16 December, 2009 (06:55) | General, Malware, Security, Software | By: admin
From Dark Reading:
Adobe’s Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag.
Adobe late yesterday issued a brief alert about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that’s being exploited in the wild. “We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information,” Adobe said.
So far, Adobe and security researchers around the industry have been tight-lipped on details about the newly discovered vulnerability involved, but ShadowServer today said in its blog that the flaw resides in a JavaScript function in Acrobat and Reader. The trick is that the vulnerable JavaScript is hidden inside a “zlib stream,” which makes it difficult for security scanners to detect it, ShadowServer says. The flaw is found in 8.x and 9.x versions of the software, according to ShadowServer, and researchers are currently testing earlier versions for the bug as well.
Tags: acrobat, adobe, exploit, Malware, reader, zero day | No comments
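The ShadowServer point above, as an added example (not code from Dark Reading, ShadowServer or Adobe): a scanner that matches script markers against a PDF's raw bytes finds nothing when the script sits inside a zlib (FlateDecode) stream, so a defensive scanner has to inflate streams before matching. The sample fragment, marker list and function names are constructed for illustration.

```python
import re
import zlib

# Assumed marker list for illustration; real scanners use far richer signatures.
JS_MARKERS = (b"/JavaScript", b"app.alert", b"eval(", b"unescape(")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
MAX_INFLATED = 1 << 20  # cap output per stream to blunt decompression bombs


def build_sample_fragment():
    """Constructed, benign PDF-like fragment with a Flate-compressed script."""
    script = b'var msg = "hello"; app.alert(msg); app.alert(msg); app.alert(msg);'
    packed = zlib.compress(script)
    header = b"<< /Length %d /Filter /FlateDecode >>" % len(packed)
    return b"%PDF-1.4\n5 0 obj\n" + header + b"\nstream\n" + packed + b"\nendstream\nendobj\n"


def scan_raw(data):
    """Naive scan: look for markers in the bytes exactly as stored on disk."""
    return sorted(m.decode() for m in JS_MARKERS if m in data)


def inflate_streams(data):
    """Return the inflated body of every stream that is valid zlib data."""
    bodies = []
    for match in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(match.group(1), MAX_INFLATED))
        except zlib.error:
            continue  # not Flate-encoded, or damaged; skipped in this sketch
    return bodies


def scan_inflated(data):
    """Scan the inflated stream contents instead of the raw file bytes."""
    hits = set()
    for plain in inflate_streams(data):
        hits.update(m.decode() for m in JS_MARKERS if m in plain)
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_fragment()
    print("raw scan:     ", scan_raw(sample))
    print("inflated scan:", scan_inflated(sample))
```

Streams that use other filters, or several filters chained together, are skipped here and would need their own decoders.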
14 December, 2009 (07:52) | General, Malware, Security, Web, network | By: admin
From SecurityFocus:
The cybercriminals behind the Zeus botnet used Amazon’s Elastic Computing Cloud (EC2) to host the central server used to control a portion of the compromised machines, security firm CA stated on Thursday.
The company found that infected machines would contact a server hosted in Amazon’s cloud to download updates and additional functionality to any infected computer systems. The malicious software would then steal data and banking login credentials, Methusela Cebrian Ferrer, senior researcher at CA, said in a blog post.
“The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money,” Ferrer stated. “In this variant, we have learned how cloud on-demand — pay-as-you-use — offerings could be used to fuel such online cybercrimes.”
9 December, 2009 (10:00) | General, Malware, Security, network | By: admin
From Dark Reading:
Keyloggers and spyware are the most commonly occurring attacks in companies that suffer major data breaches, according to a report published today by Verizon Business.
The new report, “2009 Supplemental Data Breach Investigations Report: An Anatomy of a Data Breach,” offers a look at the 15 most common security attacks and how they typically unfold. The data is extracted from Verizon Business’ April 2009 study of its computer forensics service customers, all of whom have experienced a major data breach.
The report taps Verizon Business’ detailed investigative records to identify, rank, and profile the most common attacks. For each type of attack, the report provides real-world scenarios, the warning signs, how the attack is orchestrated, how attackers got in, what information they took, what assets the attackers targeted, what industries are commonly affected, and what countermeasures are effective. In total, the report details nearly 150 ways to detect and combat security threats. This latest installment in Verizon’s data breach study series is based on the “2009 Verizon Business Data Breach Investigations Report,” issued in April. That landmark study analyzed more than 90 forensic investigations involving 285 million compromised records
Tags: breach, data, keylogger, Malware, report, spyware, verizon | No comments
9 December, 2009 (09:12) | General, Security, Software, Web | By: admin
From ISC SANS:
The almost universally installed Flash Player of Adobe has been updated to version 10.0.42.34. Adobe AIR was upgraded as well to version 1.5.3.
Read more about it in the apsb09-19 bulletin from Adobe.
The reasons behind it are 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and CVE-2009-3951, of which 6 lead to arbitrary code execution and the last one is a Windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.
“Upgrade!” is the loud and clear message should our audience need that encouragement.
At this point we have no guidance for users wishing to know more about version 9 of the Flash Player aside from considering an upgrade to the latest incarnation of version 10.
Thanks for the heads-up go to David and Andrew.
Patch thy self!
Tags: adobe, air, flash, patch | No comments
8 December, 2009 (08:04) | General, Hardware, Security | By: admin
From Dark Reading:
An Israeli mobile security firm that a month ago offered $100,000 in gold to anyone who could hack its voice encryption technology has upped the ante to $250,000. Gold Lock posted a sample of an encrypted voice conversation on its Website and is offering the golden reward to any hackers who can crack it and send the company a transcript of the call.
Gold Lock, which sells military-grade mobile devices and data and voice encryption tools, says the voice call file has been downloaded more than 1,000 times in the Gold Lock Hacker Challenge contest. But that’s nowhere near the number the vendor had expected, so it decided to make the contest more attractive with a bigger bounty.
“Since 2003, we have been telling everyone how our products provide unbreakable protection for their voice and data transmissions, but talk is cheap. So now we are putting our claims to the ultimate test by inviting anyone that thinks they have the skills to take us down,” said Noam Copel, CEO of Gold Lock, in a statement.
Tags: mobile, Security | 2 comments
7 December, 2009 (13:03) | General, Hardware, network | By: admin
From Ars Technica:
In a couple of years, crossing the 1Gbps threshold with a WiFi access point will be routine. That access point will likely have two radios, one for each major spectrum band, and support a host of older flavors for compatibility. Eventually, WiFi will approach the robustness and speed needed to make it a completely viable replacement for Ethernet for most users.
In today’s pipeline are optional enhancements to 802.11n that have been in the works since the standard stabilized at the IEEE engineering group nearly three years ago. These enhancements will increase range and performance by up to a couple orders of magnitude, offering raw data rates of 450 Mbps and 600 Mbps.
The slated improvements will also correct for black holes, where current 802.11n gear’s signals don’t reach unless an excessive amount of overlapping devices are installed at relatively high expense. Even better, the boosts to 802.11n are just the start. A new IEEE committee is working on fast WiFi that will hit a raw encoding rate of 1 gigabit per second (Gbps).
Tags: 802.11n, IEEE, wifi | No comments
7 December, 2009 (11:54) | Geek, General, Web | By: admin
From Wired’s This Day in Tech:
1999: The Recording Industry Association of America sues Napster, the online, peer-to-peer file sharing service that’s allowing millions of computer users to score free, copyright music. The rules are about to change.
Napster founder Shawn Fanning won rock-star celebrity with the service. But music-industry heads were spinning.
So, the RIAA sued Napster and all of its financial backers in federal court in San Francisco. The outcome eventually defined the rules of online, peer-to-peer file sharing networks.
The case began 10 years ago today and dragged on for almost eight years.
A federal judge and an appeals court in San Francisco both ruled in 2002 that Napster was liable for contributory or vicarious copyright violations, because it was allowing millions of users to download music for free. Napster eventually shut down and went bankrupt, later re-emerging as a legitimate, online music service.
Tags: napster, p2p, RIAA | No comments
7 December, 2009 (10:00) | General, Hardware | By: admin
I found a nice guide on cleaning up all those nasty gadgets you have lying around the house and office. From Gizmodo:
Hey, you, your gadgets are disgusting. And wiping them with your greasy shirt sleeve isn’t making things any better. Here’s how to clean your gadgets, the right way.
7 December, 2009 (09:10) | General, Hardware, Security, network | By: admin
Found a great article on network broadcasts today on ISC SANS:
So Rob, you say, aren’t we done talking about protecting switches and the like at Layer 2 yet? We talked about Man in the Middle Attacks in October, and Layer 2 remediation against Man in the Middle Attacks in November, that should cover it, right?
The short answer is “no” – we haven’t talked about Broadcast control or MAC address flooding yet!
Broadcasts are part of everyday life on most networks – they’re necessary for most networks to operate. ARP and DHCP are both great examples of protocols that use broadcasts for different reasons. However, the problem with broadcasts is that they are received by every station on the subnet, each station has to actually read at least the packet header to then determine that the packet is or isn’t for them, then discard it if it’s not theirs. This takes up a very small but measurable amount of CPU. It’s this CPU usage that gives broadcasts their bad name.
So what level of broadcast traffic on a network is “reasonable”? A Cisco paper that I often refer to (http://www.cisco.com/en/US/docs/internetworking/design/guide/nd20e.html) indicates that at 1,000 broadcasts per second, you can expect to lose on average roughly 1% CPU per host. Now considering the age of this document (it references 25MHz 386 processors), you can see that we can probably go much higher than that these days. But at 1,000 broadcasts per second, you’ve probably either got a very (very) large subnet, or some other problem that should be addressed!
Tags: broadcast, layer 2, network, Security, switch | No comments
6 December, 2009 (20:15) | Geek, General, Malware, Software | By: admin
From Taranfx:
Who was that someone shouting loud that only Jailbreaking makes iPhone insecure? We now have a new App that makes even an UnModified/Virgin iPhone leak personal data like you have never seen before.
A Swiss iPhone developer has unveiled a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email accounts information, images, Safari Browsing history, youtube, keyboard logger, etc. all this using just the public API exposed by Apple’s SDK.
In order for this application, SpyPhone, to work, it does not need any exploits or any jailbreaking/firmware modification, attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unrestricted access to the large amount of the data and settings available on the device.
Tags: Apple, iPhone, Malware, spyphone, spyware | No comments