Current Topic: Computer Security
Richard Clarke sets tone for Black Hat 2007 | Tech news blog - CNET News.com

Topic: Computer Security
6:20 pm EDT, Aug 1, 2007 |
Clarke leveled the harshest language on the Bush administration. "The Bush administration has systematically reduced the work to secure cyberspace." Clarke cited recent cuts to the Defense Advanced Research Projects Agency as an example. While he doesn't believe that government is the solution--it is just a part of the solution--he said he thinks government helps set the tone. He said he thinks Bush is "setting an example how not to do cybersecurity."

Topic: Computer Security
4:00 am EDT, Jul 28, 2007 |
SummerCon 2007: August 24-26, 2007, Atlanta. Where: Wyndham Garden Hotel, 125 10th Street NE, Atlanta, GA 30309, 1 404-873-4800 (corner of Peachtree St & 10th)
I am happy about this...
SummerCon

DOMinatrix - The JavaScript SQL Injector

Topic: Computer Security
3:17 am EDT, Jul 26, 2007 |
Yeah, Billy has another toolkit for destroying the web.. Don't be too shocked or anything, there will most likely be another one next week. This one is branded with more sexual innuendo than the last one though..

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation. XSS + Web worm + DOMinatrix = oh crap. In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript. These aren't browser exploits. These aren't buffer overflows. These aren't something that affects only a single browser and only on pages that don't explicitly set a character set. This is using JavaScript in perfectly valid ways to do extremely malicious things. There is no way to patch this. End users are pretty much screwed. Here is a screen shot of DOMinatrix in action.

SPI Labs advises avoiding iPhone feature

Topic: Computer Security
10:42 am EDT, Jul 17, 2007 |
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including:
* Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing
Oops, Billy did it again!
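Added example, not SPI Labs' code and not part of the original post: a page-side audit of tap-to-dial links in JavaScript. The attacks listed above depend on the gap between the number a user sees and the number the phone actually dials, or on a page driving the dialer from script rather than from a tap. The check below normalizes the visible text and the tel: target of every link and flags three things: a displayed number that differs from the dialed one, non-numeric link text that hides the target entirely, and a dial link with a script handler attached. The record shape, the flagging rules and the sample links are my assumptions for illustration; SPI's advisory does not describe its attacks at this level of detail.

```javascript
// Added example (not from SPI Labs or the original post): consistency check
// for tap-to-dial links. Record shape { text, href, onclick } and the
// flagging rules are assumptions made for this illustration.

// Normalize a phone number to digits, keeping a leading '+' if present, so
// that "(404) 873-4800" and "tel:+1-404-873-4800" can be compared.
function normalizeNumber(s) {
  const m = String(s).trim();
  const plus = m.startsWith('+') ? '+' : '';
  return plus + m.replace(/[^0-9]/g, '');
}

// Extract the dial target from a tel: href, ignoring URI parameters such as
// "tel:+1-404-873-4800;ext=12". Returns null for anything that is not tel:.
function telTarget(href) {
  if (typeof href !== 'string' || !/^tel:/i.test(href)) return null;
  const body = href.slice(4).split(';')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(body);
  } catch (e) {
    decoded = body; // malformed percent-encoding: compare the raw form
  }
  return normalizeNumber(decoded);
}

// Compare two normalized numbers, allowing the href to carry a country code
// the visible text omits (e.g. "+1404..." linked from "404...").
function sameNumber(visible, target) {
  if (visible === target) return true;
  const v = visible.replace(/^\+/, '');
  const t = target.replace(/^\+/, '');
  return v.length >= 7 && (t.endsWith(v) || v.endsWith(t));
}

// Audit a list of anchor-like records. In a browser the list would come from
// document.querySelectorAll('a[href^="tel:"]'); here it is constructed inline
// so the example runs in Node. Non-tel: links are skipped.
function auditTelLinks(anchors) {
  const findings = [];
  for (const a of anchors) {
    const target = telTarget(a.href);
    if (target === null) continue;
    const visible = normalizeNumber(a.text);
    if (a.onclick) {
      findings.push({ href: a.href, reason: 'script handler on tel: link' });
    } else if (visible.replace(/^\+/, '').length < 7) {
      findings.push({ href: a.href, reason: 'dial target hidden behind non-numeric text' });
    } else if (!sameNumber(visible, target)) {
      findings.push({ href: a.href, reason: `displays ${a.text} but dials ${target}` });
    }
  }
  return findings;
}

// Constructed sample page content (made-up numbers, not from the advisory).
const SAMPLE_ANCHORS = [
  { text: '(404) 873-4800', href: 'tel:+1-404-873-4800' },              // consistent
  { text: '(404) 873-4800', href: 'tel:+1-900-555-0199' },              // redirected
  { text: 'Call support',   href: 'tel:+1-900-555-0199' },              // hidden target
  { text: '555-0100',       href: 'tel:555-0100', onclick: 'dial()' },  // scripted
  { text: 'Home',           href: 'https://example.com/' },             // not tel:
];

for (const f of auditTelLinks(SAMPLE_ANCHORS)) {
  console.log(`${f.href}: ${f.reason}`);
}
```

A mismatch finding is the redirect case from the list above; it is a signal, not proof of an attack, since legitimate pages sometimes show a local number and link its international form, which the suffix rule in sameNumber accepts. The script-handler rule is the coarsest of the three and will also flag benign click tracking.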

How the Greek cellphone network was tapped

Topic: Computer Security
3:00 pm EDT, Jul 10, 2007 |
From the cryptography@metzdowd.com list:

A fascinating IEEE Spectrum article on the incident in which lawful intercept facilities were hacked to permit the secret tapping of the mobile phones of a large number of Greek government officials, including the Prime Minister: http://www.spectrum.ieee.org/print/5280

Hat tip: Steve Bellovin.

Perry
--
Perry E. Metzger perry@piermont.com
This is worth reading. An operation leverages the "lawful intercept" features of telephone switches, combined with rootkit malware specifically designed for the switches, and a collection of corrupt employees, for some very unlawful intercepts. One, possibly two deaths. One of the most sophisticated computer intrusions I have ever heard of. Most likely a state intelligence organization. Americans widely suspected.

Solving the Web security challenge | CNET News.com

Topic: Computer Security
9:58 am EDT, Jun 28, 2007 |
"We have information on security practices out there. The disconnect is that we don't have an intermediary that says how these things apply to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there."
Are there any articles on Web 2.0 security out there that are not made up of Billy Hoffman quotes? I hope not..

General: China taking on U.S. in cyber arms race - CNN.com

Topic: Computer Security
5:35 pm EDT, Jun 14, 2007 |
China is seeking to unseat the United States as the dominant power in cyberspace, a U.S. Air Force general leading a new push in this area said Wednesday. "They're the only nation that has been quite that blatant about saying, 'We're looking to do that,"' 8th Air Force Commander Lt. Gen. Robert Elder told reporters.

Elder is to head a new three-star cyber command being set up at Barksdale Air Force Base in Louisiana, already home to about 25,000 military personnel involved in everything from electronic warfare to network defense. The command's focus is to control the cyber domain, critical to everything from communications to surveillance to infrastructure security. "We have peer competitors right now in terms of doing computer network attack ... and I believe we're going to be able to ratchet up our capability," Elder said. "We're going to go way ahead."

The Defense Department said in its annual report on China's military power last month that China regarded computer network operations -- attacks, defense and exploitation -- as critical to achieving "electromagnetic dominance" early in a conflict. China's People's Liberation Army has established information warfare units to develop viruses to attack enemy computer systems and networks, the Pentagon said. China also was investing in electronic countermeasures and defenses against electronic attack, including infrared decoys, angle reflectors and false-target generators, it said.

Elder described the bulk of current alleged Chinese cyber-operations as industrial espionage aimed at stealing trade secrets to save years of high-tech development. He attributed the espionage to a mix of criminals, hackers and "nation-state" forces. Virtually all potential U.S. foes also were scanning U.S. networks for trade and defense secrets, he added. "Everyone but North Korea," he said. "We've concluded that there must be only one laptop in all of North Korea -- and that guy's not allowed to scan overseas networks," Elder said.
In October, the U.S. Joint Chiefs of Staff defined cyberspace as "characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures."

Topic: Computer Security
5:21 pm EDT, May 30, 2007 |
More from Acidus: Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database.
DOMinatrix: Spanking the DOM the way the DOM like it! I'd like to thank Dan Kaminsky for the suggestion. He came up with the name and challenged me to come up with the spanking victim. You'll see it at Blackhat.
DOMinatrix...

Christopher Soghoian | Remote Vulnerability in Firefox Extensions

Topic: Computer Security
4:22 pm EDT, May 30, 2007 |
A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. The vulnerability is made possible through the use of a man in the middle attack, a fairly old computer security technique. Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong. While Firefox does at least prompt the user when updates are available, some commercial extensions (including those made by Google) have disabled this, and thus silently update their extensions without giving the user any say in the matter.
A demo video is available.

Russia accused of unleashing cyberwar to disable Estonia | Guardian Unlimited

Topic: Computer Security
2:17 pm EDT, May 17, 2007 |
A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications. While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies. Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences. "This is an operational security issue, something we're taking very seriously," said an official at Nato headquarters in Brussels. "It goes to the heart of the alliance's modus operandi."
Interesting. This is the first I've heard of this.

If it were established that Russia is behind the attacks, it would be the first known case of one state targeting another by cyber-warfare.
I'm not so sure about that part... I guess it depends on how you define cyber-warfare. I prefer to view this all as different flavors of information warfare, which very much includes espionage activity, which we have often seen.

The crisis unleashed a wave of so-called DDoS, or Distributed Denial of Service, attacks, where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidths for the servers running the sites. The attacks have been pouring in from all over the world, but Estonian officials and computer security experts say that, particularly in the early phase, some attackers were identified by their internet addresses - many of which were Russian, and some of which were from Russian state institutions. "The cyber-attacks are from Russia. There is no question. It's political," said Merit Kopli, editor of Postimees, one of the two main newspapers in Estonia, whose website has been targeted and has been inaccessible to international visitors for a week. It was still unavailable last night.
At the moment, the big question may be if this type of attack qualifies as a military action in the same way that electronic warfare does. At this point, if only websites are being DoS'd, it's one thing. If the attacks are (or become) focused on key infrastructure, it would be more clear cut. If these attacks are driven by state conflicts, this is a dangerous grey area to play in. Without more information, it is very hard to determine if these attacks are backed by the state, or just being done by rogue hackers that happen to be motivated by the row between Russia and Estonia.