[SecurityRatty] tag: videos

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Kids with Cell Phones in Emergencies

Thu, 14 Aug 2008 08:20:24 +0000

In the middle of a sensationalist article about risks to children and how giving them cell phones can help, there's at least one person who gets it.

Since the 1999 Columbine High School shootings and the 9/11 terrorist attacks, many parents feel better having a way to contact their children. But hundreds of students on cell phones during an emergency can cause problems for responders.
"There's a huge difference between feeling safer and being safer," says Kenneth Trump, president of National School Safety and Security Services.

According to Trump, students' cell phone use during emergencies can do three things: increase the spread of rumors about the situation, expedite parental traffic at a scene that needs to be controlled and accelerate the overload of cell-phone systems in the area.

Tom Hautton, an attorney for the National School Board Association, said that cell phones in schools also can lead to classroom distractions, text-message cheating and inappropriate photographs and videos being spread around campus.

We are just naturally inclined to make irrational security decisions when it comes to our children.

The web browser is sick but wheres the cure?

Thu, 14 Aug 2008 07:11:14 +0000

Blogger: Ramon Krikken

The web browser is one of those peculiar pieces of software, having to accept input from arbitrary sources and then parse and render the data that is sent to it. Part of this it does by itself, and other parts are taken care of by handlers and plug-ins. In doing so, it displays hypertext, images, videos, and even runs active content like Flash, JavaScript, and ActiveX.

But however much we love the browser, we’ve also come to hate the myriad of vulnerabilities that affect it. Everything from cross-site scripting to remote code execution via maliciously formed animated cursor files and Flash content can make browsing a hazardous activity. The browser is sick, and that’s not desirable for a platform we use for important business and personal transactions.

Worsening the browser’s diagnosis is the recent paper from Mark Dowd and Alexander Sotirov, sub-titled “Setting back browser security by 10 years,” which discusses how to bypass Microsoft Vista’s memory protection capabilities with some added effort for the exploit designers. It’s not that all of the techniques are necessarily new, but the browser appears to be particularly vulnerable to easy exploitation.

Surprising? Not exactly, when we take into account that the browser is suffering from the same disease as the general purpose operating system: bloat and compatibility. We expect the browser to do ever more, but everything we used it for before still needs to work as if it were yesterday. It feels a bit like people insisting on using a cardboard box as a safe, and wondering why their money keeps getting stolen.

It’s not like we haven’t been working on the browser’s cure, though. There have been some improvements in the browsers themselves, the operating systems have also implemented compensating controls, but most of all, there has been an enormous push for securing the web applications that deliver the data in the first place. Unfortunately, the latter two won’t help secure the browser in the long run.

The first issue is that not all content will come from ‘nice’ servers, the second that the server can only make an educated guess on how a browser will parse and render a given set of data, and the third that operating system controls have their own limitations, whether by design or implementation (for example needing to re-compile existing code to enable certain protections.) The browser, in the end, has to be mostly responsible for keeping itself safe; the operating system must assist it in doing so.

So we’re in a pickle. The browser is sick (and the operating system is too), but it’s hard to cure it without a redesign that will undoubtedly impact compatibility, the ever-so-desired multi-functionality, or its ease of use. We can layer defenses by using web filtering in the enterprise environment, but in the end – for the consumer market in particular – we need to fix the browser itself. I can think of a few things I think might help:

Some kind of site security policy to restrict where the browser loads auxiliary content from, and which data it can ‘trust’, when loading a web page (I’d prefer mandatory enforcement, and adding an HTML tag to be able to indicate blocks of untrustworthy data.)
Restricted compartments for plug-ins to run in, ensuring that their bugs cannot easily affect the whole browser.
Better software development practices for the plug-ins and content parsers themselves, so that they’re less vulnerable, and compiled with the latest protection measures to begin with.

All of this means more work, and some of it means a lot of unhappy reactions when things stop working. Even then we will of course still have to deal with additional vulnerabilities, such as those that may be present in hardware, but we will at least have taken prudent steps to ‘find a cure.’

Spamblogs Pushing Rogue Antivirus Programs

Mon, 11 Aug 2008 14:50:05 +0000

Nothing earth-shattering, but worth a mention anyway. I've noticed a couple of blogs pushing security blog feeds are also hawking pretend Youtube vids:

Click to Enlarge

When the videos are clicked, you'll find your browser vanishes down onto the taskbar, replaced by this sitting in the middle of the screen:

Once you click the popup box away, you're confronted with this:

Click to Enlarge

...a randomly selected rogue antivirus product. From here on it, any and all attempts to get rid of this page results in an endless barrage of popups, scare tactics ad hilariously lame warning messages (note the first one is called a "Security Update"):

Wow, they just get more and more hysterical, don't they?

The site to block that's pimping the fake videos is

thoughtcrime(dot)blogtodo(dot)com

Fake IE7 Downloads Advertised Via EMail

Thu, 07 Aug 2008 10:56:21 +0000

There seem to be quite a few of these in circulation over the past day or so:

Download the latest version!

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe |
More Newsletters |
Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

As you might have guessed, it's fake. Microsoft don't send out EMails asking you to download files from random, non-Microsoft websites. This:

....is not what it appears to be. Run the file, and instead of IE7, you're actually more likely to see a fake antivirus program appear on your desktop:

Click to Enlarge

This particular fake AV is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Last HOPE Session Videos - Seeded by AoIS

Wed, 06 Aug 2008 22:57:47 +0000

To be honest, 2600’s The Last HOPE conference didn’t really catch my attention at first. But some of the sessions, especially ”Crippling Crypto: The Debian OpenSSL Debacle”. That presentation, by Jacob Appelbaum, Dino Dai Zovi, Karsten Nohl is a winner. Not only do they provide a fantastic and detailed description of how OpenSSL’s random number generator was accidentally lobotomized, they also demonstrate how to leverage cheap cloud computing to generate the set of bad keys that resulted. (All of them!)

At any rate, legit torrents of the video presentations are available from The Last HOPE Video Tracker. Art of Information Security is seeding torrents, and plans to do so for the next 10 days.

Check ‘em out.

Cheers, Erik

Last HOPE Session Videos - Seeded by AoIS

Exploitability Index - More Information for Customers

Wed, 06 Aug 2008 12:20:56 +0000

Yesterday at Black Hat 2008, along with some other stuff, we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin.

Based upon talking with Microsoft customers over the past five years, they are always looking for that little bit of extra information to help make prioritization decisions. An obvious example of this is the severity attached to the vulns. However, as explained by Mike Reavey of the the Microsoft Security Response Center (MSRC) over on the Ecostrat blog today, customers are also very interested in which vulnerabilities already have exploit code or sample exploits available.

According to our analysis in the most recent Security Intelligence Report (SIR), only about 30 percent of the vulnerabilities we fix each year have exploit code released. Why is it not 100% ? Some are not interesting to attackers, sure, but some are simply more challenging to develop a consistent exploit against. It seems like it would be practically useful if this sort of information could be analyzed and published for customers.

How does one come up with an Exploitability Index?

The MSRC will analyze the vulnerability and explore what it would take to exploit it, with the support of our Security Vulnerability Research & Defense (SVRD) team. This will include leveraging methodologies from the broad researcher community.
We will also ask security researcher members of the Microsoft Active Protections Program (MAPP) (download FAQ) to review the vulnerabilities and check our analysis before releasing the index.

The idea of the Exploitability Index is to provide more information to help customers prioritize Microsoft security updates. This Index will reflect our best estimate, scrutinized by MAPP partners, of the likelihood of a functional exploit being developed for a given vulnerability.

If you are interested, I did an interview with Mike Reavey a while back, where we discuss what sort of information customers want that isn't yet in Security Bulletins. FYI, the video is about 15 minutes long and the early part focuses on Mike, how he got into security and how he ended up at Microsoft before we get to the Security Bulletin discussion ... if you want to get right to the Security Bulletin discussion, skip forward to about 08:40.

If you like these sorts of videos, click on
SecurityGuy 001 - Interview with MSRC Leader Mike Reavey and it'll take you to the edge.technet.com site and you can check out the related videos.

Regards ~ Jeff

CNN Daily Top 10 Videos Spam

Tue, 05 Aug 2008 14:50:01 +0000

Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here's just two of the many, many mails I've had through to various mailboxes:

If you opened up any of the mails, you'd have seen this:

Click to Enlarge

The first clue that something might have been amiss is the strangeness of some of the titles ("Michael Jackson sued by his own dog" isn't something I'd expect to see on CNN, at least not yet). Of course, the giveaway is that regardless of what link you click on, each one takes you to a website that isn't CNN.com - in fact, they all point to the same "video".

Click to Enlarge

If you download and install the file offered up, horrible things will start happening to your PC. Let's put it this way - anyone expecting to see Michael Jacksons dog in a courtroom is going to be severely disappointed.

Before long, your desktop will look like this:

Click to Enlarge

You'll have warnings like these:

And a rogue antivirus product will magically appear on your desktop:

Click to Enlarge

Worst of all, look at the name of one of the fake infections they try to scare the user with.

There's subtlety, then there's this:

....if you want to avoid your computer contributing to the "terrorist threat", don't open up any emails claiming to contain CNN videos.

Even if its Michael Jackson and his dog.

Reporting Risk

Mon, 28 Jul 2008 06:18:29 +0000

The team I run at Microsoft is called the Connected Information Security Group and we build software that powers the corporate information security program. We had some funny videos made that liven up internal presentations and meetings. I thought I would share them with you. This one is called “Reporting Risk”. Enjoy ! [...]

Documenting Risk

Mon, 28 Jul 2008 06:07:43 +0000