Thursday, May 27, 2010

Google Chrome 5.0.375.55 Released

Google has announced the release of Google Chrome 5.0.375.55 (see the stable channel update link below).

From a risk perspective - as of this writing - the most recent version of Google Chrome with a publicly available remote exploit is 4.1.249, so installs still at that version or older are the ones to prioritize.

References:
http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Review of Apricorn Aegis Padlock Hardware Encrypted Drives

There don't appear to be many viable hardware-encrypted external hard drives on the market. I used to recommend the Maxtor BlackArmor for this type of application, but those are no longer available. The Seagate BlackArmor drives are NOT hardware-encrypted, so don't be fooled by the continued and confusing reuse of the BlackArmor name.

The best choice on the market right now appears to be the Apricorn Aegis Padlock drives. These drives offer features and security comparable to the Ironkey or Kanguru Defender/Elite USB thumbdrives, but in an external USB drive form factor.


Pros
1). Works with both Windows and Apple Mac (including Time Machine, though you have to reformat the drive for Mac use)
2). No special software required on the client endpoint for either Windows or Mac
3). Supports an IT admin passkey and several user passkeys, so an IT admin can recover data if a user forgets their password or leaves the company
4). No admin rights required on Windows for normal use, although they are needed for initial setup

Cons
1). Not currently FIPS certified, from what I can tell
2). A 6-16 character password means the keyspace is a little small. This is mitigated by the drive's brute-force protections.
3). Has only one USB connector and the attached cable is short. The drive does come with a longer Y-cable in the box.
4). No enterprise management console is available if you are looking to manage and support a fleet of these.

Amazon has good prices on these, in both the 128- and 256-bit versions of the three largest capacity drives currently available.

Wednesday, May 26, 2010

Restaurant Credit Card Skimming Alive and Well

From http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052302921.html:


"Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in the District allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities say.

Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to "skim" the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards and later used to buy gift cards and merchandise in the Washington area, according to court records in U.S. District Court in Alexandria. "

The $40 street rate per stolen card quoted in the article for known-good cards is much higher than the bulk rate for card data harvested through mass malware infections.

This is an example of why I always pay in cash as much as possible in places like this. As economic conditions possibly worsen over time, I would expect to see more activity like this.


Tuesday, May 25, 2010

Oracle Java SE and Java for Business 'MixerSequencer' Remote Code Execution Vulnerability

From SecurityFocus:

"Oracle Java SE and Java for Business are prone to a remote code-execution vulnerability affecting the 'Sound' component.

Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition."

References:
Description - http://www.securityfocus.com/bid/39077/discuss
PoC exploit code - http://www.securityfocus.com/bid/39077/exploit
List of affected versions - http://www.securityfocus.com/bid/39077/info


Update to Java for Mac OS X

Given the growing use of Apple products in the enterprise, I will start covering Apple vulnerabilities in this blog. Apparently, Apple is here to stay in the enterprise.

Apple has recently released updates to Java for Mac OS X. These patches address several vulnerabilities. The worst one potentially allows an attacker to break out of the Java sandbox and execute code through an untrusted applet.

References:
http://support.apple.com/kb/HT4170

http://support.apple.com/kb/HT4171


New Security Patches in Latest PostgreSQL Release

An update to PostgreSQL has been released that addresses several bugs, including two security vulnerabilities: a privilege escalation issue, and a problem that lets an attacker run arbitrary Tcl code through the pltcl_modules table.

Even if you don't have PostgreSQL in production, your developers might have stood up their own PostgreSQL instances internally as a cost-saving measure for development and test platforms, so include those in the patch sweep.


References:
http://www.postgresql.org/about/news.1203


Patch Released for IBM AIX rpc.pcnfsd Integer Overflow Vulnerability

IBM has released a patch for the AIX rpc.pcnfsd integer overflow vulnerability. According to IBM, the flaw in the rpc.pcnfsd service could be exploited to execute arbitrary code by sending malicious RPC requests over the wire, so any host that still has pcnfsd registered with the portmapper has a network-reachable attack surface.

UPDATE 28 May 2010 - This bug also affects HP-UX and SGI IRIX.
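Because the attack surface is an RPC service that must be registered with the portmapper, the quickest inventory check is to look for pcnfsd (RPC program number 150001) in `rpcinfo -p` output from each AIX, HP-UX and IRIX host. The script below is an added example, not code from IBM, HP or the original post; the three `rpcinfo -p` captures are constructed sample data, and the host names are invented. It matches on the program number rather than the service name, because rpcinfo only prints the name column when it can resolve the number via /etc/rpc.

```python
"""Find hosts that still register rpc.pcnfsd with the portmapper.

Added example (not from the IBM advisory or the original post). The captures
below are constructed sample 'rpcinfo -p' output; in practice you would run
'rpcinfo -p <host>' per host, or feed in saved captures.
"""
import re

PCNFSD_PROGRAM = 150001  # RPC program number of pcnfsd

# Constructed sample captures keyed by (invented) host name: one patched box
# that no longer runs pcnfsd, one that still does on both transports, and one
# where the name column is blank because the number is not in /etc/rpc.
SAMPLE_RPCINFO = {
    "aix01": """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   udp   2049  nfs
    100005    1   udp  37285  mountd
""",
    "aix02": """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   udp   2049  nfs
    150001    1   udp    841  pcnfsd
    150001    2   udp    841  pcnfsd
    150001    2   tcp    842  pcnfsd
""",
    "hpux01": """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    150001    2   udp   1023
""",
}

# program  version  proto  port  [name]; the header line has no digits first.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples from 'rpcinfo -p' text."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header or blank line
        prog, vers, proto, port, name = match.groups()
        entries.append((int(prog), int(vers), proto, int(port), name or ""))
    return entries


def pcnfsd_endpoints(text):
    """Only the pcnfsd registrations, as (version, proto, port)."""
    return [(vers, proto, port)
            for prog, vers, proto, port, _name in parse_rpcinfo(text)
            if prog == PCNFSD_PROGRAM]


def exposed_hosts(captures):
    """Map host -> pcnfsd endpoints, for hosts that still register the service."""
    exposed = {}
    for host, text in captures.items():
        endpoints = pcnfsd_endpoints(text)
        if endpoints:
            exposed[host] = endpoints
    return exposed


if __name__ == "__main__":
    for host, endpoints in sorted(exposed_hosts(SAMPLE_RPCINFO).items()):
        for vers, proto, port in endpoints:
            print("%s: pcnfsd v%d on %s/%d" % (host, vers, proto, port))
```

A host that shows up here is reachable by anyone who can talk to the portmapper and the pcnfsd port, so treat it as unpatched until the fix is confirmed installed or the service is disabled.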

References:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088

http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.asc

http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02115103


Security Updates in Fix Pack 31 for IBM Websphere 6.1 Released

Fix Pack 31 for IBM Websphere Application Server 6.1 has been released. According to IBM, the patched vulnerabilities are possible denial of service and information disclosure holes. The list of all security and bug fixes is at the link below.

References:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27007951


Sunday, May 23, 2010

New US Law Regarding CallerID Spoofing

The US Congress has passed a law making certain types of malicious use of CallerID spoofing a felony. Please refer to the text of the new law for the specifics.

The law exempts law enforcement agencies, so the investigative technique described here remains valid for exempted US agencies. Below is the text describing the LE exemption:

"LAW ENFORCEMENT EXCEPTION.— This section does not prohibit lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of title 18, United States Code."


Wednesday, May 12, 2010

Impact of SSDT Argument Substitution Attacks (KHOBE)

A report was released recently describing "SSDT Argument Substitution Attacks" against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php.

In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx).

"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

Of the security product vendors that have issued responses to this report so far, I believe this law is a recurring theme in their replies. If a KHOBE attack has gotten past your layered defenses and is running on your endpoint, then you already have malcode running on the endpoint. The other point the AV vendors are making is that other defensive layers (e.g. HIPS/HIDS and newer reputation-based endpoint protection technologies) should help with detection and prevention.

The statements made by some in the media that KHOBE does not affect Vista SP1 and above or Windows 7 because of Microsoft's Kernel Patch Protection (PatchGuard) are only true of the 64-bit versions of those operating systems. PatchGuard does not exist on 32-bit Windows, which is where security products still hook the SSDT.

Once we as an industry have swallowed Windows 7 32-bit and migrated the entire software ecosystem around Windows to work properly alongside the security improvements in Windows 7 32-bit, is it time to hasten the move to 64-bit Windows to address new types of attacks against the Windows architecture like KHOBE?
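The bug class behind the report is a check-then-use race on system-call arguments: the product's SSDT hook validates an argument that lives in user memory, then forwards to the original service routine, which fetches the same argument a second time; a second user-mode thread that rewrites the argument between the two fetches gets a blocked call past the check. The model below is an added example, not code from the matousec report, any vendor or the original post, and it touches no kernel: the "user buffer" is a Python object, the hook and the original routine are plain functions, and the paths are invented. The scripted buffer reproduces the worst-case interleaving deterministically; the threaded version shows the same race live.

```python
"""User-space model of the SSDT argument-switch (check-then-use) race.

Added example; not code from the matousec report, a vendor, or the original
post, and it does not touch a kernel. Path strings and hook names are invented.
"""
import threading

BLOCKED_PATH = r"\??\C:\Windows\System32\drivers\evil.sys"  # hypothetical
BENIGN_PATH = r"\??\C:\Users\bob\notes.txt"                  # hypothetical


class ScriptedUserBuffer:
    """User memory whose contents change between fetches in a fixed script:
    the worst-case interleaving, where the attacker switches the argument
    exactly between the hook's check and the original routine's use."""

    def __init__(self, *values):
        self._values = list(values)

    def read(self):
        if len(self._values) > 1:
            return self._values.pop(0)
        return self._values[0]


class SharedUserBuffer:
    """User memory that a concurrent attacker thread keeps rewriting."""

    def __init__(self, value):
        self.value = value

    def read(self):
        return self.value


class KernelCopy:
    """Kernel-owned copy of an argument: it cannot change under the hook."""

    def __init__(self, value):
        self._value = value

    def read(self):
        return self._value


def original_syscall(buf):
    """The real service routine: it fetches the argument from user memory itself."""
    return "opened " + buf.read()


def vulnerable_hook(buf):
    """Check-then-use: fetch 1 is validated here, the original does fetch 2."""
    if buf.read() == BLOCKED_PATH:
        return "denied"
    return original_syscall(buf)


def hardened_hook(buf):
    """Capture once: validate the copy and hand the *copy* to the original,
    so the check and the use are guaranteed to see the same value."""
    captured = KernelCopy(buf.read())
    if captured.read() == BLOCKED_PATH:
        return "denied"
    return original_syscall(captured)


def race(hook, rounds=20000):
    """Call the hook repeatedly while an attacker thread flips the buffer.
    Returns how many calls ended up opening the blocked path: always 0 for
    hardened_hook, often non-zero for vulnerable_hook (varies with scheduling)."""
    buf = SharedUserBuffer(BENIGN_PATH)
    stop = threading.Event()

    def attacker():
        while not stop.is_set():
            buf.value = BLOCKED_PATH
            buf.value = BENIGN_PATH

    thread = threading.Thread(target=attacker, daemon=True)
    thread.start()
    try:
        return sum(1 for _ in range(rounds)
                   if hook(buf) == "opened " + BLOCKED_PATH)
    finally:
        stop.set()
        thread.join()


if __name__ == "__main__":
    print("vulnerable, worst case:", vulnerable_hook(ScriptedUserBuffer(BENIGN_PATH, BLOCKED_PATH)))
    print("hardened,   worst case:", hardened_hook(ScriptedUserBuffer(BENIGN_PATH, BLOCKED_PATH)))
    print("vulnerable, live race bypasses:", race(vulnerable_hook))
    print("hardened,   live race bypasses:", race(hardened_hook))
```

The fix is the same one kernel code applies to any user-supplied pointer: copy the argument into memory the caller cannot touch, validate the copy, and act only on the copy. A hook that validates in place and then lets the original routine re-read user memory has no defence against this regardless of what else is layered on the endpoint.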


Adobe Fixes Three Security Issues in Latest ColdFusion Release

References:
http://www.adobe.com/support/security/bulletins/apsb10-11.html


Adobe Closes 18 Security Holes in Adobe Shockwave Player 11.5.7.609 Release

The CVEs for all 18 fixes are in the bulletin listed below. Adobe Shockwave Player is a relatively easy upgrade to deploy; just remember to remove all old versions of the player so that follow-up vulnerability scans and your software asset inventory data are clean and show only fully patched versions.
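The follow-up check after a rollout like this is to run the inventory export against the patched baseline and flag two things: entries below the fixed version, and hosts where an old copy is still installed alongside the new one. The script below is an added example serving both this post and the Chrome post above; it is not code from Adobe, Google or the original post. The inventory lines are constructed sample data, and the "host,product,version" export layout is an assumption about your inventory tool. The 11.5.7.609 and 5.0.375.55 baselines and the "4.1.249 has a public exploit" threshold come from the posts.

```python
"""Flag stale versions and leftover old installs in a software inventory export.

Added example (not from Adobe, Google or the original post). SAMPLE_INVENTORY is
constructed sample data; the three-column export layout is an assumption.
"""
from collections import defaultdict

# Constructed sample export: host,product,version (one line per installed entry).
SAMPLE_INVENTORY = """\
WKS001,Adobe Shockwave Player,11.5.7.609
WKS001,Adobe Shockwave Player,11.5.6.606
WKS002,Adobe Shockwave Player,11.5.7.609
WKS003,Adobe Shockwave Player,11.0.0.456
WKS003,Google Chrome,4.1.249.1064
WKS004,Google Chrome,5.0.375.55
WKS005,Google Chrome,4.0.249.89
"""

# Minimum fully patched version per product (from the advisories cited above).
PATCHED = {
    "Adobe Shockwave Player": "11.5.7.609",
    "Google Chrome": "5.0.375.55",
}

# Newest version line with a publicly available remote exploit (Chrome post).
# Every build of that line, or older, gets the highest remediation priority.
EXPLOITED_UP_TO = {"Google Chrome": "4.1.249"}


def parse_version(text):
    """'11.5.7.609' -> (11, 5, 7, 609). Non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def version_cmp(a, b):
    """-1, 0 or 1 comparing dotted versions; the shorter one is zero-padded."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_older(version, baseline):
    return version_cmp(version, baseline) < 0


def at_or_below(version, baseline):
    """Prefix comparison: True when the leading components are <= baseline,
    so every 4.1.249.x build is 'at or below' 4.1.249."""
    va, vb = parse_version(version), parse_version(baseline)
    return va[:len(vb)] <= vb


def parse_inventory(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        rows.append((host, product, version))
    return rows


def audit(text):
    """Return sorted (host, product, version, reason) findings for an export."""
    findings = []
    installed = defaultdict(list)
    for host, product, version in parse_inventory(text):
        installed[(host, product)].append(version)
        baseline = PATCHED.get(product)
        if baseline is None:
            continue
        if product in EXPLOITED_UP_TO and at_or_below(version, EXPLOITED_UP_TO[product]):
            findings.append((host, product, version, "public exploit available"))
        elif is_older(version, baseline):
            findings.append((host, product, version, "below patched version"))
    # An old copy left next to the patched one keeps showing up in vulnerability
    # scans and in the asset inventory: flag it for removal.
    for (host, product), versions in installed.items():
        if len(versions) > 1:
            leftovers = sorted(versions, key=parse_version)[:-1]
            findings.append((host, product, ",".join(leftovers), "old version still installed"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("%s  %-22s %-14s %s" % finding)
```

The prefix comparison matters for the Chrome case: the exploit threshold is given as a three-component version line, while installed builds carry a fourth component, so a plain numeric comparison would wrongly rate 4.1.249.x as newer than the exploited version.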

References:
http://www.adobe.com/support/security/bulletins/apsb10-12.html

Let us know if you need any help packaging this up for deployment.


Tuesday, May 11, 2010

Guidance Software to Acquire Tableau

Guidance Software is buying Tableau. I am still trying to figure out if this is a good thing or not. I don't know what your experience has been like recently, but Guidance has been hounding me with sales calls so I had assumed they were having financial challenges.

The press release is here.


U.S. Secret Service Setting Data Sharing Example for Other Law Enforcement Agencies

According to this Verizon blog entry, we will see sanitized intrusion data from the U.S. Secret Service alongside Verizon Business's own data in the next Data Breach Investigations Report (due later in 2010).

Apparently the U.S. Secret Service started using Verizon's VerIS framework and has decided to share at least some of their casework data.

Very cool. Maybe this will set a precedent for others in the law enforcement world to start sharing real world data (where they can) so that system defenders everywhere can benefit from knowing more about the tactics and true offensive capabilities of the parties coming after them.


R.I.P. Dojosec

I really enjoyed the Dojosec series of monthly meetings that Marcus J Carey put together, and I am sad to see it has gone away. Dojosec was a security meetup in the southern Maryland area. The last Dojosec that had speakers was in November 2009. Some of the videos from various Dojosecs are online, so you can still see some of those great presentations.

Hopefully Dojosec will resurface again sometime in the future.

UPDATE 24 August 2010 - Great news! It looks like Dojosec (and Dojocon) may be returning soon.
UPDATE #2 November 2010 - Never mind. Dojosec is dead for good.
