A new issue of (IN)SECURE Magazine is out: issue 1.9, December 2006
[pdf].
Some highlights from this month's issue:
- Effectiveness of security by admonition: a case study of security
warnings in a web browser setting
- Interview with Kurt Sauer, CSO at Skype
- Web 2.0 defense with AJAX fingerprinting and filtering
- Hack In The Box Security Conference 2006
- Where iSCSI fits in enterprise storage networking
- Recovering user passwords from cached domain records
- Do portable storage solutions compromise business security?
- Enterprise data security - a case study
- Creating business through virtual trust: how to gain and sustain a
competitive advantage using information security
This free online magazine has some great articles; I'm looking forward
to reading it!
Posted by Marcin on Tuesday, November 28, 2006 in
Security.
China's at it again, this time having obtained information on classified
technology used on the B-2 stealth bomber's engines. The data would
allow China to copy, or build countermeasures against, weapons that use
the technology.
Details of the classified defense technology related to the B-2's
engine exhaust system and its ability to avoid detection by infrared
sensors were sold to Chinese officials by former defense contractor
Noshir S. Gowadia, an Indian-born U.S. citizen charged with spying in a
federal indictment released by prosecutors in Hawaii.
The stealth technology isn't the only thing Gowadia gave the Chinese: he
assisted in developing a missile exhaust system that is hard to detect
by radar and helped modify a cruise missile to intercept U.S. air-to-air
missiles. In 2002 and 2004 he sent emails containing SECRET and TOP
SECRET data to Israel, Germany and Switzerland. He is suspected of
having given classified information to as many as eight foreign nations,
and of having been paid as much as $2 million.
Posted by Marcin on Friday, November 24, 2006 in
Security.
You're on the go: at the airport, at a coffee shop, wherever. You need
to check your email or log in to your bank account to make sure you have
sufficient funds (I'd recommend against it, but people do it anyway).
You sit down at a public internet terminal or in an internet café and
proceed to go about your business. The problem is that you have no idea
what is running on that computer; you are trusting the administrator to
keep it free of viruses and any spyware that could be lurking underneath.
What you don't know is whether someone has installed a software or
hardware keylogger to record all your keystrokes and then mined the log
for your passwords and the sites you visited.
A couple of researchers from Microsoft Research (Cormac Herley and Dinei
Florêncio) came up with an interesting study, which you can download
here
[pdf]. To sum it up: between every real character of your password you
click out of the password field (into another window, or somewhere on
the page that is not a text field), type some "random" characters that
end up there instead, then click back into the field and type the next
real character. The login form only receives the real characters, but
the keylogger records everything interleaved, so it cannot easily tell
which keystrokes make up the password. A good keylogger will record the
following at a minimum:
- Keystrokes
- Mouse clicks
- Active browser window
Let's assume your password is snoopy2, as in the paper. Employing
the methods suggested, a keylogger would record the following:
(lclick)s(lclick)quioe(lclick)n(lclick).,jmz(lclick)o(lclick)queis(lclick)o(lclick)lkjd(lclick)p(lclick)hguhjcxf(lclick)y(lclick)mc,m(lclick)2(lclick)(enter)
You can still easily derive the password here: every real character sits
alone between two (lclick)s, while the junk comes in longer runs, so an
attacker just reads off the single-character runs. To break that
pattern, also left- and right-click randomly inside the junk runs, so
that some junk characters end up alone between clicks too and it is no
longer obvious which single characters are real. To the keylogger, it
could then look like this:
(lclick)s(lclick)qui(rclick)o(lclick)e(lclick)(lclick)n(lclick).,(lclick)jmz(lclick)o(lclick)que(lclick)is(lclick)o(lclick)lk(lclick)jd(lclick)p(lclick)hguh(rclick)jc(lclick)xf(lclick)y(lclick)mc,m(lclick)2(lclick)(enter)
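To make the attacker's side of this concrete, here is an added example (my own code, not from the post or from the Microsoft Research paper) that parses the two keylogger transcripts above, applies the two obvious recovery heuristics to each, and then counts what is left for an attacker once the decoy clicks are in. The transcripts are copied from the post with the line-wrap spaces removed; the search-space figure assumes the attacker knows that each run of keystrokes between clicks is either entirely real or entirely junk, which is exactly what the technique produces.

```python
import re

# The two keylogger transcripts from the post (wrap spaces removed); the
# password in the paper's example is "snoopy2".
LOG_PLAIN = (
    "(lclick)s(lclick)quioe(lclick)n(lclick).,jmz(lclick)o(lclick)queis"
    "(lclick)o(lclick)lkjd(lclick)p(lclick)hguhjcxf(lclick)y(lclick)mc,m"
    "(lclick)2(lclick)(enter)"
)
LOG_DECOY = (
    "(lclick)s(lclick)qui(rclick)o(lclick)e(lclick)(lclick)n(lclick).,"
    "(lclick)jmz(lclick)o(lclick)que(lclick)is(lclick)o(lclick)lk(lclick)jd"
    "(lclick)p(lclick)hguh(rclick)jc(lclick)xf(lclick)y(lclick)mc,m"
    "(lclick)2(lclick)(enter)"
)
PASSWORD = "snoopy2"

# Mouse and Enter events as the logger writes them; everything else is a keystroke.
_EVENT = re.compile(r"\((?:lclick|rclick|enter)\)")


def runs(log):
    """Keystroke runs between consecutive logged events (clicks and Enter).
    An empty string means two events with nothing typed in between; the
    attacker sees those too, so they are kept."""
    parts = _EVENT.split(log)
    return parts[1:-1]  # drop text before the first event and after the last


def guess_single_char_runs(log):
    """Heuristic 1: real characters are typed one at a time, so take every
    run that is exactly one keystroke long."""
    return "".join(r for r in runs(log) if len(r) == 1)


def guess_alternating(log):
    """Heuristic 2: the user alternates real, junk, real, junk, so take every
    other run starting with the first."""
    return "".join(runs(log)[0::2])


def search_space(log):
    """Candidates an attacker must try if the heuristics fail: any ordered
    subset of the non-empty runs could be the password (assumes each run is
    wholly real or wholly junk, which is what the technique produces)."""
    return 2 ** sum(1 for r in runs(log) if r)


def recoverable(log, password):
    """True if some ordered subset of runs concatenates to `password`, i.e.
    the password is still inside the attacker's search space."""
    reachable = {0}  # prefix lengths of `password` matched so far
    for r in runs(log):
        if not r:
            continue
        reachable |= {pos + len(r) for pos in reachable if password.startswith(r, pos)}
    return len(password) in reachable


if __name__ == "__main__":
    for name, log in (("plain", LOG_PLAIN), ("decoy clicks", LOG_DECOY)):
        print(f"{name}: single-char runs -> {guess_single_char_runs(log)!r}, "
              f"alternating -> {guess_alternating(log)!r}, "
              f"brute-force candidates -> {search_space(log)}, "
              f"password still present -> {recoverable(log, PASSWORD)}")
```

Both cheap heuristics recover snoopy2 from the first transcript and fail on the second, which is the whole point of the decoy clicks. The caveat is in the last two numbers: the password is still in the log as an ordered subset of runs, and for this transcript the brute-force space is about a million candidates. That is out of reach against a bank that locks the account after a handful of failures, but small against any service without rate limiting, and a keylogger that also records which control has focus at each click can separate real from junk directly.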
I'd still recommend against logging in at public terminals to check
financial information or important email, as there are other things to
worry about as well.
Posted by Marcin on Friday, November 24, 2006 in
Security.
If investing in an IT services company is something you are interested
in, Morningstar published their Picks Among U.S. IT Service
Providers.
Great for the personal investor looking to make a couple of bucks in
their trading account, but if you're a business-decision-maker type of
person at any company, hold it right there. Whatever you do, do not sell
off your IT infrastructure to an outsourcing firm! You will never get
those resources back when you finally realize you would have been better
off without the outsourcer. On top of your own company's policies and
processes you then get the outsourcing firm's processes and office
politics as well. Then try and tell me how tough it is to get something
done...
If your company has outsourced IT services, let me know how it's been
going so far. In addition, include the firm and where they are located
if you'd like.
Posted by Marcin on Friday, November 17, 2006 in
Tech.
Alex Rice of Websense Security Labs dissected
"Web-Attacker",
one of the most popular exploit kits on the web. He recently got hold
of the source code and takes us through it step by step. For those
who do not know how Web-Attacker works, here's a brief scenario:
- User visits a compromised webpage containing a hidden iframe that
loads go.php.
- go.php redirects to ie0609.cgi?homepage, which redirects to
demo.php.
- Obfuscated JavaScript from demo.php determines which exploit
should be attempted and redirects to
ie0609.cgi?type=<EXPLOIT_TYPE>.
- Based on the value of the type parameter, ie0609.cgi returns
the requested exploit. Each exploit differs but attempts the same
action: execute the data downloaded from
ie0609.cgi?exploit=<EXPLOIT_TYPE>.
- With the exploit parameter, ie0609.cgi returns the malicious
binary to be executed. The attack is complete.
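A defensive counterpart to that scenario, as an added example that is neither from the Websense write-up nor from the kit itself: a small Python script that walks proxy log lines and reports how far down the Web-Attacker chain each client got. The log format, the host kit.example, the client addresses and the type/exploit value 1 are all constructed for the example; only the file names and query parameters come from the chain above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<epoch seconds> <client> <url> <status>". The host
# kit.example and the type/exploit value 1 are placeholders, not real kit values.
SAMPLE_LOG = """\
1163289600 10.0.0.5 http://news.example/index.html 200
1163289601 10.0.0.5 http://kit.example/go.php 302
1163289601 10.0.0.5 http://kit.example/ie0609.cgi?homepage 302
1163289602 10.0.0.5 http://kit.example/demo.php 200
1163289603 10.0.0.5 http://kit.example/ie0609.cgi?type=1 200
1163289604 10.0.0.5 http://kit.example/ie0609.cgi?exploit=1 200
1163289700 10.0.0.9 http://kit.example/demo.php 200
1163289701 10.0.0.9 http://kit.example/ie0609.cgi?type=1 200
1163289800 10.0.0.12 http://kit.example/go.php 302
1163289801 10.0.0.12 http://kit.example/ie0609.cgi?homepage 403
1163289900 10.0.0.20 http://mail.example/inbox 200
"""

_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def stage_of(url):
    """Position of `url` in the chain (1..5) or None if it is not part of it.
    Matches on the kit's file names and query parameters rather than on a
    host name, since the kit lives wherever the operator put it."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if name == "go.php":
        return 1
    if name == "demo.php":
        return 3
    if name == "ie0609.cgi":
        if "homepage" in params:
            return 2
        if "type" in params:
            return 4
        if "exploit" in params:
            return 5
    return None


def classify(events, window=60):
    """Verdict for one client from its (stage, ts) hits, taken in time order:
    'payload_fetched': ?exploit= requested within `window` seconds of ?type=,
                       so the exploit most likely worked and the binary came down
    'exploit_served':  ?type= was requested but no payload fetch followed
    'redirect_only':   only go.php / ?homepage / demo.php were seen, so the
                       exploit-selection JavaScript never ran (or was blocked)"""
    type_ts, verdict = None, "redirect_only"
    for stage, ts in sorted(events, key=lambda e: e[1]):
        if stage == 4:
            type_ts, verdict = ts, "exploit_served"
        elif stage == 5 and type_ts is not None and ts - type_ts <= window:
            return "payload_fetched"
    return verdict


def detect(log_text, window=60):
    """Map each client that touched the chain to its verdict; clients that
    never requested a chain URL are left out."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, client, url = int(m.group(1)), m.group(2), m.group(3)
        stage = stage_of(url)
        if stage is not None:
            hits[client].append((stage, ts))
    return {client: classify(events, window) for client, events in hits.items()}


if __name__ == "__main__":
    for client, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{client:10} {verdict}")
```

Matching on go.php, demo.php and ie0609.cgi is only as good as the operator's laziness; the more durable signal is the shape of the chain (a redirect, a page returning obfuscated script, then two requests to the same CGI a few seconds apart differing only in a type and an exploit parameter), so in a real deployment the stage matchers are the part to generalise. A payload_fetched verdict means the host probably executed the downloaded binary and warrants a host investigation, not just a proxy alert.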
Be sure to check out the blog post and see how this simple yet
nasty little Perl script works.
Posted by Marcin on Saturday, November 11, 2006 in
Security.