[SecurityRatty] tag: drops

Microsoft drops OneCare antivirus product

Mon, 17 Nov 2008 21:00:00 +0000

Two years after trying to build a consumer antivirus business, Microsoft has decide to throw in the towel.

S&P Downgrades TIBCO to Sell On Financial Services Exposure

Thu, 18 Sep 2008 14:15:02 +0000

Standard & Poor’s analyst Zaineb Bokhari cut her rating on TIBCO Software (TIBX) to Sell from Hold. Bokhari referenced TIBCO’s relatively high exposure to financial services and telecom companies and dependence on large deals. Bokhari noted that TIBCO will report Aug 2008 quarter results on September 25. She estimates revenue of $154 million and an operating EPS of 6 cents. For the November 2008 fiscal year, she cut his sales forecast to $650 million from $663 million, with EPS dropping 2 cents to 34 cents. For FY ‘09, Bokhari drops another penny to 44 cents. Bokhari cuts her target price on TIBCO stock to $6.50, from $8.

Wee-Fi: Meraki Modifies, Drops Standard; Tempe's Phoenix?; Remote Wake, Wi-Fi Need Not Apply

Thu, 14 Aug 2008 06:32:51 +0000

Meraki reworks product line, drops new sales of community flavor: The cheap mesh router company has mutated slightly once again. The partly-Google-backed firm founded by MIT RoofNet "graduates" built the company on the notion that they could sell $50 routers that could mesh with each other, and use a robust central management system they developed. Over time, the $50 price didn't hold up for commercial networks of scale. Last October, the company mishandled a change in its business model when they abruptly announced a $100 increase in price for newly purchased nodes under their Meraki Pro level for any network that wanted to control whether or not ads appeared, have user accounts, and charge for service. (They eventually recovered, apologized, and reworked some of the transition details.) The company continued to offer a $50 indoor and $100 outdoor Standard level nodes for networks that required ads and had other limits. As of a few days ago, Standard is dead, and the Meraki mini has been upgraded to the Meraki Indoor ($150). The Indoor has signal strength LEDs on the side for better help in placing units, an internal antenna, and better resilience against power fluctuations. The company explains its move in eliminating Standard by noting that most customers moved to Pro. It's not precisely the end of idealism (nor did that happen last October), as Meraki is still one of the major commercial mesh vendors, and their products are still vastly easier and a fraction of the cost of higher-end competitors.

New life for dead Tempe network? Another firm has expressed interest in buying the pennies on the dollar assets that remain of the former Kite Networks installation in Tempe from the firm that financed the venture as long as they can negotiate a new, more favorable deal with the city for mounting and removal rights. CTC, Inc., which the East Valley Tribune reports runs networks in the Kansas City, Mo., area, thinks there's an opportunity. The article notes that reception problems were due in part to the prevalence of stucco in Tempe, common in the southwest. Stucco walls layer plaster or other materials on a wire mesh for strength that turns a house into a bit of an accidental Faraday cage, partially shielding the home from electromagnetic radiation. (Could I go so far to say that Tempe's network could be a phoenix? Ouch.)

Wake up, you darn computer: Intel's new Remote Wake motherboards won't work with Wi-Fi, it's important to note. The feature, announced today, will let an incoming VoIP call (the articles all say "phone call over the Internet") to wake a computer, as long as the call comes from a particular source. Of course, the standard SIP protocol for VoIP doesn't have the kind of security and integrity that would allow this; Intel has to overcome the problem with network address translation that renders most computer unreachable from outside the local network without a separate service like GoToMyPC or LogMeIn; and it will only work for computers connected via Ethernet to a local network, because Wi-Fi is off when a computer sleeps, while Ethernet can remain lightly active. I don't have the protocol details yet, but there's long been a Wake on LAN protocol that required support in a router, operating system, and Ethernet card; Intel may be leveraging this.

A sneak peek at a Black Hat presentation

Wed, 30 Jul 2008 14:08:27 +0000

No, it is not the Dan K DNS presentation, sorry. Patrick McGregor, CEO of BitArmor Systems is presenting at Black Hat as well. As part of our promotion with the SBN and Black Hat I have made my blog available to Patrick to give us a sneak peek at his presentation. Patrick was nice enough to prepare the following:

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren’t theoretical academic exercises. Cold boot attacks are real. And they’re serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost “Cold Boot” attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I’ll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here’s a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a “virtual secure enclave” for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

Wee-Fi: Sprint Treo 800w, New Wireless in Portland (Ore.), Hartford (Conn.) Fail

Mon, 14 Jul 2008 06:45:41 +0000

Palm Treo 800w released: Sprint is offering the EVDO/Wi-Fi phone with Windows Mobile 6.1 and built-in GPS. The phone is $250 with a two-year contract. This is apparently the phone that Palm should have released a couple of years ago; now, it's unfavorably compared to the iPhone except for keyboard entry and the ability to subscribe ($10/mo) for turn-by-turn live navigation. You'll note that applications are scarcely mentioned, which is one of the linchpins of the iPhone. This is a business phone with productivity tools--unlike the iPhone, you can use on-board apps to create and edit Word and Excel documents, not just view them. There's also no store mentioned for purchasing video and audio, or software for synchronizing them. The reviewer finds the video quality washed out as well, and the 320-by-320-pixel touchscreen is a bit small compared to other smartphones that focus on video.

Stephouse steps into Portland, Ore., void: Local firm Stephouse has built out 5 sq mi of business-grade wireless availability in downtown Portland and 2 sq mi in an underserved part of north Portland using Proxim gear for both Wi-Fi and WiMax service. Wi-Fi use is $20 per month or 1 free hour per day up to 10 free hours per month. The offering seems to focus on the business side, though, in competition with services like Towerstream. Prices aren't listed on the company's site.

Hartford drops Wi-Fi effort: Connecticut's trouble capital city has given up on city-wide Wi-Fi. No surprise. No firms ready to build for free, no money, no tangible goals. My wife grew up in the suburb to the west--West Hartford, prosaically enough--and speculates that the lack of county-oriented government in Connecticut has doomed Hartford to be a civic wasteland. It's recovering a bit as housing affordability goes up, and there's more going on in the city than there used to be. But there won't be Wi-Fi. Incidentally, the Mark Twain House & Museum in Hartford, home of one of the world's first bloggers, is near financial ruin. It's a great piece of American history; I'm hoping it's saved again--it's had many lives since Twain built it and went bankrupt.

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Gmail, Yahoo and Hotmails CAPTCHA Broken

Thu, 03 Jul 2008 04:36:21 +0000

It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers :

"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Successful 802.1X Every Time

Fri, 20 Jun 2008 00:18:15 +0000

It’s not rocket science, but any time we mingle and intertwine four or five different pieces of technology, there’s always the potential for a mess… or at least a misconfiguration or two along the way. Don’t know what 802.1X is? Check out the recent 802.1X technology primer.

If you’re planning to, or are implementing wired 802.1X, wireless security and/or NAC, the contents of this blog may save you hours of time and trouble.

Throughout the implementations I’ve done, for both wired and wireless 802.1X, I’ve developed a procedure for implementing and testing 802.1X each step of the way. Following these steps my seem to be tedious and unnecessarily time-consuming. But, if you’re just starting with 802.1X, I’m offering a way to implement it in phased pieces that will give you the information to test, confirm and troubleshoot at each step.

To be honest, I frequently skip these steps, but I’ve done many 802.1X implementations and can usually hit the bullseye the first time (unless there’s buggy software or firmware- you guys know who you are). But, if something doesn’t work, I start right back at Number 1 here and I follow this procedure.

1) Configure wired 802.1X
First setup the basic wired 802.1X. Ideally, start with a Windows test, using XP SP3 or a later server edition and PEAP. Provision RADIUS, I recommend Microsoft IAS because it’s well-documented and well supported. Even if you have other future plans, if you’re using Active Directory, start with IAS. You’ll need to setup a test RADIUS group and policy and link to AD. Get a test switch, add it as a RADIUS client, and configure it to talk to your RADIUS. Set up some ports for 1X and enable it on the switch. I recommend testing with PEAP as the authentication method and a Windows credential pass-thru. Note- you’ll need to create a server certificate to use PEAP- a self-signed Microsoft cert is fine.

If this simple configuration doesn’t work, you have some troubleshooting options. First, view the system events log in the RADIUS/AD server and look for informational events from IAS. If the authentication request is making it from the client -> switch -> RADIUS, you’ll see something here. The something you see should tell you if the EAP method is mismatched, or if the credentials were wrong, etc. Your second line of troubleshooting comes if you don’t see any RADIUS log activity. If that happens, throw on a packet capture utility like Wireshark. You want to search for 2 things. First look for conversations from your Test Switch to the RADIUS server (filter on IP or MACs). If you see something here, see where the conversation drops off. If that comes up empty, it means the conversation is terminated between the Test Switch and Test Client. I have some neat tricks for troubleshooting I’ll share with you later.

2) Add in Wireless
If you’re planning to implement 802.1X for wireless, now is the time to throw 802.11 in the mix. It’s harder to sniff wireless traffic for troubleshooting, which is why I recommend starting with wired 1X. Keep it simple, and then start layering. Once you have the wired 1X configured, all you need to do is get your AP ready and configure it just as you did your switch- add it as a RADIUS client and configure it to talk to RADIUS. For wireless, you’ll need to configure encryption also. Note, I recommend (for testing) to begin with your primary VLAN.

If your wireless 802.1X isn’t working, follow our troubleshooting above and re-check settings based on the RADIUS event log contents. If nothing is making it to RADIUS, then most likely something is misconfigured in your AP/Controller and the AP isn’t communicating with the RADIUS server. You know the rest of it’s working (RADIUS, AD, Client) so you can narrow your troubleshooting scope. Once that’s working you can stop if wireless is your goal, or keep going if you’re layering on more security.

3) Replace with Custom Pieces
If you’re planning to use a different RADIUS server or a different supplicant, now would be a good time to start swapping out our vanilla configuration with custom pieces. Replace 1 piece at a time and re-test.

4) Add in NAC or Endpoint Integrity
Most NAC or EI solutions will integrate with your 802.1X infrastructure (if you want them to) and can be ‘consulted’ prior to authenticating and opening the secured port. My suggestion is to always get 1X working 100% before you add any type of integrity or compliance testing.

If you follow these steps, you can turn a complex configuration into a set of simple baby-steps. It may sound stupid, but I promise it’ll work for you every time!

# # #

When ISPs Attack!

Thu, 19 Jun 2008 12:31:53 +0000

Here is a scary story about a company, Nebuad (no link juice for you!) that performs a MITM attack all in the name of better ads. Now sniffing to get better data on your customers has been around for a while. In fact I worked at a company that did this as part of our offering. Where NebuAd goes over the line is they manipulate the traffic to get their ad code in the mix.

But Free Press and Public Knowledge found that sometimes when a WOW subscriber visited Yahoo or Google, NebuAd faked an additional packet of data that appears to be the last part of the downloaded Google webpage. The extra packet included NebuAd-written JavaScript that directs users’ browsers to a NebuAd-owned domain named faireagle.com, where the company drops tracking cookies from other domains and companies on the user’s computer. These can be used later to deliver customized ads based off analysis of where people have gone on the web or what search terms they have used.

Cool so not only are they sniffing traffic they are now inject JavaScript and making it appear to originate from Google. This technique is the same one used by the ever popular and super fun Airpwn. Now what would happen if NebuAds servers where compromised? The ultimate JS malware distrubution platform would be born!

Link

Bots + Web Vulnerabilites - An Approaching Storm
I called this one the day after the first wave of mass SQL Injection attacks came out. I told Jeremi...
Hackers Buy Ads to Install Malware
I have been waiting for this is happen for a while now. Jeremiah and I discussed this about a year a...
Dude Don’t Hack My Coffee
As someone trying to get off the coffee train I find the recent reports of vulnerabilities in networ...
When Defenses are Offensive
Review: The Web Application Hacker’s Handbook

Post from: Grumpy Security Guy

When ISPs Attack!

Wee-Fi: Fon Founder Profiled; Creative No-Fi; Inspiair Physics-Fi; Foster City-Fi

Tue, 27 May 2008 09:17:25 +0000

Profile of Fon founder and his plans for future in the New York Times: The head Fonero, Martin Varsavsky, gets a write-up from a confab he put together and hosted at his vacation home on Menorca. Varsavsky is nothing but interesting, something I've heard from everyone who has met or had business dealings with him, and this article partly details his upstart challenge and the shifting focus at Fon. I've been saying for a long time that Fon locations may be numerous and require no coordination for their growth, but only locations convenient to frequent use would have a real impact, such as in retail locations. John Markoff notes that Fon has simplified its roaming model--non-Foneros pay, Foneros don't--and that Varsavsky is now focused on bigger wins, like Fon's Time-Warmer and BT deals. Markoff also gets the detail that Fon is losing €500,000 a month down from €1m per month. Varsavsky is interested in WiMax to supplement Wi-Fi, but I can't see any model in which the frequencies useful for WiMax will be widely available enough for this kind of roaming system.

Creative drops Wi-Fi music player: The formerly leading portable music player firm, before Apple and Microsoft entered the biz, confirmed a report that the Zen Share existed, but that the company chose to drop that Wi-Fi-enabled player. An under-wraps player may appear in about two months that could include Wi-Fi--the name Zen X-Fi could be revealing or not, as X-Fi is an audio-processing technology.

Inspiair's physics-defying technology sold, relabeled Max-Fi: I express my doubts about the combination of marketing promises, including area covered, low latency, and speed, and the collision of those promises with the laws of physics as well as regulatory issues. The lack of sales, noted in the article, tends to confirm my opinion, which is precisely what happened with Vivato after early positive response led to devices being built that couldn't meet the mark. Current claims are 30 sq km with 14 access points for outdoor coverage at the port of Antwerp, a network that's in a test. I wrote about Inspiair back in 2006.

Foster City, Calif., turns down MetroFi equipment offer: The city decided against paying $200,000 for MetroFi's gear, which serves about 1,500 people a month, partly because yearly operations would top $125,000.