OSCP Certification Challenge (The Most Intense 24 Hours I've Had This Year)

I signed up for the Offensive Security 101 training back at the beginning of May, and I actually got around to going though the course material towards the middle of July. At a first glance, I really wasn't too sure what to make of it, as reading through the index of the training, I was thinking that I know most of the coursework, and maybe I had just wasted some of my bosses budget. To be honest I kind of felt this was even while I was going through the training, kinda that something was missing. Ok, so I have been in this industry for probably about 10 or so years now, and with that comes experience, but still, I enjoy learning something new. The one thing that I would say about this course though is that if you just go through the course slides and the PDF, and leave it at that, not only will you not be ready for the certification challenge if you want to try it, but there's a good chance that you won't make it. The course is a brilliant overview into the tools of penetration testing, and how to use them, but you've really got to do quite a bit of work outside of the course ware to get real benefit from it. Which really is understandable, this is a security course, not a learn Python, Perl, C++, Networking, Windows, Unix, Linux and security course. I think that the guys at Offensive Security have done an amazing job on this course and I can't wait to try their next offering! Now, onto the challenge, obviously I can't mention too much about it here, but I can say that out of all the certifications that I hold, this has got to be the one that I am the most proud to have obtained. I started the challenge at 15:00, by about 16:30 I had already gotten through the first of five hosts. I though things were going well, then I only managed to get through the second host at about 23:45. I had a couple of hours sleep between 05:30-07:30 and then carried on until 15::00. It's the most intense exam that I've ever done for a certification, and I would happily recommend it to anyone. Also having one of the Offensive Security team around to reboot the servers when needed was a godsend, so thank you for your patience ;-) I got news about 18:30 that I'd made it through, and am now OSCP (Offensive Security Certified Professional) certified! Anyone even thinking about doing this course, just take the plunge and do it, you won't regret it.

Technorati Tags: Exploits, Hacking, Training, Security, Vulnerabilities

New Beast

Well, driving around in a sports car has been great for the last couple of years, but I decided that I wanted something that's, well a bit more me shall we say ;-)
This is my new baby, with all the mod-cons that I could ever ask for, it does need a bit of work doing to it, but hey, I'm really looking forward to it. Yeah I know, anyone who knows me probably will laugh at the thought of me working on a car, let alone getting all greasy and the like, but I'm actually really excited it.

It's got 3 monitors already built in, the only catch is that they're all hooked up to a DVD player at the moment, which would be great if we had kids, but as we don't, in time the DVD player will be getting replaced with a Mac Mini, and then I'll be adding an omi-directional antenna onto the roof as well. I'm sure that you can see where this is going, so I'll leave it at that.

Facebook

Okay, so I've had a Facebook account for a while now, maybe a month, but it's only this weekend that I've actually started making use of it, well the way that it's intended anyway. I know that I'm not the only person on the planet that can see the security issues with Facebook, Christ, there have even been posts online about how identity theft is getting a not so little helping hand from Facebook. I won't argue that I've been hooking up with people that I lost contact with about 10 or so years ago, and exchanging photp's with family members, but still, this really is a bomb waiting to go nuclear. I know that web developers in particular are getting smarter day by day to the ways of the the wiley hacker, but I still think that no matter how good your developers are, there is someone out there who is going to find a hole, and a major way to exploit it, and if they're lucky sell it on. So, even though I do have a bit of personal information on there, it's nothing anyone who actually knows how to use Google couldn't find, I say let the games begin!! Ozzy Osbourne - Diary Of A Madman

Technorati Tags: Hacking, Identitiy Fraud, Security, Web Applications

VoIP Security

Securing VoIP, now there's a interesting task! Over the last couple of months, I think that I have almost read everything that there is to read about VoIP and securing it. I must say that I'm all for VoIP technology, but after deciding that I really needed to learn about what's happened in regard to VoIP over the last few years, as I hadn't touched it for a while, I'm shocked to say that the risks have increased a hell of a lot, but it seems that most vendors,(aside from one), haven't really catered for these risks, and still have the same old slap dash security in place. Also, finding buffer overflows that no-one has reported really worries me, as things like this should have been fixed ages ago, and trust me, it really wasn't a difficult one to find at all, no fuzzers, just a string of random characters and boom! One of the other things that really bugs me, is who in their right mind, this day and age still uses telnet on their kit, and who allows this to be used on their network, when will people wake up? Well, I could rant on about VoIP for ages, but I'm not going to, I'm going to stick to using a normal phone as little as possible, e-mail and Instant Messaging as much as possible, and all other comms can be done on IRC, the way that they were supposed to be. Speaking of IRC, here's a nice little titbit from bash.org yay I fixed my laptops battery! it was so dead, nothing would charge it so I gave it the electronic equivalent of a kick in the head, by shorting the +/- terminals for 5 minutes don't they have stickers on them that say they could explode or catch fire by doing that? yeah but it's ok, I took them off first.

AACS encryption key T-Shirts

I've gotta get me one of these!!! http://www.jinx.com/scripts/details.asp?productID=992 Just another reason that I love Jinx. More info on the whole AACS encryption key controversy can be found over at WikiPedia here. Bed Of Razors from the album "Hatebreeder" by Children Of Bodom

Technorati Tags: DRM

Passed SSP-DRAP (Defeating Rogue Access Points) With 100%

I just sat and passed the above exam, so I'm now going to spend the rest of the day relaxing. I was invited to become a SANS Stay Sharp Instructor, and this is the first course that I opted for teaching, I had to get over 85% though to be able to teach this one, seems that I managed that one okay though ;-) I'm not going to even try to schedule when I will be teaching this one until I get back from my holiday though, once I do though, I will post an update on here for anyone who's interested in attending it though. After going through the course ware myself, I can definitely say it'll be a fun and interesting course. The good thing about it as well though, is that I think that just about anyone could walk away with some added knowledge after attending it. I do plan on doing as many of the SANS Stay Sharp Courses as possible though, as this will put me in a better position to cater for different peoples training needs, and help me get the word out about SANS in the UK a bit more hopefully. SANS may be really huge in the US, but it seems that their UK presence is severely lacking, and I really want to do something about that. You can get more info on the SSP-DRAP course from the SANS site here. Silent Night, Bodom Night from the album "Hatebreeder" by Children Of Bodom

Technorati Tags: SANS, Security

Month Of .......Bugs

Okay, so there have been all sorts of Month Of security findings lately, but I really wish that people would ramp this up a little bit to the major vendors aside from Apple and Microsoft. I mean where are the Cisco, Sun and IBM bugs? I've been meaning to spend some time on Solaris 10 myself, but it would take more than just me to pull this one off (any takers?) Also, there has been a Month Of Myspace Bugs, but what about other social networking sites, or webmail sites? Also what about applications, like Citrix, Oracle, MS-SQL Server I know that a lot people have been complaining that the whole Month of thing is going a bit far, but it does seem to be waking up certain vendors quite a bit. Just my thoughts, that I'm probably going to get a load of criticism for, but hey. We're all after the same goal here, making the Internet more secure, the sooner we discover these bugs, the better off everyone will be.

The Number...

09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0 There you have it, talk about generating a lot of noise on the Internet ;-) More info here.

Apple Patches QuickTime Security Flaw

From TheRegister.co.uk QuickTime one of four popular apps currently at risk By Dan Goodin in San Francisco → More by this author Published Wednesday 2nd May 2007 02:04 GMT Apple has patched a high-profile vulnerability in QuickTime eleven days after the flaw allowed a hacker to publicly hijack a brand new MacBook Pro. The Apple media player is just one of four popular applications suffering from security defects that currently require the urgent attention of those who use them. The three other applications include Adobe Photoshop, the Winamp media player and Trillian, a client that combines the functionality of IRC, AOL Instant Messenger, MSN Messenger and other chat programs. Today's update from Apple means that two of the four applications have patches (Trillian's patched download is here.) Users who care about the security of their machines should install them promptly. According to an advisory from Secunia, the current version of Winamp contains a flaw in the way the program handles MP4 files that could allow a booby-trapped file to execute arbitrary code on a victim's machine. Secunia rates the flaw highly critical, the site's second most serious rating. Until there is a patch, Winamp users may want to think twice about playing MP4 files unless absolutely sure they originated from reputable sources. Secunia has also warned of at least two serious vulnerabilities in Photoshop that are also labeled highly critical. One flaw, a buffer overflow vulnerability, affects Adobe Photoshop CS2 and Adobe Photoshop CS3 and involves their handling of Bitmap files. The other affects the same two Photoshop versions as well as Adobe Photoshop Elements 5.x and leaves users open to attack if they open malformed PNG graphics files. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe. Version 3.1.5.0 of Trillian carries three vulnerabilities related to IRC that could allow for the interception of private conversations or the execution of code with the same privileges as the currently logged on user, according to iDefense Labs. The security provider didn't assign a rating to the vulnerabilities. Apple describes the patched vulnerability in QuickTime for Java as an implementation issue that "may allow reading or writing out of the bounds of the allocated heap." By luring a victim to a malicious website, a miscreant could hijack a user's machine, Apple warns. The update is available for Mac and Windows platforms. The QuickTime vulnerability was discovered by Dino Dai Zovi, who spent about nine hours to write code that exploited it and submitted it as part of a contest at the CanSecWest security conference. His discovery, first reported to affect Safari, was later shown to target QuickTime. In either case, the exploit allowed him to take control of a 15-inch MacBook Pro when it visited a website that hosted the malicious code. ® ------------------------------------------------------------------------------------------- Well, 11 days isn't record time, but it's still pretty quick in the grand scheme of things, so well done to Apple, now they just need to learn to release patches even quicker. Like I said, 11 days isn't that bad at all, but it's still 11 days to exploit what appears to be a rapidly growing market share.

Technorati Tags: Apple, Exploits, Vulnerabilities

Nine Inch Nails - Year Zero: A Post-Iran War American Dystopia Set in 2020

From Jonesreport.com "I thought about what was at the forefront of my concern...the state of being an American citizen, a lot of concern about the direction our country is headed in. Kind of the erosion of freedoms that it seems like we're experiencing and the way we treat the rest of the world and our own citizens felt like something I needed to comment on." -Trent Reznor Best-selling industrial rock band Nine Inch Nails' latest album, Year Zero, delves into new ground. For the first time, the group's front man and primary writer, Trent Reznor, focuses mainly on politics. He seems to be jumping headfirst into a game of politics with the resistance party. However, he does so not just with the album's music, but also numerous accompanying multimedia-- Reznor has thrown a private concert, scattered random tracks in random locations, made websites, all above and beyond the album itself. And it’s all about his message of resistance. Reznor covers nearly all the bases: The war on terror, the military industrial complex, the death of America from the loss of liberty, and the resultant New World Order. Reznor even had a flag made to represent the resistance against the NWO (see top). The video to the album's first single, Survivalism, shows, in all its Orwellian glory, cameras in black and white strategically located around town displaying people in the bathroom, watching TV, having sex, preparing to vandalize a wall with graffiti, and finally, there’s Nine Inch Nails performing the song in a dingy room. There are CCTV cameras everywhere now, not just in public places. What should be private is public and worse, the people either don't realize they are being watched or have become accustomed to living without privacy. The video to the first single-- Survivalism-- featuring a dystopic world viewed through invasive and completely pervasive CCTV cameras (note: this external link contains some graphic imagery and that of a nightmarish police state) It seems that in this world-- projected 15 years into the future, in 2022-- the USA has turned into Nazi Germany and privacy is a thing of the past. After a minute into the video, a police force wearing all black uniforms can be seen working their way around town, as if they are preparing to foil some terrorist plot. Meanwhile, a group of vandals can be seen, slowly working out the details of their plan, each step recorded on film. It seems the graffiti artists have it coming to them. When the Gestapo force finally counters the insurgents, it turns out it was actually NIN the police were after. The video concludes with a member of the band dragged out with a line of blood following him. The cameras in the room the band was playing in have been destroyed or shut off. This is the way this dystopia deals with insurgency and resistance. It’s how the USA might deal with resistance if we ever start enforcing the Patriot Act and the Military Commissions Act. Some people may say that it will never get that bad. People would start listening before it got too bad. I’d have to disagree. Most contemporary news reports concerning some kind of defeat of the Constitution or liberty either side with the government or take a neutral stance. Groups that speak out about liberty such as the ACLU, CASPIAN, and the EFF are routinely labeled "privacy advocates" and written off in a paragraph or two, and a lot of the time it’s near the end, after most people have either stopped reading or already made up their minds. The mainstream media acts as if only certain groups of people care about privacy and freedom, like it’s not what the USA was founded upon. This is their way of filtering and spinning a report to make people feel that the ‘normal’ or ‘sober’ approach is not that of privacy, a way of alienating Americans from the essence of what it means to be American. Loss of Liberty This opensourceresistance image shows how America is dying and that loss of liberty is the key to one-world government. Now looking at the album itself, the lyrics seem to be obsessed with premonitions of the future and Reznor's resistance to it. The setting is the USA, in the year 2022. As evidenced by the video for Survivalism, the Constitution has been eviscerated and a new dark age of oppression has emerged. In My Violent Heart, Reznor defiantly screams, “on hands and knees we crawl, you scan not stop us all,” and in Survivalism, “I got my propaganda, I got revisionism, I got my violence, in hi-def ultra-realism. All a part of this great nation; I got my fist I got my plan I got survivalism.” Translation: the constant lies fed to the people by the media are devoured by the masses and you have to fight it just to survive. Reznor forecasts the year 2022 seemingly in an attempt to make people aware of the end point. The incremental, systematic collapse of our Constitution today makes it difficult to see what is happening. Just do a search on Google for “population reduction” or “echelon” or “Patriot Act” and you’ll discover Reznor is not dreaming too deeply. The album is dark with a grinding, synthetic industrial sound-- typical of Nine Inch Nails, yet it is full of substance and energy. It has its highpoint with Hyperpower!, a progressive chant that grows and grows until it roars like millions of screaming people, and its low point with Another Version of the Truth, a melodic and calmingly enchanting piece with simple sounds of a piano and a synth. There is a consistent underlying theme maintained throughout the record of a gloomy future dystopia and all its minutiae. Songs are rife with sentiments long held by 9/11 truthers and anti-establishment types, such as Capital G: Don't give a sh*t about the temperature in Guatemala Don't really see what all the fuss is about Ain't gonna worry bout no future generations and a I'm sure somebody's gonna figure it out Here Reznor marginalizes global warming, stating that if and when a real problem develops, we'll take care of it. This is very contrary to articles like those in the Washington Post forecasting , “…global temperatures will probably rise 4 degrees Celsius over the next century. If so, catastrophic flooding, famine and water shortages may follow, along with the extinction of up to half of existing animal species...fortunately, there is such a solution…It’s called a carbon tax, and it should be applied across the board to every industry that uses fossil fuels, every home or building with a heating system, every motorist, and every public transportation system.” How dare Reznor defy the mainstream media? It’s not like the global warming scare is torn to shreds in films like the Great Global Warming Swindle or anything. No, people should believe the nightly news. They are not fear mongers. They have “top” scientists. The continual warfare of Orwell’s 1984 is alive and well in Year Zero. In The Good Soldier, Reznor sings about his terror-filled vision of America in the future: Gun fire in the street Where we used to meet Echoes out a beat and the bass goes Bomb right over my head Step over the dead Reznor also imagines a Bureau of Morality, a branch of the government that will monitor behavior and thoughts to a whole new level. With this new Bureau, imagines Reznor, the government will truly begin to act as the parent, telling citizens what is right and wrong, especially concerning thoughts about the government. Ironically, Reznor has put a warning from the "USBM" mocking the FBI’s anti-piracy warning on the back of the Year Zero CD case: Interestingly, the number actually dials, connecting to a recording: “This is a message from the United States Bureau of Morality, pursuant to statute 24-12-2, Disclosure of Surveillance. Citizen: by calling this number, you and your family are implicitly pleading guilty to the consumption of anti-American media and have been flagged as potential militants. The United States Bureau of Morality has activated the tracking system embedded in your personal media, and initiated citizen surveillance. United States surveillance law gives us the right to search and seize information relating to subversive activities from your person, vehicle, workplace or home. Any attempt to hinder or prevent our investigation will be met with all necessary force. You are now part of the problem. Your reeducation is about to begin. God bless America.” But everything up to this point is soft compared to the website that the CD links a buyer to, exterminal.net. The consumer incentives are chocked full of artsy gimmicks-- the CD has a special thermo-chrome heat-sensitive coating that changes its face when heated (see video demonstration), displaying binary code that translates roughly into exterminal.net. The website contains lots of political tidbits about the hellish future where everyone is a terror suspect, and people who have alternative viewpoints are criminals. It also talks about Guantanamo Bay or, as it calls it, "the Extrajudiciary Federal Detainment Camp, Guam." Police and surveillance state Interrogation sessions are on the site as well, chronicling what it would be like to be sent there. The interrogation for J. Markakis refers to a drug put into the water called Parepin, alluding to the Soma tablets in a Brave New World by Aldous Huxley. For those not familiar, Soma was the drug distributed by the government to ensure people kept in line with the system, the opiate of the masses. Exterminal.net also includes random documents, such as a letter from the Bureau of Morality, notifying Elliot Carraig that his "citizenship total" has been decreased and that he has lost his "credit." It seems that Reznor envisions a world in which the government can take anything away from you at any time for any reason, and that everything will be connected by a points system. This could be a possible cashless society. All in all, Reznor seems to have taken the world from Orwell's 1984 and Huxley's Brave New World and modernized it with things like the internet and Guantanamo Bay (Ministry of Love anyone?). If there is any doubt up to this point that Reznor is serious, let the website http://opensourceresistance.net/ be examined. True to its name, much of the content is user generated, and the band's concept album seems to support the content more than the other way around. Filled with posters and slogans about freedom and resistance, there is a video available in QuickTime or streaming flash formats, “rescued raw footage,” in which around 50 people are brought into a warehouse setting wherein a man gets up on stage and schools the people about the Military Commissions and Patriot Acts. Then he tells them to "wake up," which is a phrase distinctly 9/11 truth (and lifting imagery from the equally dystopic A Clockwork Orange). What does this have to do with Trent Reznor? After about 20 minutes or so, the people are whisked away and then music starts playing. Suddenly, a stage can be seen and the wall opens up to allow for a private concert by Nine Inch Nails, which is eventually broken up by police. Let it be known this is not a coincidence; this is clearly orchestrated largely by NIN. There is no denying the message of opensourceresistance.net: the government desires to take our freedoms away supposedly to fight terrorism, but they are not trustworthy. Really, it’s about the introduction of the terrorism concept to then expand on it until it replaces the concept of crime completely, turning everyone into a terrorist, ushering in new treatment of would be criminals, in that all of their rights are lost and everything is a privilege arbitrarily given by the government, not God given and government protected. Posters can be found in the broadcasts and submitted sections that delve further into the sentiment of the Year Zero project. One poster demonstrates how an idea can be spread by just one person, infesting the entire world. This example shows the New World Order, the one-world government idea. Information is Infectous There are 10,000 (as of 2005) of these in London's central business district alone and about 4,000,000 in the UK. This means many Londoners are taped up to 300 times a day whether they are aware of it or not, like it or not. This site is just replete with evidence of anti-NWO sentiment; there is no way to cover it all. Just this one website covers many of the issues that Americans should be concerned about: the loss of privacy thru the use of cameras, government propaganda, America's death, the birth of the NWO, warnings from history and dystopic novels, the paranoia of the US citizens and their government, China's one-child policy, freedom of speech and religion, nonviolent resistance, prisoner abuse, and making a difference by waking up and voicing concerns. Please join the war on tyranny. Please “wake up and give a sh*t.” Reznor's Nine Inch Nails are commendable for speaking out-- as few truly huge music acts have been doing in this era. Other such mainstream music groups in this vein include Muse (who have stated their belief that 9/11 was an inside job) and Radiohead's Thom Yorke, who has not been quite so explicit, but has called for Tony Blair's immediate resignation. Perhaps NIN's interactive method of disseminating relevant info will help fight the New World Order before our world meets this grim vision-- perhaps as soon as 15 years into the future. While there have been talks of a movie, a follow-up release, tentatively titled Year Zero Part 2, is due out sometime in 2008.

Technorati Tags: Music

Bad Vista

So I've been playing with Vista on and off at work for abut a month now, and well, I hate the damn thing. To be really honest there isn't one thing that I like about it at this point, I'm willing to give it some more time, but I'm dual booting my AlienWare laptop with Fedora Core 6 and Vista Ultimate, and well, Vista is painful to use. So this site seems to sum up my feelings perfectly.

A Letter To Warner Chairman Edgar Bronfman

Ok, so as many of you will know I am really into Open Source, and freedom of information, and our rights as Human beings, and well, I love music as well. I've been against DRM from the onset, and doing as much as possible to put an end to it as well, the guys over at Defective By Design have been really doing a great job of getting the message out there as well, so go and visit their site and sign up, they do send out news e-mails every now and then, but it's certainly not spam. At the moment there is an letter to Warner's Chairman, Edgar Bronfman, and I'm really urging anyone reading this, to please go over and sign it. Both Apple and EMI have now committed to selling DRM free music, and Warner refuses to budge, I'm not saying that this letter will do the job, but it may help. You can read the letter and sign it here. C'mon people, do it for the music!

Technorati Tags: DRM, Rights

Mod_Auth_OpenPGP

This has got to be one of the coolest projects out there, and I seriously take my hat off to Arturo "Buanzo" Busleiman for developing this. The blurb on this project off of Freshmeat.net is the following: "Mod_Auth_OpenPGP is an Apache module that implements access authorization to servers, vhosts, or directories when incoming requests' HTTP OpenPGP signatures are valid and known by the local keyring. It's the Apache companion for Firefox's extension "Enigform". There is also a really worthwhile interview with Arturo over on the FreeSoftwareMagazine site, which can be read here, I would definitely recommend taking a read if you're into security, Open Source software or Apache, as this has seriously got to be one of the coolest extensions out there for Apache at the moment. I'm really hoping that some big financial companies see this and start using it, it could save us all a lot of trouble.

Technorati Tags: Financial Industry, Open Source, Apache, Security, Web Application

Writing Exploits With Perl ---> Book

Found this while browsing today, seems like a really worthwhile read. I'm going skip through it this w/end. http://www.securitydb.org/Warpboy/Learning_Perl_-_Writing_Exploits.rar

Technorati Tags: Exploits, Perl, Security

InfoSec Europe Next Week

w00t!!

Technorati Tags: Security

ABN Amro Phishing attack bypasses Two Factor Authentication

This is actually pretty troubling, now to see what other attacks on two factor auth come out. Via Out-Law.com A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from the online accounts of customers who fell for a phishing scam. Advert: Infosecurity Europe, 24-26 April 2007, Grand Hall, Olympia, London, UKTwo-factor authentication for online banking usually involves passwords and tokens which provide synchronised, constantly changing numbers to use as additional evidence of identity. The security industry has promoted the tokens as a preventative measure against hacking for users of remote corporate or banking systems. However, experts have warned that they are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites that are set up to gather security details. Four customers who used two-factor authentication have been compensated by ABN Amro for undisclosed amounts taken from their bank accounts. "We are taking this incident very seriously and, in addition to informing our clients, are also implementing all of the technical measures that are at our disposal to stop criminals in their tracks," said Johan van Hall of ABN Amro Netherlands. "Safe usage of home and office computers is an essential requirement for secure online banking, and we plan to remind our clients even more frequently and urgently than before of that fact." Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details. As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money. Security experts have warned that such 'man in the middle' attacks cannot be prevented by security tokens. At the E-Crime Congress in London last month, several experts spoke out about the limitations of the systems. "Even when all the banks have it [hackers] will still attack them," said Mikko Hypponen, chief research officer of security firm F-Secure, at the Congress. "'We see them using 'man in the middle' already." "There are a whole bunch of things that can go wrong with two-factor authentication," Ross Anderson, a professor of security engineering at Cambridge University, told the same conference. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."

Technorati Tags: Financial Industry, Security

Apple Security Update 2007-004

From Apple.com Installed this and it works perfectly, takes a couple of reboots though on Intel Macs, I think that it may have freaked Mail.app out a bit though, as I can't seem to see the sender ID anymore, oh well. It may not be this update though, I may have changed some setting ;-) This document describes Security Update 2007-004, which can be downloaded and installed via Software Update preferences, or from Apple Downloads. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key." Where possible, CVE IDs are used to reference the vulnerabilities for further information. To learn about other Security Updates, see "Apple Security Updates." Security Update 2007-004 * AFP Client CVE-ID: CVE-2007-0729 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may obtain system privileges Description: Under certain circumstances, AFP Client may execute commands without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands. * AirPort CVE-ID: CVE-2007-0725 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may be able to execute arbitrary code with elevated privileges Description: A buffer overflow vulnerability exists in the AirPortDriver module which processes control commands for AirPort. By sending malformed control commands, a local user could trigger the overflow which may lead to arbitrary code execution with elevated privileges. This issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card. This issue does not affect systems with the AirPort Extreme card. This update addresses the issue by performing proper bounds checking. * CarbonCore CVE-ID: CVE-2007-0732 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may be able to execute arbitrary code with elevated privileges Description: The CoreServices daemon could allow a local user to obtain a send right to its Mach task port, which may lead to arbitrary code execution with elevated privileges. This update addresses the issue by through improved checks in the CoreServices interprocess communication. This issue does not affect systems prior to Mac OS X v10.4. * diskdev_cmds CVE-ID: CVE-2007-0734 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Opening a maliciously-crafted UFS disk image may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption vulnerability exists in fsck. It is possible to cause fsck to be run automatically on a disk image when it is opened. By enticing a user to open a maliciously-crafted disk image, or to run fsck on any maliciously-crafted UFS filesystem, an attacker could trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of UFS filesystems. * fetchmail CVE-ID: CVE-2006-5867 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: fetchmail may send passwords in plain text, even when configured to use TLS Description: fetchmail is updated to version 6.3.6 to fix a vulnerability that could allow authentication credentials to be sent in plain text, despite being configured to use TLS. This issue is described on the fetchmail web site at http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt * ftpd CVE-ID: CVE-2006-6652 Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution Description: lukemftpd has been updated to version tnftpd 20061217 to address a buffer overflow vulnerability in the handling of commands with globbing characters that could lead to arbitrary code execution. This issue does not affect Mac OS X Server v10.3.9 or Mac OS X Server v10.4.9. Credit to Kevin Finisterre of DigitalMunition for reporting this issue. * GNU Tar CVE-ID: CVE-2006-0300 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Listing or extracting a maliciously-crafted tar archive may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow vulnerability exists in the handling of PAX extended headers in GNU tar archives. By enticing a local user to list or extract a maliciously-crafted tar archive, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems prior to Mac OS X 10.4. * Help Viewer CVE-ID: CVE-2007-0646 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Opening a help file with a maliciously-crafted name may lead to an unexpected application termination or arbitrary code execution Description: A format string vulnerability exists in the Help Viewer application. By enticing a user to download and open a help file with a maliciously-crafted name, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-30-01-2007). This update addresses the issue by eliminating any format string processing of file names. * HID Family CVE-ID: CVE-2007-0724 Available for: Mac OS X v10.4 through Mac OS X v10.4.9, Mac OS X Server v10.4 through Mac OS X Server v10.4.9 Impact: Console keyboard events are exposed to other users on the local system Description: Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue. This fix was originally distributed via the Mac OS X v10.4.9 update. However, due to a packaging issue it may not have been delivered to all systems. This update redistributes this fix in order to reach all affected systems. * Installer CVE-ID: CVE-2007-0465 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Opening an installer package with a maliciously-crafted name may lead to an unexpected application termination or arbitrary code execution Description: A format string vulnerability exists in the Installer application. By enticing a user to download and install an installer package with a maliciously-crafted file name, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This issue has been described on the Month of Apple Bugs web site (MOAB-26-01-2007). This update addresses the issue by eliminating any format string processing of file names. This issue does not affect systems prior to Mac OS X v10.4. * Kerberos CVE-ID: CVE-2006-6143 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Running the Kerberos administration daemon may lead to an unexpected application termination or arbitrary code execution with system privileges Description: An uninitialized function pointer vulnerability exists in the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt. This issue does not affect systems prior to Mac OS X v10.4. Credit to the MIT Kerberos Team and an anonymous researcher working with iDefense for reporting this issue. * Kerberos CVE-ID: CVE-2007-0957 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Running the Kerberos administration daemon or the KDC may lead to an unexpected application termination or arbitrary code execution with system privileges Description: A stack buffer overflow vulnerability exists in the MIT Kerberos administration daemon (kadmind), as well as the KDC, which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt. Credit to the MIT Kerberos Team for reporting this issue. * Kerberos CVE-ID: CVE-2007-1216 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Running the Kerberos administration daemon may lead to an unexpected application termination or arbitrary code execution with system privileges Description: A double-free vulnerability exists in the GSS-API library used by the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt. Credit to the MIT Kerberos Team for reporting this issue. * Libinfo CVE-ID: CVE-2007-0735 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Visiting malicious websites may lead to an unexpected application termination or arbitrary code execution Description: In some cases, Libinfo does not correctly report errors to applications that use it. By enticing a user to visit a maliciously-crafted web page, an attacker can cause a previously deallocated object to be accessed, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing appropriate error reporting in Libinfo. Credit to Landon Fuller of Three Rings Design for reporting this issue. * Libinfo CVE-ID: CVE-2007-0736 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if the portmap service is enabled Description: An integer overflow vulnerability exists in the RPC library. By sending maliciously-crafted requests to the portmap service, a remote attacker can trigger the overflow which may lead to a denial of service or arbitrary code execution as the 'daemon' user. This update addresses the issue by performing additional validation of portmap requests. Credit to the Mu Security Research Team for reporting this issue. * Login Window CVE-ID: CVE-2007-0737 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may obtain system privileges Description: Login Window does not sufficiently check its environment variables. This could allow a local user to execute arbitrary code with system privileges. This update addresses the issue by through improved validation of Login Window environment variables. * Login Window CVE-ID: CVE-2007-0738 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: The screen saver authentication dialog may be bypassed Description: Under certain conditions, the user's preference to "require a password to wake the computer from sleep" is ignored, and a password is not required to wake from sleep. This update addresses the issue by through improved handling of this preference. * Login Window CVE-ID: CVE-2007-0739 Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: The loginwindow authentication dialog may be bypassed Description: Under certain conditions, the software update window may appear beneath the Login Window. This could allow a person with physical access to the system to log in without authentication. This update addresses the issue by only running scheduled tasks after the user login. This issue does not affect systems prior to Mac OS X v10.4. * network_cmds CVE-ID: CVE-2007-0741 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if Internet Sharing is enabled Description: A buffer overflow vulnerability exists in the handling of RTSP packets in natd. By sending malformed RTSP packets, a remote attacker may be able to trigger the overflow which may lead to arbitrary code execution. This issue only affects users who have Internet Sharing enabled. This update addresses the issue by performing additional validation of rtsp packets. * SMB CVE-ID: CVE-2007-0744 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may obtain system privileges Description: Under certain circumstances, SMB may execute commands without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands. * System Configuration CVE-ID: CVE-2007-0022 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Local admin users may execute arbitrary code with system privileges without authentication Description: Admin users have the ability to alter system preferences through the writeconfig utility. When the writeconfig utility launches the launchctl utility, it does not clean the environment inherited from the user. This could allow arbitrary code execution with system privileges without authentication. This issue has been described on the Month of Apple Bugs web site (MOAB-21-01-2007). This update addresses the issue by cleaning the environment before calling the launchctl utility. * URLMount CVE-ID: CVE-2007-0743 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local users may obtain other user's authentication credentials Description: The username and password used to mount remote filesystems through connections to SMB servers are passed to the mount_smb command as command line arguments, which may expose them to other local users. This update addresses the issue by securely passing the authentication credentials to the mount_smb command. Credit to Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc for reporting this issue. * VideoConference CVE-ID: CVE-2007-0746 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: Remote attackers may be able to cause an unexpected application termination or arbitrary code execution if iChat is running. Description: A heap buffer overflow vulnerability exists in the VideoConference framework. By sending a maliciously-crafted SIP packet when initializing an audio/video conference, an attacker can trigger the overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of SIP packets. * WebDAV CVE-ID: CVE-2007-0747 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9 Impact: A local user may obtain system privileges Description: When mounting a WebDAV filesystem, the load_webdav program may be launched without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands. * WebFoundation CVE-ID: CVE-2007-0742 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: Cookies set by subdomains may be accessible to the parent domain Description: An implementation issue allows cookies set by subdomains to be accessible to the parent domain, which may lead to the disclosure of sensitive information. This update addresses the issue by performing additional validation of the domain to which a cookie is being sent. This issue does not affect systems running Mac OS X v10.4. Credit to Bradley Schwoerer of University of Wisconsin-Madison for reporting this issue.

Technorati Tags: Apple, Security

Van Eck Method For Laptops and Flat Panels -- Walls Mean Nothing now

Okay now the Van Sck method for seeing through walls has been around for a while now, for CRT's at least, but now this is kinda scary.... Via Newscientist.com Have you considered that someone could be reading what's on your monitor from a few rooms away? It's unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows. A radio antenna and radio receiver - equipment totalling less than £1000 - is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls. Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagentic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking, and NATO spent a fortune making its systems invulnerable to it. It was a major part of Neal Stephenson's novel Cryptonomicon. CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too. It works slightly differently. With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because they come through in order you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular wave form. If everything is just right, you can pick up signals from some distance. "I was able to eavesdrop certain laptops through three walls," says Kuhn. "At the CEBIT conference, in 2006, I was able to see the Powerpoint presentation from a stand 25 metres away." Here's the image he managed to get: Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximise the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference. As for defending against this kind of attack, Kuhn says using well-shielded cables, certain combinations of colours and making everything a little fuzzy all work.

Technorati Tags: Terrorism, UK, Vulnerabilities

Okay, now this is just bad...

Via Out-Law.com The private details of 100,000 internet users have been stolen from broadband provider Bulldog. The security breach happened when the company was owned by Cable & Wireless. The data was stolen from Cable & Wireless in December 2005 by a third party which the company believes it can identify. Bulldog's customer base has since been sold to broadband provider Pipex, but C&W is investigating the breach. James Brown, managing director of Bulldog Internet, told the Guardian newspaper: "Our understanding is that, following an external enquiry by Cable & Wireless, it has become apparent that at some point in December 2005 Cable & Wireless had some of their customer contact details illegally obtained by a third party. This resulted in a small number of their customers receiving unsolicited calls." C&W said that it was preparing legal action against a third party which it said could be the source of the leak. It is not yet clear exactly what customer data was taken. Several customers have reported receiving telephone calls that alerted them to the security breach. It is not known whether or not credit card or bank details were among those taken. C&W said that there was no evidence that that was the case. Large scale data thefts are becoming increasingly common as identity theft becomes a more lucrative crime. With individuals carrying out more and more of their economic activity online, impersonating those people can bring ever greater rewards. The US has been the location of the most serious data breaches. One recent US breach had implications for UK citizens, though. The owners of High Street discount clothes chain TK Maxx suffered one of the biggest ever breaches when the credit card details of 45 million customers were stolen by a hacker. In a regulatory filing last month the shop's parent company, TJX Companies, said that data had been stolen in the UK. "We believe that information was stolen in the computer intrusion from … a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland," said the filing. ----------------------------------------------------- Glad I never signed up to Bulldog ;-)

Going To Be A SANS Stay Sharp Instructor!

After passing my GCIH exams with 96% for both of them, I got a mail from Stephen Northcutt at SANS inviting me to be a SANS Stay Sharp and SANS Mentor Instructor. This happened when I passed my GSEC exams as well, but that kinda fell by the wayside for various reasons. This time however I am going to go for it, for those of you that don't know what the SANS Stay Sharp programs are they are basically short courses that range from about 3 hours to 3 days depending on the course. You cna get more info from the SANS Stay Sharp site here. So around the 20th of this month I am going to sign up for the "Defeating Rogue Access Points" course, and so long as I pass that one with a score of over 85%, I'll then be qualified to teach it, so you can expect some spam coming from me once I get through the exams about various training sessions that I'll be setting up in the Reading area, and maybe even London, we'll see how the demand goes. I'm planning on getting trained up on as many of the Stay Sharp courses as possible as it would be great to be able to offer some SANS courses in the UK. I know that SANS awareness is growing gradually in the UK, but it's just not as quickly as I'd like it to. So I'm going to do my best to make it grow a lot quicker. Later all, and apply that darn ANI patch.

Widgets listed on Apple's Dashboard Downloads

I'm actually quite shocked on this one, not so much about the SANS widget, but the fact that Apple actually put up the Milw0rm exploit feed widget is amazing! Here are the links to both of them, so please grab them from there and save my bandwidth. http://www.apple.com/downloads/dashboard/networking_security/sansinternetstormcenterwidget.html http://www.apple.com/downloads/dashboard/networking_security/milw0rmexploitfeed.html

Month Of MySpace Bugs is a Go

Well, it seems that the Month Of Myspace Bugs is going ahead, and with a European mirror configured as well, just in case of a U.S based shutdown. Great thinking guys! Here's the link to the site. http://momby.livejournal.com/ And the first advisory: Advisory MOMBY-00000001: MySpace Official URL Spoofing Press Embargo until April 1, 2007 Rankings: Noobs: ***** LOLs: ** 0wnz: * Myspace allows registered users to create arbitrary pathnames under the http://www.myspace.com/ domain. This can be used in the furtherance of a confidence scheme. Example: http://www.myspace.com/PasswordReset Details: Upon creating a new account, users are presented with an option to pick a MySpace Name/URL, as shown on this screenshot (click). Combined with the allowed CSS editing that allows users to essentially create custom layouts which may appear exactly as the targeted (or invented) MySpace service (such as a password resetting web application), and the "remember my password" functionality of some browsers which respect only domain names + form input names, this technique can help create a very convincing illusion of MySpace officialdom. As an example, the personal profile for "Mondo Armando" is now registered as the above example URL, which can now be used to trick victims into setting a password to a value known by, well, me. The downside (from the attacker's perspective) is that there are technically finite variations. However, a url such as "http://www.myspace.com/PasswordActivate" and "PASSW0RDRESET" may work just as well, so it'll be a while before all the "good" target URLs are taken. Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi

Milw0rm and SANS Internet Storm Center Widgets

Just finished these two off as well, I've submitted them to Apple as well, so I'm really hoping that they get approved and listed. I'm hoping that I'll know tomorrow, as it seemed to take a day for the Reg one to get listed, I'll post links on here if they do though. Here's the info on them and the links to my site at this point: Milw0rm Widget This widget gets it’s feed from Milw0rm.com, and lists the last 30 exploits that have been added. SANS Internet Storm Center Widget This widget updates your Dashboard with the feed from the SANS Internet Storm Center. It displays the last 30 entries published. They can be downloaded from my site here.

First Dashboard Widget!

I just finished making my first Dashboard widget for OS X, so I'm pretty chuffed that it turned out okay. I just submitted it to Apple, so hopefully it gets put up on their widgets section. The widget that I created grabs the daily news feed from the The Register, it's something that I've been looking for and never managed to find. Okay, so I didn't look too hard for one, but hey. I'm hoping to get a couple more done this weekend with more of a securtity/exploit focus to them. I'll be updating my blog though as I get them done, I don't want to give out too many details, as I really don't want someone else beating me to it. You can grab the Reg widget from my downloads page here. UPDATE: It's officially listed on Apple's widget site now. http://www.apple.com/downloads/dashboard/news/theregisterwidget.html

Technorati Tags: Apple, Dashboard Widgets

Local Privilege Escalation Vulnerability found in X-Kryptor

From the UNIRAS website: ID: 0107 Ref: 0107 Date: 01 February 2007:0900:00 Title: Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client Abstract: X-Kryptor is a range of multi-role, dynamic-VPN products. The X-Kryptor Secure Client is a software-based VPN client that is used to connect home-base or mobile workers to a secure Local Area Network (LAN). A vulnerability has been discovered by NCC Group plc that, if exploited, could potentially allow a malicious person to take full control of the local system and to execute arbitrary code. Barron McCann is aware of this issue and has produced patches to address it. Please see 'Solution' for further details. Vendors affected: Barron McCann Operating Systems affected: Windows Applications affected: X-Kryptor Driver BMS1446HRR,Xgntr Version BMS1351,Install Release BMS1472 Document link: Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client CPNI Vulnerability Advisory 0107-XKryptor-February 2007 Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client Version Information ------------------- Advisory Reference VAN 0107-XKryptor Release Date 1 February 2007 Last Revision 25 January 2007 Version Number 1.0 Acknowledgement --------------- This issue was reported by NCC Group plc (http://www.nccgroup.com). What is affected? ----------------- The vulnerability was verified against the following product version running on Microsoft Windows: - X-Kryptor Driver BMS1446HRR - Xgntr Version BMS1351 - Install Release BMS1472 Other versions may also be affected. Impact ------ If exploited, this vulnerability can potentially allow a malicious user to take control of the local system. Severity -------- Medium Summary ------- X-Kryptor is a range of multi-role, dynamic-VPN products. The X-Kryptor Secure Client is a software-based VPN client that is used to connect home-base or mobile workers to a secure Local Area Network (LAN). A vulnerability has been discovered by NCC Group plc that, if exploited, could potentially allow a malicious person to take full control of the local system and to execute arbitrary code. Barron McCann is aware of this issue and has produced patches to address it. Please see 'Solution' for further details. Details ------- CVE ID: CVE-2007-0436 Under certain circumstances it is possible for users, when using the X-Kryptor Secure Client on Microsoft Windows, to escalate privileges on the machine to the local SYSTEM account. Solution -------- Barron McCann has produced a fix for this issue; please contact them for further details. Vendor Information ------------------ Based in Letchworth, Hertfordshire, Barron McCann Technology is a leading supplier of high assurance security products including the X-Kryptor, a range of VPN products that secure sensitive government communications across the United Kingdom and Europe. For further details regarding Barron McCann, please visit http://www.bemac.com/. Credits ------- The CPNI Vulnerability Management Team would like to thank NCC Group plc for reporting these issues. Please visit http://www.nccgroup.com for further details about NCC Group plc. The CPNI Vulnerability Management Team would also like to thank Barron McCann for their co-operation and assistance in the handling of this vulnerability. Contact Information ------------------- The CPNI Vulnerability Management Team can be contacted as follows: Email vulteam@cpni.gov.uk Please quote the advisory reference in the subject line Telephone +44 (0)870 487 0748 Ext 4511 Monday - Friday 08:30 - 17:00 Fax +44 (0)870 487 0749 Post Vulnerability Management Team CPNI PO Box 60628 London SW1P 1HA We encourage those who wish to communicate via email to make use of our PGP key. This is available from http://www.cpni.gov.uk/key.aspx. Please note that UK government protectively marked material should not be sent to the email address above. If you wish to be added to our email distribution list please email your request to info-sec@cpni.gov.uk. What is CPNI? -------------- For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall CPNI accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. © 2007 Crown Copyright <End of CPNI Vulnerability Advisory> * Accessibility | * Terms and conditions | * Privacy statement | * Data protection act |

Technorati Tags: Vulnerabilities, Security

3 Held For Questioning Over 7th Of July Bombing In London

Via BBC's website: Anti-terrorism police are to begin questioning three men arrested over the 7 July suicide bombings in London. Two suspects, aged 23 and 30, were detained at Manchester Airport as they prepared to fly to Pakistan while a third, 26, was detained in Leeds. The arrests, which are the first major ones since the attacks, followed a lengthy police operation. Fifty-two people died in 2005 after four bombers detonated devices on three London Underground trains and a bus. Police have been searching five houses in the Beeston area of Leeds, and two premises in east London. The three men will be interviewed at Paddington Green police station in the capital. Under new anti-terror laws, police can hold them for a maximum of 28 days. We need to know who else, apart from the bombers, knew what they were planning Scotland Yard spokesman 'Low-key' approach of police The men were held on suspicion of the commission, preparation, or instigation of acts of terrorism. Mohammad Sidique Khan, 30, Shehzad Tanweer, 22, and Germaine Lindsay, 19, detonated bombs on three Tube trains and Hasib Hussain, 18, attacked a bus. Home Secretary John Reid said: "I think the best thing here is not to get ahead of ourselves, not to get into speculation or heighten all of this. The scene after the arrests in Leeds The searches are expected to take some time "It is a normal part of a very serious and continually ongoing operation and the police will keep everybody informed as is appropriate." The arrests at Manchester Airport were made shortly before 1300 GMT on Friday, while the other in Leeds was made just after 1600 GMT. The addresses of the Leeds searches are in Cardinal Road, Colwyn Road, Firth Mount, Tempest Road, and Rowland Place. Tanweer and Hussain had both been living in Beeston when the attacks were carried out and Khan grew up in Beeston. Tanweer lived in Colwyn Road with his parents. The east London searches involve a flat, understood to be in Bromley-by-Bow, and a business, understood to be in Whitechapel. Scotland Yard said the arrests were part of a pre-planned, intelligence-led operation and also involved the West Yorkshire Police Counter Terrorism Unit. Map showing the homes being searched in Leeds Ch Supt Mark Milsom, of West Yorkshire Police, said it had not been a high profile operation and unarmed officers were carrying out the searches. He said the searches may take "some time" but they were not expecting to find firearms or bomb-making equipment. A Scotland Yard spokesman said: "We need to know who else, apart from the bombers, knew what they were planning. Did anyone encourage them? Did anyone help them with money, or accommodation?" BBC correspondent Danny Shaw said that, before Thursday's arrests, the police investigation into the 7 July bombings had been "going on with very little publicity". The investigation had included a search of a landfill site - "the size of 18 Olympic swimming pools" - at Skelton Grange in Leeds, he said. Police had "quietly but assiduously" gone through the entire site looking for evidence, our correspondent added.

Technorati Tags: Terrorism, Security, UK

Web Application Auditing Over Lunch

Johanness Ulrich over at SANS has a really good quick howto on Web Application Security over at the SANS Institute, this really is a worthwhile read for anyone new to web application security, and provides a very good walkthrough at a high level of some of the steps that you should take when auditing web applications. Take a look: Web Application Auditing Over Lunch For a more in-depth view on Web application security audits, have a look at the OWASP Testing Guide. It's a long document, but it covers evrything that you're going to need to check. Mourn - Non-Stop Violence from the album "7" by Apoptygma Berzerk

Technorati Tags: Web Application, Security

BackTrack 2.0 and Parallels

I know that BackTrack 2.0 was release about a week ago now, but I'm only getting around to writing about it now as I only got my MacBook Pro a couple of days ago, and I didn't have a chance to download it or try it out. For those of you who are unfamiliar with BackTrack, it is probably the ultimate penetration tester's bootable Linux distro. BackTrack is what came out of a merger between two of the most famous security related bootable Linux distro's, namely Whax and the Auditor Security Collection. From a pen-tester's point of view, it really does have everything that you could want in a live Linux distro, and more. Here are some of the new features in version 2.0 * Updated Kernel-Running 2.6.20, with several patches. * Broadcom based wireless card support * Most wireless drivers are built to support raw packet injection * Metasploit2 and Metasploit3 framework integration * Alignment to open standards and frameworks like ISSAF and OSSTMM * Redesigned menu structure to assist the novice as well as the pro * Japanese input support-reading and writing in Hiragana / Katakana / Kanji. You can download it from http://www.remote-exploit.org/backtrack.html Now I also mentioned Parallels in the subject of this one, which is something that I have been dying to play with since before I got my MacBook Pro, and well, all I can say is that I am shocked at the speed of it. I installed BackTrack 2.0 on a virtual disk within Parallels, allocated 256MB of RAM to it, and to say that it's damn quick would be an understatement. This blows away my dedicated Linux PC at work! Maybe later on today I'll install XP within Parallels and see how that goes, but at this point, I am really impressed. I know have the perfect setup, OS X as my main OS, and then BackTrack for anything that I can't run within OS X, from a penetration testing point of view, this really is perfect. I'm kinda regretting ordering an Alienware laptop for work now, but hey, I kinda need it to run Core Impact and WebInspect, so I'm sure it'll be worthwhile, when I get it of course. Alienware's build time seems to take forever! Anyway, if anyone reading this hasn't tried BackTrack 2.0 or Parallels yet, do yourself a favour and go and try it out. Love Never Dies [part 1] from the album "7" by Apoptygma Berzerk

Technorati Tags: Apple, Linux, Security

MacBook Pro 17" Core 2 Duo 2.33 GHz

Well, it finally arrived yesterday, and since I got it I've been installing all the tools and programs that I need and want onto it. In regard to my aging G4 PowerBook 1.33 GHz, this little baby flies! Everything that I have done on it so far have been so much quicker, it's pretty scary to be honest, and it also makes me realize that even though I had my doubts about Apple's whole switch to Intel chips, it was definitely worthwhile. I must say though that now that I have a 17" screen I don't think that I could ever go back to a 15" again, also if anyone's curious the glossy display is so much better than the matte displays that I've seen. Everything is really clear and crisp. I read a lot of reviews about the glossy screen and they have all been really bad, and then I saw one at work, and decided that glossy was the way to go almost instantaneously. I must say that I was still a bit concerned about the glare and reflection that kept getting mentioned in the various forums that I read, but well, I've had no problems with it all. The one thing that really amazed me is the speed at which Fink compiles things on the MacBook Pro, it really is quick, to say the least. Also I had to pull down the SVN version of KisMac as the current stable build doesn't support the new Airport Extreme cards in the MacBook Pro's, but the SVN version works perfectly! I'll post more updates as and when I have them, take it easy all. Brain Bypass from the album "What The Fuck Is Wrong With You People?" by Combichrist

Technorati Tags: Apple

Yet another reason that I really like Frank Zappa

This has got to be one of his best interview clips ever, I'd hate to be the interviewer in this one ;-) http://www.youtube.com/watch?v=RFjZOeL10MA&NR

Flu and the SCNA exam != Pass

Well, my body has decided recently that having a dose of flu would be a great thing to do to me, just make the SCNA exam more of a challenge, and well, I didn't make it. You need 62% to pass the exam and I got a grand total of 49%, I know the stuff, but while I was sitting there all I could think about was going home and crawling into bed. I guess I'll give it a couple of weeks or so and then try again, now that it's beaten me, I really want to get this one under my belt. Also to add insult to injury, while I was out failing the exam, the UPS man dropped by to deliver my MacBook Pro, typical! I gave them a call though and they will re-deliver it tomorrow, so at least now I know that I'll be getting it tomorrow. Now I feel a nap coming on, and then some quality time spent in front of the TV, maybe watching cartoons for the rest of the day.

GCIH Certified - 96% on 2nd Exam As Well

So, I couldn't do it, I just couldn't leave the two remaining GCIH books alone and get on with the SCNA studying that I've gotta do before Tuesday. Oh well, right now though I am damn excited to have passed both the GCIH exams! I must say though that I found the second exam a hell of a lot tougher than the first one, but also a hell of a lot more interesting. Well, both the books for the second exam were actually a lot more interesting than the three for the first exam, all in all though, SANS courseware has once again exceeded my expectations. Well, tomorrow and Monday I'm going to be getting into serious study mode for the SCNA exam, and then hopefully on Tuesday I'll pass that one as well. I won't ever be doing 3 exams in the space of 5 days again though, I didn't realise how insane it was actually going to be. Now to decide if I'm going to go for the gold certification on GCIH or not, hmmmmm...

Studying For The SCNA exam *bleh*

OK, so I'm sitting here studying for the Sun Certified Network Administrator (SCNA) for Solaris 10 exam, and well, to be honest it's boring as hell, and I'm forcing myself to study for it. I've been working with Solaris for over 10 years, and this covers things like the TCP/IP model, Subnetting, DHCP, DNS, NTP, and well, I know these things, damnit! I used to be a SysAdmin in a previous life, so I was expected to know these things, and now I'm worried about passing the exam on Tuesday, as I can't remember the last time I actually configured a DHCP server! Yeah, I've hacked a DHCP/NTP/DNS server, I know how the damn TCP/IP model works, but for some reason I'm still stressed about this exam. It really doesn't help either that I have the last two books of courseware for the GIAC Certified Incident Handler (GCIH) sitting on my desk, and all I want to do is pick them up, read them, and do the exam. I'm hoping to do that one next Friday, but then my MacBook Pro is supposed to be getting here next Weds, so we'll have to see how that goes. Oh well, enough of my ranting for now, better get back to some studying. Bleh! I'll leave you with a funny one though: Solaris 10/11 Telnetd vulnerability telnet -l -froot bwahahahahah!!!!!!!

GCIH Exam 1 = Pass 96%

Well, I sat this one this morning and passed it with quite a decent score, so I'm quite happy to say the least. I'm just hoping that I can get the same score or better for the next one, which I'm hoping to sit next Friday, so we see how it goes. Now to carry on studying for the Solaris 10 SCNA exam which I'm sitting on Tuesday. Still no MacBook Pro, but I got an update from Apple saying that it should be delivered next Weds.

GCIH, SCNA and going dark for a while

Well, things have been rather interesting lately to say the least, I'll be sitting the SCNA exam next Tuesday, so I am going to be spending most of this week and next Monday studying for that one. At present though I'm studying for the first GCIH exam, which if all goes as well as I'm hoping I'll be sitting tomorrow night, so wish me luck. I've also recently invested in a nice shiny new 17" MacBook Pro, and yesterday the auction for my PowerBook finished, so I spent last night formatting it, and packaging it up. I sent it off to it's new home this morning. The only catch is though, that I Apple told me that I will probably only be getting my new MacBook Pro around the 24th-26th of this month, so that's going to leave me without a laptop for a couple of weeks. It's going to be damn weird, but I'm so excited about getting my new MBP! If any of the ISW guys are reading this post, please don't send me any encrypted mails, as I won't be able to read them until I get my new MBP, as I'll be using webmail to check my mail until then. Well, take it easy all.

Solaris 10 Network Admin Course

Well, this week was pretty interesting to say the least, I was on the Solaris 10 network admin course at Sun's UK headquarters, and I've gotta say that this has been the best course that I've been on at Sun so far. You can find more details about the course here http://uk.sun.com/training/catalog/courses/SA-300-S10.xml. The first two days of the course were pure networking, which was great, although I seriously detest working out subnets. There were also sections that I knew, and feel very confident about for the exam, namely Bind, DHCPd and XNTPd, the sections on IPv6 and IPFilter were really worthwhile though. The great part about the course though was for a change the instructor seriously had security in mind, even to the point of showing the class how to exploit the Solaris telnetd vulnerability. Okay, so it's not the most complex exploit, but it was still mind blowing to be shown that on a course at Sun. :-) Okay so the lecturer was contracted to teach the course and not a Sun employee, but it was still great. There were also constant references to security throughout the course, which makes a great change from the other courses that I've been on at Sun in the past. Before I went on the course I was planning on sitting the SCNA exam next Friday. To be honest though, after spending a week on the course, I think that a couple of weeks will be a better bet, I really want to make sure that I get through the exam first time. I'll let you know how the exam goes when I go and sit it, I'm hoping to book it sometime this weekend. Well, till next time, and remember: telnet -l -froot Solaris10host ciao If You Want Peace... Prepare For War from the album "Are You Dead Yet?" by Children Of Bodom

Interview with Fyodor

I caught up with Fyodor yesterday in regard to the recent goings on with godaddy.com and his seclists.org domain, the full interview can be found on the Securiteam site here: http://blogs.securiteam.com/index.php/archives/806

SCSA Certified Now!

Passed the second exam today, and well, aside from considering half way through the exam I thought of walking out, as I thought I'd failed. I actually passed it with a better score than the previous one! So, that's another 4 letters behind my name now, so long as it keeps me up to date, and if it helps to get me a decent increase all the better. Oh well, time to be off now, gotta carry on celebrating! At least this means that I don't have to spend any more nights studying for a while, and now I can spend more time with my guitar. Woman from the album "Bloody Kisses" by Type O Negative