Anton RSS Feeds

This page summarizes a whole lot of security RSS feeds that I watch. Thanks to Chris Lee for a script that made this page possible!

Schneier on Security (03/09/10)

Marc Rotenberg on Google's Italian Privacy Case (03/09/2010)

Interesting commentary:

I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person's image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man's image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim suggested that the state assembly could simply pass a law to create the right. The New York legislature did exactly that, and in 1903 New York enacted the first privacy law in the United States to protect a person's "name or likeness" for commercial use.

The whole thing is worth reading.

Guide to Microsoft Police Forensic Services (03/09/2010)

The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.

Google in The Onion (03/08/2010)

Funny:

MOUNTAIN VIEW, CA -- Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday.

"We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some privacy concerns as of late, and judging by some of the search terms we've seen, along with the tens of thousands of personal e-mail exchanges and Google Chat conversations we've carefully examined, it looks as though it might be a while before we regain your trust."

Google expressed regret to some of its third-generation Irish-American users on Smithwood between Barlow and Lake.

Added Schmidt, "Whether you're Michael Paulson who lives at 3425 Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from Lynnwood, WA, who already has well-established trust issues, we at Google would just like to say how very, truly sorry we are."

Eating a Flash Drive (03/08/2010)

How not to destroy evidence:

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show.

The article wasn't explicit about this -- odd, as it's the main question any reader would have -- but it seems that the man's digestive tract did not destroy the evidence.

De-Anonymizing Social Network Users (03/08/2010)

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

News article. Moral: anonymity is really, really hard -- but we knew that already.


Honeyclient Development Project (07/02/07)

New Honeyclient Project Website (07/02/2007)

It's been a long time, but that doesn't mean we have not been busy. I'm going to go ahead and do what I should have done a while back, so here's where our up-to-date project website is now at. At...

Email Honeyclient Available for Download (01/06/2006)

Aidan Lynch and Daragh Murray from Dublin City University have written a cool new extension to the honeyclient which they call the email honeyclient. This extension allows you to use Outlook to grab email URLs and send them back to...

Recent World of Warcraft Account Compromises (10/08/2005)

Recently, a whole bunch of World of Warcraft (WoW) player accounts were compromised via a keylogger being installed on the users' machines. The infection epidemic was so bad that Blizzard Entertainment set up customer service lines for weekend support. This...

More Honeyclient News at ToorCon (09/22/2005)

Dan Hubbard of Websense also gave a talk on honeyclient technology at ToorCon 7. It's good to see this technology area talked about in the security community. We really need to move away from reactive intrusion detection technologies, given that...

Slides for Latest Honeyclient Talk Posted (09/21/2005)

I've just posted my slides from the latest honeyclient talk at ToorCon 7. The slides can be downloaded here. I had a great time at ToorCon, and will talk more in detail about that on my personal weblog soon....

Honeyclient Briefing at ToorCon 2005 (09/13/2005)

I will be speaking about honeyclients at the upcoming ToorCon 2005. If you are planning on attending ToorCon, or if you're in San Diego, please stop by and say 'hi'. There will be new information presented at ToorCon, and I...

Microsoft Releases Technical Paper on HoneyMonkeys (08/14/2005)

Microsoft released a technical paper, entitled Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. The paper can be downloaded here. I read the paper and thought it was very interesting. 'HoneyMonkeys' is Microsoft's term for...

New Version of Honeyclient Now Available for Download (07/05/2005)

Since RECON, I've been busy with my day job, and with travelling. Finally, over the long weekend, I was able to fix a bug in the previous honeyclient release. Namely, the MSIE browser caching mechanism was giving me some problems....

Honeyclient Talk Slides Available for Download (06/21/2005)

I just posted the slides that were used during yesterday's honeyclient talks at RECON. They are now downloadable off the main page. I am still in Montreal today, and will be returning home tomorrow. Today, I enjoyed sightseeing around the...

Honeyclient Talk Today (06/18/2005)

I gave a talk today at RECON on honeyclients. Also, the world's first open-sourced honeyclient has just been released during my talk. Download the latest tarball from the download section on the main page. Talking to the people at RECON...

Cerberus-like Attack for Botnet Formation (06/14/2005)

I thought that this article from eWeek highlighted only the beginning of what we will start to see with increasing frequency - multi-staged attacks. I just called this attack 'Cerberus-like' because it is a three step attack. Basically, the first...

A New Business Model? (06/14/2005)

How could it be that a company in Russia is building a business around infecting other people's machines? 'No way!', you say. Well, this article from Information Week has the details. This Russian company (which I will not link directly...

Microsoft's Honeyclient Project (06/14/2005)

According to this Slashdot post, Microsoft has their own version of a honeyclient, which they call 'honeymonkeys'. I have to say, that's a cute moniker. More importantly, though, this goes to show that it's becoming increasingly important to actively seek...

Oops, Did You Mean To Type 'google'? (06/14/2005)

Next time you try and access Google, be careful how you type. This article in eWeek points out that typing 'googkle' instead of 'google' lands you at a malicious site that then attempts to install beasties such as backdoors and...

Why We Need Honeyclients (06/14/2005)

This article talks about how attackers are now using fake weblogs to entice users to click on certain links. Once those links are accessed, malware such as keyloggers and trojans are uploaded to the victim host from the malicious server....

SANS Internet Storm Center, InfoCON: green (03/10/10)

Infocon: green

What's My Firewall Telling Me? (Part 4)

What's My Firewall Telling Me? (Part 4), (Wed, Mar 10th) (03/09/2010)

There's been a lot of discussion about the recent stories on parsing firewall logs - Mar ...(more)...

Microsoft Security Advisory 981374 - Remote Code Execution Vulnerability for IE6 and IE7, (Wed, Mar 10th) (03/09/2010)

Several readers have pointed us towards this advisory. This Microsoft advisory outlines a vuln ...(more)...

March 2010 - Microsoft Patch Tuesday Diary, (Tue, Mar 9th) (03/09/2010)

Overview of the March 2010 Microsoft Patches and their status. ...(more)...

Samurai WTF 0.8, (Mon, Mar 8th) (03/09/2010)

A new version of the Samurai WTF (Web Testing Framework) distribution, version 0.8, has been r ...(more)...

Vodafone Android Phone: Complete with Mariposa Malware, (Tue, Mar 9th) (03/09/2010)

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafon ...(more)...

Energizer Malware, (Tue, Mar 9th) (03/09/2010)

We received several emails today about the US-CERT analysis of Trojan horse software found in a ...(more)...

SEO poisoning on TV show, (Mon, Mar 8th) (03/08/2010)

An ISC reader, thanks Paul, notified us about a new SEO (Search Engine Optimization) ...(more)...

Microsoft announced two important bulletins (fixing multiple vulns. affecting Windows and Office) for tomorrow: http://www.microsoft.com/technet/security/Bulletin/MS10-mar.mspx, (Mon, Mar 8th) (03/08/2010)

...(more)...

SecuriTeam (03/10/10)

LedgerSMB Multiple Vulnerabilities (01/25/2010)

It has been brought to our attention that a number of security vulnerabilities have been noted in SQL-Ledger. Several of these affect earlier versions of LedgerSMB, and three hotfixes have been released for problems that continue to affect the LedgerSMB codebase.

Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability (01/04/2010)

Insecure permissions have been detected in the multiple Kaspersky Lab antivirus products.

Piwik Cookie Unserialize Vulnerability (12/11/2009)

Piwik calls unserialize() on user input, which allows an attacker to send a carefully crafted cookie that, when unserialized, utilizes Piwik's classes to upload arbitrary files or execute arbitrary PHP code.

Invision Power Board SQL PHP File Inclusion and SQL Injection (12/08/2009)

Invision Power Board has a PHP file inclusion vulnerability that is trivial to exploit with a web browser and a known location of a PHP file residing on the target system. Authorisation is not required. The SQL injection vulnerability is somewhat tricky to exploit, as there are quite a few restrictions that make creating a successful SQL attack vector difficult. Nevertheless, a crafty attacker might issue a series of requests that allow him to gain some information about the target system or even read files from the disk, depending on permissions granted to the DB account that is used by the forum.

U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability (12/07/2009)

The U.S. Defense Information Systems Agency (DISA) publishes Security Readiness Review scripts (SRRs) to ensure systems and software meet security baselines required by the Department of Defense. Unprivileged local users can obtain root access on Unix systems where the DISA SRR scripts are run.

Netifera - Modular Open Source Platform for Security Tools (04/12/2009)

WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems (03/09/2009)

Webshag - Web Server Audit Tool (02/23/2009)

Browser Fuzzer (01/20/2009)

FSpy - Linux Filesystem Activity Monitoring (12/31/2008)

Publique! CMS and SQL Injection Vulnerabilities (01/25/2010)

A remotely exploitable vulnerability was found in the framework core component. Exploitation of this bug does not require authentication and will lead to remotely exposed potentially sensitive information from the Publique! database. Particularly, an attacker can extract usernames and passwords needed to authenticate to the administrative interface and gain full control of the web site and (depending on certain conditions) the server itself.

Files2Links F2L-3000 SQL Injection Vulnerability (01/25/2010)

The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.

HP-UX Running Apache Data Injection and DoS Vulnerability (01/04/2010)

A potential security vulnerability has been identified with HP-UX running Apache v2.0.59.12 and earlier. The vulnerability could be exploited remotely to inject unauthorized data or to create a Denial of Service (DoS).

MIT krb5 KDC denial of service in cross-realm referral processing (01/02/2010)

An unauthenticated remote attacker could cause the KDC to crash due to a null pointer dereference. Legitimate requests can also cause this crash to occur.

AproxEngine Multiple Vulnerabilities (01/01/2010)

Vulnerabilities have been discovered in AproxEngine, which can be exploited by malicious users to manipulate certain data, conduct spoofing, SQL injection, and script insertion attacks and by malicious people to conduct SQL injection and script insertion attacks.

Microsoft Indeo Codec Memory Corruption Vulnerability (12/09/2009)

The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow code to run on users' systems when opening specially crafted content.

HP DDMI Execution of Arbitrary Code (11/18/2009)

A potential security vulnerability has been identified with HP Discovery & Dependency Mapping Inventory (DDMI) running on Windows. The vulnerability could be exploited remotely by an authorized user to execute arbitrary code.

Microsoft Windows License Logging Service Heap Corruption Vulnerability (11/13/2009)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. Authentication is not required on certain configurations to exploit this vulnerability.

Microsoft Office Excel Code Execution Vulnerabilities (11/13/2009)

Attackers using specially crafted XLS files can execute arbitrary code via memory corruptions, invalid index, and invalid pointer errors.

Microsoft SharePoint 2007 ASP.NET Source Code Disclosure (11/02/2009)

It was found that the download facility of Microsoft SharePoint Team Services can be abused to reveal the source code of ASP.NET files.

Trango Broadband Wireless Rogue SU Authentication Bug (01/02/2010)

Currently there is a flaw in the authentication mechanism of these radios which, if an attacker knows some details, can allow interception of ethernet packets broadcast from the Access Point to the Subscriber Unit and potentially allows injection into the communication from the Subscriber Unit to the Access Point.

Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow (01/01/2010)

SCADA weaknesses created by HICP Protocol and NetBiter WebSCADA.

Family Connections Multiple Remote Vulnerabilities (12/17/2009)

Many fields are not properly sanitised, and some checks can be bypassed.

VideoCache vccleaner Root Vulnerability (12/17/2009)

VideoCache is a Squid URL rewriter plugin written in Python for bandwidth optimization while browsing video sharing websites. Version 1.9.2 allows a user with the privileges of the Squid proxy server to append semi-arbitrary data to arbitrary files with root privileges, upon the administrator's execution of the 'vccleaner' utility.

QuickHeal Antivirus 2010 Local Privilege Escalation (12/17/2009)

All files under the install folder have Full Control for BUILTIN\users and can be replaced with malicious files.

Why Silent Updates Boost Security (05/10/2009)

Thomas Duebendorfer (Google Switzerland GmbH) and Stefan Frei (Communication Systems Group, ETH Zurich, Switzerland) looked into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed us to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

PDF Silent HTTP Form Repurposing Attacks (05/10/2009)

This paper sheds light on a modified approach to triggering web attacks through the JavaScript protocol handler in the context of opening a PDF in a browser.

Frame Pointer Overwrite Demonstration (Linux) (12/03/2008)

This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.

Format String Exploitation Demonstration (Linux) (12/02/2008)

This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.

Hacking SOHO Routers (11/12/2008)

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing: * Linksys WRT160N

SANS NewsBites (03/05/10)

SANS 2009

More than 35 courses, SANS top instructors, all in one great place! SANS 2009 is being held in Orlando, FL on March 2-9. Register today!

Aurora Cyber Attackers Targeted Source Code Management Systems (March 3 & 4, 2010)

According to a paper released by McAfee at the RSA Conference, the attackers who breached systems at Google and other companies went after source-code management systems.......

Israeli Raid Called Off After Plan Details Posted on Facebook (March 3 & 4, 2010)

A planned Israeli raid on a Palestinian village in the West Bank was called off after a soldier posted information about it on Facebook.......

Three Arrested in Huge Botnet Case (March 2, 3 & 4, 2010)

Spanish authorities have arrested three people in connection with a botnet that comprised as many as 12.......

Napolitano Announces Cybersecurity Awareness Competition (March 4, 2010)

Speaking at the RSA Conference in San Francisco, Department of Homeland Security Secretary Janet Napolitano described steps the government is taking to develop a strategic approach to cyber security.......

Microsoft Releases New Versions of Update That Caused Crashes; Will Issue Two New Bulletins Next Week (March 4, 2010)

Microsoft has released a reworked version of the MS10-015 security update that caused problems for some users when it was released last month.......

Average Users Have Difficulty Keeping Up With Security Patches (March 4, 2010)

If home users were to apply every security patch available for applications on their Windows PCs, they would be facing roughly 75 instances of patching every year, or one every five days, according to Secunia.......

Chertoff Says Average Users Struggle With Security (March 3, 2010)

Speaking at the RSA Conference in San Francisco this week, former Homeland Security Secretary Michael Chertoff said that effective computer security is too complicated for average computer users.......

White House Declassifies Parts of Cybersecurity Initiative (March 3, 2010)

The White House has declassified portions of the Comprehensive National Cybersecurity Initiative (CNCI).......

RealNetworks Settles With Movie Studios Over RealDVD (March 3 & 4, 2010)

RealNetworks has reached a settlement regarding the company's DVD-copying software, pre-empting a trial in the case.......

German Court Overturns Telecommunications Data Retention Law (March 2 & 3, 2010)

Germany's Federal Constitutional Court has overturned a law that allowed the retention of telephone and email data for anti-terrorism investigations.......

Lawsuit Alleges Patient Data Leaked Through P2P Network (February 26, 2010)

A class action lawsuit filed last month alleges that The Open Door Clinic of Greater Elgin (Illinois) leaked confidential patient information through a peer-to-peer file sharing network.......


@RISK: The Consensus Security Alert (03/05/10)

(1) HIGH: IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

(2) HIGH: IBM Informix Multiple Buffer Overflow Vulnerabilities

Category: Widely Deployed Software

Affected:

(3) HIGH: Multiple Vendor "librpc.dll" Signedness Error Code Execution Vulnerability

Category: Widely Deployed Software

Affected:

(4) MODERATE: Microsoft Internet Explorer VBScript Windows Help Code Execution Vulnerability

Category: Widely Deployed Software

Affected:

(5) MODERATE: Modo 401 LXO Processing Integer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

10.10.13 IBM AIX LDAP Login Local Denial of Service

CVEs: CVE: Not Available

Platform: Aix

10.10.14 WebKit Image Decoder Memory Allocation Remote Code Execution

CVEs: CVE: CVE-2010-0659

Platform: Cross Platform

10.10.15 EMC HomeBase Server Directory Traversal Remote Code Execution

CVEs: CVE: CVE-2010-0620

Platform: Cross Platform

10.10.16 MochaSoft FTPDisc "get" Request Remote Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.17 cronie "crontab" Symbolic Link Local Privilege Escalation

CVEs: CVE: CVE-2010-0424

Platform: Cross Platform

10.10.18 Zhang Boyang FTP Server Remote Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.19 Kojoney "urllib.urlopen()" Remote Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.20 TIBCO Administrator

CVEs: CVE: CVE-2010-0683

Platform: Cross Platform

10.10.21 Weekly Archive by Node Type Module Weekly Summary Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.22 Apple Safari Style Tag Remote Memory Corruption

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.23 Symantec Altiris Deployment Solution "dbmanager.exe" Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.24 VKPlayer ".mid" File Processing Buffer Overflow

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.25 Asterisk CIDR Notation in Access Rule Remote Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.26 XMail Insecure Temporary File Creation

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.27 Hitachi JP1/Cm2/Network Node Manager Insecure File Permissions

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.28 PHP LCG entropy Unspecified Security

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.29 PHP "tempnam()" "safe_mode" Validation Restriction Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.30 Todd Miller Sudo "runas_default" Local Privilege Escalation

CVEs: CVE: CVE-2010-0427

Platform: Cross Platform

10.10.31 FileExecutive Multiple Remote Vulnerabilities

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.32 Apple Safari "background" attribute Remote Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.33 IBM Domino Web Access Prior to 229.281 Unspecified Security Vulnerabilities

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.34 IBM Informix Dynamic Server "librpc.dll" Multiple Buffer Overflow Vulnerabilities

CVEs: CVE: CVE-2009-2753

Platform: Cross Platform

10.10.35 Reductive Labs Puppet "/tmp" Insecure File Permissions Vulnerabilities

CVEs: CVE: CVE-2010-0156

Platform: Cross Platform

10.10.36 MochaSoft FTPDisc Multiple Remote Denial of Service Vulnerabilities

CVEs: CVE: Not Available

Platform: Cross Platform

10.10.37 Libpng "png_decompress_chunk()" Function Denial of Service

CVEs: CVE: CVE-2010-0205

Platform: Cross Platform

10.10.9 Linux Kernel TSB I-TLB Load Local Privilege Escalation

CVEs: CVE: Not Available

Platform: Linux

10.10.10 Linux Kernel "devtmpfs" Insecure Root Directory Permission

CVEs: CVE: CVE-2010-0299

Platform: Linux

10.10.11 Linux Kernel KVM Segment Selector Loading Local Privilege Escalation

CVEs: CVE: CVE-2010-0419

Platform: Linux

10.10.12 Linux Kernel "dvb_net_ule()" Remote Denial of Service

CVEs: CVE: Not Available

Platform: Linux

10.10.96 TrendNet TV-IP110W Missing Authentication Check Security Bypass

CVEs: CVE: Not Available

Platform: Network Device

10.10.2 Microsoft Internet Explorer "winhlp32.exe" "MsgBox()" Stack-Based Buffer Overflow

CVEs: CVE: Not Available

Platform: Other Microsoft Products

10.10.3 Google Picasa JPEG Image Processing Integer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

10.10.4 MediaCoder ".m3u" File Remote Buffer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

10.10.5 DateV "DVBSExeCall.ocx" ActiveX Control Remote Command Execution

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

10.10.6 Domino Web Access ActiveX Control Unspecified Buffer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

10.10.7 Multiple Vendor "librpc.dll" Stack Buffer Overflow

CVEs: CVE: CVE-2009-2754

Platform: Third Party Windows Apps

10.10.8 ProSSHD "scp_get()" Buffer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

10.10.75 WikyBlog Multiple Remote Input Validation Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.76 SilverStripe Multiple Remote Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.77 PHP F1 Max's Photo Album "admin.php" Arbitrary File Upload

CVEs: CVE: Not Available

Platform: Web Application

10.10.78 OpenInferno OI.Blogs Multiple Local File Include Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.79 Facebook-style Statuses Module User Status Security Bypass

CVEs: CVE: Not Available

Platform: Web Application

10.10.80 PBoard "upload/index.php" Remote File Upload

CVEs: CVE: Not Available

Platform: Web Application

10.10.81 Article Friendly Security Bypass

CVEs: CVE: Not Available

Platform: Web Application

10.10.82 Newbie CMS Insecure Cookie Authentication Bypass

CVEs: CVE: Not Available

Platform: Web Application

10.10.83 Arab Cart "showimg.php" Cross-Site Scripting and SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.84 Ceondo InDefero Unauthorized Access

CVEs: CVE: Not Available

Platform: Web Application

10.10.85 Website Baker "framework/class.wb.php" Security Bypass

CVEs: CVE: Not Available

Platform: Web Application

10.10.86 TYPO3 OpenID Module Backend User Account Security Bypass

CVEs: CVE: Not Available

Platform: Web Application

10.10.87 Crawlability vBSEO "vbseo.php" Local File Include

CVEs: CVE: Not Available

Platform: Web Application

10.10.88 Orbital Viewer ".orb" File Stack-Based Buffer Overflow

CVEs: CVE: CVE-2010-0688

Platform: Web Application

10.10.89 Nemo Multiple File Attachments Mail Form "upload.php" Arbitrary File Upload

CVEs: CVE: Not Available

Platform: Web Application

10.10.90 Open Educational System "CONF_INCLUDE_PATH" Parameter Multiple Remote File Include Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.91 SLAED CMS Remote File Upload

CVEs: CVE: Not Available

Platform: Web Application

10.10.92 SLAED CMS Multiple Remote File Include Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

10.10.93 SLAED CMS Installation Script Unauthorized Access

CVEs: CVE: Not Available

Platform: Web Application

10.10.94 Article Friendly "filename" Parameter Local File Include

CVEs: CVE: Not Available

Platform: Web Application

10.10.95 DeDeCMS

CVEs: CVE: Not Available

Platform: Web Application

10.10.38 TRUC "login_reset_password_page.php" Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.39 WebKit "window.open()" method Cross-Domain Scripting

CVEs: CVE: CVE-2010-0661

Platform: Web Application - Cross Site Scripting

10.10.40 Computer Associates eHealth Performance Manager Web Interface Cross-Site Scripting

CVEs: CVE: CVE-2010-0640

Platform: Web Application - Cross Site Scripting

10.10.41 Softbiz Jobs "sbad_type" Parameter Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.42 MySmartBB Multiple Cross-Site Scripting Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.43 Sawmill Unspecified Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.44 Multiple IBM Products Login Page Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.45 tDiary TrackBack Transmission Plugin Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.46 Hitachi Multiple Products Unspecified Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.47 ARISg "wflogin.jsp" Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.48 Oracle Siebel "loyalty_enu/start.swe" Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.49 ExtCalendar "upgrade.php" Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.50 MarketGate Package for Eshbel Priority ERP "Referer" Parameter Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.51 Discuz! "uid" Parameter Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.52 Sparta Systems TrackWise EQMS Multiple Cross-Site Scripting Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

10.10.53 Pre Multi-Vendor E-Commerce Solution "detail.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.54 MASA2EL Music City "index.php" Multiple SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.55 Softbiz Jobs "moredetails.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.56 Bispage Content Manager Admin Page SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.57 Softbiz Auktios Multiple SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.58 HD FLV Player Component for Joomla! "id" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.59 shortCMS "printview.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.60 Softbiz Classifieds PLUS Script Multiple SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.61 GameScript "index.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.62 JSK Internet WebAdministrator "download.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.63 Softbiz Recipes Portal and Link Directory Script "showcats.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.64 Entry Level CMS "index.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.65 Pre Classified Listings "signup.asp" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.66 SLAED CMS SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.67 Joomla! "com_yanc" Component "listid" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.68 Uiga Fan Club and Personal Portal "id" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.69 Blax Blog "girisyap.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.70 Uiga Fan Club Login Multiple SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.71 Scriptsfeed Business Directory Software

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.72 1024 CMS "id" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.73 My Little Forum "contact.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.74 Phptroubleticket "vedi_faq.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

10.10.1 Microsoft Windows Unspecified Denial of Service

CVEs: CVE: Not Available

Platform: Windows


worm blog (08/25/09)

Facebook Worm? (03/28/2008)

Details are sketchy at this point, but is Facebook undergoing an XSS worm attack? I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her...

Writing A Modular Universal XSS Worm (01/27/2008)

With the recent Orkit worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's someone's attempt on the Ph4nt0m group discussion site who is trying to create a sustainable, growable XSS worm. It seems that the...

VB2008 call for papers (01/25/2008)

The Virus Bulletin conference is coming up later this year, but the call for papers closing is only a month and a half away. VB is a nice, fun conference where a lot of top - and rising - AV...

LEET '08 Call for Papers (01/05/2008)

The First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) has a CFP that closes soon. From the CFP: Overview As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive...

Diminutive XSS Worm Replication Contest (01/05/2008)

A friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who can write a new XSS worm (like the MySpace one, the recent Orkut one, etc). The...

The 5th ACM Workshop on Recurring Malcode (WORM 2007) (05/24/2007)

Morning, everyone. I know Wormblog has been very, very silent lately as I've been very busy with work. However, I'll wake it up and post a conference call for papers that applies here. I'm on the PC for WORM07, so...

Grey Goo hits Second Life (11/20/2006)

This isn't the first time a worm (self-replicating code) has hit a large online game, and it won't be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog: [PST 2:44PM]...

Hacking the Malware? A reverse-engineer's analysis (11/08/2006)

A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and its effects. Very good example, and something you can learn from. This paper attempts to document an...

A spread model of flash worms (11/07/2006)

I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math, it's worth the effort to make sure...

And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure (11/06/2006)

I had a great time at WORM06 in Fairfax last week, and in my scramble to get work done in preparation for a day out of the office Wormblog updates slipped. This paper comes from a conference on swarm intelligence...

Donna's SecurityFlash (03/09/10)

Released: Microsoft Security Advisory (981374) (03/09/2010)

Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: March 09, 2010

Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Complete details with work-arounds in http://www.microsoft.com/technet/security/advisory/981374.mspx
http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx

Released: Microsoft Security Bulletins for March 2010 (03/09/2010)

As part of Microsoft's routine, monthly security update cycle, they released 2 new security updates:

References:

Please do not download security updates from other sources (email, other websites). Get the security updates from the Microsoft Update website. You can also get the updates using the Automatic Update feature in Windows. Other sources of Microsoft security updates are the Microsoft Download Center and the Microsoft Update Catalog.

Don't forget to scan the system using Microsoft Baseline Security Analyzer (MBSA) to check for missing and mis-configured patches.

Cybercrimes expand to global brands (03/09/2010)

While financial institutions still top the phishing radar, cybercriminals are now moving beyond to top brands, with one of the recent victims being a hardware manufacturer, according to the latest Anti-Phishing Work Group report.

Released on Sunday, the Anti-Phishing Work Group (APWG) Phishing Activity Trends Report for the fourth quarter of 2009 revealed that 356 brands were hijacked in October, an increase of 4.4 percent over the previous high of 341 recorded last August. The study was compiled using data from APWG and its members MarkMonitor, Websense and Panda Security.

http://news.zdnet.co.uk/security/0,1000000189,40079603,00.htm

PayPal tells users to download anti-phishing software (03/09/2010)

PayPal is asking UK customers to download software from Iconix to help identify genuine e-mails sent by the eBay unit and weed out phishing messages.

PayPal, which has long been a favourite target for phishers, says Iconix eMail ID can help protect customers by visually identifying genuine messages. After a customer installs the software, they'll see an icon (a gold lock with a tick) next to a PayPal logo whenever they receive authentic e-mails from the firm.

The free program works with most of the major e-mail services like Gmail, MSN Hotmail, Windows Live Hotmail, Yahoo Mail, Outlook and Outlook Express.

Garreth Griffith, head of risk and security, PayPal UK, says: "Staying safe online needn't be a headache. By taking a few simple steps you can outsmart the fraudsters and protect your money and your identity."

According to recent research carried out for PayPal by Opinium, 58% of Brits have responded or clicked on a phishing e-mail link while only 58% make sure they look for the padlock icon when carrying out financial transactions.

http://www.finextra.com/News/Fullstory.aspx?newsitemid=21165

Panda Security discovers malware on HTC Magic smartphone (03/09/2010)

Phone had three different types of malicious software programs on its internal memory

A Panda Security employee discovered three malware programs on a recently purchased HTC Magic phone when it was plugged into a Windows computer.

Upon further investigation, Panda found that the employee's phone contained three malware programs: a client for the now-defunct Mariposa botnet, the Conficker worm as well as a password stealer for the Lineage game, said Pedro Bustamante, Panda's senior research adviser.

The malware programs were on the phone's 8GB microSD memory card, which mounts as an external drive when plugged into a PC, Bustamante said. When plugged into a Windows PC, the Mariposa botnet client would automatically run, Bustamante said.

http://www.macworld.co.uk/digitallifestyle/news/index.cfm?RSS&NewsID=3214742

McAfee cuts two percent of workforce (03/08/2010)

Security company McAfee has cut just under two percent of its global workforce.

ZDNet UK understands that about 100 people have been made redundant from various parts of the company. Before the cuts, McAfee employed about 6,100 staff. Most of the redundancies involved engineering employees. McAfee has over 350 researchers globally.

McAfee played down the cuts in an email statement sent to ZDNet UK on Friday.

http://news.zdnet.co.uk/security/0,1000000189,40077945,00.htm

Don't Blame Your Community: Ad Blocking Is Not Killing Any Sites (03/08/2010)

Every so often we hear about a random blog or website that freaks out and claims that ad blockers are "stealing" or somehow damaging websites. But it's quite a surprise to see a similar argument from a site like Ars Technica -- one of the top techie sites out there, which is now owned by Conde Nast. Over the weekend, Ars wrote an odd post claiming that ad blocking "is devastating to the sites you love." Ars decided to run an experiment where it blocked access to its content to any user using an ad blocker (with no warning or explanation). Not surprisingly, this pissed off a bunch of readers, and Ars now admits that it was a mistake in how it was handled -- but that it still believes ad blockers are harming sites.

Frankly, such a position is insulting (though, even more insulting was the way Ars staff responded to complaints in its comments, dismissing people who don't like their ads as not adding anything and actively telling them to go away). If you're reading Techdirt, and the ads we serve are not good, you have every right to use an ad blocker. It's your browser, do whatever you want with it. I, personally, do not use an ad blocker because I don't find most ads annoying -- but if you do, more power to you. You're absolutely welcome here on Techdirt.

If the ads are bad, it's bad for the advertisers

Continue reading in http://techdirt.com/articles/20100306/1649198451.shtml

Confusion about Opera vulnerability (03/08/2010)

From Secunia Blog:

There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued.

The vulnerability was reported as an integer overflow when processing the "Content-Length" header and accompanied by a PoC that always crashed when copying memory due to an overly large size. Based on the provided PoC and report, it immediately seemed like the crash would always occur and executing code would not be possible.

Before issuing a Secunia advisory, a security specialist was tasked with thoroughly analysing the vulnerability report, cause of the crash, and potential impact. It turned out that the vulnerability is not caused by an integer overflow error. Instead, in certain cases when a 64-bit "Content-Length" value is interpreted as negative, the higher 32-bit value is ignored and lower 32-bit value is used to copy data. It is, therefore, possible to manipulate the size value in a manner to successfully corrupt memory and occasionally cause conditions where it is possible to gain control of the execution flow. [...]

Adding to the confusion, Opera Software's initial analysis of the vulnerability concluded that it was not a vulnerability and this was communicated on the Opera Software forum and to the media. Opera Software also contacted Secunia, asking us to update our advisory or alternatively that we provide them with additional information.

During the past days, we have, therefore, been working with Opera Software and providing them with details to clarify that the threat is not just a crash, but has code execution potential. Opera Software has acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible.

http://secunia.com/blog/86
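The narrowing described in the Secunia write-up above, as an added C example that is not Opera's or Secunia's code: a 64-bit Content-Length whose top bit is set reads as negative to a signed consumer, yet keeps only its low 32 bits when cast to a 32-bit copy size, so a small-looking size is used for data the sender controls. The validating parser beside it rejects such values before any size is derived; the `max_body` cap, the header-line wrapper and all inputs are constructed assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating a Content-Length value (constructed example). */
typedef enum {
    CL_OK = 0,
    CL_MALFORMED,  /* not a plain run of decimal digits */
    CL_NEGATIVE,   /* bit 63 set: would read as negative in a signed 64-bit field */
    CL_TOO_LARGE   /* does not fit in 64 bits, or exceeds the caller's body cap */
} cl_status;

/* The defect pattern the write-up describes: the 64-bit length is narrowed to a
 * 32-bit copy size, so the high half (including the sign bit) is silently lost.
 * Illustration only; this is not Opera's code. */
uint32_t naive_copy_size(int64_t content_length)
{
    return (uint32_t)content_length;  /* modulo 2^32: -1 becomes 0xFFFFFFFF */
}

/* Hardened parse of the bare header value. Rejects signs, spaces and non-digits,
 * detects 64-bit overflow, refuses values with bit 63 set, and enforces a cap so
 * the result can be used directly as a buffer size. */
cl_status parse_content_length(const char *value, size_t max_body, size_t *out)
{
    if (value == NULL || *value == '\0')
        return CL_MALFORMED;
    for (const char *p = value; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return CL_MALFORMED;              /* "-512" and "+512" stop here */

    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return CL_TOO_LARGE;                  /* more than 2^64 - 1 */
    if (v > (unsigned long long)INT64_MAX)
        return CL_NEGATIVE;                   /* a signed consumer would see < 0 */
    if (v > (unsigned long long)max_body)
        return CL_TOO_LARGE;

    *out = (size_t)v;
    return CL_OK;
}

/* Wrapper for a raw header line such as "Content-Length: 512\r\n" (constructed
 * input): matches the field name case-insensitively, strips surrounding
 * whitespace and the line ending, then validates the value. */
cl_status parse_content_length_header(const char *line, size_t max_body, size_t *out)
{
    static const char name[] = "content-length:";
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        if (line[i] == '\0' || tolower((unsigned char)line[i]) != name[i])
            return CL_MALFORMED;

    const char *v = line + i;
    while (*v == ' ' || *v == '\t')
        v++;
    size_t n = strlen(v);
    while (n > 0 && strchr(" \t\r\n", v[n - 1]) != NULL)
        n--;

    char buf[32];                             /* 20 digits is the 64-bit maximum */
    if (n == 0 || n >= sizeof buf)
        return CL_MALFORMED;
    memcpy(buf, v, n);
    buf[n] = '\0';
    return parse_content_length(buf, max_body, out);
}

int main(void)
{
    /* 2^63 + 4096: a signed reader sees a negative length; a 32-bit cast sees 4096. */
    const char *hostile = "Content-Length: 9223372036854779904\r\n";
    size_t len = 0;
    cl_status st = parse_content_length_header(hostile, 1u << 20, &len);
    printf("hardened parser: status %d (2 = CL_NEGATIVE)\n", (int)st);
    printf("naive 32-bit copy size for the same value: %u\n",
           (unsigned)naive_copy_size(INT64_MIN + 4096));
    st = parse_content_length_header("content-length: 512\r\n", 1u << 20, &len);
    printf("benign header: status %d, length %zu\n", (int)st, len);
    return 0;
}
```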

Google Defends Chrome's Security (03/08/2010)

Google's Chrome OS Netbook will feature a host of built-in security technologies designed to protect users from malware and other threats, a Google engineer said at the RSA Conference last week.

Will Drewry, a Google software security engineer, said the fact that the company's Chrome OS is an open source project allows for constant feedback from developers regarding security design. This, he said, should reassure those acquiring a Google Netbook about the product's security.

Google plans to release a consumer version later this year and a business version featuring more management muscle in 2011, Drewry said.

http://www.pcworld.com/article/190950/google_defends_chromes_security.html

Unsafe to search using Google Search as per F-Secure (03/08/2010)

From F-Secure Blog:

Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Mac is indeed safer than Windows but it isn't necessarily because Mac is more secure. Windows has a larger market share and that equals more potential victims.

How about search engines? What is the biggest search engine on the block? Google, and the bad guys know it. The result?

It's becoming less and less safe to search via Google.

The test result is in http://www.f-secure.com/weblog/archives/00001897.html

Hackers exploit Oscars to spread scareware attack, Sophos reports (03/08/2010)

Movie-lovers at risk of infection from fake anti-virus traps

IT security and control firm Sophos is warning that hackers are exploiting interest in last night's Oscar film awards ceremony to infect the computers of unsuspecting computer users.

Movie-loving internet users are searching the web for information and gossip about the Academy Award winners, making phrases like "Oscars Winners" one of the most commonly searched for phrases on the internet. However, using SEO (search engine optimisation) techniques, hackers have created webpages stuffed with content which appears to be related to The Oscars - but are really designed to infect visiting computers.

http://www.sophos.com/pressoffice/news/articles/2010/03/hackers-exploit-oscars.html

China vows to punish Google hackers (03/08/2010)

China has pledged to punish hackers who attacked Google if there is evidence to prove it, but said it has yet to receive any complaint from the world's top search engine.

Google sent shockwaves across business and political circles in January when it declared it would stop censoring Chinese search results, and threatened to pull out of China - the world's largest online community with 384 million users at the end of last year - over hacking and censorship concerns.

Google had never filed a report to the Ministry of Industry and Information Technology over the cyber attacks or sought negotiations, Vice Minister Miao Wei was quoted as saying by state news agency Xinhua late on Saturday.

"If Google has had evidence that the attacks came from China, the Chinese government will welcome them to provide the information and will severely punish the offenders according to the law," Miao said.

"We never support hacking attacks because China also falls victim to hacking attacks," he said.

http://www.stuff.co.nz/technology/3422284/China-vows-to-punish-Google-hackers

Hackers take down Assassin's Creed (03/08/2010)

Gamers playing Assassin's Creed 2 on their computers were locked out this weekend after hackers shut down servers required for the game to work.

Ubisoft, the game's publisher, on Monday confirmed it had been targeted by hackers waging a denial-of-service attack, which rendered Assassin's Creed 2 and lesser-known title Silent Hunter 5 unplayable over the weekend.

"Our servers didn't go down but five per cent of the overall people attempting to connect received denial of service errors," the company told website Ars Technica. "This is, of course, unacceptable and our teams are working around the clock to ensure it doesn't happen again."

http://www.cbc.ca/technology/story/2010/03/08/assassins-creed-ubisoft-servers.html

Researchers Split Over Google's Hackers (03/08/2010)

A cybersecurity showdown is in the works.

Late last week cybersecurity firm McAfee and start-up Damballa both released new assessments of the high-profile hacking incident revealed by Google in January.

But while McAfee continues to describe the digital intruders as a sophisticated example of cyberespionage's "advanced, persistent threat," Damballa counters that the gang behind the so-called Aurora attacks were "amateurs" who used "old-school" techniques to create a run-of-the-mill collection of hijacked computers typically used for identity theft and spam. (See "Google Hackers' Unexpected Backdoor" and "Researchers Call Google Hackers Amateurs.")

One of those conclusions, it seems, must be wrong. But that doesn't mean the facts from the two companies aren't both accurate, says Nart Villeneuve, a researcher with the University of Toronto's Citizen Lab. Given the complexity of a modern cybercriminal operation, he says, the two reports might be looking at opposite ends of the same animal.

Villeneuve points out that McAfee has been most vocal about how the hackers accessed their victims' networks, moved between servers and planted hidden software. Damballa, meanwhile, says it has focused on the spyware samples themselves and the so-called "command and control" servers that the software communicated with to receive orders and steal data.

http://www.forbes.com/2010/03/08/google-damballa-mcafee-technology-security10-hackers.html

Backdoor found in Energizer Duo USB battery charger (03/08/2010)

Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning.

"The installer for the Energizer Duo software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory," the U.S. Computer Emergency Readiness Team said in an advisory on Friday. "Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs."

The Windows software was made available via a download with the Energizer Duo Charger, Model CHUSB, Energizer said in a statement.

For systems with the software installed, US-CERT recommends removing the Energizer Duo software and Arucer.dll file, as well as blocking access to port 7777 via network perimeter devices or firewall software.

http://news.cnet.com/8301-27080_3-10465429-245.html via CoU.

Too much Facebook security and privacy issue gave way to a page at... (03/08/2010)

Wikipedia.

Last time I checked there were no such pages, but now there are. Not one but two!

http://en.wikipedia.org/wiki/Facebook_Beacon

http://en.wikipedia.org/wiki/Criticism_of_Facebook

Last I checked it is only http://en.wikipedia.org/wiki/Facebook#Beacon but that is gone.

Too much to worry about in using it, no?

F-Secure HTK4S anti-virus is not related to legitimate F-Secure products; F-Secure warns of phishing e-mail about an F-Secure product (03/08/2010)

Somebody is trying to pose as us. If you see an email like the one below, please ignore it:


From: security@f-secure.com
Reply-To: securitysupport@hotxf.com
Subject: Security Maintenance.F-Secure HTK4S
Date: Fri, 5 Mar 2010 18:11:05 -0000
To: undisclosed-recipients:;

Dear Email Subscriber,

Your e-mail account needs to be improved with our new
F-Secure HTK4S anti-virus/anti-spam 2010-version.
Fill in the columns below or your account will be
temporarily excluded from our services.

E-mail Address:
Password:
Phone Number:

Please note that your password is encrypted
with 1024-bit RSA keys for increased security.

Management.

Copyright 2009. All Rights Reserved.

Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.

http://www.f-secure.com/weblog/archives/00001901.html

Facebook founder Mark Zuckerberg 'hacked into emails of rivals and journalists' (03/08/2010)

Facebook founder Mark Zuckerberg has been accused of hacking into the email accounts of rivals and journalists.

The CEO of the world's most successful social networking website was accused of at least two breaches of privacy in a series of articles run by BusinessInsider.com.

As part of a two-year investigation detailing the founding of Facebook, the magazine uncovered what it claimed was evidence of the hackings in 2004.

In the first instance, it said that, when Zuckerberg discovered that Harvard's student newspaper The Crimson was planning on running an article on him in 2004, he used reporters' Facebook logins to hack into their accounts.

http://www.dailymail.co.uk/news/worldnews/article-1255888/Facebook-founder-Mark-Zuckerberg-hacked-emails-rivals-journalists.html

iiNet trial clears way for 'zombie' code (03/05/2010)

The Internet Industry Association (IIA) will press ahead with its new internet service provider security code, with plans to launch a "quarantine" proposal for infected computers by around June this year.

The voluntary code for internet service providers (ISPs) will attempt to address the threat of computers that have been hijacked as part of a spam or phishing operation. That is, computers that have been lured into a botnet operation that has command and control functionality.

The decision on whether to proceed with the code was based on privacy questions.

One measure the IIA plans to introduce in its ISP code is that a customer's connection be "quarantined" if it becomes infected, otherwise known as a "walled garden" approach to security. The technique allows the infection to be remediated in isolation from a botnet's command centre.

But to introduce the measure, the IIA wanted clarity over whether permission to carry this out could be granted by a customer in writing, for example, in an ISP's customer relationship agreement. The agreement would allow the ISP to use information gleaned from specific accounts for the purpose of identifying whether connected computers were zombie machines, and then take actions to resolve the issue.

http://www.zdnet.com.au/news/communications/soa/iiNet-trial-clears-way-for-zombie-code/0,130061791,339301513,00.htm

'Severe' OpenSSL vuln busts public key crypto (03/05/2010)

Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

"Wherever you need to verify the origin of a piece of software or a piece of information, those building blocks come in handy," said Karsten Nohl, an independent security researcher who in unrelated attacks has broken encryption in widely used smartcards and cordless phones. "The OpenSSL library provides much more than just SSL."

The scientists, from the University of Michigan's electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic "salt" to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible.

http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/


MoMusings@Arachnid.homeip.net

This Blog Has Moved!

The server that this blog used to run on has suffered a hardware failure. Please use the alternative server here momusings.blogsome.com. Apologies for any issues this may cause.

Packet Storm Security Headlines (03/09/10)

Opera Users Baffled By Vulnerability Warnings (03/09/2010)

FA Launches Security Probe After England Team Bugged (03/09/2010)

Chile Earthquake Moved Entire City 10 Feet To The West (03/09/2010)

Microsoft Plugs Dangerous Excel Security Holes (03/09/2010)

Microsoft Warns Of Zero-Day IE Hole On Patch Tuesday (03/09/2010)

Vodafone Ships Mariposa-Infected HTC Magic (03/09/2010)

Hackers Aren't As Sneaky As You Think (03/09/2010)

Serious Flaw Discovered In Apache (03/09/2010)

New Smartphone App Exposes Vulnerability To Hackers (03/09/2010)

Online Security Questions Need Improving (03/09/2010)

Feds Move To Break Voting-Machine Monopoly (03/08/2010)

Crazy Man Cuffed For Plotting Cyber Extortion Scheme (03/08/2010)


Owned By KAT


Sunbelt Blog (03/09/10)

LifeLock will pay $12 million for false claims

Microsoft Patch Tuesday

Cute (and malicious)

Energizer USB charger infected with Trojan

Five years ago today on the Sunbelt Blog

Search engine bait and switch

Patch Tuesday coming next week

Chat with malcode

The Internet as a moral ground

Malicious iframes on Google-analitics(dot)net

U.S. Census Bureau warning of phishing scams

Quarantine for infected PCs?

Haiti relief email scams still circulate

Battlefield Keygens are Bad Company

Microsoft updates MS010-15

Spain arrests three, shuts down Mariposa botnet

Everybody uses Web 2.0, but IT might not know it

Don't press F1

4.0!

VIPRE 4.0 - Twitter Giveaway

Fighting online fraud in .au

World of Warcraft authenticator users come under attack

Hacktivism is following current controversies

SEO poisoning not in well, but it's aiming for the water heater

NOT the real VirusTotal.com


Public Relations and Publicity Blog (06/12/09)

Protecting Your Brand Name Online

Where will you be at midnight tonight? May I suggest that you may want to consider being at your computer at that time? Why? Because Facebook has something going on at that time that is vital for you personally and your business that's far more important than sleeping ever will...

Twitterable? What To Twitter About

A great deal of your success on Twitter is based on what you choose to Twitter about. We covered this a bit in last week's article, but it's worth reconsidering and going deeper. The key is to recognize that every follower you have on Twitter is earned, and that every...

How To Annoy Your Customers

I sometimes wear ties. Mind you, I'm dragged kicking and screaming into the ancient and abominable art of male torture through neck binding, but I still occasionally put one on. And I get bored with them, so I'm always on the lookout for good looking ones. So when I saw...

Using Twitter To Gain Publicity

Are you actively using http://www.twitter.com to build your business? If you're not, you're probably making a huge mistake. Twitter, in case you're not aware, is a service where people post up to 140 character updates on topics of interest to them. Those updates go out to the people who have...

What is meant by the terms boilerplate language and Safe Harbor Statement in a media release?

Boilerplate language: Boilerplate language in a media release refers to what is traditionally the final paragraph of the release, which provides generic information about the company. It usually tells whether the company is publicly or privately traded, its stock ticker, where it's based, the brands it owns, what it does,...

How To Profit From Obama's Economic Stimulus Program

It seems you can't turn anywhere today without bumping into talk of economic stimulus. Whether you'll be entitled to some of that money or not, you can use it to build your business. How? Through using it to get more PR! Here are some story pitches that astute marketers like...

The power of bloggers to increase even further

"The power of bloggers to influence thought, to reach large numbers of people and even to eclipse the impact of traditional media is huge and will grow even larger in the near future," Blogging and Social Media expert Don Crowther announced today at the 2007 Blogworld and New Media Expo...

Using online video to promote a launch

Using outrageous online video to promote your business When Andy Jenkins wanted to promote the product improvements in his online traffic and conversion training system called StomperNet, he decided to use a powerful new online tool - online video. As a marketing professional, you're probably already aware that: - Video...

Creating Advertising That Offends Your Customers: I Don't Get It

I was shocked this week to see an ad by Ford for their Mustang. It shows a father and son in a dark parking lot. The son's driving, he peels out, runs a bit, then stops. The father turns to him and says "That's what I'm talking about. This is...

Tips For Using People Photos That Get Results

Want to use a picture of a person in your marketing? Here's how to make your choice. Psychological and marketing studies tend to reveal similar results, which state that when you choose a picture for an advertising or publicity campaign look for: (Please don't consider this sexist or get offended,...

What's That Again? How To Have A Long Marriage...

Here's an announcement about a 40th wedding anniversary: "Mr. And Mrs. Ron Tennell of Flat Rock are celebrating their 40th wedding anniversary. She is taking a trip to Europe while he will be gambling on a riverboat in southern Indiana." Isn't it nice to see a close couple? :...

New Program Simplifies Online Advertising

Those of you who have been in contact with me for awhile know that I'm a huge fan of pay per click marketing. It's one of the greatest marketing tools currently available to generate huge numbers of targeted potential buyers to your webpage or online sales letter. One of the...

Removing Fear Through Effective Public Relations

I like my neighbor, with one small exception - he raises pit bulls. He's got 8 of them, with 3-4 rotating in to live right next door all the time. Justified or not, the entire neighborhood is scared of them, with parents being unwilling to let their kids play outside...

Our Favorite Online Press Release Distribution Services

One of the most frequently asked questions we receive is which press release distribution service we recommend. First, let me make a distinction. We have found that there are two types of press release distribution services. - Ones that get your release out to lots of different sites on the...

What's That Again - Please Drive Safely

A recent study designed to measure whether people perceived men or women to be safer drivers came up with an interesting answer: "As a passenger, I feel safer with: 35% a male driver 23% a female driver 42% other" What's an other? Apparently, whatever they are, they drive really safely!...

1 Raindrop (03/09/10)

Minnesota ISSA Talk (03/09/2010)

Next week, I am speaking at the Minnesota ISSA. The meeting is on 3/16 and runs from 1:30-4. If you would like to come, details are here.

Three Steps to a Rational Security Budget (03/09/2010)

Security budgets are often based on a combination of last year's spending, this year's threat du jour(s), and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security, which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s. A simple three step process to achieving a Security...

On the Risk of Overfocusing on Seductive Details (03/09/2010)

Learning about security means understanding types of risk, and investors, specifically value investors, have a long demonstrated track record of framing ways to think about asset protection and making it actionable. Recently I've been reading James Montier, very impressed with his approach which is based on a pretty rigid process and objective checklists. Here is an excerpt from a recent interview: Miguel: Let's talk about the concept of seductive details. Can you give us an example of how investors are trapped...

Web Services on SSL - Giving Attackers Room to Roam (03/05/2010)

At the RSA conference this week, I gave two talks on building a margin of safety into your software. In various conversations during the week at least 25 different people brought up to me (unprompted) that they "just used SSL for security on their web services". Chris Walsh immediately picked up on the preposition that says it all - "security on your web services" instead of, of course, security in your web services. Of the legions of vendors on display, I could...

Axiomatics XACML Classes (03/03/2010)

At RSA, I found out that Gerry Gebel left Burton Group and is now working with Axiomatics, a company that looks focused on access control in general and XACML specifically. If you are interested in learning more about XACML they are holding public classes in DC and SF: "This is a two day XACML introduction course, including hands-on training. It will be provided by leading XACML experts with in-depth experience from some of the world's largest XACML deployment projects. Based on...

TMFStockSpam (02/27/2010)

A very interesting and meritorious effort on stock spam from the folks at Motley Fool. First off, a little background: the Fool has a game called CAPS. You can think of this like fantasy baseball, but it's for picking stocks. So you pick a stock like, say, MMM and you enter whether you think it will outperform or underperform the S&P index over some period of time. Then you get points if you are right and...

Eddie Lampert on Sowell's Intellectuals and Society (02/27/2010)

Interesting annual shareholder letter from Eddie Lampert at Sears Holdings: Making Sense of Business and Policy. I just finished Thomas Sowell's most recent book, Intellectuals and Society. For those not familiar with his writings, Thomas Sowell is one of the clearest and most insightful writers of our era. I look forward to every book and column he publishes. In this book, he discusses the "vision of the anointed" and how their views shape society regardless of their merit. He describes...

Hitler Meme Meets Cloud Security (02/25/2010)

If you like this thank Marcus, if you don't then blame me

RSA 2010 talk (02/24/2010)

Speaking at RSA on the following: Dealing with the Wildness That Awaits in Software Security The starting point for assessing Margin of Safety at design time is to combine Threat Models - how a system may fail - and Attack Surface - where a system is vulnerable. The output is a Countermeasure Model, which identifies and locates the Countermeasures in the system. This session will review the Margin of Safety and examine how these are applied in deployment, runtime policies...

Identifying Opportunities for Improvement in Security Architecture (02/22/2010)

Here's a report that should surprise nobody - people pick predictable passwords (say that five times fast). After the security breach, database security firm Imperva analysed the passwords used, publishing a report entitled Consumer Password Worst Practices. The data found that the most common passwords were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

The analysis revealed a large amount of users had chosen "easy-to-crack" passwords, the most...

Allen's Blog (06/09/08)

Too Much of a Good Thing......? (05/20/2007)

Historians (especially economic historians) widely believe that nations that discover a single huge natural resource (e.g., oil or gold) always rue the day. For several reasons (in addition to the crippling corruption that always occurs), the natural resource skews (screws...

Clothes (Online) Make the Man (05/18/2007)

The other day, there was a bunch of news coverage (here's the article in the Financial Times) of a recently-released report from Shop.org about how consumers (in the U.S.) spent more in 2006 on clothes and accessories (e.g., shoes) than...

Size Matters (05/15/2007)

Time is the entrepreneur's most precious commodity. For most entrepreneurs, the VC fundraising process is very time-consuming. Bad combination. In an attempt to help, I have previously offered tips to entrepreneurs on navigating the VC process -- The Ten Commandments...

"Unsubscribe" Dynamics (05/11/2007)

I'm looking for advice on prudent use of the Unsubscribe button on commercial spam. As does everyone these days, I get a lot of spam (and that, even though, here at Mayfield, we have deployed every anti-spam technology known to...

Ad Spend Cut in Half? (05/08/2007)

There is a well-known lament by advertisers: I know half of my advertising spend is wasted; I just don't know which half. This is usually attributed to one of three famous, early entrepreneurs of mass consumer product companies and retailers,...

Fidelity vs. Convenience (05/06/2007)

Recently, I've been considering investment opportunities in entertainment media (as part of some broader thinking about how brand advertising (as opposed to performance-based advertising) will move online). In connection with that, I've been also musing about whether there is a...

Keep the Faith (01/22/2006)

I spend a lot of time with internet consumer services startups. Currently, a meme circulating in this area is whether something fundamental has changed in the paths to liquidity open to startups in this space - a fundamental change that...

The Problem of the Forgotten Founder (08/21/2005)

Some more thoughts on carefully choosing your co-founders. Startup teams form in many different ways. Often, the "core" founder does some homework and recruits the founding team. Sometimes, teams are, more or less, recruited by a VC who has a...

More on "Tough Questions" (08/14/2005)

In my last post, I advised entrepreneurs seeking VC funding to think carefully about choosing their co-founders. I claimed this decision is often gotten wrong and that, not infrequently, one or more co-founders leave the company with an amount of...

Some Tough Questions You Should Ask (07/05/2005)

If you want to raise money from VCs, here's a really tough, really important question you ought to ask yourself very early in the process: "How many co-founders should I have?" Having the wrong "answer" to this question can make...


Security Blog (12/13/05)

Cool tool - cutter (12/13/2005)

Came across a cool tool today for Linux firewall admins: cutter. Heard of it? It allows you to "cut" internet connections on a firewall. Something like:

# cutter 192.168.2.55 3400

That kills all network connections from 192.168.2.55 using port 3400. A simple tool, but something I could use several times a week. Link - via digg.

On an unrelated note, I hope to transition this feed over to the main site, under a specific article category. I recommend subscribing to the new feed now so you don't miss the switch.

Cell phone tracking (12/11/2005)

This report seems to be generating a lot of buzz, I'm not sure why. I guess most don't understand the cellular infrastructure enough to know this has been going on for years. Certainly real time tracking is possible, but I'd be more curious to see the log retention policies of the large wireless companies. Since most people leave their cells on 24/7 (thanks to extended batteries), it's quite possible that a company w/ a 6 or 12 month archive could create an amazingly accurate map of your life. I'll have to research the technical aspects of the 3rd generation wireless rollouts happening now (EVDO, EDGE, etc) - but my initial guess would be that these require more towers creating a denser coverage map. This increase certainly generates an even more accurate tracking model.

New site and podcast (12/08/2005)

Hey all - it's been a while. In case you didn't notice, we redesigned the main site. I'm not sure how this will affect the security blog just yet, I might move the feed over to the new site based on sections - we shall see. But I'll post any changes here. Please check it out. Also - starting a new feature: podcasts. The first episode of Taming Tech deals with content management systems, but security themed episodes are forthcoming. Check it out!

Sony rootkit thoughts (11/20/2005)

Bruce Schneier nails the Sony rootkit story. I didn't pay much attention to it, because I haven't purchased a CD in close to 2 years (thanks iTunes). But I skimmed the news stories coming out and each time my jaw dropped a little further: 500k machines infected including government boxes, cloaking software, Sony's CEO making silly statements... But the real story, as Bruce Schneier points out - why the hell didn't any Antivirus software (or IDS for that matter), detect this software sooner? We are collectively paying these companies billions of dollars for what?

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

Thanks Bruce, for shining a light on the overlooked aspect of the Sony story. It's really making me rethink our industry's so called defense mechanisms.

Hackers and Crime (11/17/2005)

An OK article that reiterates what I have feared for quite some time. We've moved past the nerdy age of hacking. They're becoming more sophisticated and zeroing in on profit...

Forget the outdated hacker image of a spotty anarchic teenager holed up in his bedroom defacing the Web sites of global organisations, today's hackers are not only older but more determined than ever to claim your cash and identity.

Internal database abuse (11/14/2005)

Scary article from the Post Dispatch on internal database abuse, this time by a police officer.

...ran a heroin distribution ring that was violent and tightly knit, making it difficult for informers to penetrate it, federal authorities say.

The gang also had a secret weapon: It cultivated a police officer to dig into a law enforcement database to figure out which of its customers might be undercover informers...


But I'm not sure I agree with the chief of police's comments:

"This case personifies exactly the effectiveness of the system," the chief said. "We had intelligence that somebody was running people's names involved in narcotics cases without a legitimate reason, and we ran those names and found out who it was, and took the appropriate action."

Mokwa said officers use REJIS on a daily basis, and tightening security would be burdensome. "You have to rely upon the integrity of officers to use the system properly," he said. "To change it, you would have to restrict their access."


To suggest that there's no room for improvement in security is silly. Sure - they found out that someone was running inappropriate queries - but how long did it take them? What kind of details were they able to reveal? How could the whole thing have been prevented? Such an attitude cannot be comforting to undercover officers in the field...

Lynn update (11/08/2005)

This made me smile. Glad to see he's back on his feet.

Michael Lynn, the hacker who hit the headlines in July for exposing a Cisco router flaw, is now employed by arch-rival Juniper, according to the vendor. Juniper declined to reveal what role Lynn is occupying.

The security researcher was dramatically sued by Cisco earlier in the year after he discovered a Cisco router IOS flaw and defied the networking giant and then-employer ISS to publicise the flaw at a hacking convention in Las Vegas.

Lynn was widely regarded as a hero by many in the internet community in the wake of the scandal but many doubted if he could again find gainful employment as a security researcher.

For its part, Cisco was widely castigated for its heavy-handed tactics in stopping Lynn from further publicising his findings, with some commentators suggesting that the internet could be at threat if similar whistle-blowers are discouraged from coming clean on flaws.

RedTeam (02/19/10)

A Tale of Access Control and Config File Backups (02/19/2010)

Location: A security area with access control. Two pentesters need to get (legitimate) access to the area, which requires three things: An authorisation token, your signature, and your identity card. The token is ready, the paper sheet signed and… access is granted. Wait, what about the identity card? The friendly security guard is stumped. “Well, the [...]

17th DFN-CERT Workshop 09.-10. Feb. (02/05/2010)

Another year has passed and it’s time again for the annual DFN-CERT workshop. It’s taking place for the 17th time, and this year, Lutz will talk about emulation based unpacking of runtime packed malware in his (German) talk “Emulationsbasiertes Entpacken von laufzeitgepackten Schadprogrammen und darüber hinaus”. He’ll show you his project “Pandora’s Bochs”, based on the popular [...]

Scanning JBoss AS for open Invokers (02/03/2010)

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers manually for vulnerabilities. In their Web Vulnerability Scanner from Version 6.5 build 20091215 on, they integrated various checks for the stuff from our JBoss paper. To give you a little reminder, always check for:

http://www.example.com/jmx-console
http://www.example.com/web-console
http://www.example.com/web-console/Invoker
http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the [...]

New Advisories: Multiple Vulnerabilities in Geo++(R) GNCASTER (01/27/2010)

RedTeam Pentesting published three new advisories today. During a pentest, we found security vulnerabilities in the Geo++(R) GNCASTER NTRIP Caster:

RT-SA-2010-001: Insecure handling of long URLs
RT-SA-2010-002: Insecure handling of NMEA-data
RT-SA-2010-003: Faulty implementation of HTTP Digest Authentication

All vulnerabilities have been fixed by the vendor in version 1.4.0.8, so if you happen to run this software, please update [...]

Shady Work (01/18/2010)

“So, you hack companies and then tell them that you found security vulnerabilities? And afterwards they hire you to show them what is wrong?” This is one of the questions you get asked surprisingly often when you explain to people what you do for a living (and the answer is no: we don’t proactively hack companies [...]

TLS Renegotiation Vulnerability: Proof of Concept Code Released (12/21/2009)

As promised, the TLS Renegotiation vulnerability Python PoC is now publicly available on our websites: http://www.redteam-pentesting.de/publications/tls-renegotiation RedTeam wishes you all a Merry Christmas. Be sure not to use the code for something naughty, Santa will know ;).

SSL Man-in-the-Middle PoC to come (12/14/2009)

You might have noticed the SSL/TLS authentication gap vulnerability that was announced publicly in November. If not, you can find the original whitepaper at phonefactor.com. Thierry Zoller also published a detailed analysis and description of the problem. Like many others, we have spent some time on that vulnerability. Unfortunately, the original Proof-of-Concept code is [...]

JBoss Paper: English version released (12/01/2009)

We finally came around to translating and releasing the 27+ pages of our JBoss paper (see also this post). That was quite some work; the first versions of my translations always read like a one-to-one translation from German. Then I read it again and correct those horribly sounding sentences to what I hope is [...]

English Paper about Man-in-the-Middle Attacks against chipTAN Online (11/24/2009)

The English version of the paper we released yesterday is now also online, title: “Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System”: http://www.redteam-pentesting.de/en/publications/MitM-chipTAN-comfort Have fun.

Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System (11/23/2009)

As promised, we have released information about the attacks we developed against chipTAN comfort today. Have a look at our website: http://www.redteam-pentesting.de/de/publications/MitM-chipTAN-comfort You’ll find our press release (in German) and a paper (also in German) there, giving you all the details about the three attacks we came up with. I’m sorry that I didn’t get the [...]

RedTeam@TV: Dangerous Online Banking (11/20/2009)

RedTeam is on TV again: Sunday, 22. November 2009, SAT1 Planetopia: Gefährliches Onlinebanking (Dangerous Online Banking) Online banking is still a hot topic, with all the new systems cropping up after the traditional PIN/TAN and the more recent PIN/iTAN (indexed TAN) systems. We already showed in 2005 that Man-in-the-Middle attacks on iTAN-based systems are possible and predicted that [...]

hack.lu09 - The Review (11/03/2009)

We’re back from hack.lu and as every year, it was a blast. Very nice and smart attendees from all around the world, good talks and entertaining evening events. Try finding a restaurant for about 50 hackers in the inner city of Luxembourg sometime. It’s fun :). Much happened this year, apart from the usual exchange of [...]

hack.lu starting on Wednesday (10/26/2009)

Wow, time flies. It seems like only yesterday that we attended BruCON and now hack.lu will start the day after tomorrow. We’re all set and ready to go. We are also very curious about the further unravelling of the Crypto Challenge. We’ll of course stay close on the terrorist’s heels, as we already decrypted the first [...]

Gender Issues (10/16/2009)

We found the following funny config setting in our new LANCOM device: For those with only limited German language knowledge (or a textmode-only RSS feed reader or browser): It reads “Admin Gender: unknown / male / female / geek”. Sometimes, there’s just nothing more to say. It’s also a really nice touch to add this in the “expert configuration” area. Like they wanted to say [...]

Security quote of the day (10/09/2009)

Planning a pentest: Sorry, but the semester break of the college student developing the security toolkit is over, so there’s some delay.

BruCON 2009 - Thanks for all the Fun (09/29/2009)

BruCON already happened more than a week ago and I didn’t have time to write about it, as work took over immediately after we came back :). We had a great time at BruCON, it was organised very professionally, especially for a conference held for the first time. There were interesting talks, discussions and [...]

Why Teamwork Matters (09/15/2009)

I have already mentioned in this blog post that there’s always standard stuff you have to do in a pentest. Finding all the standard security issues is important for the completeness of the pentest and should never be neglected. You will look rather stupid if you find the remote root exploit that can only be [...]

Fuzzy Contact Person (08/26/2009)

I really didn’t know that Winnie-the-Pooh is now working in telecommunications: For the visually impaired or those using a text-only RSS feed reader like me: Apparently, the contact person we had at Victorvox goes by the name “teddybaer”. At least the invoice says so. And yes, “had”. This is old, so don’t get any silly ideas [...]

Hack.lu 2009, ready to go? (08/13/2009)

In two and a half months it’s Hack.lu time again. Everybody is registered and accommodations are organized. We are looking forward to a great conference and can’t wait for it to start. If you haven’t already done so, register here and get the early bird rate until September 1st. See you there!

New Advisory: 0wning with Gimp (08/10/2009)

It’s advisory time again: RT-SA-2009-005: Papoo CMS: Authenticated Arbitrary Code Execution This one’s nice because you can do your exploit development in Gimp. The idea is to plant your exploit code (in this case, PHP code) in a file with a valid GIF header and the file extension .php. Papoo CMS only sees the valid GIF header [...]

FrOSCon 2009 (07/28/2009)

First of all, please excuse the lack of blog posts in the last weeks. We are currently on a very busy schedule, which is good for business but bad for blog posts and related stuff :). I hope I’ll be able to post more regularly in the next weeks. On August 22nd, we will present our [...]

BruCON Appetiser (07/03/2009)

We at RedTeam are really looking forward to BruCON, which is bound to happen in a little less than three months, so we eagerly follow the BruCON Blog. Maybe that’s why we were the first to solve the PDF reverse engineering challenge they posted a couple of days ago. Apart from the fun diversion [...]

Tidy up! Your web app looks like a hog house! (06/23/2009)

When you’re doing a lot of pentests, you have your standard procedures on how to approach a new test. There is of course always the creative approach, finding the unusual bugs and vulnerabilities, the whole “thinking outside the box” thing. But let’s be honest: A thorough pentest is not all fun and games. There’s also [...]

Advisory Release Policy (06/16/2009)

When RedTeam finds vulnerabilities in some generally available software, we go the usual way of writing advisories. These findings usually occur during pentests. We of course do not immediately release whatever we found to the public, but go through a process I want to describe in a little bit more detail here. I’m doing [...]

DEFCON 17 CTF Qualifiers (06/10/2009)

Last weekend, members of RedTeam, of the mwollect Alliance and a few other people from Aachen participated in the DEFCON 17 CTF Qualifiers. The team hosting the DEFCON CTF this year provided fun challenges of varying difficulty. Minor quirks were the Java-Applet based scoring system that was quite unresponsive at times, the fact that only [...]

“Who’s the JBoss now?” Whitepaper released (06/04/2009)

We finally released the Whitepaper for our JBoss Application Server talk (the one we held e.g. at the hack.lu 2008 and the 16th DFN-CERT). The paper gives you a more detailed overview about the JBoss AS internals we used in the attacks, as well as a complete description of the individual exploitation techniques. The only catch [...]

Talk at the IHK Aachen (06/02/2009)

On June 17th 2009, we will give the talk “Sicherheit und Industriespionage: Ein Realitätsabgleich” (in German) at the IHK Aachen. The event happens together with the Verfassungsschutz NRW (North Rhine-Westphalian office for the protection of the constitution) and the Landesinitiative secure-it.nrw. The talk focuses on examples from penetration tests and real cases of industrial espionage. [...]

Better be Safe (05/25/2009)

As seen on a hoster’s website explaining how to use PuTTY on Windows to connect to their serial console: I’m convinced greying out the server’s key fingerprint will make sure those pesky hackers won’t mess with the system…

New RedTeam Homepage Design (05/14/2009)

The new design for RedTeam Pentesting’s homepage is finally online. Took us a while, as normal office life is quite busy and we did the whole technical stuff ourselves (especially Lutz, who’s apparently not only very skilled in breaking websites, but also in building them ;). I guess we all owe him for making our [...]

Rent a Hacker (05/13/2009)

“Hi, my name is John Doe.” “Hi John.” “I work for company X. We are currently planning a penetration test for company Y and need some good pentesters for this. Are you interested?” “Well, sure. So you want RedTeam Pentesting to conduct a pentest for your client?” “No, we just need one of your pentesters. He’ll be working under [...]

4 new Advisories: Vulnerabilities in IceWarp eMail Server (05/05/2009)

RedTeam released 4 new advisories today, concerning vulnerabilities in the IceWarp eMail Server:

RT-SA-2009-001: IceWarp WebMail Server: Cross Site Scripting in Email View
RT-SA-2009-002: IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader
RT-SA-2009-003: IceWarp WebMail Server: SQL Injection in Groupware Component
RT-SA-2009-004: IceWarp WebMail Server: Client-Side Specification of “Forgot Password” eMail Content

We found those during a [...]

JBoss Talk at the RWTH Aachen University (05/04/2009)

On May 19th 2009, we will give our JBoss talk (in German) at the Center for Computing and Communication of RWTH Aachen University (see their announcement). As we have more time than at the DFN CERT, we will be able to demonstrate all attacks live and generally go into a little bit more detail. You [...]

25 Years Technology Centre Aachen (05/04/2009)

The Technology Centre Aachen, where our offices are located, is celebrating its 25th anniversary on May 8th, 2009. RedTeam will support the event by joining the exhibition in the foyer with our booth. We’ll show how to eavesdrop on DECT phones, so feel free to come by. Bring your own DECT phone for added fun, so [...]

EiPSI 1st Anniversary (04/27/2009)

The Eindhoven Institute for the Protection of Systems and Information (EiPSI) celebrated its first anniversary last Friday. The opening in 2008 was already a very nice event, and I was looking forward to the announced talks for the anniversary. As expected, I wasn’t let down this time either. The first speaker was Andy Clark from [...]

Targeting New Audiences (04/16/2009)

Explaining to others what you do for a living is complicated enough as it is if you’re a pentester. Whoever invented the term “penetration tester” must never have thought about the consequences for all those poor girls and guys having to tell their job’s official name to other people. The reactions normally range from “you’re [...]

New Layout (04/09/2009)

As you may have noticed, I finally came around to at least change the ugly default theme to something more suitable. There were so many more important things to do here at RedTeam, I just didn’t have the time to set up the blog and pretty much left it in its default state. I still have [...]

RedTeam Reinforcements (04/08/2009)

We are happy to announce that as of April, a new member is reinforcing our pentesting team. Alexander Neumann[0] is the new man on board who will live the glorious life of a penetration tester: Working night shifts, not getting your exploits to work, abusive use of caffeine, finding the final vulnerability to root the [...]

Support done right (03/30/2009)

Generally, dealing with vendor support sucks. Either you have someone who doesn’t understand your problem or they tell you that it is not covered by the support contract. We were therefore pleasantly surprised that this is not always the case. Some weeks ago, we had a problem with the laser printer at RedTeam’s headquarters. It started [...]

CeBIT 2009 video (03/23/2009)

As mentioned here, the Linux Magazine streamed our talk at the CeBIT 2009 Open Source Forum. The video is now available in their archives.

16th DFN-CERT wrap-up (03/19/2009)

The 16th DFN-CERT Workshop is over and it was again a very nice event. The talk about JBoss Application Server insecurities we gave seemed to be well received, as we got a lot of positive feedback. The German slides are now online at our publications page, btw. The other talks were quite interesting, as always. Dr. [...]

16th DFN Workshop (03/12/2009)

On March the 17th, we’ll be delivering a talk at the 16th DFN Workshop “Sicherheit in vernetzten Systemen” (security in networked systems) in Hamburg for the third time in a row. This year, it’ll be the talk “Bridging the gap between the enterprise and you – or – Who’s the JBoss now” which was already [...]

Never trust your Printer (03/09/2009)

The last time our printer broke down (which happened for the first time, so this is not about bashing our printer manufacturer) it showed these messages in the display: Which reminded me why we always tell our clients to treat their printers like servers, security-wise. Additionally, never trust a machine with a LIBDecisionImpl.cxx. Who knows if [...]

Practical Security and Crypto (03/05/2009)

Yesterday, I gave a talk at the Eindhoven Institute for the Protection of Systems and Information (EiPSI) in the context of their seminar with the title “Practical Security and Crypto: Why Mallory Sometimes Doesn’t Care”. The EiPSI is a research institute at the Eindhoven University of Technology. The talk has real world examples of mistakes made [...]

Highspeed Internet at the Hotel (02/27/2009)

Seems like all those stories about people getting hacked because they’re using their hotel’s un- or WEP-encrypted wireless made some marketdroids think. One of our last hotel rooms provided the following service: The first three German lines roughly translate to fast – comfortable – secure [X] tap-proof [X] free of radiation Good ol’ ethernet cable. Now they just need someone [...]

CeBIT 2009 (02/24/2009)

The German Linux Magazine kindly asked us to give a talk at the CeBIT this year, and we are of course happy to join in. The talk (in German) will be held at the Open Source forum on March 06, the security day, at 2:30 – 3:15pm, with the title “Überraschende Angriffsvektoren: Weit verbreitet, oft übersehen” (surprising attack vectors: widespread, often overlooked) [...]

Job Security (02/16/2009)

A new customer, about some experiences with other companies: “Well, sometimes they find five vulnerabilities and report only four, so they have something ready for the next time.” This is something that always bothers me, this attitude that a pentest is only successful if you can show new vulnerabilities. If we test a system for a second [...]

BruCON 2009 (02/09/2009)

There’s a new security conference coming up this year, located in Brussels. BruCON will have its debut from September 18-19 2009 and aims to become the best and most fun hacking (*) and security event in Belgium and W. Europe. The Call for Papers is open since January 25, so you still have time to submit. [...]

Flash and Parameter Passing (02/02/2009)

As I’ve stumbled across this phenomenon more than once in the last time during work, I’d like to write a little bit on Flash, how to pass parameters to it and why this is important from a security perspective. Flash applications (you know, those pesky little buggers ending in .swf that are always crashing your browser [...]

Discordian Pizza (01/26/2009)

Sometimes, when it gets late at RedTeam headquarters, it’s time for Pizza: No, this wasn’t planned. All hail Eris!

DECT: Wiretapping the world (01/20/2009)

Holy sh*t, this really works. Thank you guys, well done! BTW, tests with our own DECT equipment (no, we don’t use DECT telephones for work. So don’t even think about it) showed that it suffices to press buttons like “internal call” or “dial” to make the telephone open the microphone and send to its base station.

Physical Security vs. Software Security (01/19/2009)

When travelling by train, you often have the problem that you occasionally want to leave your place without taking all your luggage with you (coffee in the morning, a six hours drive with the train, you know the drill). So you either need some travel companion having an eye on your valuable stuff, like your laptop, [...]

There was something in the air (11/12/2008)

Last Sunday, two of us went on a journey to Brussels, to attend an aircrack-ng workshop organised by its main author Thomas d’Otreppe. Driving through Brussels was quite an adventure, but we got rewarded with a nice parking lot nearby okno, where the workshop took place. Across our parking lot, we also found some [...]

RedTeam 2.0 (10/27/2008)

You have probably noticed, that our blog farm moved to a new software. Instead of antville, our blog is now based on wordpress thanks to Max. It’s true, that the old blogging software did itch a little, but now with a PHP based solution, we fear worse to come. ;-) In case you wonder: Yes, [...]

four in a row (09/29/2008)

Now for the 2^2th time some of us are going to the hack.lu security conference, taking place from October 22nd to October 24th in Luxembourg, Luxembourg. We really enjoyed being there in the past and are looking forward to the CTF this year. This year, all of us will attend the conference, so maybe we [...]

RedTeam has moved? (09/26/2008)

The last weeks we have been busy moving to a bigger office. More details will be posted soon. Until then, here is a picture of our awesome new front door:

Warning: Coffee may be hot (08/14/2008)

When we went to New York for a meeting with one of our customers, we used the public transportation system there (as parking a car in NYC is suicide). If you’ve never been to the states and experienced their overuse of silly warning labels, you won’t believe what you’ll find on the MetroCard backside: Right, who’d [...]

ATM weirdness (08/05/2008)

These days, one of our pentesters wanted to get some money at an ATM. Being in this business for some time makes you notice things others would miss, though: Doing skimming at an ATM frequented by a pentester? Tough luck ;). Of course, he immediately notified the bank and the police. You’ll never guess what their comment [...]

The risk of being a Pentester II: Hardware Hacking (07/28/2008)

Recently, we had to test something for its physical security. Thus, we needed to produce a highly customised attack tool in our laboratory: But as this weapon of mass hacking awesomeness could not be used for everything, we also needed to do some good old hacking by hand. Literally. Unfortunately a major line of defense of [...]

The risk of being a Pentester (07/21/2008)

As you may know, we have been at the EiPSI grand opening. The egg we got as a giveaway 0wn3d my mobile phone: So, who says cryptographers only break theoretical constructs? ;-)

When a picture tells you more than words? (06/16/2008)

…today: House with power button

Impressions from Kiel (06/09/2008)

As we are usually not allowed to talk about where we are working, we cannot publish comments or photos about the cities we visit. But last time, we were invited for a shooting with the second German television (ZDF) in Kiel at the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), so we can publish some [...]

Frontal21 (06/02/2008)

One of the reasons we were so busy the last week is that we were in Kiel at the Independent Centre for Privacy Protection Schleswig-Holstein. There, we had a shooting for the German TV show ZDF Frontal21 about the security of MFPs (Multi Function Peripherals). The show will air on June the 3rd, 9:00pm. Oh, and [...]

Rapid development (05/23/2008)

We are rather busy these days, but could not help sharing the fun: This morning, we wanted to rent a car, like many times before. So, we logged in with our corporate account: And now, have a look at the brand new source code of the login form: Sixt effectively removed the login for all of their business [...]

Doing it - the pentester’s way (05/01/2008)

The situation: We had a client application, binary only. With a lot of voodoo, one can trick it into displaying secret stuff (including passwords). But we could neither use copy and paste nor the printing button. The problem: We need to get the complete list and (like always in pentests, we had not much time). You [...]

EiPSI Opening (04/24/2008)

What have Whitfield Diffie, Bruce Schneier and Dan Bernstein in common? They were all present at the opening of the new Eindhoven Institute for the Protection of Systems and Information, short EiPSI. A good friend of mine who is working there told me about the event and that it would definitely be worth to [...]

OMG BUNNIES!!1! (03/27/2008)

Here it is, the easter bunny greeting card (see the previous post). I didn’t want to withhold this one from you, as it only got such a short air time. Oh, and I dare you to click it! ;)

RedTeam Troja^WEaster Bunny at the WDR (03/25/2008)

Tomorrow (2008-03-26), the WDR will broadcast a report in its Servicezeit Familie program about the dangers of online banking. They asked us for an interview and a live demonstration of a real attack against online banking systems using the iTAN, which we kindly provided. The (Windows XP) box of the victim gets trojanised by us (via [...]

Sicherheit 2008 (03/19/2008)

In two weeks, we‘ll be attending the Sicherheit 2008 security conference in Saarbrücken. We’ll be presenting in two tracks. The first presentation is a peer-reviewed paper about a graph-theoretic approach to estimating the costs of penetration tests and how to efficiently distribute the given time for the tests, which will run in the academic track. The [...]

(In-)Security Concepts (03/13/2008)

Another banking story: Day 1: Got my new account data. Day 2: Everything works as expected. Changed the initial password (5 digits) to a more secure one (more chars). Day 3: Everything works as expected (with new password). Day 4: Everything works as expected. Day 5: Can’t login. Account has been disabled. Called the bank. The answer: “Well you have [...]

Banks working 24/7 (03/03/2008)

Our bank is even working on february, the 30th:

Intrusion Detection vs. Intrusion Prevention (02/05/2008)

After having noticed several intrusion attempts on their intrusion detection system (IDS), this city decided to upgrade to an intrusion prevention systems (IPS):

Dealing with SQL Injections (01/31/2008)

A very innovative way to deal with sql injections: *g* function validate_sql($input){ $searchstrings = array( 0 => "/drop/", 1 => "/--/" ); for($j=0; $j<count($searchstrings);$j++){ if( preg_match($searchstrings[$j], $input) == true){ return null; exit; [...]

Doing it the pentester’s way… (01/23/2008)

Some days ago, we had an on site pentest for one of our customers. The test was an internal pentest, meaning that we got an office inside the building to simulate an internal attacker. So every day, we went there, entered the building, went to "our" office and tried to hack their network from there [...]

What do computers and cars have in common? (01/15/2008)

There will always be people who leave the keys on the car door in a public parking lot: Funniest thing about it: “Nett” is the German word for “amiable/nice”.

Getting famous? (01/03/2008)

Some time last year a member of our team went to a medium size company for an appointment. Some weeks later one of my friends told me the following: “(Smiling). Do you have an actual business connection with $medium_size_company?” - “You know, we generally do not talk about our customers. But why are you asking?” “Well, an employee [...]

Time for… (12/21/2007)

md5: e8008c4d123d24a70964a2390146df02 sha1: 71f88e8eef333f5d1a24e734dbde41597bb9c521 Good luck!

Standing on the shoulders of giants? (12/19/2007)

… I just hope they don’t want their hub back.

Caffeinated Christmas (12/13/2007)

Hacking like in the movies (11/27/2007)

“This felt like a James Bond movie. But a bad one…” (a customer after a total network 0wnage)

Cloning fingerprints - Level 2 (11/21/2007)

You may remember this story. These days, we had to upgrade a little bit… Chaos in the laboratory, or: what’s cooking? Harvesting fingerprints produced with wood glue and graphite. Mixing dental compound… …to produce a finger form. Heating up some gelatine for producing fake fingers. As I can assure you, the team had much fun not staring at their screens exploiting [...]

Time flies (11/16/2007)

About this time of the year in 2005, RedTeam Pentesting moved into the offices at the technology centre in Aachen. Browsing through my archives, I found several pictures that made me feel as if we moved in just yesterday. Getting the internal cabling of the office and the internet uplink working: Buying furniture… …and assembling it. Well, time [...]

Bad news is good news (11/09/2007)

Now, you might think that companies ordering a pentest are really happy if the penetration testers are not able to hack their systems. Wrong! Recently, after a pentest, a CEO told us this: Tuesday morning the admin rushed in the CEO’s office. He even forgot to knock on the door. The admin spluttered: “They are in!” and [...]

SYSTEMS 2007 (10/29/2007)

This week we went to Munich for the SYSTEMS fair. Luckily we did not get caught in the strike that hit the German railway system shortly after. This year’s visit was not only for meeting some of our customers and prospective customers. We were also thinking about having a booth at the fair in 2008. Unfortunately the [...]

Report from hack.lu 2007 (10/24/2007)

As announced in the blog we were at hack.lu in Luxembourg last week. As every year we made this a team event booking a mini van for the ride and a room for five persons to stay. The atmosphere at hack.lu was great like in the last years. It is a rather small conference with [...]

When a picture tells more than words… (10/15/2007)

Hack.lu, we are coming! (10/10/2007)

Next week, a(n) (in)famous security conference will take place in Luxembourg. Last year, HackLu2006 was a highlight and I was really happy that we had the chance to be there. Not only the conference itself, but a cool CTF and a lot of nice people let us have a really good time all three days. We [...]

E-Mails are like postcards (10/03/2007)

Recently I talked to a sysadmin of a rather big company on the phone. He offered to send a configuration file to us by e-mail. I remarked that this file might contain passwords and that it should at least be encrypted before sending it, because everyone knows “e-mails are the postcards of the internet”. He [...]

Stuff you can find in a rental car (09/25/2007)

As you might know from former entries in this blog, we often use rental cars for travelling. Sometimes, people forget things in the cars. The other day, I opened a small compartment for coins inside a car and found this: Yes, it’s a Maestro card. If you know the PIN, you can get money from ATMs. [...]

Owning the (telephone) box with ping (09/17/2007)

We’ve released a new advisory today: Alcatel-Lucent OmniPCX Remote Command Execution It’s the same old story: unfiltered user input gets passed to the ping command on the host system over the web interface. You’d think that this type of vulnerability became extinct after the 80’s. But who am I kidding. So, don’t skip testing for this because it [...]

Measuring IT-Security (08/29/2007)

Recently, RedTeam Pentesting was asked to answer a list of questions regarding ways to measure and manage IT security. The article (in German) can be found online at All About Security, an independent IT security portal. As a major part of the questions were related to pentesting we spent some time to answer them in [...]

On the perfection of job applications (08/09/2007)

On a quite regular basis we receive applications for jobs, diploma theses or internships. Seems like we are doing an interesting job. Most of these applications reach us via e-mail and have a CV and references attached. As pentesters we tend to examine these documents closely, so here are some examples of what you should avoid [...]

How to rate a security issue (07/25/2007)

It is always a very hard task to rate the risk of a security issue. When we started doing pentests some years ago, we used a rating from 1 to 5 (very low, low, medium, high, very high). It turned out fast that it is hard to tell whether a vulnerability has to be rated [...]

New Advisories (07/06/2007)

We published two new advisories about security vulnerabilities in Fujitsu-Siemens products found during a penetration test: rt-sa-2007-002: Fujitsu-Siemens ServerView Remote Command Execution rt-sa-2007-003: Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure Heise also runs a news item: German: Lücken in Server-Produkten von Fujitsu Siemens English: Holes in Fujitsu Siemens’ server products

May I talk to your security contact, pleeeeeeeease?. (05/07/2007)

Today we are trying to reach the security contact of a big IT company. First attempt: We called the main number and got connected to the network security guy. “… are you responsible for security issues?” -”No, but I can give you the direct number of our CEO” Woah, the CEO’s number? For security issues? Okay, called [...]

“Terrorists” at work… (04/18/2007)

Today: Cloning fingerprints…

Trust your instincts? (04/14/2007)

… are all pentesters terrorists? London Police has a new Anti-Terrorist Hotline on air. Now take a look at this poster and decide yourself: Are we all suspected of being terrorists now? - We are making pictures of security arrangements! - We need a lot of transport! - We are travelling a lot and you can be sure, we are vague [...]

One step forward towards more bluetooth fun? (03/31/2007)

Max Moser has released a paper called Busting The Bluetooth Myth – Getting RAW Access. In this cool piece of paper, he explains how to transform a normal USB bluetooth device into a sniffer. Yeah, looks like you do not need these very expensive sniffers any longer! Now we just have to wait for some free [...]

RedTeam contributes to global warming (03/20/2007)

Security is always a compromise – usually between best possible protection and both required effort and usability of the resulting system (short: your laziness). If you do some password cracking it’s not so much one’s own effort, but the effort of the box doing it that counts. And with CPUs, effort comes with heat [...]

How (not) to react on vulnerabilities^W security bugs (03/14/2007)

Core published a security advisory about an icmp6 packet crashing OpenBSD. The timeline is interesting. heise-security has an article about the reaction of the OpenBSD team online: “Report states that OpenBSD developers played down critical vulnerability”.

Road Trip - YMMV (03/05/2007)

Customer Care(tm) with RedTeam Pentesting: Mileage after a two-day trip across Germany. Good thing that all kilometres were included in the contract of the rental car we had.




Windows Security Logging and Other Esoterica (10/09/09)

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+ (06/10/2009)

I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond.

In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.

The exceptions are the logon events.  The logon success events (540, 528) were collapsed into a single event 4624 (=528 + 4096).  The logon failure events (529-537, 539) were collapsed into a single event 4625 (=529+4096).

Other than that, there are cases where old events were deprecated (IPsec IIRC), and there are cases where new events were added (DS Change).  These are all new instrumentation and there is no "mapping" possible - e.g. the new DS Change audit events are complementary to the old DS Access events; they record something different than the old events so you can't say that the old event xxx = the new event yyy because they aren't equivalent.  The old event means one thing and the new event means another thing; they represent different points of instrumentation in the OS, not just formatting changes in the event representation in the log.

Of course I explained earlier why we renumbered the events, and (in the same place) why the difference is "+4096" instead of something more human-friendly like "+1000".  The bottom line is that the event schema is different, so by changing the event IDs (and not re-using any), we force existing automation to be updated rather than just misinterpreting events when the automation doesn't know the version of Windows that produced the event.  We realized it would be painful but it is nowhere near as painful as if every event consumer had to be aware of, and have special casing for, pre-Vista events and post-Vista events with the same IDs but different schema.

So if you happen to know the pre-Vista security events, then you can quickly translate your existing knowledge to Vista by adding 4000, adding 100, and subtracting 4.  You can do this in your head.

However if you're trying to implement some automation, you should avoid trying to make a chart with "<Vista" and ">=Vista" columns of event ID numbers, because this will likely result in mis-parsing one set of events, and because you'll find it frustrating that there is not a 1:1 mapping (and in some cases no mapping at all).

Eric


Minimizing Directory Service Audit Event Noise (09/04/2008)

I've written before on noise reduction in the Windows security event log.  I've also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I'd clean up the answer a bit and share it with the world.  In general the same is true for any type of object, although there are a few more knobs to control for DS objects.

Object access audit is generated when the system access control list (SACL) on the object matches the access that was performed on ALL of the following conditions:

  1. Object - the object that was accessed must have either an explicit or inherited SACL.  The access performed is compared against the ACEs in that SACL.
  2. Success or failure of activity - every audit access control entry (ACE) in a SACL will be either of type AUDIT_SUCCESS or AUDIT_FAILURE.  The access performed must match the access type of the ACE for the rest of the ACE to be considered.
  3. User account - the accessing user's token is compared against each ACE matching the access type.  If the user, or a group the user belongs to, matches the SID in the ACE, then an audit might be generated.
  4. Access - the access being performed must match the audited accesses in the access mask in an otherwise matching ACE.

The specific auditing algorithm is discussed here.

So the way to reduce the number of audit events (566 on Windows Server 2003, 4662 on Windows Server 2008, or one of the new DS Change events on Windows Server 2008) is to cause one or more of those conditions to fail, except in the specific cases that you care about.

The SACL which will generate the most audit events is "Everyone:Success & Failure:All accesses" on the domain head with OI,CI (object inherit & container inherit flags) for all object types.  This SACL matches all of the above conditions in all cases.  (Incidentally, I think that this is pretty close to the default SACL, with the exception of failures, for Windows 2000 Active Directory installations, and SACLs are not updated when DCs are upgraded from version to version.  Windows Server 2003 has much more conservative SACLs for new installations of AD.)

To reduce noise, I offer the following suggestions, addressing each of the above conditions:

  1. Audit only the objects that you care about.  User accounts and groups already are well-audited with "Account Management" auditing, so don't audit them with DS access.  Perhaps audit OUs, or other DS objects.  Use the Object Type and attribute type restrictions that you have in DS Access auditing.  Also, in Windows Server 2008, you can affect auditing on a per-object basis by adjusting the SearchFlags attribute in the AD schema for the object.  SACLs are more easily reversed so are probably a more acceptable method of controlling audit for most organizations.
  2. Audit successful accesses only.  Failed accesses are common and are NOT indicative of any security problem; in fact many failures are not even explicit requests by the user but are just normal requests made by the OS, and the OS will re-try with less access if the operation fails.  In my experience failure auditing is primarily useful for troubleshooting, not for security.
  3. Audit the "Everyone" group.  Although this matches any user, you will not accidentally miss any accesses that you care about due to failing to audit a user account who has access to the objects in question.  The only time that you would NOT audit "Everyone" is if you had an application or service account which was very noisy; in that case you'd need to create a group with all accounts EXCEPT the noisy accounts, and audit that group.
  4. Audit only the accesses that you care about.  Specifically, read accesses occur much more often (in my experience, a conservative estimate is about a 100:1 ratio) than write accesses.  If you restrict your auditing to "write" type accesses (including change, delete, change permissions, create, etc.) then you will end up generating far fewer events.  Auditing for read access is very noisy.  If you must audit for reads, consider auditing fewer objects, perhaps only auditing reads on the container object instead of the objects in the container, or on one "interesting" object in any given container as a "canary".
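As an added illustration of the four conditions and the four suggestions (example code, not Microsoft's, and a model of only the listed matching conditions rather than the full Windows access-check algorithm), the following Python applies them to a constructed day of accesses and counts how many audit events each SACL would produce. The SIDs, the simplified access-mask bits and the access sample are all assumptions.

```python
"""Simplified model of the four audit conditions listed above.

Added example, not Microsoft's code: the mask bits, SIDs and the access
sample are constructed, and only the listed conditions are modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed, simplified access-mask bits (not the real AD rights values).
READ, WRITE, DELETE, WRITE_DAC, CREATE_CHILD = 0x1, 0x2, 0x4, 0x8, 0x10
ALL_ACCESS = READ | WRITE | DELETE | WRITE_DAC | CREATE_CHILD
WRITE_TYPE = WRITE | DELETE | WRITE_DAC | CREATE_CHILD   # "write" type accesses

EVERYONE = "S-1-1-0"                     # well-known Everyone SID
AUDITED_GROUP = "S-1-5-21-0-0-0-1001"    # constructed: everyone except noisy accounts


@dataclass(frozen=True)
class AuditAce:
    sid: str            # trustee (user or group) the ACE names
    mask: int           # accesses this ACE audits
    on_success: bool    # AUDIT_SUCCESS
    on_failure: bool    # AUDIT_FAILURE


@dataclass(frozen=True)
class Access:
    user_sid: str
    group_sids: FrozenSet[str]
    mask: int           # access actually performed
    succeeded: bool


def ace_matches(ace: AuditAce, access: Access) -> bool:
    # Condition 2: the ACE type must match the outcome of the access.
    if access.succeeded and not ace.on_success:
        return False
    if not access.succeeded and not ace.on_failure:
        return False
    # Condition 3: the trustee must be the user or one of the user's groups.
    if ace.sid not in (EVERYONE, access.user_sid) and ace.sid not in access.group_sids:
        return False
    # Condition 4: at least one audited access bit must have been requested.
    return bool(ace.mask & access.mask)


def audit_generated(sacl: List[AuditAce], access: Access) -> bool:
    # Condition 1: an object without a SACL never generates an audit event.
    if not sacl:
        return False
    return any(ace_matches(ace, access) for ace in sacl)


def count_audit_events(sacl: List[AuditAce], accesses: List[Access]) -> int:
    return sum(audit_generated(sacl, a) for a in accesses)


def sample_accesses() -> List[Access]:
    """Constructed activity on one OU: reads dominate, the OS retries a few
    failed reads, and a noisy service account reads and writes."""
    user, svc = "S-1-5-21-0-0-0-1103", "S-1-5-21-0-0-0-1104"
    user_groups = frozenset({"S-1-5-21-0-0-0-513", AUDITED_GROUP})
    svc_groups = frozenset({"S-1-5-21-0-0-0-513"})
    return ([Access(user, user_groups, READ, True)] * 20
            + [Access(user, user_groups, READ, False)] * 4
            + [Access(user, user_groups, WRITE, True)]
            + [Access(svc, svc_groups, READ, True)] * 5
            + [Access(svc, svc_groups, WRITE, True)] * 2)


# The SACL the post calls the noisiest: Everyone, success and failure, all accesses.
NOISY_SACL = [AuditAce(EVERYONE, ALL_ACCESS, True, True)]
# Suggestions 2 and 4: Everyone, success only, write-type accesses only.
WRITE_SACL = [AuditAce(EVERYONE, WRITE_TYPE, True, False)]
# Suggestion 3: audit a group holding everyone except the noisy service account.
QUIET_SACL = [AuditAce(AUDITED_GROUP, WRITE_TYPE, True, False)]

if __name__ == "__main__":
    for name, sacl in (("noisy", NOISY_SACL), ("write-only", WRITE_SACL), ("quiet", QUIET_SACL)):
        print(f"{name:10s} SACL -> {count_audit_events(sacl, sample_accesses())} audit events")
```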


Tracking User Logon Activity Using Logon Events (08/20/2008)

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off.

As I have written about previously, this method of user activity tracking is unreliable.  It works in trivial cases (e.g. single machine where the user doesn't have physical access to the power switch or power cord), and it works most of the time in simple cases where there is good network connectivity and the user is not trying to evade detection.  If the user has physical access to the machine-- for example, can pull out the network or power cables or push the reset button-- and if the user is actively trying to evade time tracking, then the only reliable solution is to surreptitiously put a video camera (subject to local laws) in a place that can monitor the user's presence in front of the keyboard (yes I am aware of research done to track sound of keyboard clicks, etc.).

There is no way to instrument the OS to account for someone who just backs away from the keyboard and walks away.  The screen saver, if configured, will come on after a configurable delay since the last keypress or mouse movement.  Yes, if you know the SS delay then you could just work that into your calculations.  However the workstation does not lock until the screen saver is dismissed (some of you might have noticed that when you bump the mouse to dismiss the screensaver, sometimes you see your desktop for a fraction of a second- that's because your machine isn't locked while the screen saver is being displayed).  And the events don't tell you whether the workstation was locked or auto-locked so you don't really know whether to add in the screen saver delay factor.  Plus, prior to Windows Vista, there is no workstation lock event at all, only an unlock event, which is constructed in a way which makes it difficult to correlate with the original logon event.

So the bottom line is, I don't advocate or recommend this method for tracking the time a user spends at the keyboard.  If I were hypothetically called as an expert witness, I would testify that such a method is unreliable and trivially circumvented.  You have been warned, I've beaten that dead horse enough I guess.

Given that you are disregarding all my contrary advice, how are you going to accomplish this?

First, we need a general algorithm.

Use time (for a given logon session) = Logoff time - logon time

Now, what about the cases where the user powers off the machine, or it bluescreens, or a token leak prevents the logoff event from being generated, etc.?  We can use the BEGIN_LOGOFF event to handle token leak cases.  We can use the shutdown event in cases where the user does not log off.  And in case of crashes, the only event we can use is the startup event.  Note that each of these introduces increasing levels of uncertainty.

Logoff time = (logoff time | begin_logoff time | shutdown time | startup time)

This is good, but what about the time the workstation was locked?

Workstation lock time = unlock time - lock time
Total workstation lock time (for a given logon session) = SUM(workstation lock time)

How about remote desktop & terminal server sessions, and fast user switching?  You can connect and disconnect from logon sessions, during which time the user technically isn't using the computer.

Session idle time = session connect time - session disconnect time
Total session idle time (for a given logon session) = SUM(session idle time)

How about times when the machine was idle?  We can estimate that by looking at the time the screen saver was in place and adding the screen saver timeout.

Console idle time = (screen saver dismiss time - screen saver invoke time + screen saver delay)
Total console idle time = SUM(console idle time)

Putting all of this together and modifying our original formula, we get:

Use time (for a given logon session) =
   Logoff time - logon time
      - SUM(workstation lock time)
      - SUM(session idle time)
      - SUM(console idle time)

When we expand it, it is not quite so pretty: 

Use time (for a given logon session) =
   ( (logoff time | begin_logoff time | shutdown time | startup time) - logon time )
      - SUM(unlock time - lock time)
      - SUM(session connect time - session disconnect time)
      - SUM(screen saver dismiss time - screen saver invoke time + screen saver delay)

You have to be very careful that you only look at events that are properly contained chronologically between two other appropriate events, to avoid accidentally pairing the wrong logon and logoff events, or pairing a lock workstation event from one logon session with a different logon session.  The best correlation field is the Logon ID field, the next best are timestamp and user name.  At various times you need to examine all of these fields.

Now, which event IDs correspond to all of these real-world events?

They are all found in the Security event log.  The pre-Vista events (ID=5xx) all have event source=Security.  The Vista/WS08 events (ID=4xxx) all have event source=Microsoft-Windows-Security-Auditing.


512 / 4608  STARTUP
513 / 4609  SHUTDOWN
528 / 4624  LOGON
538 / 4634  LOGOFF
551 / 4647  BEGIN_LOGOFF
N/A / 4778  SESSION_RECONNECTED
N/A / 4779  SESSION_DISCONNECTED
N/A / 4800  WORKSTATION_LOCKED
* / 4801    WORKSTATION_UNLOCKED
N/A / 4802  SCREENSAVER_INVOKED
N/A / 4803  SCREENSAVER_DISMISSED

* prior to Windows Vista, there was no event for locking the workstation.  Unlocking the workstation generated a pair of events, a logon event and a logoff event (528/538) with logon type 7.  These events had the same user name as the "original" logon session and were completely enclosed chronologically by the logon/logoff events for the "real" logon session, but did not contain the Logon ID of the original logon session or other unambiguous correlator.  This makes correlation of these events difficult.

All of these events are generated in the Logon/Logoff audit policy category, although on Windows Vista and Windows Server 2008 they are scattered among the various subcategories in this audit policy category.  The audit event spreadsheet that Ned wrote has all the policy subcategory mappings as well as the event descriptions.
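The expanded formula and the event-ID table above, as an added Python example that is not Eric's code; it also applies the "+4096" rule with the collapsed logon-event exceptions from the earlier event-ID post to normalise any legacy IDs it meets. It assumes events already exported from the Security log as dicts with an event id, a timestamp and the Logon ID correlator (startup/shutdown events carry none); the Logon IDs and the timeline are constructed.

```python
"""Use time per logon session, following the expanded formula above.

Added example, not Eric's code. Events are dicts {"id", "time", "logon_id"}
already exported from the Security log; all sample events are constructed.
"""
from datetime import datetime

STARTUP, SHUTDOWN, LOGON, LOGOFF, BEGIN_LOGOFF = 4608, 4609, 4624, 4634, 4647
SESSION_RECONNECTED, SESSION_DISCONNECTED = 4778, 4779
WORKSTATION_LOCKED, WORKSTATION_UNLOCKED = 4800, 4801
SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED = 4802, 4803


def to_vista_event_id(event_id):
    """Normalise a pre-Vista (5xx/6xx) security event ID to its Vista+ ID.

    Plain +4096 for almost everything, except the collapsed logon events:
    528/540 -> 4624 and 529-537/539 -> 4625. Deprecated old events have no
    equivalent at all; this cannot detect those, so know which IDs you consume."""
    if event_id >= 4096:            # already a Vista+ ID
        return event_id
    if event_id in (528, 540):
        return 4624
    if 529 <= event_id <= 537 or event_id == 539:
        return 4625
    return event_id + 4096


def paired_minutes(events, start_id, end_id, extra=0):
    """Sum (end - start + extra) over start/end pairs, in time order. A start
    with no later end, or an end with no start, is dropped rather than being
    paired with an event that belongs to some other session."""
    total, start = 0, None
    for e in events:
        if e["id"] == start_id:
            start = e["time"]
        elif e["id"] == end_id and start is not None:
            total += int((e["time"] - start).total_seconds() // 60) + extra
            start = None
    return total


def session_use_minutes(events, logon_id, screensaver_delay_min):
    """(end - logon) - SUM(lock) - SUM(disconnect) - SUM(screensaver + delay).

    Returns None when no end-of-session candidate has been logged yet."""
    evs = sorted((dict(e, id=to_vista_event_id(e["id"])) for e in events),
                 key=lambda e: e["time"])
    mine = lambda e: e.get("logon_id") == logon_id
    logon = next((e for e in evs if e["id"] == LOGON and mine(e)), None)
    if logon is None:
        raise ValueError(f"no logon event for Logon ID {logon_id}")
    t0 = logon["time"]
    after = [e for e in evs if e["time"] > t0]
    # End of session, in the post's order of decreasing certainty:
    # logoff | begin_logoff | shutdown | startup (the reboot after a crash).
    end = (next((e for e in after if e["id"] == LOGOFF and mine(e)), None)
           or next((e for e in after if e["id"] == BEGIN_LOGOFF and mine(e)), None)
           or next((e for e in after if e["id"] in (SHUTDOWN, STARTUP)), None))
    if end is None:
        return None
    t1 = end["time"]
    # Only events carrying this session's Logon ID (the best correlator)
    # and enclosed by [t0, t1] are paired.
    inner = [e for e in after if mine(e) and e["time"] <= t1]
    total = int((t1 - t0).total_seconds() // 60)
    total -= paired_minutes(inner, WORKSTATION_LOCKED, WORKSTATION_UNLOCKED)
    total -= paired_minutes(inner, SESSION_DISCONNECTED, SESSION_RECONNECTED)
    total -= paired_minutes(inner, SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED,
                            extra=screensaver_delay_min)
    return total


def make_event(event_id, hhmm, logon_id=None):
    h, m = hhmm.split(":")
    return {"id": event_id, "time": datetime(2008, 8, 20, int(h), int(m)),
            "logon_id": logon_id}


# Constructed Security-log extract. Session A uses legacy IDs to exercise the
# normalisation; B ends via a shutdown; C ends via the startup after a crash.
A, B, C, OTHER = "0x3e7a1", "0x41c20", "0x45d11", "0x1f003"
SAMPLE_EVENTS = [
    make_event(512, "07:55"),                              # STARTUP, legacy ID
    make_event(528, "08:00", A),                           # LOGON, legacy ID
    make_event(WORKSTATION_LOCKED, "09:00", A), make_event(WORKSTATION_UNLOCKED, "09:30", A),
    make_event(WORKSTATION_LOCKED, "10:00", OTHER), make_event(WORKSTATION_UNLOCKED, "10:45", OTHER),
    make_event(SCREENSAVER_INVOKED, "11:00", A), make_event(SCREENSAVER_DISMISSED, "11:20", A),
    make_event(SESSION_DISCONNECTED, "12:00", A), make_event(SESSION_RECONNECTED, "13:00", A),
    make_event(538, "17:00", A),                           # LOGOFF, legacy ID
    make_event(LOGON, "17:30", B), make_event(SHUTDOWN, "18:30"), make_event(STARTUP, "18:35"),
    make_event(LOGON, "19:00", C), make_event(STARTUP, "19:40"),   # crash: only the reboot shows
]

if __name__ == "__main__":
    for sid in (A, B, C):
        print(sid, session_use_minutes(SAMPLE_EVENTS, sid, screensaver_delay_min=10), "minutes")
```

Session A comes out at 420 minutes: nine hours between logon and logoff, less 30 minutes locked, 60 minutes disconnected and the 20-minute screen saver plus its 10-minute delay; the OTHER session's lock events inside that window are ignored.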

Sorry that this is more of a do-it-yourself than a solution-in-a-box, but this is pretty difficult to script and so far I haven't worked on a project that required this.

Eric
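The correlation described in the post above, as an added example that is not part of the original post: it groups Security events by Logon ID, pairs 4624 with the first later 4634 for that ID, and subtracts the lock/unlock and screen-saver intervals that are chronologically enclosed by that pair. The events are constructed, and the screen-saver delay is an assumed policy value.

```python
"""Added example, not from the post: per-session active time from Windows
Security events.  LOGON/LOGOFF are paired by Logon ID (the best correlator),
and the lock/unlock and screen-saver intervals enclosed by that session are
subtracted.  The events are constructed; the screen-saver delay is assumed."""
from datetime import datetime, timedelta

# Vista/WS08 event IDs from the table in the post
LOGON, LOGOFF = 4624, 4634
WS_LOCKED, WS_UNLOCKED = 4800, 4801
SS_INVOKED, SS_DISMISSED = 4802, 4803

SCREENSAVER_DELAY = timedelta(minutes=10)  # assumed screen-saver timeout


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events: (timestamp, event_id, user, logon_id)
SAMPLE_EVENTS = [
    (_ts("2008-07-17 08:00:00"), LOGON, "alice", "0x3E7A1"),
    (_ts("2008-07-17 09:00:00"), WS_LOCKED, "alice", "0x3E7A1"),
    (_ts("2008-07-17 09:30:00"), WS_UNLOCKED, "alice", "0x3E7A1"),
    (_ts("2008-07-17 10:00:00"), SS_INVOKED, "alice", "0x3E7A1"),
    (_ts("2008-07-17 10:20:00"), SS_DISMISSED, "alice", "0x3E7A1"),
    (_ts("2008-07-17 11:00:00"), LOGOFF, "alice", "0x3E7A1"),
    # bob: an unlock with no preceding lock (must be ignored, not paired)
    (_ts("2008-07-17 08:10:00"), LOGON, "bob", "0x4F001"),
    (_ts("2008-07-17 08:50:00"), WS_UNLOCKED, "bob", "0x4F001"),
    (_ts("2008-07-17 09:10:00"), LOGOFF, "bob", "0x4F001"),
    # carol: still logged on, so no complete session yet
    (_ts("2008-07-17 12:00:00"), LOGON, "carol", "0x5A100"),
]


def _paired_intervals(events, start_id, end_id):
    """Sum (end - start) over start/end pairs in time order and count them.
    An end with no open start is ignored, as is a start never closed
    inside the session (the post's formula only sums proper pairs)."""
    total, count, open_at = timedelta(0), 0, None
    for ts, eid, _user, _logon_id in events:
        if eid == start_id and open_at is None:
            open_at = ts
        elif eid == end_id and open_at is not None:
            total += ts - open_at
            count += 1
            open_at = None
    return total, count


def session_active_time(events, screensaver_delay=SCREENSAVER_DELAY):
    """Return {logon_id: (user, active_time)} for each completed session."""
    by_session = {}
    for ev in sorted(events, key=lambda e: e[0]):
        by_session.setdefault(ev[3], []).append(ev)
    result = {}
    for logon_id, evs in by_session.items():
        logons = [e for e in evs if e[1] == LOGON]
        if not logons:
            continue
        logon_ts, user = logons[0][0], logons[0][2]
        logoffs = [e for e in evs if e[1] == LOGOFF and e[0] >= logon_ts]
        if not logoffs:
            continue  # session still open: no complete interval to measure
        logoff_ts = logoffs[0][0]
        # Only events enclosed by this logon/logoff pair, for the same user,
        # are candidates for lock and screen-saver pairing.
        inside = [e for e in evs if logon_ts <= e[0] <= logoff_ts and e[2] == user]
        locked, _ = _paired_intervals(inside, WS_LOCKED, WS_UNLOCKED)
        ss_time, ss_count = _paired_intervals(inside, SS_INVOKED, SS_DISMISSED)
        # The user was already idle for the delay before each screen-saver start.
        idle = locked + ss_time + ss_count * screensaver_delay
        result[logon_id] = (user, (logoff_ts - logon_ts) - idle)
    return result


if __name__ == "__main__":
    for logon_id, (user, active) in session_active_time(SAMPLE_EVENTS).items():
        print(f"{user:6} {logon_id}: active {active}")
```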

ACS Event Retention Mechanism (07/17/2008)

I get a lot of questions about how ACS event retention works.  So here you go, I'm blogging it so I can just answer with a link :-)

There are two DWORD registry values which affect backlog transmission.  Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters.

EventRetentionPeriod, if present, is expressed in hours (I forget the default).  It takes precedence over MaximumEventAge, which is in days (default=1).  Both of these values control the backlog of events that will be sent from agents to the collector on agent connect, but as mentioned, EventRetentionPeriod wins any conflict.  MaximumEventAge used to control database retention in early beta builds but does not anymore, since the database moved to a partitioning mechanism.  You might encounter MaximumEventAge if you are migrating from ACS beta to Operations Manager 2007 ACS.

Grooming is now governed entirely by the grooming algorithm.  The grooming algorithm is simple: partitions will be deleted by the next grooming job as soon as they are eligible for deletion.

Eligible for deletion means:

Think of (partitionDuration * numPartitions) as the retention period before data is groomed from the database. 

Note that dtPartition[<partitionId>].LastCreationTime defaults to 12:00am 1/1/2000 (collector local time).  After successful execution of the close partition script, this field's value is set to max(dtEvent_<partitionId>.CreationTime) for the partition in question.  There is an implication here that if you update status to 2 without updating LastCreationTime, then the partition is immediately eligible for grooming, assuming your clock is accurate.

The partition switch offset (time of day to switch partitions) value in dtConfig has no effect on grooming, other than that grooming will not occur during a partition switch.

Grooming runs at startup and immediately after checkpointing.  The default checkpoint interval is 198 seconds but this interval can be configured by the DWORD registry value CheckPointInterval on the collector, in the same location as the other registry values.  A successful checkpoint logs an event in the database, event ID 0 with a source of "_acs" (you might have seen these on an "idle" ACS and wondered how they got there?)

ACS' first bug from being too performant (07/16/2008)

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don't properly get looked up.

Some background: the event log in Windows prefers to log invariants such as message IDs, parameter message IDs, SIDs (security IDs which represent users and groups, etc.), and GUIDs (globally unique IDs which represent objects in Active Directory), rather than the actual names of the objects.  At view time the viewing application is expected to look up the name associated with the invariant and display it to the user.

The reasons that Windows does this are (1) that it enables localization, so that English speakers can see "Administrator" and French speakers can see "Administrateur", and (2) that it provides rename safety: many objects are renamable, such as domain accounts and other AD objects.

Anyway in ACS we had to solve the problem of how to store mountains of log data in a database, make it queryable in meaningful ways, preserve original format, present to users in a recognizable/understandable format, etc.

The way we chose to solve our several problems was to take strings that contained an invariant and append the translated name or string.

For example:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
would be translated to:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}="dnsNode"

and
%%7685
becomes:
%%7685="Write Property"

As I mentioned, though, we ran into a problem recently.  Some of our customers were monitoring AD objects with ACS and noticed that ACS was not translating the GUIDs for certain objects.  When they manually looked up the GUIDs they noticed that they were for AD-integrated DNS objects.

After investigation, we found that AD was logging certain audit events for the objects, before all the attributes of the objects had been populated- DNS was populating the objects in multiple operations per object and each operation causes a separate event.  So ACS, which operates as close to real-time as we could get, was actually noticing the first event and asking AD "what's this?" before DNS had finished updating AD with things like the object's name.  The difference in time was literally only milliseconds.

Anyway I didn't really feel it was an ACS bug and wanted to file a bug against Windows DNS Server.  However the Operations Manager team has prototyped a configurable behavior for the ACS agent that lets it wait a very short time (configurable number of ms) and retry, when it fails to look up an AD object because the object doesn't exist.  This might be released as a public patch and/or in a future Service Pack.

I thought you might appreciate stories of the kinds of weirdness we run into.

If you're gonna herd bots, do it from New Zealand! (07/16/2008)

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects.  See the story here.

Well duh.  The whole theory of crime and punishment is that if you do something bad, you get punished, and punishment is something that is unpleasant, so you try to avoid it, hopefully by not doing the crime.  See?  One would hope that a judge would understand this concept.

I could understand if the judge said "this is just a stupid kid, he doesn't deserve to do 20 years", and gave the kid probation, community service and a big fine.  I don't know if New Zealand has such options, or if the judge has latitude in sentencing.  There is probably more to the story than is being told.  But you don't take over a million computers that don't belong to you, personally making tens of thousands of dollars, and not realize that you're doing something wrong.  Unless you're a sociopath.  And in either case, you either need punishment (for doing something you know is wrong) or separation from society for the protection of society while you get treatment (if you are a sociopath).  So whatever the case, the judge got it wrong, and as a result is practically encouraging future behavior of the same sort.

WEvtUtil Scripting (07/16/2008)

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks around getting field delimiting correct.

The tool's command to query events from a log is "qe", and takes a log name as a parameter.

If you want to specify a query expression, then you can use XPath with the /q switch.  The easiest way to do this is to use Event Viewer to build a filter for just the events that you want, and then copy just the XPath expression out of the XML tab of the filter dialog in Event Viewer.  Be careful to copy only the filter expression and not the XML that surrounds it. 

Finally, the default output format of wevtutil is XML.  However it dumps each event as XML, but does not include a root element- in other words it's not well-formed XML by default.  To include a root element you need to include the /e switch and a root element name.

I put this all together in a batch file, with an example XPath filter that just gathers interactive logon events (event ID=4624, logon type=2).  You can save this as a .cmd file and run it as an administrator on Vista or WS08 and it will pull up a list of your interactive logons in Internet Explorer (or your default XML handler application if you've changed the registration).  It has to run as admin because it accesses the security event log.

If you're really good (better than me, which is not hard) you could write an XSL style sheet and put this into a report format.

Good luck!

@echo off

REM (C) 2008 Microsoft Corporation
REM All Rights Reserved

set outputfile=%temp%\interactive-logon-events.xml
if "%1" NEQ "" set outputfile=%1

REM The next command is all one line and has no carriage returns
REM The only spaces in the XPath are around the AND keywords
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > %outputfile%

start %outputfile%

set outputfile=


Ned on Auditing (04/20/2008)

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe).  Well, Ned has a blog and I thought I'd point you guys there.  His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.

 

Windows Server 2008 Security Events Posted (04/17/2008)

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that's propagating to the Microsoft Download Center.  I'll publish the link when it's online.

2008-04-17 UPDATE:  Brian just sent me the link: here is the spreadsheet.

Shameless Self-Promotion (03/05/2008)

There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in Auditing in Windows Server 2008?"

Well, funny that you brought that up.  My friend Jesper Johansson just wrote a new book, the Windows Server 2008 Security Resource Kit, and he invited me to write a chapter about auditing for it, which I did.  So you, dear reader, are getting information straight from the horse's mouth, so to speak.

Anyway I think the book hits store shelves on March the 10th.  A number of distinguished individuals contributed to the book: Susan Bradley, Darren Canavor, Kurt Dillard, Roger Grimes, Brian Komar, Alun Jones and others.

I'd also like to send out special props to my auditing posse: Raghu (who was the primary developer for auditing for Vista & WS08) and Ned (who is the resident guru for auditing in Microsoft Customer Support Services), both of whom made significant contributions.  Raghu introduces the new "special group logon tracking" feature, and Ned contributed a spreadsheet mapping all the events (360-ish) to the policy category and subcategory and giving other key information about each event; this is included on the CD bundled with the book, along with an XML file defining the schema for all the events and event messages.  Ned's also working on getting a version of the spreadsheet available for download from the Microsoft download site.

In other news, the Windows Server 2008 Security Guide is also out, and yes, yours truly contributed in small part to the auditing guidance in there too, although I seem to have been overlooked in the credits (in all fairness my work delta from the Vista Security Guide was really small so maybe it did not meet their "credits bar").

Anyway, download the security guide and buy a copy of the book.  Buy more than one copy of the book, and give copies to your friends and loved ones.  Nothing says "Happy Anniversary, Honey" quite like a book or white paper about computer security.  OK, so maybe I should stick to computer security and stay away from relationship advice.  Flowers work well in my experience.

ACS Event Transformation Demystified (02/27/2008)

I've decided to start dumping my knowledge of ACS for posterity's sake.  My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

 

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector.  Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver).  This file is pointed to in the collector's registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

 

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.

 

The collector (as explained elsewhere) also reads AcsConfig.xml to get its persistent state and configuration for all known agents, to know what logs/sources to collect for each agent/agent group, etc.  This is all read into in-memory state for each agent.

 

At connect time, the agent sends version information- what the OS and agent version and service pack are, etc.  The collector first looks in its in-memory agent state to see what configuration applies to the agent.  Then it looks in its transformation tables and extracts the appropriate version-specific transformation instructions for the events that the collector is configured to collect from that agent.  Then it packages these instructions and sends them to the agent.

 

The agent starts reading events, transforming them according to its instructions from the collector, and sending the transformed events to the collector.  The collector finishes the transformation, services real-time subscriptions and loads the events into the database as appropriate.

 

If the agent encounters an event that it is configured to send (by log/source) but does not have transformation instructions for, then it simply builds a copy of the event, string for string, and sends the copy of the event to the collector as an "unschematized" event.  The collector will handle this event without problems but will not extract non-header user fields (no primary/client/target user fields) and will not add string type information.

 

I'll take Windows Server 2003 (build 3790), Event Log: Security, Event Source: Security, Event ID: 644 as an example.

 

Here's the WS03 schema for 644 (excerpt from %systemroot%\system32\security\adtserver\EventSchema.xml in the path "Schema\Log[@Name='Security']\Source[@Name='Security']\Version[@MinBuild='3790']\Event[@SourceId='644']").

 

<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
  <Call Name="AppendString" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="3" Param2="0" />
  <Call Name="AppendString" Param1="2" Param2="0" />
  <Call Name="AppendString" Param1="4" Param2="0" />
  <Call Name="AppendString" Param1="5" Param2="0" />
  <Call Name="AppendString" Param1="6" Param2="0" />
  <Call Name="AppendSidFromNames" Param1="4" Param2="5" />
  <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
  <Param TypeName="typeUserDn" />
  <Param TypeName="typeComputerName" />
  <Param TypeName="typeTargetSid" />
  <Param TypeName="typeClientUser" />
  <Param TypeName="typeClientDomain" />
  <Param TypeName="typeClientLogonId" />
  <Param TypeName="typeClientSid" />
  <Param TypeName="typeTargetUser" />
  <Param TypeName="typeTargetDomain" />
</Event>

 

The instructions are all applied in order.  "Call" instructions are executed agent-side; "Param" instructions are executed server-side.

 

These instructions can be translated as:

 

· Take string 1 from the original event and make it string 1 in the new event.  It is of type "typeUserDn".
· Take string 3 from the original event and make it string 2 in the new event.  It is of type "typeComputerName".  Note that we are doing reordering here by appending original string #3 before original string #2.  Nifty, eh?
· Take string 2 from the original event and make it string 3 in the new event.  It is of type "typeTargetSid".
· Take string 4 from the original event and make it string 4 in the new event.  It is of type "typeClientUser".
· Take string 5 from the original event and make it string 5 in the new event.  It is of type "typeClientDomain".
· Take string 6 from the original event and make it string 6 in the new event.  It is of type "typeClientLogonId".
· Take string 4 from the original event and treat it as a user name, and take string 5 from the original event and treat it as a domain name, look up the associated SID and make it string 7 in the new event.  The new string is of type "typeClientSid".
· Take string 3 from the new event, treat it as a SID, look up the user/domain name associated with it and append the user name as string 8 to the new event and the domain name as string 9 to the new event.  String 8 is of type "typeTargetUser" and String 9 is of type "typeTargetDomain".

 

See the reordering?  Now here is an instance of the event with the original event data.  If you're not familiar with the XML, it's the XML output of Crimson, the new event log service introduced in Vista/WS08, but this is a WS03 [pre-Crimson] machine; we're looking at a saved event log (evt) file.

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">644</EventID>
    <Level>0</Level>
    <Task>7</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2007-12-17T15:50:14.000Z" />
    <EventRecordID>28003981</EventRecordID>
    <Channel>C:\Users\ericf\AppData\Local\Temp\SERVER34_SecEvts.evt</Channel>
    <Computer>SERVER34</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>user09</Data>                                               // String 1 - user name
    <Data>SERVER34</Data>                                             // String 2 - looks like a machine name, confirmed by string 4
    <Data>%{S-1-5-21-5998314728-109421381-169156293-611111}</Data>   // String 3 - definitely a SID
    <Data>SERVER34$</Data>                                            // String 4 - definitely an account name (machine account)
    <Data>CONTOSO</Data>                                              // String 5 - looks like a domain name
    <Data>(0x0,0x3E7)</Data>                                          // String 6 - definitely a logon ID
    <Data>-</Data>                                                    // String 7 - empty null string at the end of the event (ignored by ACS)
  </EventData>
</Event>

 

When the event arrives at the collector, type information is applied, and then the user fields (typePrimary*, typeClient*, typeTarget*) are extracted from the string data section and the strings that are left are re-numbered starting at 1 (no reordering occurs).

 

Here's a chart of what the event looks like at the various points in the system.  The changes at each step are shown in red.

 

Original Event in Event Log              | Client-Side Transformation at Agent      | Server-Side Normalization (WMI/SQL output)
Field            Content Description     | Field            Content Description     | Field            Content Description
                 (implicit)              |                  (implicit)              |                  (explicit)
-----------------------------------------+------------------------------------------+------------------------------------------
                                         | Client User                              | Client User      typeClientUser
                                         | Client Domain                            | Client Domain    typeClientDomain
                                         | Client Sid                               | Client Sid       typeClientSid
                                         | Client Login Id                          | Client Login Id  typeClientLogonId
                                         | Target User                              | Target User      typeTargetUser
                                         | Target Domain                            | Target Domain    typeTargetDomain
                                         | Target Sid                               | Target Sid       typeTargetSid
String01         typeUserDn              | String01         typeUserDn              | String01         typeUserDn
String02         typeTargetSid           | String02         typeComputerName        | String02         typeComputerName
String03         typeComputerName        | String03         typeTargetSid           | String03
String04         typeClientUser          | String04         typeClientUser          | String04
String05         typeClientDomain        | String05         typeClientDomain        | String05
String06         typeClientLogonId       | String06         typeClientLogonId       | String06
String07                                 | String07         typeClientSid           | String07
String08                                 | String08         typeTargetUser          | String08
String09                                 | String09         typeTargetDomain        | String09

 

To finish off a description of transformation, there are 7 transformation functions, each of which can optionally take 2 integers as parameters.  Note that there is no "destination event" field specifier; all references are only to the original event.  That's because when constructing the destination event, any data added to the event is always appended- it is constructed from beginning to end- so the implicit destination field is "at the end of the event as it is now".

 

AppendString
  Parameter 1: Reference to a string parameter in the source event in the event log
  Parameter 2: Unused
  Description: Appends the referenced string to the event which will be sent to the collector

AppendStringFromTable
  Parameter 1: Reference to a constant string in the statically defined <Strings> table (1-based) in the relevant Source\Version element in EventSchema.xml
  Parameter 2: Unused
  Description: Appends the referenced constant string to the event which will be sent to the collector

AppendProcessNameFromPid
  Parameter 1: Reference to a string parameter in the source event in the event log (source string is expected to be a numeric process ID)
  Parameter 2: Unused
  Description: Looks up the process image path name for the referenced PID and appends it to the event which will be sent to the collector

AppendTimeFromDatetime
  Parameter 1: Unused
  Parameter 2: Unused
  Description: Not Implemented/No Action

AppendSidFromNames
  Parameter 1: Reference to a string parameter in the source event in the event log (source string is expected to be a user name)
  Parameter 2: Reference to a string parameter in the source event in the event log (source string is expected to be a domain name)
  Description: Looks up the SID for the account represented by the specified user and domain names, and appends the SID to the event which will be sent to the collector

AppendNamesFromSid
  Parameter 1: Reference to a string parameter in the source event in the event log (source string is expected to be a security ID)
  Parameter 2: Unused
  Description: Looks up the user name and domain name for the account represented by the specified SID, and appends the user name and the domain name as separate strings to the event which will be sent to the collector

AppendNumber
  Parameter 1: Unused
  Parameter 2: Unused
  Description: Not Implemented/No Action

 

Out-of-range params cause the transformation instruction to be ignored and skipped.  Non-integer params or other XML formatting/malformation problems (including non-UTF-8 encoding) cause an EventSchema.xml parsing error at collector startup, which in turn causes collector startup failure.
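The agent-side Call sequence and collector-side typing and user-field extraction walked through above, together with the out-of-range skipping rule in the preceding paragraph, as an added example that is not ACS code: the <Event> element, the Strings table, the event strings and the account directory are all constructed, and the directory stands in for the Windows SID/name lookups the real agent performs.

```python
"""Added example, not ACS code: an interpreter for the Call/Param instruction
model described in the post.  Schema, event strings and account directory are
constructed; the directory stands in for the agent's Windows lookups."""
import xml.etree.ElementTree as ET

SID_USER09 = "S-1-5-21-1000-2000-3000-1105"  # constructed SIDs
SID_SVC = "S-1-5-21-1000-2000-3000-1104"

# Stand-in for the account lookups (assumption, not a real directory).
SID_BY_NAMES = {("user09", "CONTOSO"): SID_USER09, ("svc_backup", "CONTOSO"): SID_SVC}
NAMES_BY_SID = {sid: names for names, sid in SID_BY_NAMES.items()}

# Constructed <Strings> table for AppendStringFromTable (1-based, per the post).
STRINGS_TABLE = ["-"]

# The collector lifts strings of these types out into named user fields.
USER_FIELD_PREFIXES = ("typePrimary", "typeClient", "typeTarget")

# Constructed schema element (not from EventSchema.xml).  It reorders original
# strings 3 and 2, replaces original string 4 with a table constant so later
# positions stay stable, derives a SID and a user/domain pair by lookup, and
# ends with an out-of-range reference that must be skipped.
SCHEMA = """<Event SourceId="9999" SourceName="CONSTRUCTED_EXAMPLE">
  <Call Name="AppendString" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="3" Param2="0" />
  <Call Name="AppendString" Param1="2" Param2="0" />
  <Call Name="AppendStringFromTable" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="5" Param2="0" />
  <Call Name="AppendString" Param1="6" Param2="0" />
  <Call Name="AppendSidFromNames" Param1="5" Param2="6" />
  <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />
  <Call Name="AppendString" Param1="42" Param2="0" />
  <Param TypeName="typeUserDn" />
  <Param TypeName="typeComputerName" />
  <Param TypeName="typeTargetSid" />
  <Param TypeName="typeClientLogonId" />
  <Param TypeName="typeClientUser" />
  <Param TypeName="typeClientDomain" />
  <Param TypeName="typeClientSid" />
  <Param TypeName="typeTargetUser" />
  <Param TypeName="typeTargetDomain" />
</Event>"""

# Constructed original event strings, 1-based as the schema refers to them.
ORIGINAL = ["user09", SID_USER09, "SERVER34", "(0x0,0x3E7)", "svc_backup", "CONTOSO"]


def _ref(strings, param):
    """Resolve a 1-based Param reference; None when it is out of range."""
    idx = int(param) - 1
    return strings[idx] if 0 <= idx < len(strings) else None


def agent_transform(schema_xml, original):
    """Agent side: run the Call instructions in order, always appending."""
    out = []
    for call in ET.fromstring(schema_xml).findall("Call"):
        name, p1, p2 = call.get("Name"), call.get("Param1"), call.get("Param2")
        if name == "AppendString":
            s = _ref(original, p1)
            if s is not None:  # out-of-range reference: instruction skipped
                out.append(s)
        elif name == "AppendStringFromTable":
            s = _ref(STRINGS_TABLE, p1)
            if s is not None:
                out.append(s)
        elif name == "AppendSidFromNames":
            user, domain = _ref(original, p1), _ref(original, p2)
            if user is not None and domain is not None:
                out.append(SID_BY_NAMES.get((user, domain), ""))  # unresolved: empty (assumption)
        elif name == "AppendNamesFromSid":
            sid = _ref(original, p1)
            if sid is not None:
                out.extend(NAMES_BY_SID.get(sid, ("", "")))  # two strings: user, domain
        # AppendTimeFromDatetime / AppendNumber: not implemented, no action
    return out


def collector_normalize(schema_xml, agent_strings):
    """Collector side: attach Param types positionally, lift the user fields
    out, and renumber the strings that are left starting at 1."""
    types = [p.get("TypeName") for p in ET.fromstring(schema_xml).findall("Param")]
    fields, leftover = {}, []
    for i, s in enumerate(agent_strings):
        t = types[i] if i < len(types) else None
        if t and t.startswith(USER_FIELD_PREFIXES):
            fields[t] = s
        else:
            leftover.append((t, s))
    return fields, {f"String{n:02d}": ts for n, ts in enumerate(leftover, 1)}


def transform_event(schema_xml, original):
    """Whole pipeline.  With no schema the event travels "unschematized":
    a string-for-string copy, no user fields and no type information."""
    if schema_xml is None:
        return {}, {f"String{n:02d}": (None, s) for n, s in enumerate(original, 1)}
    return collector_normalize(schema_xml, agent_transform(schema_xml, original))
```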

 

So that's ACS transformation in a nutshell.  I hope this helps you guys understand ACS functionality a little better.

 

Shortly I will finish my write-up on AcsConfig.xml but that is a simple file and not too hard to figure out if you are into experimentation.

 

Here are some cool things that you can try with the event schema file if you are adventurous:

 

1. Drop fields.  We have modified eventschema.xml successfully to cause it not to collect certain fields (e.g. logon GUIDs) of certain events:

  <Call Name="AppendString" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="2" Param2="0" />
  <Call Name="AppendString" Param1="3" Param2="0" />
  // try deleting a line here
  // or, to preserve ordering of subsequent strings
  // try replacing "AppendString" with "AppendStringFromTable (param1=1)"
  <Call Name="AppendString" Param1="4" Param2="0" />
  <Call Name="AppendString" Param1="5" Param2="0" />
  <Call Name="AppendString" Param1="6" Param2="0" />


2. Add an event source.  Some caveats are:

· You must have a unique, well-formed GUID for the new source
· You have to get events of the new source into the log (try "AuthzReportSecurityEvent" from MSDN)
· You have to modify AcsConfig.xml to tell the agent(s) to collect the new source

 

 

NB: I have used the C/C++ comment syntax throughout this post, but note that ACS supports neither C/C++ nor XML-style comments in the XML config files it uses.

You learn something new every day- Logon Type 0 (02/26/2008)

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong.

The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called a Logon Type.  This is a code that is passed into the logon API that tells the authentication system in Windows which policy to check the logon against.  Windows has separate policy checks for network logons, interactive logons, etc., so that you can allow users to access a system in some ways but not in others.

The logon type code is, in C/C++ parlance, an enumerated value- it's an ordered list of numeric values, each with an associated name, and these are defined in a publicly available file in the source code (ntsecapi.h).  In the source code, the values are always referenced by name.

Today on one of the internal aliases someone actually found a logon event with a logon type of 0- I have never personally seen one of these before and 0 is not defined in the SECURITY_LOGON_TYPE enumeration, so I would have assumed that it was a bug- but it turns out that we are aware of this case and use it occasionally for system logons.

So there you are.

ACS Tidbits (02/01/2008)

Well, there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of System Center Operations Manager 2007).

Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS.

Another of our partners with ACS-based compliance solutions, SecureVantage, has started a new blog where ACS is a frequent topic.

Anyway I'm pleased to see that ACS is becoming a successful platform and I'm happy to answer ACS questions!  To you ISVs out there, Joseph and I welcome your questions as well (if we aren't already talking to you).  Let us know who you are so we can stay in touch with you!

I always wondered who Björn was... (01/17/2008)

OK here's something I just remembered today.  I may be the last person who remembers this so it's important that I record this somewhere.

In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the auditing message file.  I'm guessing that it was one of our localization engineers, but I don't know- I was over in the support side of things at the time.  I stumbled across the message one day while looking at source code.

Here's Björn's momentous message:  "Björn grüßt den rest der welt".  Basically Björn says hi to everyone.  He's a friendly guy.

This is string resource zero in the message table resource- it's not a code resource, it's properly formed and it's not used by the code anywhere.  You would not know it exists unless you slog through source code (like me) or use a hex editor or string dumper to analyze binaries AND happen to be so bored that you pull out an NT 4.0 RTM German CD and examine msaudite.dll.  NT4 RTM CD's are pretty rare, btw, because we replaced them with slipstream SP1 CD's very shortly after release.

If I remember correctly somebody else came along in a later service pack and changed Björn's name to their own (maybe it was Ulli?  I can't remember and I'm too lazy to find the source- it requires a lot of effort to dig that far back).  I do remember that shortly thereafter there was a huge Easter Egg crackdown here at Microsoft probably brought to a head by the Excel 97 Flight Simulator.  Björn's message of goodwill to mankind was erased forever. 

I did a search using the Officially Sanctioned Search Engine and the other one too; evidently the internet has forgotten Björn's message.  But I still remember, Björn.

Anyway I thought you might like this bit of arcana.  If you are bored, have a hex editor and a German NT4 CD, knock yourself out...

Why does Windows XP generate so many logon failure events? (11/09/2007)

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined.

The short answer is, by design.  (Yes, bad design.)

The longer answer is that the shell team is working around the fact that there is no "tell me if this user account has a blank password" API.

When in a workgroup (not domain joined), Windows XP displays a welcome screen that has little pictures (called "tiles") for each user who is permitted to log on to the computer.

The shell team wanted the experience that when you click on a tile, that you will immediately be logged on if your password is blank (we have good data that a large percentage of home users have blank passwords).  They only want you to be prompted for a password if you actually have a password.  Fair enough, and it also helps with accessibility for people for whom typing is challenging.

The XP Welcome Screen, when it is initialized each time it is to be displayed, attempts to log on each user for which a tile will be displayed, using a blank password.  Users with non-blank passwords will cause failures in this case (other users will cause logon success events followed by logoff success events). [2007-11-21 correction]

The Welcome Screen uses the result of these logon attempts to decide whether to display a password box when you select a user's tile.  If the user has a blank password, they will be logged on instead of being prompted for a password.

Why are they logging on the account?  Well it turns out to be the easiest way to tell if your password is blank.  We don't have a "is your password blank" API- that would be a security disaster- and we would prefer that the shell team not go mucking about in the SAM, retrieving hashes and computing the blank password hash for each account so that it could compare them. 

I asked for this behavior to be changed prior to XP's release.  Specifically I asked that the blank password check be moved from Welcome screen initialization to tile selection- this would still cause logon failures but many fewer of them.  I was declined.  I asked for fixes to it in SP1 and SP2 and was declined.  At this point we will not be revisiting this "feature"; the Welcome Screen was redesigned to eliminate this problem.

The shell team who designed the Welcome Screen did not feel that auditing was a common scenario for workgroup machines, and I didn't (and still don't) have any business case to dispute that.


The Microsoft Security Response Center (MSRC) (03/09/10)

March 2010 Security Bulletin Release (03/09/2010)

Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of "1" so we recommend that customers deploy these updates as soon as possible. The Microsoft Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today's security updates can be found on the Microsoft Security Bulletin webpage.

MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.

The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.

MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited.

Since both of today's bulletins require user interaction, we give them both a "2" on our deployment priority scale:

Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month's bulletins:

In the following video, Adrian Stone and I give a brief overview of today?s bulletins:

Today we also re-released MS09-033 to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions.

Additionally, we continue to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

Please join us tomorrow for a public webcast where Adrian Stone and I will go into detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them, so please plan to join us.

Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711

Thanks!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 981374 Released (03/09/2010)

Hi everyone,

Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.

At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to "high", configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.

As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY).  Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

March 2010 Bulletin Release Advance Notification (03/04/2010)

Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.

We recommend that customers review the Advance Notification webpage and prepare to deploy these bulletins as soon as possible. To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.

We're also continuing to monitor the situation with Security Advisory 981169, the VBScript issue disclosed on Monday. There are no known attacks but we encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

As always, we will be hosting a public webcast where we will go into detail about the bulletins for March and where customers can ask questions. We will have a room full of engineers on hand to answer those questions live during the webcast. Here are the details:

Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711

A couple of months ago, I started including information about products that are reaching the end of their product lifecycle. It is extremely important for customers to move to supported platforms because after the dates below, those products/service packs will no longer receive security updates.

Hope to see you at the webcast!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Update: MS10-015 security update re-released with new detection logic (03/02/2010)

Hi,

I am writing to let you know that we have revised the installation packages for MS10-015 with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist. Such conditions could be the result of an infection with a computer virus such as the Alureon rootkit. If these conditions are detected, the update will not be installed and the result will be a standard Windows Update error. If a user receives this error, they should go to the following landing page for additional help:

http://www.microsoft.com/security/updates/015

At this time, we have resumed offering the update to all affected systems via Automatic Updates.

We have also released a Microsoft Fix It as a standalone scanning tool that reports on the compatibility of a system with the MS10-015 update. The scanning tool can also be deployed through enterprise deployment systems allowing administrators to detect compatibility with the update before deploying broadly. The Fix It and deployment information are available at Microsoft Knowledge Base Article 980966.

Customers who believe they have experienced a restart issue after installing MS10-015, are encouraged to visit our Customer Service and Support page at https://consumersecuritysupport.microsoft.com or call 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Update: note that the update will not be re-offered to those who have already successfully installed the update.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 981169 Released (03/01/2010)

Hello again,

Today we released Security Advisory 981169 to address the VBScript issue involving Windows Help files that we blogged about yesterday. To reiterate what we said in that post, we are not aware of any active attacks at this time and the following operating systems are not affected by this issue: Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista.

Our investigation is ongoing. Users on older versions of Windows should review the Security Advisory for mitigations and workarounds for this issue. Additionally, our Security Research & Defense team provides a detailed analysis of the issue and the available workarounds on their blog. User education is a key factor in this scenario given the amount of user interaction required to reach the vulnerability.

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out-of-band. We will provide further updates as they become available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Investigating a new win32hlp and Internet Explorer issue (02/28/2010)

Hi everyone,

On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue.

The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as "unsafe file types". These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.

Once we have completed our investigation, we will take appropriate action to protect customers. To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of, and work to exploit, a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country.  Those in the United States can contact Customer Service and Support at no charge (for computer security related issues) using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Customers outside of the United States can visit http://support.microsoft.com/international to find local support information.

We continue to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.

We will provide more information on this issue as it becomes available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit (02/17/2010)

Hi,

We wanted to provide you with an update on our ongoing investigation into the "blue screen" issues affecting a limited number of customers who installed MS10-015. We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues. Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015. Our guidance remains the same: customers should continue to deploy this month's security updates and make sure their systems are up-to-date with the latest anti-virus software.

Customers continue to emphasize the importance of quality updates, and that high quality updates encourages quicker deployment.  While the issue customers are experiencing with MS10-015 was caused by a malware infection and not a problem with the security update, we wanted to use this event as an opportunity to explain why this issue was not caught during testing, and how we respond to reported issues in our security updates.

This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state. These types of infections often leave the machine in such an unstable state that it cannot be reliably tested. This is because malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address, which usually happens when an executable is loaded. The chain of events in this case was that a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.

Microsoft has taken steps to deter tampering with the Windows Kernel using technologies like Kernel Patch Protection (sometimes referred to as PatchGuard) and Kernel Mode Code Signing (KMCS), both of which are enabled in 64-bit systems.  These technologies make it possible to detect when integrity checks fail. The different versions of Alureon that we have investigated only infect 32-bit systems and would fail to infect 64-bit systems. That said, it is important to note that running as a standard user instead of using an administrator account is a best practice that in most cases will prevent kernel mode malware from infecting a system. Similarly, keeping anti-virus signatures current will also prevent most malware from infections. Additionally, since we have determined that 64-bit systems are not affected, we are opening Automatic Updates for these platforms.

Customers who are interested in additional technical details of what the Windows Kernel is can learn more here.

Even after security updates are released, the Microsoft Security Response Center's job is not done. In conjunction with Microsoft Customer Service and Support (CSS), we monitor forums and track customer calls to ensure we respond to reported issues as quickly as possible. On Wednesday, February 10th, we became aware of reports regarding Windows XP SP2 and SP3 systems becoming unable to restart successfully after the installation of MS10-015. The reports were first identified by the MSRC's monitoring of various online community support forums, a spike in support call volume and telemetry from our Consumer Security Support Center. After reviewing the information we had available, we stopped offering Automatic Update distribution of MS10-015 in order to minimize the potential for widespread customer impact while we investigated these reports. Even though we have stopped distribution through Automatic Update, we have seen a large number of deployments as customers can still deploy the update through Windows Update, WSUS or SMS.

In this situation, our teams needed to get information directly from the affected systems in order to understand the cause.  Because we had so few reports and needed to examine the state of the affected systems, the CSS team even drove to customer locations to retrieve machines for analysis.

This past weekend, we worked with the Microsoft Malware Protection Center (MMPC) on the systems that were delivered to Redmond last Friday, and confirmed that all of the affected systems had the Alureon Rootkit installed. The Windows Engineering team then began working to build a test matrix to determine if the malware was related to the reports we have been receiving. To ensure we had identified the root cause of the issue, Windows Engineering tested machines using the test process covering all 32-bit versions of Windows. While this issue could impact any 32-bit Windows system that was infected with the malware, since reports are predominately on 32-bit versions of Windows XP, this test process is described at a high level focusing on that version in the table below:

Phase / Actions / Result on Test Machines

Debug Phase 1
  Actions:
  • Install Supported Versions of Windows XP
  • Install all previous updates to bring the Windows Kernel, prior to the version updated by MS10-015, to version 5.1.2600.5857.
  • Install the Alureon Root Kit.
  • Install MS10-015 / KB977165 (Kernel Version 5.1.2600.5913)
  Result on Test Machines: The system enters a repeated reboot / blue screen

Debug Phase 2
  Actions:
  • Install Supported Versions of Windows XP
  • Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857
  • Install all previous updates to bring the Windows Kernel to the current version prior to the version updated by MS10-015.
  • Install the Alureon Root Kit.
  Result on Test Machines: Successful boot

Debug Phase 3
  Actions:
  • Install Windows XP SP3
  • Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857
  • Install the MS10-015 security update to bring the Kernel to version 5.1.2600.5913
  • Install the Alureon Root Kit.
  Result on Test Machines: Successful boot

Debug Phase 4
  Actions:
  • Install Supported Versions of Windows XP
  • Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857
  • Install MS10-015 to bring the Windows Kernel to version 5.1.2600.5913
  • Install the Alureon Root Kit.
  • Uninstall KB977165, setting the Kernel to version 5.1.2600.5857
  Result on Test Machines: The machine goes into a rolling reboot

As indicated in the table, the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.

For instructions on how to back up your files in Windows, visit here:
http://windows.microsoft.com/en-US/windows-vista/Back-up-your-files

For instructions on how to reinstall Windows, visit here:
http://windows.microsoft.com/en-us/windows/help/install-reinstall-uninstall

Customers who believe they are experiencing this reboot issue after installing MS10-015, or require support removing it or repairing their systems, are encouraged to contact their Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

While we cannot predict how malware writers will author or modify their code, we are committed to finding new ways to detect issues like this on infected systems. We're also working on a simpler solution to detect and remove Alureon from affected systems which should be released in a few weeks, as are several other third party vendors.

We will keep you updated here on the MSRC Blog as we have more data and information on the malware and automatic remediation tools.

Mike Reavey

Director, MSRC

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Update - Restart Issues After Installing MS10-015 (02/12/2010)

In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating. Please review our blog post from yesterday for additional information.

One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.

We encourage customers to follow our "Protect Your PC" best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.

This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Keep an eye on this blog for more updates as we have them.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

February 2010 Security Bulletin Webcast (02/12/2010)

Hi everyone,

As we do every month following our public webcast, we have posted the questions and answers (which you can find here) and the recorded webcast below.

This month there were no particular themes that emerged in the questions. They ranged from wanting clarification of what it means when we say something is "public" to questions like "Will applying Enable_SSL_Renegotiate_Workaround.js cause IIS 7 to break SSL VPN connections?" You can find the answers to these and many other questions at the link above.

Earlier today I made a post about a potential issue with MS10-015. We are still investigating this but I wanted to provide some additional clarity on what I mean when I said we stopped offering the update via Windows Update. To be more precise, we basically turned off the Automatic Update system for this bulletin. This means that computers that have our recommended setting to automatically look for, download, and install high priority updates, will not pull this update down. They will still get all the other relevant updates. You can still go to Windows Update and manually select and install the update and you can still obtain the update package from the Download Center.

Please check back here for more updates on this issue as we will post additional information as it becomes available.

Thanks!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Restart issues after installing MS10-015 (02/11/2010)

Hi everyone,

I am writing to let you know that we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.

As you may recall from previous blog posts, MS10-015 addresses an Elevation of Privilege vulnerability that would require the attacker to have valid credentials in order to be able to leverage it in an attack. Several other updates in this release were identified as having a high priority for deployment and we continue to encourage customers to thoroughly test the updates and deploy them immediately. At this time, we are not aware of any issues with the other updates that were released this month and we continue to encourage customers to install them as soon as possible in order to help ensure that they are protected from the vulnerabilities they address.

While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here: http://support.microsoft.com/kb/979682.

Customers who are experiencing issues after installing any of our security updates can get help resolving the issues by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Thank you,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

February 2010 Security Bulletin Release (02/09/2010)

MSRC Bulletin Release Blog Post

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin IDs:

ANS Bulletin Number    Actual Bulletin Number
 1                     MS10-006
 2                     MS10-007
 3                     MS10-008
 4                     MS10-009
 5                     MS10-012
 6                     MS10-013
 7                     MS10-003
 8                     MS10-004
 9                     MS10-010
10                     MS10-011
11                     MS10-014
12                     MS10-015
13                     MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 ("Consistent Exploit Code Likely").

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month's top priority bulletins:


I would also encourage you to attend our public webcast tomorrow where we will go into detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager - Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

February 2010 Bulletin Release Advance Notification (02/04/2010)

Today we released February bulletin information through our Advance Notification Service (ANS). This month, we will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office. More information about the upcoming security updates can be found on the Advance Notification Service (ANS) webpage.

As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.

To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:

Version                  Critical   Important   Moderate   Low   Total
Windows 2000                5          3           1        0      9
Windows XP                  5          2           1        0      8
Windows Server 2003         4          3           2        0      9
Windows Vista               3          3           0        0      6
Windows Server 2008         3          4           0        1      8
Windows 7                   3          2           0        0      5
Windows Server 2008 R2      3          1           0        1      5

The Office-related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office, so customers on Office 2007 or Office 2008 for Mac will have no actions this month.

We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.

I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:

· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of Windows older than Vista in their default configuration, and there is a "Fix It" available so customers in non-default configurations can protect themselves.

· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.

· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.

We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.

Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products ends as, once it does, we will no longer provide security updates:

Finally, please plan to join Adrian Stone and me next week for our regular live webcast where we will go into detail on each bulletin to give you even more information and guidance:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration:
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope to see you there!

Jerry Bryant
Sr. Security Communications Manager - Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*


Security Advisory 980088 Released (02/03/2010)

Hi everyone,

Today we released Security Advisory 980088 to address a publicly disclosed vulnerability in Internet Explorer that may allow Information Disclosure for customers running on Windows XP or who have disabled Internet Explorer Protected Mode. At this time we are not aware of any attacks seeking to use the vulnerability.

Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue. Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems.

We are working to produce an update for this vulnerability and when that is complete, we will take appropriate action to protect customers, which may include releasing an update out-of-band. As with any update, we have to balance overall quality and ensure application compatibility before we release it.

Microsoft is also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

We continue to encourage customers to upgrade to Internet Explorer 8 to benefit from the increased protections provided in the newer version. In addition, customers should continue to follow our "Protect Your Computer" guidance at http://www.microsoft.com/protect.

Thanks!

Jerry Bryant
Sr. Security Communications Manager - Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

January 2010 Out-of-Band Security Bulletin Webcast (01/22/2010)

Hello everyone,

Yesterday Adrian Stone from the Microsoft Security Response Center (MSRC) and I hosted a live webcast to discuss Security Bulletin MS10-002 and Security Advisory 979682 in more detail with customers.

Below is the video of that presentation and you can find the question & answer transcript here. We spent over an hour answering customer questions during the webcast. They were all good. Below the video, I am including a set of links to resources we referred to during the presentation.

Thanks to all who attended!

Get Microsoft Silverlight More listening and viewing options:

Resources:

Blogs

Bulletins, Advisories, Notifications & Newsletters

Security Centers

Other Resources

Jerry Bryant
Senior Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Bulletin MS10-002 Released (01/21/2010)

Hello,

Today we released Security Bulletin MS10-002 out-of-band to address vulnerabilities in Internet Explorer. All customers using currently supported versions of Windows and Internet Explorer should apply this update as soon as possible. Once applied, customers are protected against the known attacks that have been widely publicized. For customers using automatic updates, this update will automatically be applied once it is released.

I also wanted to clarify some information that we included in our update to Security Advisory 979352 yesterday. We let customers know that there are other applications that may use mshtml.dll as a rendering engine and if those applications allow active scripting, they can be used as an attack vector. Customers who install today's update are NOT vulnerable and are protected from all known attack vectors. These applications are NOT vulnerable and no security updates are needed for them. Installing today's Internet Explorer update addresses the vulnerability across all applications.

As we noted in our blog post yesterday, this Internet Explorer security update was already planned for release in February. When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.

For a detailed review of today's bulletin, please join Adrian Stone and me today for a live webcast where we will try to answer your questions in real time. Registration information:

Date: Thursday Jan 21
Time: 1:00 p.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

Hope to see you there!

Jerry Bryant


*This posting is provided "AS IS" with no warranties, and confers no rights.*

A VC (03/09/10)

The Public Dashboard (03/09/2010)

I really like how Tumblr publishes some key stats publicly every month in their own stylized dashboard. I also like the way they foreshadow upcoming product features: As the old saying goes, a picture is worth a thousand words. Related...

Accounting (03/08/2010)

I'm making up the curriculum for MBA Mondays on the fly. The end game is to lay out how to look at a business, value it, and invest in it. We started with the time value of money and interest rates,...

Candid Camera (03/07/2010)

A couple weeks ago I went down to Miami for Future of Web Apps (FOWA). It was a great event and I highly recommend it to web developers and entrepreneurs. I did a keynote talk and the next day I...

Monopolies, Retransmission Fees, and Screwing Customers (03/06/2010)

There's been a battle going on between the "broadcast" TV networks and the cable networks over something called "retransmission fees." Cable networks have traditionally paid for "cable network programming" but not "over the air programming." But that is changing and...

InSITE Talk (03/05/2010)

InSITE is a group of business and law school students from Columbia and NYU who provide free consulting services to startup companies. I'm a big fan of InSITE for a bunch of reasons but particularly because it is one of...

Feld Thoughts (03/10/10)

The New Dork (03/10/2010)

Amazon Fires Its Affiliates in Colorado (Including Me) Because of Colorado HB 10-1193 (03/08/2010)

Colorado Conservation Voters (03/08/2010)

Help Bring Google Fiber 1Gbps Network to Boulder (03/08/2010)

Silicon Flatirons Conference: The Role of Place: Entrepreneurial Immigration, Iteration, and Innovation (03/07/2010)

Are Apple's Competitors Stealing Its Patented Inventions? (03/04/2010)

The Doubly-Linked List Appears to Have Been Patented (03/03/2010)

Sawyer Opines on the Eastern District of Texas (03/03/2010)

Software Beats Network In My Book (03/02/2010)

The Proliferation of Standardized Seed Financing Documents (03/01/2010)

New Orleans Rock 'n' Roll Mardi Gras Marathon (03/01/2010)

Do You Know The Difference Between A Browser and a Search Engine? (02/27/2010)

Senator Lugar on CNBC Discussing the Startup Visa Act (02/26/2010)

Startup Visa Twitter Widget (02/25/2010)

Great Pogoplug Review in the WSJ (02/24/2010)

The Security Skeptic (03/24/08)

Antivirus checking and *aggressive* positives

Antivirus programs vary in effectiveness, and "how good is my AV protection" has less to do with whether you are using free or commercial ware and more to do with how frequently you update virus signatures and how aggressively you set the virus inspection. Certain antivirus software offers an advanced feature that allows you to specify the level of detection, and at higher levels you should expect some false positives, i.e., some files that are not viruses may appear enough like a virus to be flagged as one, even if the file is perfectly benign. Let's consider an example...

The Privacy Toolbox

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy,

Must read on "net neutrality"

Susan Crawford, a visiting associate professor at Yale Law School, was recently asked to give testimony to the U.S. House of Representatives' Committee on the Judiciary, Task Force on Competition Policy and Antitrust Laws. The subject of the hearing was, broadly, net neutrality and free speech on the Internet, or specifically, whether Internet access network providers should be allowed to discriminate based on the origin and content of traffic they transport. In her testimony, Susan speaks to three issues that form the bases of the net neutrality issue...

Hype-cycle management

Users have a longer "product" life cycle to manage than vendors, one that includes hype cycle management. The hype cycle begins before a product announcement. Hype that sparks the cycle takes many forms: new standards and regulations, demonstrations of prototypes at trade shows, trade pub and street talk. Soon, *THIS NEW THING* is widely heralded as the most disruptive technology since, well, the last most disruptive technology. Consider this tale of two C*Os and their experiences with the iPhone...

Interviewed by darkREADING

Senior editor Kelly Jackson Higgins interviews me, Rod Rasmussen (Internet Identity) and Joe Nazario (Arbor Networks) on the potential impact ICANN SSAC's Advisory, Fast Flux Hosting and DNS, could have in shaping future countermeasures to fast flux attacks.

The truth is out there...

WebProNews reporter Jason Lee Miller does an admirable job of characterizing the debate over the existence or non-existence of domain name front running in his article, Domain Frontrunning: A Ghost In The Machine. I like this guy...

Quad A resource records in the root: if you want the full nine yards...

In BlogID 671, I mention that a simple NS query on any root name server will confirm that IANA has included IPv6 addresses of 6 authoritative root name servers in the hints and root zone files. The simple "dig" example I gave will only return as many complete resource records as the root name server can fit into an RFC 1035 compliant, UDP-encapsulated DNS response. If you want to see all the resource records for all the root name servers...

IPv6 addresses for the root name servers

IANA has implemented the recommendations of ICANN's Security and Stability Advisory Committee (SAC 018) by adding AAAA records for six of the thirteen listed authorities for the root zone.

The IPv6 bandwagon: empty and unprotected

Who is Cary Duffy Marsan and why is she so interested in IPv6 when (apparently) few others are? Cary Duffy Marsan is Senior Editor, Enterprise Applications for Network World magazine. Why she is interested in IPv6 is a mystery, but she has done some "responsible journalism" by publishing a series of articles on IPv4 address exhaustion (February 2008) and transition (switching) to IPv6 (December 2007)...

Domain Name Front Running Report

ICANN's SSAC has published the results of its study and analysis of domain name front running. The report (SAC 024) reviews 120 claims submitted by Internet users following an Advisory SSAC issued in October 2007 where the committee defined domain name front running and identified the many ways one could (theoretically) obtain information about an Internet user's interest in a domain name and use that information to preemptively register the domain.

Fast flux hosting and DNS

My SSAC committee's Advisory on Fast Flux Hosting and DNS is now available. The SSAC Advisory describes variations of fast flux hosting, identifies current measures to detect and combat fast flux, and offers additional measures...

Internet outage in Egypt

Imagine my amazement when I received a call from a reporter asking for an interview regarding the Internet disruption in Egypt from the New Jersey Star Ledger. In addition to discussing how businesses should react to disruptions of this sort (calmly, they are rare and recoverable events, largely due to the fact that *survivability* was one of the most important, original design objectives for the Internet), I wandered off topic with staff writer Kelly Heyboer about the role her newspaper played in my high school days.

SANS Internet Storm Center, InfoCON: green (03/10/10)

Infocon: green

What's My Firewall Telling Me? (Part 4), (Wed, Mar 10th) (03/09/2010)

There's been a lot of discussion about the recent stories on parsing firewall logs - Mar ...(more)...

Microsoft Security Advisory 981374 - Remote Code Execution Vulnerability for IE6 and IE7, (Wed, Mar 10th) (03/09/2010)

Several readers have pointed us towards this advisory. This Microsoft advisory outlines a vuln ...(more)...

March 2010 - Microsoft Patch Tuesday Diary, (Tue, Mar 9th) (03/09/2010)

Overview of the March 2010 Microsoft Patches and their status. ...(more)...

Samurai WTF 0.8, (Mon, Mar 8th) (03/09/2010)

A new version of the Samurai WTF (Web Testing Framework) distribution, version 0.8, has been r ...(more)...

Vodafone Android Phone: Complete with Mariposa Malware, (Tue, Mar 9th) (03/09/2010)

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafon ...(more)...

Energizer Malware, (Tue, Mar 9th) (03/09/2010)

We received several emails today about the US-CERT analysis of Trojan horse software found in a ...(more)...

SEO poisoning on TV show, (Mon, Mar 8th) (03/08/2010)

An ISC reader, thanks Paul, notified us about a new SEO (Search Engine Optimization) ...(more)...

Microsoft announced two important bulletins (fixing multiple vulns. affecting Windows and Office) for tomorrow: http://www.microsoft.com/technet/security/Bulletin/MS10-mar.mspx, (Mon, Mar 8th) (03/08/2010)

...(more)...
