Information Security | [security.pimp]

Archive for the ‘Information Security’ Category

Cisco PIX & ASA Multiple DoS, ACL Bypass, & Authentication Bypass Vulnerabilities (Bugtraq ID:34429)

Posted: 2009/04/13 in Hardware News, Information Security, Proof of Concept, Security Disclosures, Security News
Tags: cisco firewall pix exploit hping

Some fairly critical issues disclosed on a very popular security product.

Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability.

Read More Here …
An attacker can use readily available network utilities to exploit these issues. The following example data is sufficient to exploit the denial-of-service issue affecting PIX and ASA:


/*Utilize 1550 blocks on an ASA to trigger a crash...*/

hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2

/* Trigger the vuln a bit faster */ hping --fast -p 22 -w 1518 -S -d 26201 .a 10.22.1.1 10.22.1.2

Who should be America’s CTO?

Posted: 2009/04/10 in Digital Freedoms, Information Security, Uncategorized
Tags: cto america security it technology obama

Never before has a presidential candidate used technology in the way the Obama administration did during the past elections. From Youtube, to twitter tweets sent from him trusty Blackberry. Obama definitely leveraged his technilogical savvy in his favor. So then why after more than a handful of months into his term has he still not chosen a CTO for the nation? Is it due to lack of competent technology folks? Maybe he feels it is not as important as say visiting the Tonight show? Or maybe he wants to assume the responsibilities himself on the weekends and in his spare time? Techcrunch is running a poll on this very question. So take the time and head on over and share your input on this question. In a world of increasing threats to our IT infrastructure you would figure this role should be filled soon…

The Secret Battles of Electronic Warfare

Posted: 2009/04/09 in Information Security, Security Disclosures, Security News
Tags: hacking powerplant poweroutage cyberspies

This is not the first time we have mentioned the rise of computer security related crimes or pointed out the hacking of or weaknesses of many critical metropolitan infrastructures. With that said the recent hacking events first mentioned over the past weekend does again cast a big bright light on how living in our ‘digital age’ can also be our Achilles heel. Remember the East Coast Power Outage of 2007? No airports, emergency services, traffic & street lights, mobile phones, or other critical services.. Now picture that on a slightly larger scale, and you begin to understand how important events like this can be to not only us IT security folks but to the society as a whole.

The intruders, who came from countries including China and Russia, were believed to be attempting to map the US electrical system and work out how it was controlled…
…..Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.

Pen Testing with RUBY

Posted: 2009/04/08 in How To's, Information Security, Security News, Software News
Tags: security pentest ruby toolkit

It was in 2006 that the language known as RUBY was fully accepted as a standard language. The self described “open source programming language with a focus on simplicity and productivity” is one of the more powerful languages in use today. The folks over at Matasano Security (not affiliated with “matz” Y.Matsumoto the creator of RUBY) have announced the release of ‘rbkb’ or The Ruby Black Bag.

‘rbkb’ is an ever growing collection of reversing and pen-testing related ruby libraries and tools I’ve been using and evolving for a long time now.

Head on over to their site to read more.

LSYiPDT: Biometric Security Software

Posted: 2009/04/07 in LSYiPDT, Security News, Software News
Tags: biometric android g1 bbva biowallet

While the concept is pretty clear the development team is having some issue with resources ($$). You can read more about the concept first shown in the Android Dev Challenge at Androidandme.com. You can also show your support for the dev team by voting for them to help get some funding here.

I am pretty excited to see this project mature and release a workable version. In my opinion this would pretty much be cake for Android security which is already is ahead of the pack in this field.

Conflicted by Conflicker

Posted: 2009/04/06 in Information Security, Security Disclosures, Security News, Software News

As posted in the “Waiting for the Worms” article below the conflicker worm was MIA on April 1st along with all the Gloom N Doom forecasted by the IT security industry. There is an interesting article posted by SearchSecurity.com that talks about not only possible reasons for the fizzle of the worm but also the impact these “Crying Wolf” scenario’s can have on the security industry. Will we get to a point where these warning will be ignored? Is that maybe the intention of some of these skilled attackers? How about end users who could of patched this 6 months back but still may have not until something as hyped as this? .. Many good questions still to be answered.

Article: How to evaluate and manage UTM for network security

Posted: 2009/04/03 in How To's, Information Security, Security News

Unified threat management (UTM) is a promising approach to consolidating security controls, including firewalls, intrusion prevention, anti-virus, content filtering, and reporting.

Waiting for the Worms

Posted: 2009/04/01 in Information Security, Security Disclosures, Security News, Software News

As anyone who have heard any news media source lately may already know. Today is April Fool’s Day, and also “worm” day. For those that are unfamiliar the worms first started back in 1988 and was released by accident (so the story goes) by a researcher named Robert Morris. Today this has evolved quite a bit but the overall concept is still the same, create some malicious code that can move freely to any exploitable system it can talk to. While the build up for the today’s worm may have been part hype and part prior preparation, it is still a real reminder of how vulnerable our technology is still. For today’s threat make sure you are patched and safe.

Excerpt from “The Truth About Identity Theft”

Posted: 2009/04/01 in Information Security, Proof of Concept, Security News

It is common to read about various social engineering attack scenario’s in many of today’s IT security based books. None the less just like the need to constantly drill this information into the minds of the non tech users of many organizations. It makes for a better story when the scenario can be drawn from real world experiences. SearchSecurity had an excerpt from the book titled “The Truth About Identity Theft” that cover the topic in this exact way. But of course this would never happen in your organization now would it? (as they say ignorance is bliss)

Exploiting Intel CPU cache mechanism

Posted: 2009/03/31 in Hardware News, Information Security, Proof of Concept, Security Disclosures, Security News

Since I did not get out to Black Hat DC last month I was just reviewing the papers and came across one very interesting one. Aside from the white paper I also enjoy the story about the new “Friends” disclosing such an exploit brings. All in all a good read and just more wood for the fires of security threats in our digital age.. I should point out that the founder and CEO of the company to disclose this is pretty hot, and the fact that she is smarts.. and can hack increase the hot meter by at least x10.

[security.pimp]

Categories

-=[security.pimp]=-

tweets

Top Posts & Pages

Comments

Other cool Stuff