Monthly Archives: October 2007

Automate the workaround for the critical Adobe Security Vulnerability

Filed under Vulnerabilities

If you haven't heard, there is a critical security vulnerability that affects Adobe Acrobat and Adobe Reader versions 8.1 and earlier.
See Adobe Security Advisory APSA07-04 and CVE-2007-5020.

According to the Adobe Security Advisory, your machine is vulnerable if you have all of the following:

* Adobe Reader 8.1 and earlier OR Adobe Acrobat 8.1 and earlier
* Windows XP
* Internet Explorer 7

Javacool Software has a nice little tool that implements the workaround mentioned in the Adobe security advisory here.


Passwords on the Loose – F-Secure Weblog

Filed under Hacking

Interesting article on password lists being published on the Internet. Tens of thousands of forum password hashes (79,000) were posted to a Finnish website. Most were from Finnish forums, but nonetheless it goes to show that webmasters need to continuously patch their websites, or their databases will be pwned!

Passwords on the Loose – F-Secure Weblog : News from the Lab

The link in this article about the embassy pop3 passwords is very interesting as well.


Help protect your identity with RFID credit/debit card shields

Filed under Security Awareness
[Image: RFID tag in a debit card]

While checking out some security blogs the other day I came across a very good article over at the IT Security Expert blog about 15 tips to help reduce the risk of identity theft and fraud. One thing to add to that list is to use an RFID shield for your RFID enabled credit/debit cards.

RFID or "contactless" payment cards are being issued by more banks and are being accepted at more merchants. I actually noticed recently that you can use your MasterCard PayPass RFID card at Sheetz gas stations and also at the local movie theater.

Several vulnerabilities (good paper here) and other security concerns, especially around privacy, have been raised regarding RFID.

One example I saw was at the Black Hat conference in Las Vegas this past year. I was walking by one of the entrances to the conference areas and noticed a gentleman sitting with a laptop and a long-range wireless antenna (it looked like a Pringles can). On the antenna was a sticker that said "Your RF is showing". I observed that he would also smirk when conference attendees passed him, and I took it that he was getting at least "some" identifying information from RFID-enabled cards people had on them. In addition, I saw a great (but scary) presentation at Black Hat from Adam Laurie entitled "RFIDIOts!!! Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)". These two examples made me think that I should probably use some sort of protection while carrying these cards around.

The solution?
Yes, wrapping your cards in tin foil supposedly works, but it's not as sexy as a sleeve shield to put your cards in. A company called Identity Stronghold makes "Secure Sleeve" shields for ISO 14443/15693 and EPC Gen 1/Gen 2 contactless smart cards and RFID tags (bank-issued contactless payment cards are ISO 14443 cards). You can check them out here. There is also a company that makes RFID-blocking wallets, which shield the entire wallet.

I highly recommend you check out Adam Laurie's website, which has really good technical information about different types of RFID tags as well as software (written in Python) to read them. You can even buy the hardware needed to read RFID tags directly from his site.

If you ever get a chance to see Adam speak, do so; he is one of the leading RFID security researchers and a great presenter as well.


Would you answer these questions?

Filed under Security Awareness

Interesting post on the F-Secure Weblog about a recent PayPal phish. Take a look at the questions being asked. Do you think someone would fall for this? You bet! It is amazing to me that people will still give up all of this sensitive information when asked (click on the link below for a screen shot).

There is no cure for human stupidity except more education. :)

[Screenshot: Questions asked in a PayPal Phish]

How Gullible Can You Get? – F-Secure Weblog : News from the Lab


SANS Institute – One Team, Two Team, Red Team, Blue Team

Filed under Penetration Testing

I saw a good webcast and presentation on forming a red/blue team in your environment. What is a red/blue team? The red team is basically your attackers and the blue team is your defenders. This is a typical program used by the government and other large organizations to test the assessment process as well as incident response. Lots of good stuff for forming your own pen test team, no matter the size of your organization.

You can view the entire archived webcast below (presentation by Dave Shackelford).

Note: you have to register for an account on the SANS portal to view the presentation but I highly recommend you do that anyway just to get the great SANS newsletters every week. :)

SANS Institute – Ask The Expert Webcast: One Team, Two Team, Red Team, Blue Team


Sneaky White Hats Pull Surveillance Cam Switcheroo

Filed under Physical Security

Remember the movies where the bad guys replace the security guard's video feed with a fake one showing an endless loop of nothing? Security researchers have just figured out how to do this on an AXIS 2100 surveillance camera. This is a popular camera that can be remotely controlled and viewed over the web.

“This hack (.pdf) works by combining a few vulnerabilities in how the camera’s accompanying software accepts input — a type of security hole known as cross site scripting, or XSS.

In this case, the attacker first sends some malformed information — which is actually JavaScript — to the camera’s web server, which then writes that information to the log files. When the camera’s administrator checks the logs, the JavaScript executes, creating a new user account and e-mailing the attacker that the new account has been created.

…From there the attacker can simply change the HTML on the camera viewing page to secretly point the playback screen to another video file — one that can even be hosted on another web site.”

The trick is getting the administrator to look at the logs. That could easily be prompted by sending a flood of traffic to the camera to cause a temporary denial of service: the administrator investigating the outage opens the log page, and the injected JavaScript runs in their authenticated browser session. You can view the entire hack here. The full article is below.

Sneaky White Hats Pull Surveillance Cam Switcheroo
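To make the log-injection stored XSS concrete, here is an added example of the pattern, not the Axis camera's code or the researchers' exploit. It uses a toy "camera web server" that records every requested path in its log and later renders that log as an HTML page for the administrator. The `/admin/adduser` URL and the log format are constructed stand-ins; the vulnerable and hardened renderers sit side by side, along with a simple check that flags script-like log entries.

```python
import html
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not Axis code: a toy "camera web server" that records each
# requested path in its log and later renders the log as an HTML page for the
# administrator. The /admin/adduser URL is a constructed stand-in for whatever
# privileged action the admin's logged-in browser session can perform.

SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


@dataclass
class CameraWebServer:
    log: List[str] = field(default_factory=list)

    def handle_request(self, path: str) -> str:
        """Log the request exactly as received (this is the injection point)."""
        self.log.append(f"GET {path} 404")
        return "404 Not Found"

    def render_log_unsafe(self) -> str:
        # Vulnerable: log lines are concatenated straight into the HTML, so a
        # path containing <script> becomes live script when the admin views it.
        rows = "".join(f"<tr><td>{line}</td></tr>" for line in self.log)
        return f"<html><body><table>{rows}</table></body></html>"

    def render_log_safe(self) -> str:
        # Hardened: escape every log line at output time so the browser shows
        # the attacker's text instead of executing it.
        rows = "".join(f"<tr><td>{html.escape(line)}</td></tr>" for line in self.log)
        return f"<html><body><table>{rows}</table></body></html>"

    def suspicious_log_lines(self) -> List[str]:
        """Detection check: flag log entries that carry script-like content."""
        return [line for line in self.log if SCRIPT_MARKERS.search(line)]


# Constructed attacker request: the "path" is script that, once rendered into the
# admin's log page, makes the admin's browser create a new account on the camera.
ATTACK_PATH = '/<script>new Image().src="/admin/adduser?name=eve&pw=x"</script>'


def run_scenario() -> Tuple[str, str, List[str]]:
    cam = CameraWebServer()
    cam.handle_request("/view/index.shtml")   # a normal request
    cam.handle_request(ATTACK_PATH)           # the log-injection request
    return cam.render_log_unsafe(), cam.render_log_safe(), cam.suspicious_log_lines()


if __name__ == "__main__":
    unsafe, safe, flagged = run_scenario()
    print("unsafe log page contains live <script>:", "<script>" in unsafe)
    print("safe log page contains live <script>:  ", "<script>" in safe)
    print("flagged log lines:", flagged)
```

The fix is output encoding at the point where log data meets HTML; filtering on input is not enough, because the log has to record what the attacker actually sent. The detection regex is only a triage aid for reviewing logs, not a substitute for escaping.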


Phishing victims learn online security lesson

Filed under Security Awareness

Here is a good article about some research done at Carnegie Mellon University. They explain that when users are sent phishing-type emails in a controlled environment, the users who are tricked into clicking the links in those emails become more receptive to learning about online security.

“…phishing is often successful because many people ignore educational material that might otherwise help them recognize such frauds.”

This is so true, especially in the corporate world. How many of your users actually read the propaganda that your IT security department sends out?

“…initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating users to protect themselves.”

I am a strong advocate of testing your own employees using the same tactics as the phishers. One idea you can use in your organization: send your employees an email that looks like a phish; when they click on the link, it takes them to an awareness page that explains phishing techniques. This can easily be set up with an internal web server and an internal SMTP gateway. I am starting to put together a more detailed article on ideas for increasing security awareness about phishing. If you have some ideas, let's talk about them in the security forums (click below).
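As an added example of how that internal test could be wired up (this is not from the original post or the CMU research), here is the link-tracking side of a simulated phish. The awareness URL, the secret key and the email wording are assumptions. Each recipient gets a link carrying an HMAC token, so the internal web server can attribute a click to a person without trusting the user-supplied query string, and a link that has been edited or forwarded with a different name in it is rejected rather than counted against someone else.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not from the original post. Assumed setup: an internal web
# server hosting an awareness page at AWARENESS_URL and holding SECRET_KEY.
AWARENESS_URL = "http://awareness.corp.internal/phishing-lesson"  # assumed host
SECRET_KEY = secrets.token_bytes(32)                                # server-side only


def make_token(user_id: str, campaign: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over (campaign, user) so a link cannot be forged or retargeted."""
    msg = f"{campaign}\x00{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_tracking_link(user_id: str, campaign: str, key: bytes = SECRET_KEY) -> str:
    query = urlencode({"c": campaign, "u": user_id, "t": make_token(user_id, campaign, key)})
    return f"{AWARENESS_URL}?{query}"


def compose_test_phish(user_id: str, campaign: str, key: bytes = SECRET_KEY) -> str:
    """Body of the simulated phish handed to the internal SMTP gateway (constructed text)."""
    link = make_tracking_link(user_id, campaign, key)
    return (
        "Subject: Action required: verify your payroll account\n\n"
        "Our records show a problem with your direct deposit. Please confirm your\n"
        f"details within 24 hours: {link}\n"
    )


def record_click(url: str, clicks: Dict[str, Set[str]],
                 key: bytes = SECRET_KEY) -> Optional[Tuple[str, str]]:
    """Server side: verify the token, record the (campaign, user) click and return
    it; return None and record nothing for a missing, forged or tampered link."""
    qs = parse_qs(urlparse(url).query)
    try:
        campaign, user_id, token = qs["c"][0], qs["u"][0], qs["t"][0]
    except (KeyError, IndexError):
        return None
    expected = make_token(user_id, campaign, key)
    if not hmac.compare_digest(expected, token):   # constant-time comparison
        return None
    clicks.setdefault(campaign, set()).add(user_id)
    return campaign, user_id


def click_rate(campaign: str, recipients: List[str], clicks: Dict[str, Set[str]]) -> float:
    """Fraction of the campaign's recipients who clicked a valid link."""
    clicked = clicks.get(campaign, set()) & set(recipients)
    return len(clicked) / len(recipients) if recipients else 0.0


if __name__ == "__main__":
    clicks: Dict[str, Set[str]] = {}
    staff = ["alice", "bob", "carol"]
    for person in staff:
        print(compose_test_phish(person, "q4-2007"))
    # alice clicks her own link; someone edits bob's link to pin the click on carol
    record_click(make_tracking_link("alice", "q4-2007"), clicks)
    tampered = make_tracking_link("bob", "q4-2007").replace("u=bob", "u=carol")
    print("tampered link accepted:", record_click(tampered, clicks) is not None)
    print("click rate:", click_rate("q4-2007", staff, clicks))
```

Run with the awareness page as the landing target so the click both records the result and delivers the lesson in the same request. Keep the key on the web server only; the mail-generation step needs the finished links, not the key.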


WEP blamed for TJX data breach

Filed under Wireless Security

[Image: WiFi Hacker]

I am sure all of you have heard about the massive TJX data breach, which was detected back in December 2006. It looks like WEP was the root cause of the breach:

“While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.”

Two years to convert from WEP to WPA may sound like a long time, but I am not surprised, as upgrades like this in very large corporations can take even longer than two years. The likely cause of the delay, though, was the set of deployed systems that did not support WPA. Keep in mind that with WPA and WPA2 in pre-shared-key mode you need to choose a long (63 characters if possible), random passphrase: the key is derived from the passphrase and the SSID, so anyone who captures a client handshake can test passphrase guesses offline, and only a long, unique passphrase puts that out of reach.

I wrote an article about properly securing your wireless network last year that explains why it is important to choose a very long, unique WPA-PSK passphrase.
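To show why passphrase length is what matters in WPA-PSK, here is an added example (not from the original post or the TJX reporting) that derives the WPA/WPA2 pre-shared key the way IEEE 802.11i specifies it and runs a small offline dictionary attack against it. The wordlist is constructed; the `"password"` / `"IEEE"` pair is the published 802.11i test vector, and the PMK stands in for the handshake MIC an attacker would actually check.

```python
import hashlib
import math
from typing import Iterable, Optional

# Added example, not from the original post. WPA/WPA2-PSK derives the 256-bit
# Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, salted
# with the SSID and iterated 4096 times (IEEE 802.11i). Everything else needed
# to check a guess (SSID, nonces, MAC addresses, MIC) is visible in a captured
# 4-way handshake, so the passphrase is the only secret. Here the PMK itself
# stands in for the MIC comparison an attacker would do on real captures.


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(ssid: str, captured_pmk: bytes,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack: derive the PMK for each candidate and compare. Returns the
    passphrase if it is in the wordlist, otherwise None. Each candidate costs the
    attacker 4096 HMAC-SHA1 rounds, which is why the list has to be short-ish
    and why a passphrase outside any list is never found this way."""
    for guess in wordlist:
        if 8 <= len(guess) <= 63 and wpa_pmk(guess, ssid) == captured_pmk:
            return guess
    return None


def passphrase_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random passphrase over printable ASCII (95 symbols)."""
    return length * math.log2(alphabet_size)


# Constructed wordlist: contains "password", does not contain the random passphrase.
WORDLIST = ["letmein", "tjxstore1", "password", "wireless", "Summer2007"]
RANDOM_PASSPHRASE = "x7#Qm!p2Lr9&vB4zTc8@Wn5^Hy1*Ks6%Fd3(Jg0)"   # constructed, 40 chars

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    weak = wpa_pmk("password", "IEEE")
    print("weak passphrase recovered:", dictionary_attack("IEEE", weak, WORDLIST))
    strong = wpa_pmk(RANDOM_PASSPHRASE, "IEEE")
    print("random passphrase recovered:", dictionary_attack("IEEE", strong, WORDLIST))
    print("entropy of 8 random chars: %.1f bits" % passphrase_entropy_bits(8))
    print("entropy of 63 random chars: %.1f bits" % passphrase_entropy_bits(63))
```

Because the SSID is the PBKDF2 salt, an attacker can precompute PMK tables for common SSIDs; a non-default SSID forces the work to be redone per network, but it is the passphrase that decides whether the work can ever finish.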

More on the TJX fiasco is here.


Angelina Jolie ‘nudes’ increase malware in September

Filed under General Security

"One in every 833 emails in September were infected with malicious attachments compared to one in every 1,000 during August, new research reveals."

So what's up with the increase? Blame this one on "fake" Angelina Jolie nudes! Spammers have been sending out emails tempting users to view "nude" pictures of Angelina and other famous women. Clicking on the link gives you another surprise: the Pushdo Trojan!

[Image: Angelina Jolie in Tomb Raider]

“The trick of tempting users with scantily clad pictures of hot-looking girls is as old as the hills, but people still fall for it. This outbreak underlines that hackers have not turned their backs on using email as a vector for attack. “

It sounds funny, but it's true. It goes to show that user awareness needs to improve around clicking on links in spam and opening email attachments. Many people think that if they have anti-virus installed then they are protected. That isn't always the case: anti-virus vendors need time to develop signatures for new Trojans like this one, and coverage varies from vendor to vendor.

Full article on this is here.


Attackers take down Fraudwatchers.org

Filed under Hacking

I guess it was just a matter of time before Fraudwatchers.org was completely shut down by a massive botnet DDoS attack, which started in August. Even after moving to another server, the attacks got more intense! This goes to show that botnets are still a very real and serious threat. While Fraudwatchers.org couldn't stop an attack like this (mostly because of cost and feasibility issues), other sites like CastleCops have been dealing with this for some time as well. This could really happen to any organization, not just anti-fraud/crime websites. Unless an organization has some serious cash, how can one defend against something like this?

Good article about this over at Darkreading.org.

Here is a good site with some ideas on how to prevent DDoS attacks. There is not a whole lot of information out there; hopefully more research is done on this subject soon.
