
January 2006 Archives

Cisco VPN 3000 DoS Vulnerability - NOT FIXED

I just received word from an authoritative source on this vulnerability (actually the person who found it) and was informed that version 4.7.2B does not fix the DoS vulnerability. The only way to mitigate the risk is to block TCP port 80 on your concentrator (or on the upstream router/firewall); otherwise an attacker could send a stream of packets that takes out the concentrator and forces you to power cycle the box to get it back. Ouch.

Full Article

Thank you to Eldon Sprickerhoff for pointing this out.

PaulDotCom Security Weekly - Episode 12 - Jan 27 2006

We didn't think that this episode would ever make it to post-production (two dropped Skype calls, and the primary and secondary recording devices failed. Good thing we were recording video, which we had problems with too). I think this episode has officially been cursed by ninjas, so listen at your own risk!

Hosts: Larry Pesce, Paul Asadoorian, "The Mason"
Email: psw@pauldotcom.com

Direct Audio Download (It works now, sorry for the inconvenience, damn Ninjas...)
Direct Video Download (New!)

(Bandwidth provided by OSHEAN, They have super-ninja powers)

Video Feeds: Direct Video Download

Audio Feeds: Direct Audio Download

PaulDotCom Security Weekly - Episode 11 - Video Version

For your viewing pleasure we have released the video version of Episode 11. We are still experimenting with the video and tweaking the process. We'd like your feedback so we know what works best for everyone with respect to video. So, what format should we offer the video in? Right now we are targeting the video iPod, so it's "H.264, 320 x 240, Millions AAC, Stereo (L R), 32.000 kHz". Also, should we include the video in the RSS feed? Should we have a separate feed for video?

Drop us a line at , and let us know what you think!

Direct Download Link

Still Using WEP, or Are You?

"ThinkSECURE has discovered that certain well-known wireless chipsets, using vulnerable drivers under the Windows XP operating system and when configured to use WEP with Open Authentication, can be tricked by a 802.11-based wireless client adapter operating in master mode ("the attacker") to discard the WEP settings and negotiate a post-association connection with the attacker in the clear."

I'd like to start by saying that this attack is not known to work against WPA or WPA2 (802.11i) protected networks. So, if you are still using WEP, it's time to implement WPA. Of course, this may mean that you need a hardware upgrade. The cost of wireless gear has dropped dramatically. You can get a completely new wireless setup at home for cheap:

Linksys WRT54G, $39.00 from buy.com
Linksys WPC54G PCMCIA 802.11G wireless adapter, $39.00 from buy.com

The above two items also ship free, so for $80.00 you can get an entirely new wireless setup. Not bad.

Full Article

Original Advisory

Podcast Feed Update

I noticed not too long ago that iPodderx had gone away, so I have since removed it from the list of podcast aggregation services. It was sued by Apple and forced to change the name of its application. If it comes back, I will add it again because it was supposed to be a really good application.

I tested out another podcast aggregator called Juice, which hogged some serious resources on my laptop. It also was not very user friendly, didn't make it easy to find podcasts, etc... I have removed it from my system.

If anyone knows of or uses a podcast aggregation client or service and likes it, drop me a line at paul /at/ pauldotcom.com

PaulDotCom Security Weekly - Episode 11 - Jan 20, 2006

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Download Link

(Bandwidth provided by OSHEAN, they got big pipes)

We are proud to bring you our exclusive interview with Richard Bejtlich, owner and operator of the Tao Security Blog, independent consultant, and author of Extrusion Detection.

Richard talks with us about:

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Download Link

(Bandwidth provided by OSHEAN, They rank up there with FreeBSD)

Windows Wireless Vulnerabilities & Attack Tools

At the recent Shmoocon security conference there was a presentation by "Simple Nomad" titled "Hacking the Friendly Skies" that described attack methods against the Windows wireless configuration service (a.k.a. Wireless Zero Configuration). There has been much debate about whether these attacks are new or not, and there appear to be some duplicate efforts in this space. To my knowledge, there are three different tools/methods that take advantage of the way Wireless Zero Configuration works:

1) Hotspotter - This tool takes advantage of a flaw, fixed in Windows XP Service Pack 1, where a client that has an EAP/TLS connection to an SSID will connect to that same SSID with no encryption if there is a profile configured for "ANY" wireless network. Hotspotter also goes beyond this flaw and hijacks a user's wireless connection. When a Windows system is disconnected from the wireless network it begins to probe for the networks in its preferred networks list, allowing an attacker to listen for all the SSIDs the client is trying to connect to. With that information the attacker can then become an AP advertising one of the SSIDs in the client's list, and disconnect the client from the real AP with spoofed disassociation packets. When the client reconnects it will be connected to the attacker's network, where the attacker can provide the client with DNS and DHCP and take it from there with their evil doings.

2) Karma - This toolset improves upon the technique described above by allowing the attacker to respond to any probe request. Using a modified Linux MadWiFi driver it is able to own the air and force the client to connect to the attacker regardless of the SSID. There are a few other enhancements and differences in the way Karma implements the attack as well. For example, if Windows cannot connect to one of its preferred networks it attempts to connect to a 32-character random SSID, which Karma will respond to. Karma also contains some built-in tools, including DNS, DHCP, and HTTP servers, making it easier to attack the client.

3) The "Simple Nomad" Method - This method takes advantage of the way Windows handles ad-hoc wireless networks. Once a Windows client associates to an ad-hoc network it will create that network itself upon the next boot if no other clients are in range, effectively becoming an access point. So, if you were to advertise an ad-hoc network called "linksys", a user would associate to you, and the next time they fired up their laptop they would be an AP with the SSID linksys. All of these networks use the 169.254.0.0/16 address space and have that creepy worm-like effect.

UPDATE: One of the authors of Karma has made a posting to Bugtraq that describes how Karma works and the differences between it and Simple Nomad's research. He went into more detail about Mac OS X, and how it is vulnerable to the attack scenario that Karma implements. I plan to do some testing.

Protecting Yourself:

  • Disable your wireless card when not in use (easier said than done, however this has the added benefit of improving battery life)
  • Use another wireless configuration manager, such as the one that came with your wireless card. Sometimes these are good, sometimes they really stink. The Intel clients tend to be the good ones.
  • Simple Nomad describes how to prevent your wireless card from connecting to ad-hoc networks
  • Karma relies on the fact that you may have unprotected wireless networks in your preferred networks list, so be diligent about removing them when you are done
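To make the defensive side of this concrete, here is an added example (not code from this post, nor from Hotspotter or Karma) that takes a list of probe request and probe response summaries from a monitor-mode capture and flags the two things a wireless IDS would watch for given the behaviour described above: a client broadcasting its whole preferred network list, and a single BSSID that answers probes for every SSID it hears, including the 32-character random SSID Windows falls back to. The frame summaries, MAC addresses and SSIDs are constructed for the example; the capture parsing that would produce them is assumed and not included.

```python
"""Detection logic for the Wireless Zero Configuration attacks described above.
Added example, not code from the post or from Hotspotter/Karma. The frame
summaries below are constructed; a real deployment would feed them from a
monitor-mode capture."""
from collections import defaultdict

# Constructed sample: (frame_kind, transmitter_mac, ssid). "probe_req" frames are
# sent by clients, "probe_resp" frames by (real or rogue) access points.
SAMPLE_FRAMES = [
    ("probe_req", "00:11:22:33:44:55", "linksys"),
    ("probe_req", "00:11:22:33:44:55", "CorpWiFi"),
    ("probe_req", "00:11:22:33:44:55", "tmobile"),
    ("probe_req", "00:11:22:33:44:55", "linksys"),          # repeats are normal
    ("probe_req", "00:11:22:33:44:55", "Xk9qLm2pRt7vWz4bNc8dFg1hJy5sUe3a"),  # 32-char fallback SSID
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "linksys"),         # one BSSID answering everything
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "CorpWiFi"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "tmobile"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "Xk9qLm2pRt7vWz4bNc8dFg1hJy5sUe3a"),
    ("probe_resp", "12:34:56:78:9a:bc", "CorpWiFi"),        # the legitimate corporate AP
]


def looks_like_wzc_fallback_ssid(ssid: str) -> bool:
    """Heuristic for the 32-character random SSID Windows probes for when no
    preferred network answers: exactly 32 alphanumeric chars, mixed case, with digits."""
    if len(ssid) != 32 or not ssid.isalnum():
        return False
    return (any(c.isdigit() for c in ssid) and any(c.islower() for c in ssid)
            and any(c.isupper() for c in ssid))


def leaked_preferred_networks(frames):
    """Map each probing client to the distinct SSIDs it asked for, in first-seen order.
    This is exactly the list an attacker passively learns from the client."""
    seen = defaultdict(list)
    for kind, mac, ssid in frames:
        if kind == "probe_req" and ssid not in seen[mac]:
            seen[mac].append(ssid)
    return dict(seen)


def ssids_per_responder(frames):
    """Map each responding BSSID to the set of SSIDs it has claimed to serve."""
    claimed = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_resp":
            claimed[mac].add(ssid)
    return dict(claimed)


def find_promiscuous_responders(frames, threshold=3):
    """A real AP answers for the one or few SSIDs it serves. A BSSID that answers
    `threshold` or more distinct SSIDs, or that answers the random fallback SSID
    (which no real network uses), behaves like Karma."""
    flagged = []
    for bssid, ssids in ssids_per_responder(frames).items():
        if len(ssids) >= threshold or any(looks_like_wzc_fallback_ssid(s) for s in ssids):
            flagged.append(bssid)
    return sorted(flagged)


def report(frames):
    """Summarise what the capture reveals, as a dict for further processing."""
    return {
        "leaking_clients": leaked_preferred_networks(frames),
        "karma_like_bssids": find_promiscuous_responders(frames),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

The `threshold` of three distinct SSIDs per BSSID is a starting point; raise it in environments where one radio legitimately answers for several SSIDs. The fallback-SSID check is the stronger signal, since an access point that answers a probe for a random 32-character name cannot be serving a configured network. The `leaking_clients` output is the list you would hand to users as the "preferred networks to remove" item from the protection list above.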


PaulDotCom Security Weekly - Episode 10 - Jan 13, 2006

We had some audio problems on this one; of course I went home and figured out what the problems were. In any case, we are continually improving, so please bear with us. This week's show notes (Thanks Andy!):

Hosts: Larry Pesce, Paul Asadoorian, "The Mason"
Email: psw@pauldotcom.com

Direct Download Link

(Bandwidth provided by OSHEAN, They don't smoke crack)

PaulDotCom Security Weekly - Special Edition - Schmoocon Update

Well, we are well on our way to getting this whole Skype thing figured out. Our official Shmoocon correspondent Nick gives us the scoop on the Shmoocon conference. Topics include:

  • Paul forgets Larry's introduction (Doh!)
  • Our behind the scenes guy Nick DePetrillo is at Shmoocon
  • Mike Lynn, and his lawyer Jennifer Granick make an appearance
  • Fyodor releases a new version of nmap 3.98-shmoo with realtime user feedback and corrupt TCP checksum tests. It does not appear to be on the website yet.
  • Cisco 0-day: ARP flood against Cisco Access Points, as discussed in our last episode
  • Release of all presentation videos for free
  • Church of WiFi, Renderman presents "hotspotting"
  • DVD of presentations - quality is excellent!
  • Shmoocon attendees enjoy harassing Amway conference attendees (Note: It is only the opinion of the broadcasters that Amway may be a "pyramid scheme". Please form your own opinions regarding their business practices)
  • Lots of VoIP hacking, custom Asterisk installations
  • Look for Paul's t-shirt "Bow to My Firewall!"
  • NSA Wiretaps with Jennifer Granick
  • Be sure to check out the online content when it is available. We'll be sure to let you know when it is available.
  • Thanks Nick!

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Download Link

(Bandwidth provided by OSHEAN, We bow to them)

Top Five Tips To Prevent Malware

SANS has been kind enough to post a paper that I wrote, targeted at the end-user, titled "Top Five Tips to Prevent Malware". I believe it is important to break it down for the end-user into short tips that they can act on, which are:

1) Don't use Internet Explorer For General Web Browsing
2) Run as a non-privileged user
3) Run an Anti-Virus program
4) Use Anti-Spyware tools
5) Patch and upgrade your system often

This paper is a good read for those who do not have total control over the desktop machines in their environment and want something to send to their users, who have users that use their home machine to VPN into the office, or who want to send it to friends and family to help keep them from unknowingly participating in botnets.

You can find the paper in the SANS Reading Room in the Special Topics section:

http://www.sans.org/rr/special/index.php?id=preventmalware

As always, feel free to send me your comments/feedback (paul /at/ pauldotcom.com)

WMF "Vulnerability" was really a backdoor?

From the Security Now! podcast:

Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error". It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor". We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

UPDATE: Well, this explains it: http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx. I can't wait to hear Steve's response...

UPDATE: Okay, so the people who write exploits for a living have basically said Steve is flat out wrong. I believe they are correct because:

1) The people who write exploits for a living would have seen this first and called out Microsoft long before Steve Gibson decided to write his "KnockKnock.exe" tool (I swear his tools are named by a 4th grader)
2) As others have pointed out, if Microsoft really wanted to build a backdoor into Windows they would have used encryption so that no one would know about it or be able to use it.

Come listen to PaulDotCom Security Weekly, where we don't make false accusations... Oh, and we're now sponsored by SANS, so you get discounted training, from real security experts :)

Is this really true? Is there no possible way that this was a bug or useful feature? Steve is essentially saying, well, yes. He states that there is no legitimate purpose for SETABORTPROC to be accessible from a WMF file. Printing, yes; WMF files, no. He also states that he has to lie about the length of the record in order to get his code to execute. I have not tested any of these exploits in depth; if anyone can confirm this claim, please drop me a line. This essentially means that Microsoft is guilty of putting a backdoor into Windows.... Would it be the first time? Would it be the last time? Of course, Microsoft claims it is actively looking for similar flaws. Guess what, so is everyone else...

Sennheiser PC 150 Headset - Excellent Deal

The Sennheiser PC 150 headset is supposed to be a very high quality headset. It is an older model, replaced by the PC 160 (which I have on order).

I researched headsets thoroughly before I bought one, and Sennheiser got all good reviews. I also own a pair of regular Sennheiser headphones for the podcast which I love (and I actually wear 'em during the day at work too. CAUTION: When you wear noise canceling headphones at work, make certain you have a rear view mirror in your cube).

There was some debate about 1/8" jacks vs. USB. Mac users beware of USB headsets; they don't all work with OS X (like the ones from Sennheiser). I opted for the 1/8" jacks because in a pinch they can plug directly into the mixer for the podcast. I also plan to use them primarily for Skype calls and playing music at work. Oh yeah, if you've got a PowerBook or other Mac laptop, be certain to get an iMic2 and don't be a dumbass like me and try to plug a mic into the line-in port, because, well, it doesn't work :)

Order Sennheiser PC 150 from Newegg

Symantec provides hiding place for hackers

"A user feature in Norton SystemWorks could offer cybercriminals a place to hide malicious software--just like a rootkit."

"Feature" huh, that's what I used to call bugs when I was a full-time programmer. This "feature" is a hidden folder, but not just any hidden folder, one that conveniently gets skipped by a Symantec Norton Anti-Virus scan. Care to place bets on where attackers are hiding malware?

Full Article

Windows Embedded Font Heap Overflow Vulnerability

A vulnerability has been discovered in the way Windows displays Embedded OpenType fonts. Similar to the WMF exploit, a user simply has to view HTML in their browser or email client to trigger an exploit. There is a big (okay, huge) difference however: this is a heap overflow, which is far more difficult to exploit than the WMF vulnerability. It still poses a threat, and we will most likely see worms, bots, spyware, etc... take advantage of this vulnerability because the attack vector is easy to trigger.

You should:

  • Apply the patch from MS
  • View your email in plain text
  • Disable font downloads in Internet Explorer (more information here)

The vulnerability was discovered on July 31, 2005. We get a patch for it today, January 10, 2005. The Microsoft Honey Monkey Project uncovered exploits for vulnerabilities that Microsoft knew about and was patching, but didn't think the public knew about. Does this one fall in the same category? It is quite feasible that evil people have been using this exploit for some time without our knowledge. Microsoft has to be able to produce a patch quicker than 163 days; that's far too long for us to be standing here with our pants down. Meanwhile attackers sit around and laugh at us from behind their Happy Hacking keyboards, collecting people's personal information like credit cards, bank account numbers, and passwords.

(Okay, so maybe attackers don't use the Happy Hacking keyboard, but it sounded good :)

Full Microsoft Bulletin
EEye Advisory
Internet Storm Center Posting

WMF Reloaded

|
Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the 'ExtCreateRegion' and 'ExtEscape' functions. These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data. Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well.

Well, it is quite possible that we could see yet another rash of WMF exploitation. I believe that it is going to take time before we fully understand all of the different attack vectors and how to defend against them. Then of course there is the whole Win 9x/ME problem, which doesn't seem to be a problem, yet...


SecurityFocus BID
Bugtraq Posting
ISC Posting

.com

Good News After a Long Week: Fearless

|

[This is a rare off-topic post to take a break from tech stuff, which I figured many of us could use right now :)]

After a long week of reading about WMF, incident response meetings, blogging, podcasting, and just finishing removing a handful of infected hosts from the network I have some good news, especially if you like Kung Fu movies and/or Jet Li.

Jet Li is promoting his new movie called "Fearless" (well, that's the Hollywood title). He plays a very famous martial arts master from Chinese history called "Fok Yun Gap" (AKA, Huo Yuanjia), the founder of the Jing Wu martial arts schools.

There have been three other martial arts movies surrounding this story, "Fist Of Legend" starring Jet Li, "Fist of Fury" starring Bruce Lee, and "Legend Of A Fighter". The difference is that this time Jet Li plays the master...

I believe this will be the hottest Kung Fu movie to hit the screen in a long time (and I watch a lot of Kung Fu movies). It's got all the right stuff: the best action choreographer ever, Yuen Wo Ping ("The Matrix" series, "Kill Bill" series, and countless other martial arts classics), a great director, Ronny Yu ("The Bride With White Hair"), and co-stars Michelle Yeoh (from "Crouching Tiger, Hidden Dragon") and Collin Chou (remember the fight scene in "The Matrix Reloaded" between Neo and the Oracle's bodyguard on the tables? Yeah, that's him).

Fearless movie web site (Check out the trailer!)

Fearless opens in Hong Kong on January 26th.

Full Article

.grasshopper

PaulDotCom Security Weekly - Episode 9 - Jan 5, 2006

|

Larry and I talk about:

- Blackberry vulnerabilities, users and servers are at risk
- Beer podcast, party foul - Larry's beer is empty
- Tape runs out on video, so no video this time. Check out the Christmas video in the mean time
- Larry's blog takes on a new format
- The anti-spyware conspiracy. Check out Ad-Aware and Microsoft AntiSpyware. For advanced users, try RootkitRevealer and HijackThis
- Centralized antispyware tools? The market looks thin. Web filtering/proxy instead via blacklists.
- AIX Heap Overflow introduction by David Litchfield
- Security news flooded with Microsoft WMF Patch release. Patch your machines NOW!
- Feeding the dog (Rocco the pug) peanut butter
- A follow up to fwknop: webknock. Remote access through monitoring Apache logfiles.
- What's coming: Interviews? Sponsors?

I think this is our best sounding podcast yet, but we'll let you be the judge. Send us some feedback!

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Download Link

(Bandwidth provided by OSHEAN, they got funk, and they got style)

PaulDotCom - WMF Summary Podcast - Jan 5, 2006

|

Even with a patch in general circulation, there are still many aspects of this vulnerability that we felt deserved some special attention. We cover the full details of the vulnerability, remediation steps, the unofficial patch, and more!

I wanted to provide some updated information about IDS and WMF. The latest Snort signatures do detect the WMF exploit (more specifically the Escape() function call) and are provided by the Bleeding Snort folks. The latest rules can be found here.

There are known false positives associated with these rules and they do not detect attacks that have been gzipped. (Thank you Frank Knobbe)

For more information, check out our WMF related blog postings:

The WMF Patch Has Landed
Beating Microsoft to the punch: Ilfak Guilfanov Interview
How Bad is WMF
WMF Vulnerability & Exploits: Just The Facts


Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Audio Direct Download Link

(Bandwidth provided by OSHEAN, they're good, like early release patches)

The WMF Patch Has Landed

|

Microsoft has made the smart decision and released the patch:

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Of course people still need to apply it (I was able to run Windows Update and get it installed without a problem). I am curious if this is going to cause the same printer problems as the unofficial patch.

So it's official, the official patch has been released. You need to uninstall the unofficial patch to install the official patch, officially. :)

.com

Beating Microsoft to the punch: Ilfak Guilfanov Interview

|

Ilfak Guilfanov is far from a household name.

But that may soon change as the Russian software developer's unauthorized Microsoft security patch is increasingly installed onto computers worldwide.

My favorite part:

Did you have contact with Microsoft prior to publishing the unofficial patch?

Guilfanov: No.

Did you install the unofficial patch? My take is that it is probably the same amount of risk as installing a Microsoft patch so why not be protected in the mean time.

Full Article

.com

How Bad is WMF

|

There has been a flood of information about the WMF vulnerability and associated exploits. We plan to record a special 10-15 minute podcast episode dedicated to WMF tonight. Right now, here are some facts to present to management and help further assess the situation:

  • According to ISC, there was a trojan being installed via WMF that hit a web page to increment a counter. Last count, 200,000.
  • The latest SANS polls indicate that organizations are in fact seeing attacks that use the WMF vulnerability
  • F-Secure has found evidence of attackers using the flaw to infect machines and tell them to send SPAM. The link in the SPAM message contains a WMF exploit that installs a bot, instructing the computer to partake in a botnet. More information here.
  • WebSense has released an alert which shows you what some of the WMF images look like on various web sites. They state that there are two types of attacks: one where users are lured to an evil web site, and one where an attacker compromises an existing web site and slips in a WMF image with exploit code.

.com

WMF Vulnerability & Exploits: Just The Facts

| | Comments (1)

Just getting back into the swing of things and reading all I can about the WMF vulnerability and exploits. I've summarized everything (I think) we know so far, if I'm missing anything please drop me a note (paul /at/ pauldotcom.com):

Update - 01/06/2006 - Added the official patch section, corrected the IDS statements, added the "other unofficial" patch info (use with extreme caution).

The Vulnerability

  • Systems running most versions of Windows are vulnerable (Windows 95/98/ME/XP, XP-64, 2000, 2003)
  • Researchers have been testing older versions of Windows, more information here
  • Any application that displays, renders, or indexes a WMF file can be an attack vector
  • Repeat, applications such as Google desktop that index files are a valid attack vector
  • WMF files are images, so any way that a graphics file can get on your system is a potential threat (email, web, P2P, IM, etc..)
  • Windows DEP (Data Execution Prevention) does nothing to stop the exploit from running on most systems, even when set to cover all programs
  • If you run Windows 95/98/ME you are vulnerable, no fixes, no patches, no workarounds
  • You can call Microsoft and try to get help at 1-866-PC-SAFETY

The Exploit

  • Metasploit has included exploits in the framework
  • People criticized them for this. Some people just don't get it, releasing the exploit is important for us to understand how it works
  • FrSirt has published two exploits. You can find them here and here
  • A worm that uses MSN Messenger has been reported in the wild

The Remediation

  • Unregistering SHIMGVW.DLL does little to prevent exploitation, and can easily be re-registered by attackers
  • Unregistering the SHIMGVW.DLL also breaks thumbnails in explorer and other similar functionality
  • IDS/IPS signatures that rely on payload do little to detect the WMF vulnerability
  • Accurate Snort Sigs from Bleeding Snort that detect the WMFHEADER and Escape() function can be found here
  • The Snort sigs will not detect attacks that are gzipped and have some known false positives
  • Filtering by extension does not protect you, because Windows processes WMF files based on the embedded header flags, not just the extension
  • Virus checkers offer some protection, but it is naive to assume that they will be able to keep up with all the different malware variants (74 known at last count)
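
The Snort caveats in the WMF Summary post above (the rules key on the Escape() call and miss gzipped payloads) and the remediation bullets here (Windows goes by the embedded header, not the extension) both point at the same practical need: a filter that parses the file itself. The following Python is an added example written for this page, not code from the posts, from Bleeding Snort or from Microsoft. The record layout and constants it relies on (4-byte record size in words plus 2-byte function number, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009, placeable-header key 0x9AC6CDD7) are taken from the WMF file format rather than from anything on this page, and every sample file it scans is constructed inline.

```python
"""Header-based WMF scanner for the abused Escape()/SetAbortProc record.

Added example, not code from the original posts or from Bleeding Snort.
Assumed from the WMF file format (not stated on the page): records are a
4-byte size in 16-bit words followed by a 2-byte function number;
META_ESCAPE is 0x0626, its SETABORTPROC sub-function is 0x0009, and the
placeable-header magic is 0x9AC6CDD7.  All sample bytes are constructed here.
"""
import gzip
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function the WMF exploit relies on
GZIP_MAGIC = b"\x1f\x8b"
HEADER_LEN = 18              # standard META_HEADER size in bytes


def unwrap(data: bytes) -> bytes:
    """Gunzip transparently: the Snort rules miss gzipped payloads, so look inside."""
    return gzip.decompress(data) if data[:2] == GZIP_MAGIC else data


def wmf_body(data: bytes):
    """Return the metafile after any placeable header, or None if the bytes are
    not a WMF.  Decided purely by header fields, never by file extension."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        data = data[22:]
    if len(data) < HEADER_LEN:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
    if ftype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return data


def records(body: bytes):
    """Yield (offset, function, params) per record; raise on structural damage."""
    off = HEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            raise ValueError(f"record at {off} claims {size} bytes, {len(body) - off} left")
        yield off, func, body[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("metafile ends without META_EOF")


def scan(data: bytes) -> list:
    """Offsets (within the standard metafile) of META_ESCAPE/SETABORTPROC records.
    Returns [] for clean metafiles and for input that is not a WMF at all."""
    body = wmf_body(unwrap(data))
    if body is None:
        return []
    hits = []
    for off, func, params in records(body):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def build_wmf(recs) -> bytes:
    """Assemble a minimal standard WMF from (function, params) pairs; EOF is appended."""
    out, max_words = bytearray(), 0
    for func, params in recs + [(META_EOF, b"")]:
        if len(params) % 2:
            params += b"\x00"           # records are word-aligned
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        out += struct.pack("<IH", words, func) + params
    total_words = (HEADER_LEN + len(out)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    return header + bytes(out)


# Constructed samples (not real captures): a harmless file, one carrying the
# SetAbortProc escape, the same one gzipped, and the same one behind a placeable header.
CLEAN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
ABORTPROC = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90"),
])
ABORTPROC_GZ = gzip.compress(ABORTPROC)
ABORTPROC_PLACEABLE = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 1000, 1000, 96, 0, 0) + ABORTPROC

if __name__ == "__main__":
    for name, blob in [("clean.wmf", CLEAN), ("evil.jpg", ABORTPROC),
                       ("evil.wmf.gz", ABORTPROC_GZ), ("placeable.wmf", ABORTPROC_PLACEABLE)]:
        print(f"{name:14} SetAbortProc escapes at {scan(blob)}")
```

On a real file call `scan(open(path, "rb").read())`. The extension is never consulted, gzip is unwrapped before parsing, and a record that claims more bytes than remain (or a stream with no META_EOF) raises instead of quietly passing, which is the failure mode you want in a mail or proxy filter. It does not try to judge whether an escape payload is malicious beyond the SetAbortProc sub-function, so treat a hit as "block and look", the same way you would treat a Bleeding Snort alert.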

The Unofficial Patch

The Official Patch

Resources

.com

WMF Exploit Fun & Happy 2006

|

Well, we are certainly starting off the new year in an exciting and scary way. In case you haven't come out from under your rock, there is a new zero-day exploit in the wild that affects all versions of Windows. FrSIRT lists two different exploits on their site. You can find them here and here.

All windows users should run the fix from Ilfak Guilfanov, located here. This version has been tested by the fine incident handlers from the SANS ISC.

More details to follow....

.com
