Kaspersky Kerplunk

I am sure most of you will have read about last week's security breach with Kaspersky Labs, the Russian AV vendor. Read more here.

So this has to raise the question: who is securing the security vendors? Kaspersky say that no data was taken, although this is probably due to the ethical nature of the Romanian hackers, but no one really knows. The story goes that the hackers utilised Google queries to identify Kaspersky systems that were vulnerable to SQL injection, and I think this is really the problem here. We all know how excellent Google Hacking can be, and the power of the search engine queries available, and even though you might need some awesome Google-Fu for some searches, even the basics often yield excellent results.

What this re-emphasises is that if the hackers can resource themselves, and take the time to keep up with vulnerabilities, then organisations' security teams should do the same.
So InfoSec professionals should be encouraged to spend time keeping up to speed with vulnerabilities associated with their environment, as well as acquiring fundamental skills to carry out activities such as Google searches to understand the organisation's risk factors.

Check out these 2 sites below for information on exploits, and patch releases as a first start.

  • Milw0rm – Exploits, Vulnerabilities, Papers, Code, etc
  • CPNI – Centre for the Protection of National Infrastructure (Patching Advisories)

No encryption for the masses

A recent survey by Kroll Ontrack shows that over 90% of laptop hard disks they receive for data retrieval are not encrypted.

I admit I don't really find this surprising; companies are not always really aware of the risk of data loss and theft, especially with portable devices that are easily snatchable. Also, as with everything security related, it can sometimes be difficult to convince the business of the Return On Investment.

Organisations should focus on the financial implications of data loss, the costs to inform their customer, brand damage, penalties to governing bodies and compliance implications.

With so many varying solutions available for partial and full disk encryption, now is an excellent time to consider technical solutions to significantly reduce the risk and exposure levels around data loss.

SSL Enabled, it's got to be secure, right?

This may be news to some, but a repetition to those already in the know.
In the past there has been evidence to show how MD5 collisions can lead to the abuse of signatures from a certificate authority.

A post by Jürgen Schmidt covers some new tests by some rich hacker folks who have 200 PS3s and use these to carry out some SSL MD5 hash collision attacks.

Excerpt

Using a cluster of 200 Playstation 3 systems, it took the researchers two days to create two valid certificate requests with predetermined data fields that resulted in identical hash values. The researchers only modified the contents of unimportant fields, for example the Netscape comment extension. They got the RapidSSL Certification Authority to sign the first request, issued for a domain in their possession. Then they attached this digital signature to the second certificate that confirmed the identity of the fictitious “MD5 Collisions Inc.” Certification Authority. Since the second certificate’s hash value is identical to that of the signed original, no program can detect the forgery.

This approach is called a collision attack. Attackers can modify both the subsequently presented forged certificate and the pre-signature original, until two samples with the same hash value are produced.

This is all well and good and interesting, but what can you do about it? Well now there is a Firefox plugin aimed at helping to identify if the website you are visiting has suffered from this attack.

The Firefox extension that will alert you when visiting a potentially compromised site. The extension works a little magic in the background to determine if the SSL certificate you’re trusting to keep your transaction safe is one which could be dangerous, thus giving you a little added protection from the rough and ragged world of cybercrime.

You can download it here.

Paul Daniels style… It's MAGIC. The new Android phone exclusive to Vodafone.

We all know about the first Google Android G1, exclusive on the T-Mobile network. Sadly this phone is a bit of an ugly duckling, although functional and a great first OS release from Google.

Now we have the HTC Magic coming soon on Vodafone (we are not allowed to call it the G2).

Here are the specs below:

The HTC Magic is an Android™-powered mobile designed to turn heads with its chic design, and command attention with its advanced list of capabilities. Ready to always keep you in the know… it provides the Google suite of services like Mail, Search and Maps geared up for use in the palm of your hand. Further enhanced with video capture and support for tunes via Bluetooth wireless headsets, the HTC Magic is a true entertainment and media powerhouse.

Processor: Qualcomm® MSM7201a™, 528 MHz
Operating System: Android
Memory:
  • ROM: 512 MB
  • RAM: 192 MB
Dimensions: 113 x 55 x 13.65 mm (4.45 x 2.17 x 0.54 inches)
Weight: 118.5 grams (4.18 ounces) with battery
Display: 3.2-inch TFT-LCD flat touch-sensitive screen with 320×480 HVGA resolution
Network:
  • HSDPA/WCDMA: 900/2100 MHz; up to 2 Mbps up-link and 7.2 Mbps down-link speeds
  • Quad-band GSM/GPRS/EDGE: 850/900/1800/1900 MHz
  (Band frequency and data speed are operator dependent.)
Device Control: Trackball with Enter button
GPS: Internal GPS antenna
Connectivity:
  • Bluetooth® 2.0 with Enhanced Data Rate
  • Wi-Fi®: IEEE 802.11 b/g
  • HTC ExtUSB™ (11-pin mini-USB 2.0 and audio jack in one)
Camera: 3.2 megapixel color camera with auto focus
Audio supported formats: AAC, AAC+, AMR-NB, MP3, WMA, WAV, AAC-LC, MIDI, OGG
Video supported formats: MP4, 3GP
Battery:
  • Rechargeable Lithium-ion battery
  • Capacity: 1340 mAh
  • Talk time: up to 400 minutes for WCDMA; up to 450 minutes for GSM
  • Standby time: up to 660 hours for WCDMA; up to 420 hours for GSM
  (The above are subject to network and phone usage.)
Expansion Slot: microSD™ memory card (SD 2.0 compatible)
AC Adapter:
  • Voltage range/frequency: 100 ~ 240V AC, 47/63 Hz
  • DC output: 5V and 1A
Special Features: G-sensor, Digital Compass

Note: Specifications are subject to change without prior notice.

Windows Home Server, a MS product worth owning!!!

I first got my hands on Microsoft Windows Home Server back in 2007; it was a 30 day trial. I forget the issues, but I didn't get on too well with it, think there were issues with 64Bit OS. However I heard a Power Pack update had been released recently, so nearly a year on in December I set up a new box, and with a nice new 120 Day Trial from MS I set it up.

I have to say it runs very well, and the community following for it now is excellent; so many add-ins and options, it's superb.
I have set up a box that automatically comes on and turns off at scheduled times for usage, and as needed can be accessed remotely. It streams all the content I need to PS3, XBOX 360, Streamium etc, and it works flawlessly so far.

It also carried out regular backups of all the Windows boxes on the network, and I have even done an over the network total recovery and it worked like a charm.

It's about £90 to buy online, but is soon coming to MSDN, so if you're a subscriber it might be worth the wait. You can now download the 120 day trial online, so if you have a spare box hanging about, it's certainly worth a demo. The current version is based on Windows 2003 Server SP2.

Also check out the We Got Served Forums for tips, downloads and advice.

Features:
  • Digital memories and media stored and organized in a central location
  • Home computers backed up daily, automatically
  • Simple restore of lost files or even entire hard drive contents
  • Complete access to files from both inside and outside the home
  • A secure and personalized website address for sharing photos and home videos
  • Easily add storage space and new software capabilities