| |
| Current Topic: Computer Security |
|
The Impact of Emerging Technologies: The Internet Is Broken |
|
|
|---|
| Topic: Computer Security |
12:04 pm EST, Dec 20, 2005 |
That's why Clark argues that it's time to rethink the Internet's basic architecture, to potentially start over with a fresh design -- and equally important, with a plausible strategy for proving the design's viability, so that it stands a chance of implementation.
This is an interesting, if odd set of articles. The author argues in favor of IP addresses that don't change when you roam, something that I did a bunch of work on a couple of years ago. That makes sense. What doesn't make sense is how he gets from this to an Internet that doesn't need security patches... The Impact of Emerging Technologies: The Internet Is Broken |
|
I got 0wned... (sort of) - Patch your browser if you haven't. |
|
|
|---|
| Topic: Computer Security |
7:52 pm EST, Dec 14, 2005 |
This document serves as a reclassification advisory for the Microsoft Internet Explorer JavaScript Window() DoS vulnerability, originally reported on 31/05/2005. Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user.
I was stumbling around on the web tonight and got hit with a malicious version of this. Fortunately I was running Firefox at the time, where the issue is merely a denial of service (at least as presently understood). Its a remote code execution problem in IE. The perps were trying to shovel adware onto my machine. Figured I'd mention this here as a public service. People are definately out there exploiting this. Microsoft released patches yesterday. Patch your machine. If you go to the linked site from a vulnerable host and click on the proof of concept it will launch a copy of calc.exe on your desktop. I got 0wned... (sort of) - Patch your browser if you haven't. |
|
|
|---|
| Topic: Computer Security |
2:51 pm EST, Dec 12, 2005 |
Looks like a decent blog on Reverse Engineering... OpenRCE |
|
crackmes.de: Tools for practicing reverse engineering |
|
|
|---|
| Topic: Computer Security |
6:25 pm EST, Nov 30, 2005 |
So you think you're good enough to break the protection?
You want to see how good you are in reversing applications?
And you want to do it the legal way?
Then you're at the right place!
Nice! crackmes.de: Tools for practicing reverse engineering |
|
Blue Boxing Wiretapping Systems |
|
|
|---|
| Topic: Computer Security |
11:00 am EST, Nov 30, 2005 |
In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.
John Markoff has a story on this today. Ha... They were using old school dtmf techniques to detect call status! Thats a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them. U: I just read the paper. Apparently there IS no good reason they are using inband signals. Its a good paper. Read it. Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't... U: The paper seems to allude to this suspicion as well... Blue Boxing Wiretapping Systems |
|
|
|---|
| Topic: Computer Security |
4:48 pm EST, Nov 21, 2005 |
The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, today filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs.
EFF sues SONY |
|
|
|---|
| Topic: Computer Security |
8:19 pm EST, Nov 16, 2005 |
CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences.
One fears the impact of this will be trouble... What is the association between CMP and Defcon?! BlackHat sells out. |
|
Kaminski Analysis of Sony Rootkit traffic |
|
|
|---|
| Topic: Computer Security |
5:06 pm EST, Nov 15, 2005 |
Sony. Sony has a rootkit. The rootkit phones home. Phoning home requires a DNS query. DNS queries are cached. Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
Nice pictures of worldwide distribution of the rootkit. Kaminski Analysis of Sony Rootkit traffic |
|
