Archive for the ‘Security News’ Category

RSA researcher Ari Juels sat down with SearchSecurity.com to discuss various topics, one of which was the constrained capabilities of RFID tags (think wireless bar codes) and how those constraints affect the security posture needed to protect these devices.

But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.

Read More Here …

There is a CNET report on the director of the NSA stating:

“We do not want to run cybersecurity for the U.S. government”

At least not for all the government agencies, just a select few. With all the recent high-profile security breaches at government facilities, the brutal honesty of the statement is understandable. It is promising to note that some plans are in the works to fix the situation. We have more than enough skilled security experts in this nation; it is about time we tapped every resource possible to help strengthen our national cybersecurity posture.

I suspect we may never really know the full impact some of these security breaches have had.

Read More Here …

Some fairly critical issues have been disclosed in a very popular security product.

Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability.

An attacker can use readily available network utilities to exploit these issues.
The following example data is sufficient to exploit the denial-of-service issue affecting PIX and ASA:

/* Utilize 1550 blocks on an ASA to trigger a crash... */
hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2

/* Trigger the vuln a bit faster */
hping --fast -p 22 -w 1518 -S -d 26201 -a 10.22.1.1 10.22.1.2

Read More Here …

This is not the first time we have mentioned the rise of computer security related crimes or pointed out the hacking of, or weaknesses in, many critical metropolitan infrastructures. With that said, the recent hacking events first reported over the past weekend again cast a big bright light on how living in our ‘digital age’ can also be our Achilles’ heel. Remember the East Coast Power Outage of 2007? No airports, emergency services, traffic and street lights, mobile phones, or other critical services. Now picture that on a slightly larger scale, and you begin to understand how important events like this are, not only to us IT security folks but to society as a whole.

The intruders, who came from countries including China and Russia, were believed to be attempting to map the US electrical system and work out how it was controlled…
… Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”

Read More Here …

It was in 2006 that the language known as Ruby was fully accepted as a standard language. The self-described “open source programming language with a focus on simplicity and productivity” is one of the more powerful languages in use today. The folks over at Matasano Security (not affiliated with “Matz”, Y. Matsumoto, the creator of Ruby) have announced the release of ‘rbkb’, the Ruby Black Bag.

‘rbkb’ is an ever-growing collection of reversing and pen-testing related Ruby libraries and tools I’ve been using and evolving for a long time now.

Head on over to their site to read more.

While the concept is pretty clear, the development team is having some issues with resources ($$). You can read more about the concept, first shown in the Android Developer Challenge, at Androidandme.com. You can also show your support for the dev team by voting for them to help get some funding here.

I am pretty excited to see this project mature and release a workable version. In my opinion this would pretty much be cake for Android security, which is already ahead of the pack in this field.

As posted in the “Waiting for the Worms” article below, the Conficker worm was MIA on April 1st, along with all the gloom and doom forecast by the IT security industry. There is an interesting article posted by SearchSecurity.com that discusses not only possible reasons for the worm’s fizzle but also the impact these “crying wolf” scenarios can have on the security industry. Will we get to a point where these warnings are ignored? Is that perhaps the intention of some of these skilled attackers? What about end users who could have patched this six months ago but still may not have until something as hyped as this came along? Many good questions remain to be answered.

Read More Here

Unified threat management (UTM) is a promising approach to consolidating security controls, including firewalls, intrusion prevention, anti-virus, content filtering, and reporting.

Read More Here

As anyone who has heard any news media source lately may already know, today is April Fool’s Day, and also “worm” day. For those who are unfamiliar, worms first appeared back in 1988, when one was released by accident (so the story goes) by a researcher named Robert Morris. Today the threat has evolved quite a bit, but the overall concept is still the same: create some malicious code that can move freely to any exploitable system it can talk to. While the build-up for today’s worm may have been part hype and part prior preparation, it is still a real reminder of how vulnerable our technology still is. For today’s threat, make sure you are patched and safe.

It is common to read about various social engineering attack scenarios in many of today’s IT security books. Nonetheless, just as this information needs to be constantly drilled into the minds of the non-technical users in many organizations, it makes for a better story when the scenario is drawn from real-world experience. SearchSecurity had an excerpt from the book titled “The Truth About Identity Theft” that covers the topic in exactly this way. But of course this would never happen in your organization, now would it? (As they say, ignorance is bliss.)

Read More Here