Monday

BBC Click decided to rent a botnet

The BBC programme "Click" hired a botnet to demonstrate to the public how easy it is to gain control of the tools used to hold website owners to ransom.

The whole operation sparked a controversy over whether it was unethical or illegal to use a live botnet as a demonstration. What do you think?

Have a look at the following posts and videos:

Have a look at the latest SANS papers

Some new interesting SANS papers have appeared in the last month. Check them out:

Bonus: there will be a SANS podcast on The Business Justification for Data Security by Securosis (Tuesday, March 17 at 1:00 PM EST (1800 UTC/GMT)).

(Photo under creative commons from suchitra prints' photostream)

The Antwerp Diamond Heist
What has this to do with security? Nothing much, unless you count physical security. But this one happened in our backyard and is a long but really interesting read!!! I first talked about this story in 2007 as a social engineering attack (Social engineering with chocolate), but the details in that article were scarce. The Wired article has a lot more detail.

In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can't explain exactly how it was done.

The loot was never found, but based on circumstantial evidence, Notarbartolo was sentenced to 10 years. He has always denied having anything to do with the crime and has refused to discuss his case with journalists, preferring to remain silent for the past six years.

Until now.

Read the full story. Somehow, it reminded me of the Tiger Team. ;-)

Bonus: 9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines (Source: Networkworld.com)

(Photo under creative commons from (στρατός (formerly known as Michelangelo_MI)'s photostream)

Monday

The sweet irony: Foxit PDF reader releases JBIG2 security patch
Well, so much for recommending people to switch to Foxit Reader to protect them against the JBIG2 library vulnerability for which Adobe has yet to release a patch. Although the exploits in the wild *might* not be effective against Foxit Reader, there is a similar flaw in their reader as well.

Foxit released 3 security updates for their reader:

  • Stack-based Buffer Overflow in Foxit Reader 3.0
  • Security Authorization Bypass in Foxit Reader 2.3 and 3.0
  • JBIG2 Symbol Dictionary Processing in Foxit Reader 2.3 and 3.0

All Foxit Reader users are recommended to please update their Foxit Reader 3.0, available here: http://www.foxitsoftware.com/downloads/

So much for biodiversity. ;-)

No matter which reader you choose, check regularly for application patches. Secunia OSI is a good place to start.

(Photo under creative commons from : Wendy ::'s photostream)

PDF Exploit PoC without any user interaction
Last week, Belgian security researcher Didier Stevens demonstrated that a PDF exploit could be triggered with the user only selecting the file (security4all).

Now he has taken it a level further. In some cases, you can be vulnerable by merely having an infected file on your hard disk. The problem lies with the Windows Indexing Service (among others).

Visit his blog for the details and countermeasures.

It's still two days before Adobe releases a patch. And the question is: what will the patch rate of the average user be? It may take months to see serious adoption.

Here is a list of possible countermeasures:

  • Disable JavaScript in Adobe Acrobat Reader. I know that this stops only the known attacks and does not eliminate the underlying vulnerability, but it can help lower the threat level.
  • Although not perfect, anti-virus vendors are updating their signatures to detect malicious PDFs. Make sure you have some on your desktop, your proxy and your mail server, preferably not using the same engine. This will increase your detection rate.
  • Some IDS and IPS signatures are available.
  • Disable automatic rendering of PDFs in the browser.
  • Warn users to be careful about PDFs from unknown sources.
  • Install an alternative PDF reader like Foxit Reader or Sumatra PDF.
  • And in Didier's case, disable or uninstall the Windows Indexing Service (see his blog for more info).
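The list above leans on detection (anti-virus on desktop, proxy and mail server, IDS signatures) for files that cannot simply be blocked. As an added illustration of what such detection looks like at its simplest, here is a small triage scanner written for this page (not code from the original post, nor from Didier Stevens' tools): it inflates FlateDecode streams, decodes the `#xx` name escapes the PDF format allows, and counts the markers that matter in this story: `/JavaScript` and `/JS` (embedded script), `/JBIG2Decode` (an image that goes through the JBIG2 library), and `/OpenAction`, `/AA` and `/Launch` (actions that fire without a click). The two PDFs it scans are constructed inline for the example and contain no real script; the keyword list and the verdict thresholds are this example's own choices, not a vendor signature set.

```python
import re
import zlib

# Markers this triage scanner counts (chosen for this example). /JavaScript and
# /JS carry embedded script, /JBIG2Decode marks an image decoded by the JBIG2
# library, /OpenAction, /AA and /Launch are actions that need no user click.
SUSPICIOUS_KEYWORDS = (b"/JavaScript", b"/JS", b"/JBIG2Decode",
                       b"/OpenAction", b"/AA", b"/Launch")

# stream ... endstream bodies; the lookbehind keeps "endstream" from matching as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF names may spell any character as #xx (hex), e.g. /Java#53cript == /JavaScript.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _inflate_streams(data):
    """Return the inflated body of every stream that is valid zlib data.
    Streams that are not zlib-compressed (like a JBIG2 image) are skipped."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def _decode_name_escapes(text):
    """Turn #xx escapes back into the bytes they stand for, so an obfuscated
    name compares equal to its plain spelling."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), text)


def scan_pdf_bytes(data):
    """Count each suspicious keyword in the raw file and in inflated streams.
    Returns {keyword: count} with only the keywords that were found."""
    haystacks = [_decode_name_escapes(h) for h in [data] + _inflate_streams(data)]
    findings = {}
    for kw in SUSPICIOUS_KEYWORDS:
        # A PDF name ends at a delimiter, so /JS must not also match /JSomething.
        pattern = re.compile(re.escape(kw) + rb"(?![A-Za-z0-9])")
        n = sum(len(pattern.findall(h)) for h in haystacks)
        if n:
            findings[kw.decode()] = n
    return findings


def verdict(findings):
    """Map findings to a handling decision. JBIG2 alone is common in scanned
    documents, so it only asks for review; script plus an automatic action
    (the pattern in the attacks discussed above) is quarantined."""
    auto = {"/OpenAction", "/AA", "/Launch"} & findings.keys()
    script = {"/JavaScript", "/JS"} & findings.keys()
    if script and auto:
        return "quarantine"
    if script or auto or "/JBIG2Decode" in findings:
        return "review"
    return "clean"


def build_constructed_samples():
    """Two hand-made PDFs, constructed for this example (not real samples)."""
    benign = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # An object stream hides the action dictionary inside compressed data and
    # spells /JavaScript with a #53 escape; a plain grep of the file sees neither.
    hidden = b"4 0 << /S /Java#53cript /JS (constructed placeholder, no script) >>"
    packed = zlib.compress(hidden)
    suspicious = (b"%PDF-1.5\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                  b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                  b"/Resources << /XObject << /Im0 6 0 R >> >> >> endobj\n"
                  b"6 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                  b"/Filter /JBIG2Decode /Length 4 >>\nstream\nxxxx\nendstream\nendobj\n"
                  b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
                  + str(len(packed)).encode() + b" >>\nstream\n" + packed
                  + b"\nendstream\nendobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return benign, suspicious


if __name__ == "__main__":
    for label, pdf in zip(("benign", "suspicious"), build_constructed_samples()):
        found = scan_pdf_bytes(pdf)
        print(f"{label}: {found} -> {verdict(found)}")
```

The suspicious sample only reveals its `/JavaScript` and `/JS` markers after the object stream is inflated and the name escape decoded; the raw bytes show just `/OpenAction` and `/JBIG2Decode`. That gap is why a scanner that greps the file as-is misses real samples, and why the list above asks for more than one engine in more than one place.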

As in biology, we need some biodiversity. By not using the most widely used software, you gain some immunity against attacks that target the most popular products.

(Photo under creative commons from broken thoughts' photostream)

Thursday

Acrobat Reader exploit works without opening the PDF

Belgian security researcher Didier Stevens posted an interesting video on his blog. He showed us that, because of the Windows shell extensions, opening a malicious PDF isn't the only thing that will get the shellcode executed: selecting the PDF with one click or hovering over it is enough. He gives some advice on how to handle these files carefully. Read his post for more info.

The story hit security.nl, Slashdot, The Register, etc. soon after.

Didier is a Belgian security blogger and researcher. Apparently, he will be giving a workshop at the BruCON Security Conference in September. Follow the BruCON blog for upcoming information.

(Photo under creative commons from saba♫dija's photostream)

Last of the Defcon videos uploaded
Dark Tangent has uploaded the remaining Defcon 16 audio and video files. You can get them here.

(Photo under creative commons from flosofl's photostream)

Excel zero-day patch not included in next Reboot Tuesday
On the 24th of February, Microsoft released a security advisory for Excel (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Quoting my previous post:

Both McAfee and Symantec reported a Trojan attacking this vulnerability. According to McAfee, current attacks are very targeted and limited. When successful, it installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

Today, the patches for March were announced, but they did not include Excel. Although it is not being exploited widely, I would still be cautious about targeted attacks.

(Photo under creative commons from oskay's photostream)

Webcast: "Modern Social Engineering - A Vital Component of Pen Testing".
There is no patch against social engineering. Although user awareness might help, it's best to test the effectiveness of this training.

Have a look at this free webcast on March 10th called "Modern Social Engineering - A Vital Component of Pen Testing".

Chris Nickerson is the founder of Lares Consulting and was on the Tiger Team TV show. He talks about how social engineering is more important than ever to include in your penetration testing program.

As a bonus, have a look at his presentation at OWASP NYC: Red And Tiger Team Application Security Projects

(Photo under creative commons from Radio Rover's photostream)

Tuesday

Is your DBA installing patches? 11% never does.

An interesting survey with some scary observations. This survey was done by Oracle and the Independent Oracle Users Group. Patching is a best practice that is not performed by everyone, in this case Oracle admins. Apparently 11% have never applied a patch, and close to 50% were at least 2 cycles (6 months) behind on patches.

The pdf of the rest of the survey can be found here.

Now go and ask your DBA when he last patched your (customer) database.

(Photo under creative commons from jonathan_moreau's photostream)