
From the 10 Years Ago Today Department

From the L0pht Archives:

Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC
9.30.1999
The lack of client side security for internet transactions poses a huge
security risk that online banks and others just seem to ignore. Tools such
as BO2K and even simpler keystroke loggers can cut through the
authentication used for “secure” web transactions to allow an attacker to
authenticate as the hapless consumer.

Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch
Cult of the Dead Cow demonstrate the attack and Weld Pond from the
L0pht talk about what is really going on.

It is shocking how …

Stealing PII is So 2007 — They Want Your Endpoint

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online financial accounts. They are succeeding.

Controlling the endpoint within a business can net an attacker $100,000+. In “Real-Time Hackers Foil Two-Factor Security”, …

Trust Your Own Code?! Trust Your Own Compiler?!

Trust has long been a favorite target of malicious individuals. Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye.

Trust - By gypsyrock on Flickr

Ken Thompson’s seminal paper “Reflections on Trusting Trust”, which won a Turing Award, addresses in detail why we can never be fully sure of the trust relationships in our development environment. The paper asserts that since people tend to only …

SQL Injection Blamed for 7-11, Hannaford and Heartland Breaches

The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez.

It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network.

The indictment doesn’t give any details of the technique that was used to leverage the SQL Injection vulnerability to install the malware. I have my theories. Here are some potential ideas:

Connection Between Identity Theft and Cyberwarfare

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year.

“Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.”

I have my own data point to share on this attack trend. My credit card number was used fraudulently to register 4 web sites from separate ISPs last Monday. The fraud …

Bytecode Analysis Is Not The Same As Binary Analysis

Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As more companies with software security testing technology wade into the “no source available” pool (come on in guys, the water is nice), it is important to understand what capabilities you need for software assurance when you don’t have access to …

BlackHat Picks 2009

It’s time for the yearly BlackHat picks. Without further ado, here’s where you’ll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes — there is no way I will actually make it to all of these, but as of now, this is what’s caught my interest:

Day 1

  • John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation
  • Andrea Barisani & Daniele Bianco: Sniff keystrokes with Lasers /Voltmeters
  • Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
  • Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism ’09
  • Pwnie Awards

Day 2

The Challenges Of Developing Secure Mobile Applications

Christien Rioux, Veracode co-founder and chief scientist, recently gave a webinar on mobile app security. He covers the strengths and weaknesses of 3 popular mobile application platforms: Windows Mobile, RIM Blackberry, and Google Android. Veracode recently announced our capability to scan Windows Mobile applications for vulnerabilities and malicious code. Blackberry and Android support will be coming in the next few months.


BlackBerry Spyware Dissected

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.

We’re not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary format that contains the compiled Java classes along with a signature. Therefore it’s not even necessary to send the .jar, but they did, completely unobfuscated. Arrogance or incompetence? Here’s what’s …

Nation State Cyberwarfare Reality Check

Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDoS armies at whoever they choose and are able to shut down their networks.

It is time to stop thinking about computer security as a castle wall …

The Mobius Defense – An Impetus for Application Security

The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read so get to it…

Mr. Herzog suggests in this presentation that the “Defense in Depth” strategy, with regards to network defense, is ineffective and antiquated, and needs to be replaced with a new and updated defense model. His …

Mystery of Donkey Kong Kill Level Solved

It was an integer overflow.

I guess it is never too late to fix a bug. Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22. If you have seen King of Kong you would know that one of the challenges of getting a high score is getting as many points as possible before a software glitch causes the game to end abruptly at level 22. This is because the time is calculated incorrectly and there is not …

Even Government Censors Demand Secure Software

As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to “protect” viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, researchers at the University of Michigan have published a report detailing several remotely exploitable vulnerabilities in the Green Dam software. These vulnerabilities include:

Vulnerability in Virtualization App Wipes Out 100,000 Sites

Vaserve, a UK webhosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero-day attack on HyperVM, a virtualization application they used. HyperVM was a product of lxlabs.

I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their forum, the first post on a new topic “Security”, dated April 10, 2009. It was not replied to until yesterday.

http://forum.lxlabs.com/index.php?t=msg&th=11197&start=0&:

Lxadmin/hyperVM has become popular enough that people are SPECIFICALLY …

Obama to Pick New Cyber Czar

It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke’s position under President Clinton.

This position will be critical for organizing the government’s fragmented information security efforts, both for the government sector and the country’s infrastructure, which is largely privately owned. Many of the security tasks that must take place to improve our nation’s security posture are well known. They are employed by forward thinking and risk averse sectors such as the financial industry. The challenge is rolling …
