<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
<channel>
	<title>softsecurity.com In focus</title>
	<link>http://www.softsecurity.com</link>
	<description>In focus</description>
	<language />
	<copyright />
	<pubDate>Sun, 21 Mar 2010 03:54:57 GMT</pubDate>
	<lastBuildDate>Sun, 21 Mar 2010 03:54:57 GMT</lastBuildDate>
	<category />
	<image />
	
	<item>
		<title>Friday Squid Blogging: Preserving Your Giant Squid</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-preserving-your-giant-squid.html</link>
		<description>&lt;a href=&quot;http://www.newscientist.com/article/dn18619-giant-squid-get-radical-plastic-surgery.html&quot;&gt;Plastination&lt;/a&gt;:

For several years von Hagens and his team experimented using smaller squid, and found that the fragility of the skin needed a slower replacement process than other animal specimens.

Some 1500 litres of silicone later, the plastination of the giant cephalopods was completed in January.
</description>
		<pubDate>Fri, 19 Mar 2010 23:47:31 GMT</pubDate>
	</item>
	<item>
		<title>Bringing Lots of Liquids on a Plane at Schiphol</title>
		<link>http://softsecurity.com/news/blog-posts/bringing-lots-of-liquids-on-a-plane-at-schiphol.html</link>
		<description>&lt;a href=&quot;http://www.expatica.com/nl/news/dutch-rss-news/reporter-exposes-new-security-flaw-at-schiphol_29465.html&quot;&gt;This&lt;/a&gt; would worry me, if the liquid ban weren't already useless.

The reporter found the security flaw in the airport's duty-free shopping system. At Schiphol airport, passengers flying to countries outside the Schengen Agreement Area can buy bottles of alcohol at duty-free shops before going through security. They are then permitted to take these bottles onto flights, provided that they have the bottles sealed at the shop.

Mr Stegeman bought a bottle, emptied it and refilled it with another liquid. After that he returned to the same shop and 'bought' the refilled bottle again. The shop sealed the bottle in a bag, allowing him to take it with him through security and onto a London-bound flight. In London, he transferred planes and carried the bottle onto a flight to Washington DC.

The flaw, of course, is the assumption that bottles bought at a duty-free shop actually come from the duty-free shop.

But note that 1) it's the same airport as the underwear bomber, 2) the reporter is known for trying to defeat airport security, and 3) body scanners would have made no difference.

Watch the TV program &lt;a href=&quot;http://www.sbs6.nl/web/show/id=117418/langid=43/media=149230/page=1&quot;&gt;here&lt;/a&gt;. 
</description>
		<pubDate>Fri, 19 Mar 2010 19:58:49 GMT</pubDate>
	</item>
	<item>
		<title>Church of the Jedi ?</title>
		<link>http://softsecurity.com/news/blog-posts/church-of-the-jedi.html</link>
		<description>Just found out today that there is a Church of the Jedi, that they ordain ministers and you can get married by them. Sometimes people just amaze me with their awesomeness.&amp;#160; Seriously, the creativity and wackiness that we have as a race is something...(&lt;a href=&quot;http://blogs.technet.com/security/archive/2010/03/19/church-of-the-jedi.aspx&quot;&gt;read more&lt;/a&gt;)</description>
		<pubDate>Fri, 19 Mar 2010 19:11:16 GMT</pubDate>
	</item>
	<item>
		<title>Security Trade-Offs and Sacred Values</title>
		<link>http://softsecurity.com/news/blog-posts/security-trade-offs-and-sacred-values.html</link>
		<description>Interesting &lt;a href=&quot;http://www.scientificamerican.com/article.cfm?id=psychology-of-taboo-tradeoff&quot;&gt;research&lt;/a&gt;:

Psychologist Jeremy Ginges and his colleagues identified this backfire effect in &lt;a href=&quot;http://www.pnas.org/content/104/18/7357&quot;&gt;studies&lt;/a&gt; of the Israeli-Palestinian conflict in 2007. They interviewed both Israelis and Palestinians who possessed sacred values toward key issues such as ownership over disputed territories like the West Bank or the right of Palestinian refugees to return to villages they were forced to leave; these people viewed compromise on these issues as completely unacceptable. Ginges and colleagues found that individuals offered a monetary payout to compromise their values expressed more moral outrage and were more supportive of violent opposition toward the other side. Opposition decreased, however, when the other side offered to compromise on a sacred value of its own, such as Israelis formally renouncing their right to the West Bank or Palestinians formally recognizing Israel as a state. Ginges and Scott Atran found similar evidence of this backfire effect with Indonesian madrassah students, who expressed less willingness to compromise their belief in sharia, strict Islamic law, when offered a material incentive.

[...]

After giving their opinions on Iran's nuclear program, all participants were asked to consider one of two deals for Iranian disarmament. Half of the participants read about a deal in which the United States would reduce military aid to Israel in exchange for Iran giving up its military program. The other half of the participants read about a deal in which the United States would reduce aid to Israel and would pay Iran $40 billion. After considering the deal, all participants predicted how much the Iranian people would support the deal and how much anger they would feel toward the deal. In line with the Palestinian-Israeli and Indonesian studies, those who considered the nuclear program a sacred value expressed less support, and more anger, when the deal included money.
</description>
		<pubDate>Fri, 19 Mar 2010 13:58:00 GMT</pubDate>
	</item>
	<item>
		<title>SPAM of the Day - Trouble Viewing This Social Attack? Read it Online</title>
		<link>http://softsecurity.com/news/blog-posts/spam-of-the-day-trouble-viewing-this-social-attack-read-it-online.html</link>
		<description>I wasn't really planning to do a &quot;Spam of the Day&quot; every day, but this one got through all of the filters today and I found it interesting enough to share.&amp;#160; This one combines the use of: E-mail spoofing (the E-mail &quot;from:&quot; field used my own address,...(&lt;a href=&quot;http://blogs.technet.com/security/archive/2010/03/18/spam-of-the-day-trouble-viewing-this-social-attack-read-it-online.aspx&quot;&gt;read more&lt;/a&gt;)</description>
		<pubDate>Thu, 18 Mar 2010 18:57:13 GMT</pubDate>
	</item>
	<item>
		<title>Revised Cybersecurity Bill Introduced in Senate</title>
		<link>http://softsecurity.com/news/blog-posts/revised-cybersecurity-bill-introduced-in-senate.html</link>
		<description>(Computerworld)&amp;#160; A revised version of a cybersecurity bill first proposed last year was introduced again in the U.S. Senate today, notably without a controversial provision that would have given the President authority to disconnect networks from...(&lt;a href=&quot;http://blogs.technet.com/security/archive/2010/03/18/revised-cybersecurity-bill-introduced-in-senate.aspx&quot;&gt;read more&lt;/a&gt;)</description>
		<pubDate>Thu, 18 Mar 2010 17:54:15 GMT</pubDate>
	</item>
	<item>
		<title>Disabling Cars by Remote Control</title>
		<link>http://softsecurity.com/news/blog-posts/disabling-cars-by-remote-control.html</link>
		<description>Who didn't see &lt;a href=&quot;http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/&quot;&gt;this&lt;/a&gt; coming?

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

[...]

Ramos-Lopez's account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee's account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
</description>
		<pubDate>Thu, 18 Mar 2010 14:41:13 GMT</pubDate>
	</item>
	<item>
		<title>SPAM of the Day - A Classic Nigerian Scam</title>
		<link>http://softsecurity.com/news/blog-posts/spam-of-the-day-a-classic-nigerian-scam.html</link>
		<description>I am continually amazed at some of the email-based social attacks that I see, sent either to me or one of my friends and family.&amp;#160; Some are so outrageous, it is hard to believe anybody could fall for them, but on the other hand - what if it were true that someone left me money - isn't it worth just one little check?&amp;#160; And therein lies the hook.&amp;#160; When someone is phishing, they just want a nibble.

Wondering how these scammers get their email targets?&amp;#160; It is not that hard - have your friends read about &lt;a href=&quot;http://en.wikipedia.org/wiki/E-mail_address_harvesting&quot;&gt;E-mail address harvesting&lt;/a&gt; and advise them to think about this the next time they consider sharing their E-mail address on a web site or in a job posting.

I thought it might be fun and interesting to share some of the unwanted emails I see periodically.&amp;#160; This is a real one that was sent to my wife in mid-February.

From: &amp;quot;MR.LAMIDO SANUSI&amp;quot; &amp;lt;email deleted&amp;gt;
&lt;br /&gt;Date: February 13, 2010 1:12:57 AM PST
&lt;br /&gt;Subject: Your kind Attention: Beneficiary, Call me at +2348080754902 for more information.

My Name Is Mr. Lamido Sanusi. I Am The Governor Central Bank Of Nigeria.&amp;#160; This Is To Notify You That Your Over Due Inheritance Funds Has Been Gazzeted To Be Released To You Via The Foreign Remmitance Department Of Our Bank.

Meanwhile, A Woman Came To My Office Few Days Ago With A Letter, Claiming To Be Your Representative And Sent By You.&amp;#160; If she is not your reprsentative or sent by you, kindly respond immediately reconfirming to me the following details to avoid any mistake.
&lt;br /&gt;+ Full name
&lt;br /&gt;+ Full residential contact address
&lt;br /&gt;+ Direct telephone number number
&lt;br /&gt;+ Age and current occupation
&lt;br /&gt;+ Copy of your identification if available.
&lt;br /&gt;
However, We Shall Proceed To Issue All Payments Details To The Said Mrs. Barbara Kleihans If We Do Not Hear From You Within The Next Three Working Days From Today. Await for your prompt response You.Regards, Mr. Lamido Sanusi
&lt;br /&gt;Reply-To: &amp;lt;deleted - a different email!&amp;gt;

Note that Nigeria &lt;a href=&quot;http://arstechnica.com/tech-policy/news/2009/10/nigeria-actually-arrests-shuts-down-online-scammers.ars&quot;&gt;has recently started an aggressive campaign&lt;/a&gt; against &lt;a href=&quot;http://en.wikipedia.org/wiki/Advance_fee_fraud&quot;&gt;&quot;Nigerian scams&quot; aka 419 scams&lt;/a&gt;,</description>
		<pubDate>Wed, 17 Mar 2010 18:30:12 GMT</pubDate>
	</item>
	<item>
		<title>Casino Hack</title>
		<link>http://softsecurity.com/news/blog-posts/casino-hack.html</link>
		<description>Nice &lt;a href=&quot;http://www.casinocitytimes.com/news/article/computer-experts-stole-£33-000-in-casino-scam-192870?contentID=192870&quot;&gt;hack&lt;/a&gt;:

Using insider knowledge the two hacked into software that controlled remote betting machines on live roulette wheels, the report said. 

The machines would print out winning betting slips regardless of the results on the wheel, Peterborough Today said.

I'd like to know how they got caught.

EDITED TO ADD (4/17): They got their &lt;a href=&quot;http://www.theregister.co.uk/2010/03/15/uk_casino_hack_scam/&quot;&gt;math wrong&lt;/a&gt;:

However, the scheme came unstuck after an alert cashier noticed a winning slip for £600 for a £10 bet at odds of 35-1. The casino launched an investigation that unearthed a string of other suspicious bets, traced back to Ashley and Bhagat, IT contractors working at the casino at the time of the scam.
</description>
		<pubDate>Wed, 17 Mar 2010 13:33:42 GMT</pubDate>
	</item>
	<item>
		<title>Network Security Podcast, Episode 189</title>
		<link>http://softsecurity.com/news/blog-posts/network-security-podcast-episode-189.html</link>
		<description>We&amp;#8217;ve been hearing about the Aurora attacks on Google and a host of other companies since early January.&amp;#160; So why is it that NSS Labs is finding that the majority of the End Point Protection (aka AV) companies aren&amp;#8217;t protecting against the vulnerability yet?&amp;#160; And why is AVG upset with NSS Labs and their testing [...]</description>
		<pubDate>Wed, 17 Mar 2010 05:33:38 GMT</pubDate>
	</item>
	<item>
		<title>Spencer Pratt Plans to Fight Cyber Crime</title>
		<link>http://softsecurity.com/news/blog-posts/spencer-pratt-plans-to-fight-cyber-crime.html</link>
		<description>WARNING WARNING WARNING - Serious security folks might want to skip this one ;-)  Not quite a true computer security news item, but you might be interested just for the entertainment value: &lt;a href=&quot;http://snoqqer.com/enternainment/spencer-pratt-cyber-security-ninja-in-training/&quot;&gt;Spencer Pratt, Cyber Security Ninja-in-training&lt;/a&gt;.  In case you don't know, &lt;a href=&quot;http://en.wikipedia.org/wiki/Spencer_Pratt&quot;&gt;Spencer&lt;/a&gt; is an MTV &quot;star&quot; from the show The Hills.&amp;#160; He is also married to &lt;a href=&quot;http://en.wikipedia.org/wiki/Heidi_Montag&quot;&gt;Heidi Montag&lt;/a&gt;, one of his co-&quot;stars&quot; from the show.  PREDICTION:&amp;#160; Next year at RSA Conference 2011, Spencer and Heidi will do a keynote.</description>
		<pubDate>Tue, 16 Mar 2010 19:08:18 GMT</pubDate>
	</item>
	<item>
		<title>The Great PCI debate, with special guest appearance</title>
		<link>http://softsecurity.com/news/blog-posts/the-great-pci-debate-with-special-guest-appearance.html</link>
		<description>Unluckily, the only time I was able to make it down to SF Bsides was for the Great PCI Debate, part 2.&amp;#160; Luckily, all the rest of the presentations that went on there are available via Ustream.&amp;#160; Of course, I still say the Great PCI debate was the most important presentation, partly because it contains [...]</description>
		<pubDate>Tue, 16 Mar 2010 06:45:59 GMT</pubDate>
	</item>
	<item>
		<title>March 2010 Security Bulletin Webcast</title>
		<link>http://softsecurity.com/news/blog-posts/march-2010-security-bulletin-webcast.html</link>
		<description>Hello,

Today we published the &lt;a href=&quot;http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-march-2010.aspx&quot;&gt;Questions &amp;amp; Answers from the March 2010 Security Bulletin webcast&lt;/a&gt;. We answered a total of 13 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them.

The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the two bulletins for March, a bulletin re-release and &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/981374.mspx&quot;&gt;Security Advisory 981374&lt;/a&gt;.

More listening and viewing options:
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_edge.wmv&quot;&gt;Windows Media Video (WMV)&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_edge.wma&quot;&gt;Windows Media Audio (WMA)&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_edge.mp4&quot;&gt;iPod Video (MP4)&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_edge.mp3&quot;&gt;MP3 Audio&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_2MB_edge.wmv&quot;&gt;High Quality WMV (2.5 Mbps)&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/0/9/4/9/1/msrcmar2010wc_Zune_edge.wmv&quot;&gt;Zune Video (WMV)&lt;/a&gt;

Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for April and try to answer all your questions live.

Date: Wednesday, April 14
&lt;br /&gt;Time: 11:00 a.m. PST (UTC -8)
&lt;br /&gt;Registration: &lt;a href=&quot;http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721&quot;&gt;http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721&lt;/a&gt;

Thanks!

Jerry Bryant
&lt;br /&gt;Sr. Security Communications Manager Lead

*This posting is provided &amp;quot;AS IS&amp;quot; with no warranties, and confers no rights.*</description>
		<pubDate>Tue, 16 Mar 2010 00:55:15 GMT</pubDate>
	</item>
	<item>
		<title>USB Combination Lock</title>
		<link>http://softsecurity.com/news/blog-posts/usb-combination-lock.html</link>
		<description>&lt;a href=&quot;http://www.staplespromotionalproducts.com/ProductDetail.aspx?id=2953&quot;&gt;Here's&lt;/a&gt; a promotional security product designed by someone who knows nothing about security.  The USB drive is &quot;protected&quot; by a combination lock.  There are only two dials, so there are only 100 possible combinations.  And when the drive is &quot;locked&quot; and the connector is retracted, the contacts are still accessible.

Maybe it should be given away by companies that sell security theater.
</description>
		<pubDate>Mon, 15 Mar 2010 20:59:46 GMT</pubDate>
	</item>
	<item>
		<title>Mykonos: WAF, IPS or honeypot?</title>
		<link>http://softsecurity.com/news/blog-posts/mykonos-waf-ips-or-honeypot.html</link>
		<description>I&amp;#8217;m not an expert on web application firewalls, which is why I&amp;#8217;m asking for feedback on the Mykonos Security Appliance.&amp;#160; I was given a demo of the product at the RSA Conference this year and it&amp;#8217;s one of the few products I&amp;#8217;ve seen lately that&amp;#8217;s doing something new and innovative.&amp;#160; Or more accurately, it appears [...]</description>
		<pubDate>Mon, 15 Mar 2010 16:02:36 GMT</pubDate>
	</item>
	<item>
		<title>Typosquatting</title>
		<link>http://softsecurity.com/news/blog-posts/typosquatting.html</link>
		<description>&quot;&lt;a href=&quot;http://www.benedelman.org/typosquatting/typosquatting.pdf&quot;&gt;Measuring the Perpetrators and Funders of Typosquatting&lt;/a&gt;,&quot; by Tyler Moore and Benjamin Edelman:

&lt;strong&gt;Abstract.&lt;/strong&gt; We describe a method for identifying &quot;typosquatting&quot;, the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue sources. We find that 80% are supported by pay-per-click ads often advertising the correctly spelled domain and its competitors. Another 20% include static redirection to other sites. We present an automated technique that uncovered 75 otherwise legitimate websites which benefited from direct links from thousands of misspellings of competing websites. Using regression analysis, we find that websites in categories with higher pay-per-click ad prices face more typosquatting registrations, indicating that ad platforms such as Google AdWords exacerbate typosquatting. However, our investigations also confirm the feasibility of significantly reducing typosquatting. We find that typosquatting is highly concentrated: Of typo domains showing Google ads, 63% use one of five advertising IDs, and some large name servers host typosquatting domains as much as four times as often as the web as a whole.

The paper &lt;a href=&quot;http://www.lightbluetouchpaper.org/2010/02/17/measuring-typosquattings-perpetrators-and-funders/&quot;&gt;appeared&lt;/a&gt; at the Financial Cryptography conference this year.
</description>
		<pubDate>Mon, 15 Mar 2010 13:13:37 GMT</pubDate>
	</item>
	<item>
		<title>Listener Survey for the podcast</title>
		<link>http://softsecurity.com/news/blog-posts/listener-survey-for-the-podcast.html</link>
		<description>We&amp;#8217;re trying to get some background information about who our listeners are, where they sit in their security careers and what we can do to improve the Network Security Podcast.&amp;#160; We&amp;#8217;d really appreciate it if you can take 5 minutes or less to fill out the survey and tell us how we can serve your [...]</description>
		<pubDate>Sun, 14 Mar 2010 22:47:15 GMT</pubDate>
	</item>
	<item>
		<title>Friday Squid Blogging: Cipherlopods</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-cipherlopods.html</link>
		<description>&lt;a href=&quot;http://articulatematter.com/comic/2009/cipherlopods/&quot;&gt;This&lt;/a&gt; makes no sense to me, even though -- I suppose -- it's a squid cryptography joke.
</description>
		<pubDate>Sat, 13 Mar 2010 00:21:58 GMT</pubDate>
	</item>
	<item>
		<title>Update on Security Advisory 981374</title>
		<link>http://softsecurity.com/news/blog-posts/update-on-security-advisory-981374.html</link>
		<description>Hi everyone,

I'm writing to let you know that we have updated &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/981374.mspx&quot;&gt;Security Advisory 981374&lt;/a&gt; with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.

On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today's update, we have added a &lt;a href=&quot;http://support.microsoft.com/kb/981374&quot;&gt;Microsoft Fix It&lt;/a&gt; to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Please review the advisory for more information. We will keep you posted as additional information becomes available.

Jerry Bryant
&lt;br /&gt;Sr. Security Communications Manager Lead

*This posting is provided &amp;quot;AS IS&amp;quot; with no warranties, and confers no rights.*</description>
		<pubDate>Fri, 12 Mar 2010 23:34:14 GMT</pubDate>
	</item>
	<item>
		<title>Why DRM Doesn't Work</title>
		<link>http://softsecurity.com/news/blog-posts/why-drm-doesnt-work.html</link>
		<description>Funny &lt;a href=&quot;http://www.bradcolbow.com/archive.php/?p=205&quot;&gt;comic&lt;/a&gt;.
</description>
		<pubDate>Fri, 12 Mar 2010 19:31:20 GMT</pubDate>
	</item>
	<item>
		<title>Video from the first day of RSA2010</title>
		<link>http://softsecurity.com/news/blog-posts/video-from-the-first-day-of-rsa2010.html</link>
		<description>I&amp;#8217;d almost forgotten that David Spark ambushed Ben Tomhave, Andrew Storms and me with a video camera on the first day of RSA last week.  I think we literally hadn&amp;#8217;t even had the time to get more than 10 steps beyond the escalator when David found us.  Which is my way of saying none of [...]</description>
		<pubDate>Fri, 12 Mar 2010 16:01:46 GMT</pubDate>
	</item>
	<item>
		<title>More Hollow Coins</title>
		<link>http://softsecurity.com/news/blog-posts/more-hollow-coins.html</link>
		<description>A hollowed-out U.S. nickel &lt;a href=&quot;http://www.boingboing.net/2010/02/16/hollow-spy-coins-for.html&quot;&gt;can hold&lt;/a&gt; a microSD card.  Pound and euro coins are &lt;a href=&quot;https://makersmarket.com/sellers/82-brian-dereu&quot;&gt;also available&lt;/a&gt;.  I &lt;a href=&quot;http://www.schneier.com/blog/archives/2008/12/hollow_coins.html&quot;&gt;blogged about this&lt;/a&gt; about a year ago as well.
</description>
		<pubDate>Fri, 12 Mar 2010 14:58:19 GMT</pubDate>
	</item>
	<item>
		<title>Wikibooks Cryptography Textbook</title>
		<link>http://softsecurity.com/news/blog-posts/wikibooks-cryptography-textbook.html</link>
		<description>Over at Wikibooks, they're trying to write an open source &lt;a href=&quot;http://en.wikibooks.org/wiki/Cryptography&quot;&gt;cryptography textbook&lt;/a&gt;.
</description>
		<pubDate>Thu, 11 Mar 2010 20:26:36 GMT</pubDate>
	</item>
	<item>
		<title>Wanted: Trust Detector</title>
		<link>http://softsecurity.com/news/blog-posts/wanted-trust-detector.html</link>
		<description>It's good to &lt;a href=&quot;http://www.popsci.com/technology/article/2010-02/us-spooks-want-better-gauge-trust-matter-life-and-death&quot;&gt;dream&lt;/a&gt;:

IARPA's &lt;a href=&quot;https://www.fbo.gov/index?s=opportunity&amp;mode=form&amp;id=e8a232ee02172d046ec7934d0af30005&amp;tab=core&amp;_cview=0&quot;&gt;five-year plan&lt;/a&gt; aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions.

A second part of the IARPA proposal might involve using new types of sensors and software to gauge human facial, language or body signals that might help predict trustworthiness. Perhaps &lt;a href=&quot;http://www.popsci.com/technology/article/2009-10/fbi-facial-recognition-software-scan-highway-fugitive-motorists&quot;&gt;facial recognition&lt;/a&gt; technology that could deduce emotions or facial tics might help, not to mention better &lt;a href=&quot;http://www.popsci.com/scitech/article/2002-07/terror-talk&quot;&gt;lie detectors&lt;/a&gt;.

IARPA is the &lt;a href=&quot;http://www.iarpa.gov/&quot;&gt;Intelligence Advanced Research Projects Activity&lt;/a&gt;, the U.S. intelligence community's answer to DARPA.
</description>
		<pubDate>Thu, 11 Mar 2010 14:17:12 GMT</pubDate>
	</item>
	<item>
		<title>Nose Biometrics</title>
		<link>http://softsecurity.com/news/blog-posts/nose-biometrics.html</link>
		<description>&lt;a href=&quot;http://news.bbc.co.uk/2/hi/science/nature/8543292.stm&quot;&gt;Really&lt;/a&gt;:

Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance.

The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people.

&quot;Noses are prominent facial features and yet their use as a biometric has been largely unexplored,&quot; said the University of Bath's Dr Adrian Evans.

&quot;Ears have been looked at in detail, eyes have been looked at in terms of iris recognition but the nose has been neglected.&quot;

The researchers used a system called PhotoFace, developed by researchers at the University of the West of England, Bristol and Imperial College, London, for the 3D scans.
</description>
		<pubDate>Wed, 10 Mar 2010 21:47:12 GMT</pubDate>
	</item>
	<item>
		<title>The Limits of Identity Cards</title>
		<link>http://softsecurity.com/news/blog-posts/the-limits-of-identity-cards.html</link>
		<description>Good legal paper on the limits of identity cards:  Stephen Mason and Nick Bohm, &quot;&lt;a href=&quot;http://www.stephenmason.eu/wp-content/uploads/2010/02/bohm-mason-identity.pdf&quot;&gt;Identity and its Verification&lt;/a&gt;,&quot; in Computer Law &amp; Security Review, Volume 26, Number 1, Jan 2010.

Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?'  An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.
</description>
		<pubDate>Wed, 10 Mar 2010 15:09:08 GMT</pubDate>
	</item>
	<item>
		<title>The Network Security Podcast, Episode 188</title>
		<link>http://softsecurity.com/news/blog-posts/the-network-security-podcast-episode-188.html</link>
		<description>Can you hear that? That&amp;#8217;s the sound of air escaping as we all finally recover from the RSA conference. Rich and Martin are back, and Zach&amp;#8230; never left (but did celebrate a birthday last week). We do a quick recap of RSA and then dig into the security news&amp;#8230; much of which had nothing to [...]</description>
		<pubDate>Wed, 10 Mar 2010 06:11:26 GMT</pubDate>
	</item>
	<item>
		<title>Ubuntu CVE Tracker</title>
		<link>http://softsecurity.com/news/blog-posts/ubuntu-cve-tracker.html</link>
		<description>Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: For more details on a specific CVE or source package, please see the &lt;a href=&quot;http://people.canonical.com/~ubuntu-security/cve/&quot;&gt;Ubuntu CVE Tracker&lt;/a&gt;.

I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any unpatched issues. For example, take a look at the page &lt;a href=&quot;http://secunia.com/advisories/product/28063/?task=advisories&quot;&gt;Vulnerability Report: Ubuntu Linux 9.10 on secunia.com&lt;/a&gt; (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you'll see a couple of interesting summary statistics as shown here:

&lt;a href=&quot;http://secunia.com/advisories/product/28063/?task=advisories&quot;&gt;&lt;img style=&quot;border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px&quot; title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/UbuntuCVETracker_D586/image_3.png&quot; width=&quot;294&quot; height=&quot;122&quot; /&gt;&lt;/a&gt;&lt;a href=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/UbuntuCVETracker_D586/image_5.png&quot;&gt;&lt;img style=&quot;border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px&quot; title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/UbuntuCVETracker_D586/image_thumb_1.png&quot; width=&quot;579&quot; height=&quot;167&quot; /&gt;&lt;/a&gt;

Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different:

&lt;a href=&quot;http://people.canonical.com/~ubuntu-security/cve/main.html&quot;&gt;&lt;img style=&quot;border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px&quot; title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/UbuntuCVETracker_D586/image_8.png&quot; width=&quot;644&quot; height=&quot;365&quot; /&gt;&lt;/a&gt;

You can see the &lt;a href=&quot;http://people.canonical.com/risk.html&quot;&gt;Risk Color Key&lt;/a&gt;, but it is about what you'd expect. Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd-party.

I didn't bother to do a count, but I can see that the number of &quot;needed&quot; fixes is somewhat larger than zero; however, I did not see any RED = High vulnerabilities, so I did check one more thing -- I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (i.e., &lt;a href=&quot;http://nvd.nist.gov&quot;&gt;http://nvd.nist.gov&lt;/a&gt;). I spot-checked a few:

CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS

CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS

CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS

CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS

CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS

There were 474 CVE entries, so I didn't do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.</description>
		<pubDate>Wed, 10 Mar 2010 01:11:09 GMT</pubDate>
	</item>
	<item>
		<title>Marc Rotenberg on Google's Italian Privacy Case</title>
		<link>http://softsecurity.com/news/blog-posts/marc-rotenberg-on-googles-italian-privacy-case.html</link>
		<description>Interesting &lt;a href=&quot;http://www.huffingtonpost.com/marc-rotenberg/brandeis-in-italy-the-pri_b_481115.html&quot;&gt;commentary&lt;/a&gt;:

I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person's image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man's image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim suggested that the state assembly could simply pass a law to create the right. The New York legislature did exactly that and in 1903 New York enacted the first privacy law in the United States to protect a person's &quot;name or likeness&quot; for commercial use.

The whole thing is worth reading.
</description>
		<pubDate>Tue, 09 Mar 2010 20:36:00 GMT</pubDate>
	</item>
	<item>
		<title>March 2010 Security Bulletin Release</title>
		<link>http://softsecurity.com/news/blog-posts/march-2010-security-bulletin-release.html</link>
		<description>Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of &quot;1&quot; so we recommend that customers deploy these updates as soon as possible. The Microsoft &lt;a href=&quot;http://technet.microsoft.com/en-us/security/cc998259.aspx&quot;&gt;Exploitability Index&lt;/a&gt; provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today's security updates can be found on the Microsoft Security Bulletin &lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx&quot;&gt;webpage&lt;/a&gt;.

&lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx&quot;&gt;MS10-016&lt;/a&gt; addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.

The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available &lt;a href=&quot;http://support.microsoft.com/kb/975561&quot;&gt;Microsoft Fix It&lt;/a&gt; to disassociate the project file type from the application to add an extra layer of security.

&lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-017.mspx&quot;&gt;MS10-017&lt;/a&gt; affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited.

Since both of today's bulletins require user interaction, we give them both a &quot;2&quot; on our deployment priority scale:

&lt;a href=&quot;http://blogs.technet.com/photos/msrcteam/images/3317885/original.aspx&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://blogs.technet.com/photos/msrcteam/images/3317885/original.aspx&quot; width=&quot;500&quot; /&gt;&lt;/a&gt;

Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month's bulletins:

&lt;a href=&quot;http://blogs.technet.com/photos/msrcteam/images/3317884/original.aspx&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://blogs.technet.com/photos/msrcteam/images/3317884/original.aspx&quot; width=&quot;500&quot; /&gt;&lt;/a&gt;

In the following video, Adrian Stone and I give a brief overview of today's bulletins:

&lt;a href=&quot;http://go.microsoft.com/fwlink/?LinkID=124807&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;img src=&quot;http://go.microsoft.com/fwlink/?LinkId=108181&quot; alt=&quot;Get Microsoft Silverlight&quot; style=&quot;border-style: none&quot; /&gt;&lt;/a&gt;

More listening and viewing options:

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_edge.wmv&quot;&gt;Windows Media Video (WMV)&lt;/a&gt;

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_edge.wma&quot;&gt;Windows Media Audio (WMA)&lt;/a&gt;

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_edge.mp4&quot;&gt;iPod Video (MP4)&lt;/a&gt;

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_edge.mp3&quot;&gt;MP3 Audio&lt;/a&gt;

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_2MB_edge.wmv&quot;&gt;High Quality WMV (2.5 Mbps)&lt;/a&gt;

&lt;a href=&quot;http://ecn.channel9.msdn.com/o9/edge/9/6/2/9/1/msrcmarbulletins2010_Zune_edge.wmv&quot;&gt;Zune Video (WMV)&lt;/a&gt;

Today we also re-released &lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms09-033.mspx&quot;&gt;MS09-033&lt;/a&gt; to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions.

Additionally, we continue to monitor the threat landscape around &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/981169.mspx&quot;&gt;Security Advisory 981169&lt;/a&gt; regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

Please join us tomorrow for a public webcast where Adrian Stone and I will go into detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them, so please plan to join us.

Date: Wednesday, March 10 &lt;br /&gt;Time: 11:00 a.m. PST (UTC -8) &lt;br /&gt;Registration: &lt;a href=&quot;http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711&quot;&gt;http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711&lt;/a&gt;

Thanks!

Jerry Bryant &lt;br /&gt;Sr. Security Communications Manager Lead

*This posting is provided &amp;quot;AS IS&amp;quot; with no warranties, and confers no rights.*</description>
		<pubDate>Tue, 09 Mar 2010 20:02:03 GMT</pubDate>
	</item>
</channel>
</rss>