process paras 17 to 20
Details of the Bill:
11. Communications data bill
Deploying the updates for the Microsoft Jet Database Engine could be tricky for companies with homegrown applications. Experts are warning users to test those patches first.
Benny from security4all.be sent Heike a link to an article at the Internet Storm Center that covers some patriotic mass SQL-Injection attacks. The attacker appended this text to the bottom of every compromised index.htm file (this text was copied from the ISC and includes their edits): “This is a mass invasion. Safeguard the motherland’s dignity! F*** [...]
Time once again for "Security Goes to the Movies," a leisurely look at the inevitable bleeding from the eyes that security folk experience when Hollywood takes liberties with tech, the laws of physics and other aspects of reality. Our shiny and metallic subject today is "Iron Man."
(Source: Messagelabs) A close look at the data provides a clear picture of how spammers vary their tactics to overwhelm traditional corporate email defenses, through changes in duration, frequency and intensity among others. This white paper will help you understand these threats to your business, and how MessageLabs provides a unique solution.
Agile testing is full of perils, but if you are aware of them and watch for them you can prevent them from becoming problems. Consultant Janet Gregory explains what to look out for and how to handle situations should they occur.
On April 7 -- seven days late -- I announced the Third Annual Movie-Plot Threat Contest: For this contest, the goal is to create fear. Not just any fear, but a fear that you can alleviate through the sale of your new product idea. There are lots of risks out there, some of them serious, some of them so unlikely...
My blog postings have been a bit thin this week, as I've been awaiting the latest blog software upgrade, which should improve the performance substantially.
I've been reflecting on last Friday's excellent Cyber Security KTN workshop on Secure Software Development. This special interest group has been meeting for some time and I'm pleased to say there's been a fair bit of progress as the sessions are broader, deeper and the group is better joined up with other standards activities, including ISO and OWASP initiatives.
The workshop included parallel streams that addressed business cases, good practices, training, and the systems development lifecycle. That illustrates the large scope of the problem space. It's not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process.
It's a strange phenomenon of security that encourages us to address issues from the end point of a process, rather than its starting point. I noticed this when writing the original BS7799 text. The weakest chapter was the one on systems development. It's always been the last place we focus our efforts. In fact our development lifecycles have for decades ignored security. And when we do address this area, we start at the end of the cycle, focusing on operational issues first, then testing and then coding standards, with more emphasis on securing the finished product than educating the designers.
Ideally we should have started at the beginning of the cycle: address the business case for security, then the requirements analysis, then the design principles and then the architecture. These are easier areas to improve, and yet they remain the least developed. We could make a big impact if we could agree a simple set of design principles (such as always use open, secure protocols) and provide guidance on security architecture.
"Maybe you're a spy or you've got schematics for the next hot gadget locked away on your hard drive, but either way you're going to want to lock your files down. "
Absolutely. The military should have both defensive and offensive capabilities in electronic warfare, just as in traditional warfare. DDOS capabilities to knock attackers off-line should certainly be a priority. If one believes that it should be policy to “walk softly and carry a big stick”, DDOS for offensive capabilities should also be a priority. A Slashdot [...]
Posted by InfoSec News on May 15
A quick note:
When I talked earlier about turning off warnings in Perl, I referenced the perldiag page. If you wish to see a list of all the perl... documentation available, you can look at the language reference at perldoc.perl.org (there is also a 5.8.8 version if you haven't upgraded yet, although the differences should be too big between the two). Most of them are a very informative read, although you can leave some of them out if you are not interested in doing special things (for example if you don't wish to use C code from Perl, you can leave out the perlxs page).
This summer, hackers from around the world will track the movements of thousands of visitors to New York City.
El Sidekick, and perhaps TB, read the title to this post and chuckled. The title stems from a simple configuration oversight. Three times over. As I write this the air seems a little more pure, the sun a little brighter and the grass a little greener. This game we play isn’t a Mike Tyson (in his [...]
Some of the Stiennon "magic" must have rubbed off on Rich Mogull when they were both at Gartner or maybe in a case of the imitation being the sincerest form of flattery, Rich M secretly admires Richard S. In any...