[SecurityRatty] tag: vulnerabilities

Summarizing Zero Day's Posts for August

Thu, 04 Sep 2008 03:40:10 +0000

Here's a concise summary of all of my posts at Zero Day for August. If interested, consider going through July's summary, subscribe yourself to my personal feed, or Zero Day's main feed, and stay informed.

Some of the notable articles are - Today's assignment : Coding an undetectable malware ; Coordinated Russia vs Georgia cyber attack in progress and Inside India's CAPTCHA solving economy.

01. Cuil's stance on privacy - "We have no idea who you are"
02. Phishers increasingly scamming other phishers
03. Today's assignment : Coding an undetectable malware
04. Consumer Reports urges Mac users to dump Safari, cites lack of phishing protection
05. Fake CNN news items malware campaign spreading rapidly
06. CNET's Clientside developer blog serving Adobe Flash exploits
07. Coordinated Russia vs Georgia cyber attack in progress
08. Researcher discovers Nokia S40 security vulnerabilities, demands 20,000 euros to release details
09. Intel proactively fixes security flaws in its chips
10. 1.5m spam emails sent from compromised University accounts
11. Fortune 500 companies use of email spoofing countermeasures declining
12. China busts hacking ring, managed to penetrate 10 gov't databases
13. Scammers caught backdooring chip and PIN terminals
14. SpamZa - opt in spamming service fighting to remain online
15. FEMA's PBX network hacked, over 400 calls made to the Middle East
16. Typosquatting the U.S presidential election - a security risk?
17. Hundreds of Dutch web sites hacked by Islamic hackers
18. Twitter's "me too" anti-spam strategy
19. Malware detected at the International Space Station
20. Taiwan busts hacking ring, 50 million personal records compromised
21. MSN Norway serving Flash exploits through malvertising
22. Inside India's CAPTCHA solving economy

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October. While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done. I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA – organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

Early security issues tarnish Google's Chrome

Tue, 02 Sep 2008 20:00:00 +0000

Security researchers have reported finding vulnerabilities in Google's new Web browser a day after it was released in beta.

Carpet-bombing Vulnerability In Google Chrome New Browser

Tue, 02 Sep 2008 18:41:12 +0000

Hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities, a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference, to trick users into launching executables directly from the browser window. A harmless proof-of-concept demo of the attack is available. In the [...]

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 16:53:17 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

SDL and the XSS Filter

Wed, 27 Aug 2008 11:35:00 +0000

Steve Lipner here. When the Internet Explorer team posted the announcement about the XSS Filter feature in IE8 I asked some other members of the SDL blog team “why aren’t we talking about the new XSS Filter feature on the SDL blog?” Bryan and Jeremy said something like “that’s a mitigation that only applies to specific clients and a subset of attacks”. So we didn’t cross-reference IE’s XSS Filter post on the SDL blog at the time. Instead, I agreed to write a subsequent post about the relationship of XSS Filter to the SDL and to the ways that our SDL and security science teams think about improving product security.

For those of you who aren’t familiar with XSS Filter, a brief summary is that it is a client-side defense against reflected cross-site scripting (XSS) attacks. It works by recognizing that reflected XSS attacks inject script into the string that the browser sends to the targeted web server. If the server doesn’t neuter or strip out the injected script, it gets sent back to the browser and executed in the context of the target web page. Bad things then happen. At a high level, XSS Filter remembers the string that the browser sent to the server, and looks at the server’s response to see if any of the script was actually in that string. If it was, then XSS Filter decides that it got there because it was injected by an XSS attack and blocks the script from executing. The rest of the web page renders as usual. This is a vastly oversimplified sketch of XSS Filter – for details, see the post by David Ross, inventor of XSS Filter on the Security Vulnerability Research and Defense blog.

So what does XSS Filter have to do with the SDL? Well, for almost nine years, since XSS was first discovered at Microsoft, we’ve been trying to figure out effective ways to reduce vulnerability to XSS attacks. Our focus has been on improving the ways that web page developers code their pages, and we’ve developed a lot of tools and techniques for making web content safer from XSS attacks and for detecting XSS vulnerabilities in live pages. The SDL requires the use of many of these tools and techniques, and we’re sure we’ve prevented a lot of XSS vulnerabilities from being introduced into Microsoft web pages as a result.

But while we identify (and the SDL requires) measures that allow developers to avoid classes of vulnerabilities, we also look to identify more sweeping solutions that can either 1) eliminate classes of vulnerabilities, 2) reduce their severity, or 3) reduce the likelihood of attacks being successful. The process usually starts from deep understanding of a class of vulnerabilities and attacks, and then we broaden defenses from there. In the case of XSS Filter, David’s years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today. The solution is compatible with existing web pages (doesn’t “break the web”) and thus we were able to enable it by default for users of Internet Explorer 8. Because it’s a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS.

Our work on buffer overrun defenses follows a somewhat similar pattern – we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns. As we gained a deeper understanding of how buffer overruns can be exploited, we enhanced the /GS compiler flag and added ASLR in a quest to cause classes of exploits to fail even if a buffer overrun remains. We’re not yet close to eliminating the SDL requirements for use of tools and coding techniques, but the SDL also requires the use of the mitigations to reduce the severity of vulnerabilities that slip past. Will we ever get to the point where the mitigating technologies are so strong that we can relax the coding requirements? Maybe not, but we will continue to introduce technologies that reduce the chances of a successful attack.

Similarly, in the case of XSS, even after IE8 ships, the SDL will continue to require the use of safe web site coding practices and tools such as the Anti-XSS library both to protect users of browsers other than IE8 and to provide protection in recognition of the fact that XSS Filter is a mitigation or defense in depth rather than a complete solution. But we’ll also be keeping our eyes open (and doing active research) in the quest for an even more effective defense – whether client or server side – that eliminates XSS for good.

This post is a little far afield from the normal content of the SDL blog, but I thought it was important to provide a picture of the role of security science and security research in defining SDL requirements and in making major improvements in software security. You can read more about our work in security science in the Security Vulnerability Research and Defense blog.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 16:16:43 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.