Security Adviser | Roger A. Grimes » November 2006

November 21, 2006 | Comments: (0)

Oracle security vs. MS-SQL

David Litchfield presents a compelling paper.

Microsoft SQL appears many times more secure than Oracle based on the number of announced exploits alone. The numbers are so startling that it's hard to say they don't mean something this time around.

Click here for David's report.

Posted by Roger Grimes on November 21, 2006 02:16 PM


November 20, 2006 | Comments: (0)

A new, unpatched Winzip 10.0 vulnerability

New buffer overflow in Winzip 10.0

New Winzip buffer overflow exploit announced on www.milw0rm.com in the form of proof of concept code.

Works on Winzip 10.0 (7245) and below. 7245 is the latest version. Winzip has not yet released a patch. It is unknown whether the exploit can be leveraged into complete remote control.

Posted by Roger Grimes on November 20, 2006 05:04 AM


November 19, 2006 | Comments: (0)

Update your wireless driver

Many wireless LAN/WAN card drivers have been proven exploitable over the last few months.

Vulnerabilities have been found in Windows, Mac, Linux, and other machines. In most cases, the exploits allow a remote attacker to compromise your computer wirelessly and take complete control.

Because it's hard to worm this type of exploit, I doubt that this type of attack will become ultra-popular. Still, if you are using an unpatched wireless driver, it means you are subject to exploitation and attack. And who wants to tell management that you knew of the attack, but didn't patch against it?

If you haven't verified that your wireless drivers are safe, spend the time now and find out. If you're in charge of a large enterprise, you've got a lot of work ahead of you.

I personally own a Dell 610 Latitude laptop. It contained one of the vulnerable wireless drivers, the BCMWL5.sys. I could not find the updated driver, which various Internet reading lists said was available, anywhere. Dell didn't have it in the Tech Support driver download section. Linksys, which I was told definitely had it, came up blank (their tech support was clueless to my request and said a search of their driver database came up empty), as did a search on Broadcom's web site.

Luckily, Dell responded to my email request within a day and sent me a link to the updated driver for many of their wireless card products, including: Dell Wireless 1350, 1370, 1450, 1390, 1490, 1500 series, and Dell TrueMobile 1300, 1400 series Mini Card, MiniPCI and PC Card devices (not USB).

Unfortunately, the downloadable file is 52 MB.

Kudos to Dell for responding to my email inquiry, although it would be great if it was available on the normal driver download page. Maybe it will be soon.

Either way, you can use the link above to update many of your Dell laptop wireless drivers.

And regardless of your wireless vendor or manufacturer, make sure the wireless drivers that you control and manage are not vulnerable.

Posted by Roger Grimes on November 19, 2006 08:47 AM


November 14, 2006 | Comments: (0)

Winzip 10.0 Patch released

Winzip has released a free patch to version 10.0 of their product for registered users.

I've been a registered user of Winzip for years. It's worth the money and provides many more features than the free versions of Winzip or Pkzip. (On a related note, I used to know Phil Katz, the creator of Pkzip (and what ultimately led to Winzip...but they are separate products now) back in the days before the Internet...the days of FIDONet and BBSs. Very interesting related story on employee intellectual rights I should share some day.)

Back to the patch. I received, at the same time, an email alert from FRSIRT telling me about the exploit, and a second email from Winzip Computing alerting me and offering the free patch. Kudos to Winzip for proactively contacting customers quickly. And kudos to the Zero Day Initiative team for finding the hole and following responsible disclosure.

This is the way it's supposed to work.

One other kudo to the Winzip folks. When you install Winzip, it prompts the user to set up a regular auto-update check schedule. You're allowed to disable it, but if you choose that option, it strongly cautions against it and explains the risk. Nice touch to a great product. Many other third-party products just don't take the time for the small touches.

[Also, I want to thank Winzip for alerting me and allowing me to opt out of the Google toolbar install crap. I'd prefer that the defaults were not to install in the first place, and to ask the user to add those options; instead of default enables...but I won't ding you tonight because of all the other offsetting good security practices you displayed today.]

Posted by Roger Grimes on November 14, 2006 07:18 PM


November 13, 2006 | Comments: (0)

Comments to my password contest column

Readers write in about my password contest column
--------------
From: Bacchu, Anjan
Sent: Friday, November 10, 2006 9:15 PM

Hi Roger,

Nice to know that your challenge was taken and [someone] succeed[ed].

"No one has cracked the two larger challenges as of press time, although I know there are several hundred computer teams -- one with over 1,000 computers --working on the challenges."

Sometime in the future, for those who cannot afford to have their own 1000 computer nodes OR use cracked machines on the 'net, the Amazon EC2 might be a good resort. Keep adding more machines till the problem is solved!

Can your 10 char password cracker tell you his methodology?
Thank you,
BR,
~A
-------------
Roger's reply:

Tony used Linux-based John the Ripper on two machines with a custom john.ini file.
-----------
Hi Roger,

Chunking is the key to a good password, in my humble opinion. String together a few obscure "chunks" of 4 to 7 characters, things like acronyms, numbers or misspelled words, and you can create devilish passwords that are not all that hard to remember. I routinely carry in my head at least four passwords of 16 characters or longer. I feel pretty safe from getting guessed.

MJH
------------

Posted by Roger Grimes on November 13, 2006 05:17 PM


November 11, 2006 | Comments: (0)

More information on MySpace exploit

In my previous blog entry I talked about the password exploit outcome of a recent MySpace phish attack. I neglected to mention links to related news stories.

Netcraft Link

Sandi MVP blog

The latest hack is only one in a growing series of related malicious hacks.

What's worse is that there doesn't appear to be an easy, quick fix to the hacking that's going on. MySpace allows regular end users to modify their home pages with HTML. That capability grants a lot of power and is difficult to secure against malicious use while still allowing legitimate content to run. I'm not a big MySpace user, but my advice to anyone is to avoid MySpace until they get their security act together.

My initial gut feeling is that, like a lot of vendors, MySpace is handing out functionality faster than they are thinking about security.

11/26/06 Update:
Another link to the exploit
http://www.caughq.org/advisories/CAU-2006-0001.txt

Posted by Roger Grimes on November 11, 2006 04:59 PM


November 11, 2006 | Comments: (0)

MySpace Password Analysis

Analyzing 34,000 real passwords

A massive MySpace phishing attack allowed hackers to recover over 100,000 MySpace user logon names and passwords. Unfortunately, the hackers saved their stolen password lists to publicly accessible web locations. For over a day, anyone could download thousands of user names and passwords.

I downloaded over 2 GB of files, and after cleaning up the dupes and trash, recovered over 34,000 real passwords. While the malicious hacking event is unfortunate, it allowed me (and other researchers) to do password symbol distribution analysis on a large number of accounts from a wide population of users. Here are the interesting results:

• As expected, English vowels are by far the most frequently occurring password symbols (E=48%, A=46%, I=34%, O=33%).

• Several other letters were high ranking (R=35%, S=32%, N=31%, L=28%, T=25%, C=21%, and M=21%).

• As expected, the letters Q (1%), X (3%), and Z (3%) were not that popular.

• Numbers were used in well over half the passwords. The number 1 appeared 45% of the time, followed by the numbers 2 (22%), 0 (16%), and 3 (15%). Numbers 4 to 9 appeared roughly 9-11%.

• As I've written many times, including in my last column, numbers are most often placed at the end of the password when used. For example, the number 1 only appeared 7% of the time as the first character when it was used, and only 15% of the time in the first four password characters.

• The ! (exclamation point) at almost 3% was the most commonly used non-alphanumeric character, followed by the . (period) at 1.6%.

• Almost 1% of the users had the word password as, or as part of, their password.

• Words, colors, years, names, sports, hobbies, and music groups were very popular.

• The color red was twice as likely as blue to be used.

• Sports names (e.g. golf, football, soccer, etc.) were as popular as professional sports teams and college team nicknames.
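The statistics above are the kind a defender can compute over any password list (for example, a hashed-and-cracked audit of your own directory) to see which patterns policy should discourage. The script below is an added example written for this post, not Roger Grimes's own analysis code; the password list in it is constructed for illustration and is not the leaked MySpace data. It reads the post's percentages as "share of passwords containing the symbol at least once" (an assumption about how the figures were derived) and reproduces the same measurements: per-symbol presence, where the digit 1 sits when it is used, non-alphanumeric frequency, and how often dictionary words such as "password", "red" and "blue" appear.

```python
"""Password symbol distribution analysis (added example, not the post's code).

Measurements mirror the MySpace post: symbol presence rates, digit placement,
non-alphanumeric frequency and dictionary-word rates.  Feed it the output of
your own password audit; the sample below is constructed, not real data.
"""
from collections import Counter

# Constructed sample passwords for illustration only (not leaked credentials).
SAMPLE_PASSWORDS = [
    "password1", "redsox1", "football", "jessica!", "blue22",
    "golf2006", "1love", "music.", "red1", "Pass1word",
]


def symbol_presence(passwords):
    """Fraction of passwords containing each symbol at least once (case-folded)."""
    counts = Counter()
    for pw in passwords:
        counts.update(set(pw.lower()))   # count each symbol once per password
    n = len(passwords)
    return {sym: c / n for sym, c in counts.items()}


def digit_positions(passwords, digit="1"):
    """Among passwords that use `digit`: how often it is the first character,
    and how often it appears anywhere in the first four characters."""
    containing = [pw for pw in passwords if digit in pw]
    if not containing:
        return {"first_char": 0.0, "in_first_four": 0.0}
    first = sum(1 for pw in containing if pw[0] == digit)
    first_four = sum(1 for pw in containing if digit in pw[:4])
    return {"first_char": first / len(containing),
            "in_first_four": first_four / len(containing)}


def non_alnum_frequency(passwords):
    """Presence rate of each non-alphanumeric symbol, most common first."""
    presence = symbol_presence(passwords)
    symbols = [(s, r) for s, r in presence.items() if not s.isalnum()]
    return sorted(symbols, key=lambda kv: -kv[1])


def word_rates(passwords, words):
    """Fraction of passwords containing each word as a substring (case-insensitive)."""
    lowered = [pw.lower() for pw in passwords]
    return {w: sum(1 for pw in lowered if w in pw) / len(passwords) for w in words}


def has_digit_rate(passwords):
    """Fraction of passwords that contain at least one digit."""
    return sum(1 for pw in passwords if any(c.isdigit() for c in pw)) / len(passwords)


def report(passwords, words=("password", "red", "blue")):
    """Summarise the list in the same shape as the post's bullet points."""
    presence = symbol_presence(passwords)
    letters = sorted(((s, r) for s, r in presence.items() if s.isalpha()),
                     key=lambda kv: -kv[1])
    return {
        "top_letters": letters[:5],
        "digit_rate": has_digit_rate(passwords),
        "digit_1_positions": digit_positions(passwords, "1"),
        "non_alnum": non_alnum_frequency(passwords),
        "words": word_rates(passwords, words),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Run it against a real audit list by replacing `SAMPLE_PASSWORDS` with one password per line read from a file; the presence rates, not raw counts, are what make lists of different sizes comparable, which is why each symbol is counted once per password rather than once per occurrence.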

I'll have more details about the attack and more findings in my next weekly InfoWorld security column due out this coming Friday.

Posted by Roger Grimes on November 11, 2006 04:33 PM


November 05, 2006 | Comments: (0)

To patch or not to patch? DHS chose wrong

Many, if not most, companies struggle with how quickly to install a critical patch. Patch too quickly and you risk breaking applications. Patch too slowly, and the malware gets you.

In this article, the Dept. of Homeland Security and the Border and Customs Patrol learned two weeks was too late.

Interesting read.

[Thanks to my friend Steve for the story and link]

Posted by Roger Grimes on November 5, 2006 04:54 PM


November 02, 2006 | Comments: (0)

Metasploit browser vulnerability detection evasion module

Hackers create browser vulnerability detection evasion module for Metasploit

I'm a little late in reading about this, but in case you haven't heard, H.D. Moore, LMH, and Aviv Raff are developing a plug-in module for the Metasploit Framework that will allow browser exploit code to be obscured and malformed to increase the difficulty of detection by static content-based scanners.

Here's an excellent article on it. It summarizes the basic evasion techniques used and is worth the read.

Posted by Roger Grimes on November 2, 2006 06:27 PM

