Archive for the ‘Security News’ Category

Since I did not get out to Black Hat DC last month, I was just reviewing the papers and came across one very interesting one. Aside from the white paper, I also enjoyed the story about the new “friends” that disclosing such an exploit brings. All in all a good read, and just more wood for the fires of security threats in our digital age. I should point out that the founder and CEO of the company that disclosed this is pretty hot, and the fact that she is smart and can hack increases the hot meter by at least 10x.

Read more about it here


During the Pwn2Own security competition, the hacker best known for hacking the iPhone discussed taking down fully patched MacBooks in under 2 minutes and shared some information about how it was done.

Yes, I took down the Mac in under a minute each time. However, this doesn’t show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don’t see the hard work in the preparation. If you set me down in front of an application I’ve never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I’d have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!

As for comparing this to other competitions, most other competitions face teams of hackers against programs written for the contest with bugs purposely added. I like Pwn2Own because it’s against real software and the bugs found are real bugs and are given to the vendors to fix, so some good comes out of it too.

New 0-day in the wild.
For those poor souls still using Internet Explorer, take heed!

Here are the details on the vulnerability and the emergency patch

Good Luck!
And if you haven’t already, Do Yourself A Favor

To anyone that has had to deal with this issue, I feel you. I can recall, less than 2 years ago, how an SSH brute-force attempt, our preventive/corrective actions, and their response (a weak DoS attempt) triggered a change in our internal process regarding SSH access to the outside world.

There was a fairly detailed write-up on SecurityFocus earlier this week that describes someone else attacking the same issue we faced. While there are various ways to address the situation, one thing is clear: we are never alone in this fight, and as long as we can freely share our experiences and knowledge we can only grow in our understanding and ability to fight off these types of attacks (or conduct them, depending on where you stand).
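The post above describes an SSH brute-force attempt without saying how it was spotted, so here is an added example (mine, not from the original post or the SecurityFocus write-up) of the detection logic a practitioner would run over sshd log lines: a per-source sliding window over “Failed password” events. The log lines, hostnames, IPs and thresholds are constructed for illustration; the second run with a wider window shows why a narrow window misses a low-and-slow attacker.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in classic syslog format (not real traffic).
# 203.0.113.9 hammers several accounts within seconds; 192.0.2.44 tries root
# once every 12 minutes; 198.51.100.7 is a legitimate user who fat-fingers once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:04 bastion sshd[4103]: Failed password for invalid user oracle from 203.0.113.9 port 51031 ssh2
Mar  3 10:01:05 bastion sshd[4105]: Failed password for root from 203.0.113.9 port 51040 ssh2
Mar  3 10:01:07 bastion sshd[4107]: Failed password for root from 203.0.113.9 port 51052 ssh2
Mar  3 10:01:09 bastion sshd[4109]: Failed password for invalid user test from 203.0.113.9 port 51060 ssh2
Mar  3 10:01:10 bastion sshd[4111]: Failed password for invalid user guest from 203.0.113.9 port 51071 ssh2
Mar  3 10:02:30 bastion sshd[4120]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:02:41 bastion sshd[4122]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
Mar  3 10:15:00 bastion sshd[4130]: Failed password for root from 192.0.2.44 port 60001 ssh2
Mar  3 10:27:00 bastion sshd[4132]: Failed password for root from 192.0.2.44 port 60002 ssh2
Mar  3 10:39:00 bastion sshd[4134]: Failed password for root from 192.0.2.44 port 60003 ssh2
Mar  3 10:51:00 bastion sshd[4136]: Failed password for root from 192.0.2.44 port 60004 ssh2
Mar  3 11:03:00 bastion sshd[4138]: Failed password for root from 192.0.2.44 port 60005 ssh2
Mar  3 11:15:00 bastion sshd[4140]: Failed password for root from 192.0.2.44 port 60006 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog has no year; collapse the padded day so strptime is happy
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag any source IP that reaches `threshold` failures inside a sliding
    window of `window_seconds`. Returns {ip: {"failures": n, "users": [...]}}
    with the total failures and the usernames each flagged source tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside window
    total = defaultdict(int)
    tried = defaultdict(set)
    flagged = set()
    for ts, user, ip in parse_failures(log_text):
        total[ip] += 1
        tried[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "users": sorted(tried[ip])} for ip in flagged}


if __name__ == "__main__":
    for window in (60, 3600):
        hits = find_brute_force(SAMPLE_AUTH_LOG, threshold=5, window_seconds=window)
        print(f"window={window}s ->", hits)
```

The 60-second window catches only the fast scanner; widening it to an hour also catches the one-attempt-every-12-minutes source. Whatever the output feeds (a firewall drop rule, a fail2ban-style jail, a ticket), the cheaper fix is the one the post alludes to: do not expose password authentication on SSH to the outside world at all (`PasswordAuthentication no`, key-based access only).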

So over the past 4-5 months I have been getting very strange calls, on all of my mobile and landline numbers.

They usually all start the same way:
“This is an Automated message informing you that your auto warranty is about to expire. Please stay on the line to renew”

The first few times I disregarded this message as maybe some type of mix-up. I mean, all of the vehicles I own are older than 20 years, so I would not expect any type of auto warranty at this point. But the calls continued. Finally, after about the fourth or fifth call, I realized this was a scam. Not only are they contacting me on my personal numbers, but they are reaching me on my business mobile, of which only select people have the number.
It does seem I am not alone in getting hit with this scam. But unlike what other people have mentioned, I am getting these calls from legit-looking numbers which appear to be within the USA (Denver, Los Angeles, Georgia). I am not sure if the boiler rooms these calls are coming from are US-based or just being routed through some VoIP server in another country.

Another interesting occurrence recently was a call my wife received. It was someone claiming to be from one of our credit card companies. Being my wife, and having lived through the security lectures that are my passion, she asked for a company name, address, and call-back number before providing any more info. The caller quickly hung up.

With the current state of the world economy and the ease of use of VoIP tools, I think the rise in phone-based phishing scams is just the tip of the iceberg.

If you feel you are being harassed by these scammers, there are a few things to look for, and even some things you can do to report this and fight back.

Personally, I want them to call back, and this time I want to talk to a live person.
I have my airhorn sitting on my desk, ready to rip some eardrums!
Will that stop the calls? Probably not, but at least when their ears are ringing they will remember me 😉

The article states that at least 18 servers (and maybe as many as 40) had been penetrated, including Human Resources and the bank’s “security and password server”.

More Info…

While ATM skimming is nothing new, it really is interesting to look at the current situation with this technology and the way it’s being abused. ZDNet had a good write-up revisiting the process in today’s world.

Starting from $8,500 and capable of sending 1,856 SMS messages — processed credit card details — without any charging, the introduction of built-in SMS notification, and the ability to “call the ATM skimmer” in order to retrieve the information, is a major milestone for an ATM skimming device.

More Info…

Rather than base the encryption on complex maths, such systems use the laws of quantum theory – in particular, the Heisenberg Uncertainty Principle, which says quantum information cannot be measured without disturbing it.

More Info…
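The quoted article says quantum key distribution rests on the fact that measuring a photon disturbs it, but does not show how that disturbance is turned into a security check. The following is an added example (mine, not from the article) that simulates the BB84 exchange classically: Alice encodes random bits in random bases, Bob measures in his own random bases, the two sift out mismatched bases over the public channel, and an intercept-and-resend eavesdropper is detected because her basis guesses corrupt about a quarter of the sifted bits. Real photons are replaced by (basis, bit) tuples; the 11% abort threshold is an assumed parameter, not something the article states.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two conjugate polarization bases


def measure(photon, basis, rng):
    """Measure a photon encoded as (basis, bit). Measuring in the encoding
    basis returns the bit exactly; measuring in the other basis returns a
    random result and the original state is lost (the disturbance the article
    attributes to the uncertainty principle, modelled classically here)."""
    photon_basis, bit = photon
    if photon_basis == basis:
        return bit
    return rng.randint(0, 1)


def bb84(n_qubits, eavesdrop, seed=1):
    """Run one BB84 exchange and return the sifted keys and the quantum bit
    error rate (QBER) Alice and Bob would observe when comparing a sample."""
    rng = random.Random(seed)        # seeded so the run is reproducible

    # Alice: random bit string, each bit sent in a random basis.
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    photons = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # Eve intercepts every photon, measures in a guessed basis, and sends
        # Bob a fresh photon prepared in her basis with the value she read.
        # Where she guessed wrong, Bob's matching-basis measurement is now random.
        resent = []
        for photon in photons:
            eve_basis = rng.randint(0, 1)
            resent.append((eve_basis, measure(photon, eve_basis, rng)))
        photons = resent

    # Bob: measures each arriving photon in his own random basis.
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting: bases are announced publicly; positions where they differ are discarded.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return {
        "sifted_bits": len(keep),
        "errors": errors,
        "qber": errors / len(keep),
        "alice_key": alice_key,
        "bob_key": bob_key,
    }


def channel_is_clean(qber, max_qber=0.11):
    """Assumed abort rule: accept the key only if the observed error rate is at
    or below max_qber; an intercept-resend attack pushes it to roughly 25%."""
    return qber <= max_qber


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted_bits']} "
              f"errors={r['errors']} qber={r['qber']:.3f} "
              f"accept={channel_is_clean(r['qber'])}")
```

Without Eve the sifted keys agree bit for bit; with her in the line roughly half of her basis guesses are wrong, and half of those flip Bob's bit, so about 25% of the sifted key disagrees and the exchange is aborted. The bits sacrificed for that comparison, and the error-correction and privacy-amplification steps a real QKD system runs afterwards, are omitted here.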

Security researchers warned today that a new class of vulnerabilities dubbed “clickjacking” puts users of every major browser at risk from attack.

More Info…

“Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned,” Lee told CNET News. “One of the behaviors experienced was packet loss where the packets just kept trying, and trying, and trying, creating, more or less, a denial of service (DoS) on that machine.”

More Info…