Secure Yourself Online

News and Tips on securing your network, website, and blog

Wednesday, July 30, 2008

Public Disclosure Of Bugs

Recently there has been a huge discourse in the security community about the proper way to disclose a vulnerability. A vulnerability can be defined as “A security exposure in an operating system or other system software or application software component”. Security exposures that people find typically vary between coding structure vulnerabilities, logical program design flaws, or unintended privileges of information. The issue that many people have with the disclosure of vulnerabilities is that a specific set of instructions can be constructed to exploit the vulnerability. The exploitation program can carry with it a payload, either allowing an attacker access to your computer or doing malicious things to it.

So, why don’t software makers want you to know what’s in the software that you buy? Because they don’t want you to know what their problems are. Realplayer, for example, has near daily security vulnerabilities- and almost daily there is another way to break into a system via Realplayer. Software vendors often are the loudest to scream “Foul!” when a security researcher releases a vulnerability publicly, however- there are countless stories of when a researcher has informed a company (Cisco) of vulnerabilities in their software/hardware and the company waits months if not years to actually fix the issue. The developers in these companies are so wrapped up in prior commitments or “maintenance” that a vulnerability will get pushed to the bottom of their to-do list. Besides, if no one is exploiting it- it’s not important in their eyes.

So why don’t they want people to publicly reveal the vulnerabilities in their products? Because they don’t want to fix it? Well, they usually get around to fixing the vulnerability- just not immediately; so no, it’s not that. Well, why? Because they believe that people will actively exploit the vulnerability? That could be, but in most situations, the people who truly know how to use the exploit already have it. The security community is a tight-knit group; just because an exploit hasn’t been publicly released doesn’t mean that it is not well known. The main argument that I have seen is that someone will package the exploit and sell it to people who will then use it for malicious means against machines. The flaw in this argument is that although there will inevitably be a lapse in the time between the public release and the repair, this time is a fraction of the time that the hole would have remained open if it hadn’t been marked as “Urgent”. You will not have to worry about people going into a hole that’s been covered. Many in the security community have an intense frustration at the closed disclosure system- which is absolutely unresponsive to “Responsible Disclosure Reports”. Although some companies take these seriously, many sit on their thumbs while a hole is open.

So what is the issue here? Public relations, pure and simple. Companies do not want you to know about the problems with their software. Is Google leaking your search data? Too bad. Is Microsoft monitoring your downloads? Too bad. Will a program allow an attacker to get into your system and steal your personal information? Too bad. The companies want the maximum amount of money for the minimal amount of investment; the less they have to code, the better. The less you ask, the better, in the opinion of most large companies. Each time a vulnerability is found, even more people begin reviewing the code, finding even more vulnerabilities, until the program is vulnerability free.

So we come to the issue of public disclosure of bugs. Public disclosure serves four important services for the computing community. Public disclosure allows security researchers, developers, coders, and computer professionals in general to analyze trends in coding and see common vulnerabilities. With analysis of vulnerabilities comes the opportunity to teach college students the proper ways of coding to avoid exposing vulnerabilities, thus creating secure software. While the prior point recognizes the contribution disclosure will make in the future, right now public disclosure allows security analysts to analyze trends in vulnerabilities in programs and see where they can patch programs before a problem occurs. Public disclosure also allows the consumer to make EDUCATED decisions in the marketplace. Instead of buying a program that has security vulnerabilities, the educated consumer will purchase a program that is coded securely- because they know that their information will be secure inside of it.

Q:Why Do I Support Public Disclosure of Bugs?

A:Because it Keeps you secure.

posted by Gillis at 4:01 pm  

Tuesday, July 29, 2008

HP,Yahoo,Intel Announce Cloud Computing Collaboration

Yahoo, Hewlett Packard and Intel are jointly announcing a new cloud computing research initiative called the Cloud Computing Test Bed.

It’s being described as “a globally distributed, Internet-scale testing environment designed to encourage research on the software, data center management and hardware issues associated with cloud computing at a larger scale than ever before.” Other partners include the Infocomm Development Authority of Singapore (IDA) (which is distinct from the MDA, I believe, which is unfortunate), the University of Illinois at Urbana-Champaign, and the Karlsruhe Institute of Technology (KIT) in Germany:

The test bed will initially consist of six “centers of excellence” at IDA facilities, the University of Illinois at Urbana-Champaign, the Steinbuch Centre for Computing of the Karlsruhe Institute of Technology, HP Labs, Intel Research and Yahoo!. Each location will host a cloud computing infrastructure, largely based on HP hardware and Intel processors, and will have 1,000 to 4,000 processor cores capable of supporting the data-intensive research associated with cloud computing. The test bed locations are expected to be fully operational and made accessible to researchers worldwide through a selection process later this year.

The test bed will leverage Yahoo!’s technical leadership in open source projects by running Apache Hadoop — an open source, distributed computing project of the Apache Software Foundation — and other open source, distributed computing software such as Pig, the parallel programming language developed by Yahoo! Research.

“The HP, Intel and Yahoo! Cloud Computing Test Bed furthers our commitment to the global, collaborative research community that is advancing the new sciences of the Internet,” said Prabhakar Raghavan, head of Yahoo! Research. “With this test bed, not only can researchers test applications at Internet scale, they will also have access to the underlying computing systems to advance understanding of how systems software and hardware function in a cloud environment.”

Researchers at HP Labs, the central research arm of HP, will use the test bed to conduct advanced research in the areas of intelligent infrastructure and dynamic cloud services. HP Labs recently sharpened its focus to help HP and its customers capitalize on the industry’s shift toward cloud computing, a driving force behind HP’s vision of Everything as a Service. With Everything as a Service, devices and services will interact seamlessly through the cloud, and businesses and individuals will use services that anticipate their needs based on location, preferences, calendar and communities.

posted by Gillis at 11:48 am  

Tuesday, July 29, 2008

How to Protect Your Identity Offline

A recent study showed that people aged 18-29 account for nearly 30 percent of all the reported identity theft cases. This is presumably because of college students, but thieves are also beginning to target young professionals. Younger targets offer a particularly delicious mark for identity thieves, because they are presumably just beginning their credit lives and don’t check their credit ratings regularly.

Is this You?

Here is a checklist to help keep your identity secure online, and off (alternatively, a guide to your DEFCON experience ;) ):

• Keep your Social Security card and number in a locked safe place. Do not carry it with you. Don’t share it with anyone without knowing why they need it. Most schools now use a student identification number instead of the Social Security number (SSN). Parents, please note: This may be one factor to consider when choosing a college. Many prominent universities have been hit with data breaches in recent years, where hackers were able to make off with students’ personal information, often organized and stored by their SSN.

• Store your laptop in a locking security box when you are not in the room and do not have it with you.

• Use your home address as the permanent mailing address rather than a temporary address used while in school. This will lessen the complications of multiple addresses. Dorm and apartment mailboxes are not always locked and are easily accessible by people who do not have your best interest in mind.

• Obtain and use a credit card and NOT a debit card. Credit cards may be pre-paid or have a low limit, if you so choose. Debit cards are targets for identity thieves. Check your monthly statements as they come in and look for unexplained expenses.

• Never supply a phone, in your name, to someone else, such as a friend or roommate. The reason they cannot get a phone is probably that they have bad credit in the first place. The chances of being paid back are slim.

• Never loan a credit or debit card to a friend. Co-signing for any cell phone, utility account, car loan or credit card puts you at major, unwarranted risk.

• Never loan your driver’s license or identification card to anyone. They could use it as an ID card when stopped by the police and you will be listed as the offender.

• Finally, check your credit report annually using the free credit reports available at AnnualCreditReport.com. If you have never established credit, you will be told there is no report. If there is a report, check it out and make sure that none of the information is a result of fraudulent activity.

posted by Gillis at 10:48 am  

Monday, July 28, 2008

AT&T Attempting to shut down Universal Wi-Fi

True to form, AT&T is attempting to scuttle the Great American WiMAX Merger.

Late last week, the big-name US telco tossed an official petition (PDF) at the FCC requesting the destruction of the proposed WiMAX tie-up between Sprint and Clearwire.

“The applicants have failed to address in any meaningful way the competitive showing traditionally required by the FCC when reviewing major transactions,” the petition reads. “Because the applications are therefore facially defective, they should be denied.”

Backed by $3.2bn from Intel, Google, Comcast, Time Warner Cable, and Bright House Networks, Sprint and Clearwire have agreed to merge their beleaguered WiMAX networks under the control of a brand new company, also called Clearwire. Together, the two operations hope to blanket the states with “4G” wireless well before the likes of AT&T and Verizon, delivering the mobile internet to laptops and various consumer electronics devices as well as mobile phones.

Sprint’s network has rolled out slower than expected. Clearwire’s network was originally designed for fixed-location wireless access, not mobile. And the companies’ definition of 4G may not cut the mustard. But AT&T still sees the merger as a threat.

“Clearly, a company that has the largest spectrum position of any mobile carrier, deploying a service that is ‘here now,’ with financial backing from Google, Intel, and three of the nation’s largest cable television companies is capable of substantially impacting competition in the mobile communications market,” continues AT&T’s petition.

It’s worth noting that the joint Sprint-Clearwire network will be open to any device and any application. Though AT&T likes to say that it has fully embraced openness, this may or may not be true.

But according to a message tossed our way by a company spokesman, AT&T “does not fundamentally oppose the transaction.” It simply believes that “Sprint and Clearwire should be required to demonstrate that its merger serves the public interest just like any other providers would have to do.”

The company argues that in seeking FCC approval for their tie-up, Sprint and Clearwire haven’t put all their cards on the table. The FCC requires added scrutiny for transactions that would deliver an unusually large swath of spectrum to a single operation, and AT&T claims that the “New Clearwire” has failed to disclose all its holdings in a portion of the US airwaves known as the Broadband Radio Service (BRS) and Educational Broadband Service (EBS) spectrum.

The BRS/EBS spectrum was originally licensed to American schools and colleges for on-campus broadcasting. But in recent years, the FCC has shifted the band to commercial use, letting those schools and colleges lease their holdings to corporate interests, including Sprint and Clearwire - and AT&T.

When the FCC reviewed AT&T’s merger with Dobson last year, it did not scrutinize AT&T’s BRS-EBS holdings because the band was still making the slow transition to commercial spectrum. But, AT&T tells the FCC, this switch is now complete.

“The applicants have touted this spectrum as being superior for the delivery of mobile broadband to the public. And the major reason the spectrum has not been previously included has evaporated - the applicants note that the BRS/EBS transition is ‘nearly complete.’”

So, AT&T has suggested that the FCC reject the Sprint-Clearwire merger application.

From (The Register)

posted by Gillis at 4:59 pm  

Monday, July 28, 2008

Security Flaws in iPhone

The iPhone’s Mail and Safari browser applications are prone to a URL spoofing vulnerability, which may allow attackers to conduct phishing attacks against the phone’s users.

Security researcher Aviv Raff has revealed the vulnerability in his blog. By creating a specially crafted URL, and sending it via an e-mail, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain, such as a bank, PayPal or a social network.

When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is from a trusted domain.

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions may also be affected, said Raff.

posted by Gillis at 4:11 pm  

Sunday, July 27, 2008

I will be back in full force tomorrow.

Sorry,

I have been out of commission this past week, due to the removal of- Not One, Not Two, But FOUR wisdom teeth. Needless to say- I spent most of this week completely out of it; so I have not been able to really write or stay up-to-date on what’s been going on. I missed the talks from #LastHope, I will be going back this coming week and seeing if there was anything interesting there. The next two months are absolute security hell, we have DEFCON and Black Hat- which are the crème de la crème of the security apparatus- underground and corporate respectively.

So I will have quite a bit to cover coming up. More to come tomorrow.

posted by Gillis at 3:28 pm  

Monday, July 21, 2008

Trojan undetectable by Anti-Virus

The Trojan in question has been named Limbo 2, and according to the people who came up with it, the best 10 security software solutions on the market today are not capable of detecting it. Acquiring this malware will set you back about $1,300, but for that amount of money you will get a software product that is unique, customized to your personal requirements, and guaranteed to run under the radar of most security solutions.

“Each variant sold is built anew and has to be customized to incorporate the domain of where all the information is to be sent back to. These are then sold on to websites or botnets to infect individuals,” says Prevx, the security company that discovered the threat.

What does the Trojan do? Once it manages to infect a system, it goes to work whenever it detects that the user has accessed an online banking service. Not only does it record the regular login info, it also adds spoofed information boxes which ask you to provide additional information in regard to your bank account. All the gathered security credentials are then sent to the person that bought Limbo 2, so that it can be used for whatever malicious purpose that person has in mind.

“This is one of the most dangerous Trojans out there at the moment. The strength of this piece of malware lies in its versatility; even if it is recognized by an anti-virus company it can be changed so as to be invisible again within hours. There are likely to be so many variants out there that they will never all be detected, which is a scary thought as it is designed to steal bank details,” says Jacques Erasmus, Director of Malware Research with Prevx.

According to Erasmus, this is a very lucrative piece of software, earning the designer of Limbo 2 a few thousand pounds every day. Since it has not yet been determined how the malware propagates, it is safe to assume that the source of infection is a malware-spreading site.

posted by Gillis at 1:12 pm  

Sunday, July 20, 2008

Hackers at the Olympics. Like I warned!

Beware of Chinese Hackers at the Olympics

Remember that warning U.S. security agencies gave government officials and businesses? It appears that warning may be publicly extended to any and all travelers to Beijing. The danger to personal and sensitive data is hard to overstate in a country with such a long history of electronic espionage, but a public warning could damage political and business relationships with the economic powerhouse.

Copying data from unattended cell phones and laptops is just part of the problem. Data can also be “slurped” over Bluetooth connections, Wi-Fi connections can be intercepted, and spyware can be installed. One security expert turned on a new Treo smart phone upon landing in Beijing; by the time he hit the hotel a handful of malicious applications had been installed on his phone.

To be safe if you’re traveling to China for the Olympics, take the following precautions:

  • Use a disposable cell phone while in Beijing.
  • Store all data on an encrypted USB flash drive, never let it leave your sight.
  • Place anti-tamper stickers on screws and hard-drives.
  • Keep Wi-Fi and Bluetooth turned off unless absolutely necessary.
  • Make sure anti-virus, firewall, and anti-spyware are installed and up to date.

[Source: Wall Street Journal]

posted by Gillis at 4:08 pm  

Friday, July 18, 2008

Rogers Violates net neutrality

In what appears to be a violation of Net Neutrality by Rogers Cable, Digital Home readers are reporting that Rogers High Speed Internet service has begun redirecting customers’ “Server not found” pages to webpages laden with Rogers advertising.

The hijacking of the webpage appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users. The “Cannot Find Server” web page is typically shown to a user when they type in a web address that does not exist. The purpose of the page is to inform the user that the web site does not exist or a lookup error has occurred so a correction can be made.

Using DPI technology, Rogers inspects the web address request and if it determines that a web surfer has mistakenly entered an invalid web address, Rogers redirects the request and serves up an ad laden webpage selling Rogers products and services rather than allowing the informative “Cannot find server” web page to be displayed.

The result is a confused web user who has no idea why his or her browser has been hijacked and is now on a Rogers search page.

Example of the Net Neutrality Violation

In order to understand what is happening, consider the following example. Suppose a user typed the following url “www.rogersviolatingnetneutrality.com” into their browser. Since no such website yet exists, Internet Explorer or any other web browser would display a page that looked like this.

What a Server Not Found Message should look like


The page states that the page the user requested cannot be displayed and provides some suggestions on how to resolve the issue. As of today, Rogers customers typing the url “www.rogersviolatingnetneutrality.com” into Firefox, Opera or Internet Explorer will receive a page that looks like this.

Rogers Hijacked Web Page

What Rogers Customers see on a failed look up

This practice is in violation of the tenets of net neutrality because proponents of net neutrality believe that Internet Service Providers (ISPs) should not be allowed to be the gatekeepers of the internet and must not interfere with the content requested by users (especially error pages, which provide users with information on why the page did not properly display).
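The redirection described above is detectable from the client side: a name that cannot exist should come back NXDOMAIN, so a resolver that answers it with an address is substituting its own page. The script below is an added example written for this post, not code from Digital Home or Rogers. It probes the post’s own example hostname plus random labels under the reserved .invalid TLD, and flags any that resolve. The two resolvers at the bottom are constructed stand-ins (the “real zone” table, the 192.0.2.x addresses and the ad-page address are assumptions) so the demo runs offline; swap in system_resolver to test a live connection.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# The host the post uses as its example of a name that does not exist.
EXAMPLE_NONEXISTENT_HOST = "www.rogersviolatingnetneutrality.com"


def random_probe_names(count: int = 3) -> List[str]:
    """Names that can never legitimately resolve: random labels under the
    reserved .invalid TLD (RFC 2606). Random labels defeat any allow-list
    a redirecting resolver might keep for well-known probe names."""
    return [f"probe-{secrets.token_hex(6)}.invalid" for _ in range(count)]


def system_resolver(name: str) -> Optional[str]:
    """Resolver backed by the OS stub resolver (uses the network; not used in the demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_nxdomain_hijack(names: List[str], resolver: Resolver) -> Dict[str, str]:
    """Return {name: address} for every probe that resolved.
    An empty dict means every bogus name returned NXDOMAIN, i.e. no hijacking."""
    hits: Dict[str, str] = {}
    for name in names:
        addr = resolver(name)
        if addr is not None:
            hits[name] = addr
    return hits


def hijack_target(hits: Dict[str, str]) -> Optional[str]:
    """If every bogus name resolved to the same address, that address is the
    redirect/ad host; mixed answers get None so a human can look closer."""
    addrs = set(hits.values())
    return addrs.pop() if len(addrs) == 1 else None


# --- Constructed resolvers for the offline demonstration (assumed values) ---
_REAL_ZONE = {"www.example.com": "192.0.2.1"}   # the only name that "exists" here
_AD_PAGE = "192.0.2.10"                         # where the hypothetical ISP redirects


def honest_resolver(name: str) -> Optional[str]:
    """Behaves correctly: unknown names get NXDOMAIN (None)."""
    return _REAL_ZONE.get(name)


def hijacking_resolver(name: str) -> Optional[str]:
    """Models the behaviour the post describes: any lookup that should fail is
    answered with the address of the ISP's advertising page instead."""
    return _REAL_ZONE.get(name, _AD_PAGE)


if __name__ == "__main__":
    probes = [EXAMPLE_NONEXISTENT_HOST] + random_probe_names()
    for label, resolver in (("honest", honest_resolver), ("hijacking", hijacking_resolver)):
        hits = detect_nxdomain_hijack(probes, resolver)
        if not hits:
            print(f"{label}: clean, every bogus name returned NXDOMAIN")
        else:
            print(f"{label}: {len(hits)}/{len(probes)} bogus names resolved; "
                  f"redirect target = {hijack_target(hits)}")
```

Running it against the honest stand-in reports clean; against the hijacking stand-in every probe resolves to the single ad-page address, which is the signature to look for on a real connection. Against a live resolver, a few genuine NXDOMAINs mixed with one hit usually points at a wildcard DNS record in a real zone rather than ISP interference, which is why the random .invalid probes matter.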

posted by Gillis at 9:41 pm  

Thursday, July 17, 2008

Weird Centrino 2 WEP Bug

The Wi-Fi Link 5000 chip that’s part of Intel’s newly launched Centrino 2 platform doesn’t appear to like security keys that comprise a stack of zeros.

That’s the conclusion drawn by writer Frank Ohlhorst, who’s been testing a pair of Centrino laptops and found they wouldn’t talk to access points from different vendors whenever he set the base-stations to use 64-bit or 128-bit WEP security and keys containing nothing but zeros in hex.

Now, you could argue that no one should be using WEP, and certainly not with a ‘guessable’ key like ‘0000000000’, but there it is. If you set up your access point that way, your Centrino 2 notebook won’t be able to use it.

That’s a bug in anyone’s book, even if, as Frank admits, it’s “very, very minor”. And Centrino 2’s barely out the door.

It’s not a glitch that manifests itself with WPA or with non-zero WEP keys, of whatever key length. It’s got nothing to do with the OS - the access points work with older laptops running a range of operating systems, and with kit like the Wii and the iPod Touch.

posted by Gillis at 3:11 pm  