Vulnerability

Critical vulnerability opens electrical grids to attack

Paul Mah — Fri, 26 Sep 2008 09:59:52 -0400

A critical buffer overflow bug has been found in yet another computerized control system that is used to run vital national infrastructure, such as electrical grids. Researchers from specialist firm C4 discovered the vulnerability in ABB Group's Process Communication Unit 400 (PCU400), a system that runs in varying configurations within its SCADA system. SCADA stands for supervisory control and data acquisition, a category of software applications typically used for long-range communications in power plants, telecommunications and transportation, among other things. In the case of this flaw, an attacker can compromise the server, which runs PCU400 to insert a generic electric grid malware that will result to harm to the grid. While a patch has already been issued by ABB, this advisory comes amid mounting concerns over the security risks posed to such infrastructure by terrorists and saboteurs.

For more on this story:
- check out this The Register article

DNS flaws opens the door to an array of attacks

Paul Mah — Fri, 08 Aug 2008 08:41:12 -0400

Security researcher Kaminsky, who first discovered the DNS exploit that had organizations around the world scrambling to patch their Domain Name Servers (DNS), spoke to a packed session at the Black Hat conference this week. He took the opportunity to describe a dizzying array of attacks that can result from an exploited DNS. Two attack vectors caught my attention: one is the fact that even SSL connections are not impervious to a DNS-based attack. Kaminsky noted that "[c]ompanies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates."

The second vulnerability is described as a "forgot my password" style attack. Criminals could claim to have forgotten a user's password to get a site to send out a user's password. DNS hacking techniques could then be exploited to trick the targeted site into sending the secret password to the hacker's computer.

To learn more about DNS-based attack vectors:
- check out this NetworkWorld article

Study claims that open source software is a security risk

Paul Mah — Tue, 22 Jul 2008 09:06:28 -0400

A study released earlier this week was critical of open source software after evaluating 11 such projects over the course of three months. "Open Source Study--How Are Open Source Development Communities Embracing Security Best Practices?" was put together by Fortify Software, together with consultant Larry Suto to gauge whether open source projects adhere to security best practices.

Various active projects were evaluated to determine their responsiveness to security questions, as well as vulnerability findings, among other metrics. Application server Tomcat came up tops, though all the other projects gave a dismal showing. Jacob West, manager of Fortify's security research group, summed up what he thinks of the problem: "In two-thirds of these cases, you didn't get a response at all."

To read up more on the security risks of open source software:
- check out this Network World article

Fundamental flaw in DNS protocol discovered

Paul Mah — Tue, 15 Jul 2008 04:02:54 -0400

If you haven't heard by now, a fundamental flaw in the DNS protocol has been discovered by Dan Kaminsky, director of penetration testing for IOActive. Specific technical details have been kept vague for now, though Kaminsky says the problem is solved by implementing port randomization. Article

Spending doesn't guarantee data security

Judi Hasson — Tue, 08 Jul 2008 22:34:07 -0400

InformationWeek recently polled 1,100 IT and business professionals about their plans for security and found that they believe their data is safer, even with budgets holding steady or increasing. Sixty-six percent of respondents said their vulnerability to breaches and malicious code attacks was either the same as last year, or even worse.

If money is not the issue, what gives? One answer is the need to focus risk management processes, carefully evaluating threats and placing the resources where the needs are the greatest. The survey found only about half of the respondents actually had risk management plans, and only 22 percent paid attention to such issues as code security. The survey also found companies behind in implementing encryption to protect customer and employee data.

All the while, viruses, phishing attacks, and worms continue to cause major headaches. What's the problem? Complexity was cited as the biggest security challenge by 62 percent of respondents. "More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use,'' the article stated.

For more:
- check out this InformationWeek.com article

Symantec: Watch out for new Word attacks

Judi Hasson — Tue, 08 Jul 2008 21:50:37 -0400

There's yet another potential headache for all those tethered to Microsoft, the ever-present software giant that seems to have a hard time getting things right. This time it's the Word software, according to an advisory from Symantec Corp. The security firm reported that hackers have been exploiting "what is possibly an undisclosed vulnerability affecting Microsoft Word." Few details were released on the attack. "Initial analysis suggests that some Microsoft Office versions, even when fully patched, are affected by this exploit," Symantec said in a statement. This is just the latest in a string of flaws found in Microsoft's Office software, including Word, over the past few years. Symantec said its antivirus software is detecting the attack, but the security company has recommended that users avoid opening unsolicited Word documents.

For more on Word problems:
- see this Computerworld.com article

New security holes found in Internet Explorer

Paul Mah — Fri, 27 Jun 2008 05:15:21 -0400

Two separate security holes were found in Microsoft's Internet Explorer this week, one in Internet Explorer 7 and another in Internet Explorer 6. The vulnerability in IE7 was discovered by "sirdarckcat" and is detailed at security firm Secunia's website. Rated as moderately critical, it can be exploited to perform spoofing by autonomously switching the location of another frame. The IE6 vulnerability, on the other hand, can be used by an unauthenticated attacker to execute code in the security context of another domain. Microsoft says that it is currently investigating both reports, and is not aware of any attempts, at the moment, to exploit them.

To read up more the two Internet Explorer vulnerabilities:
- check out this eWeek article

Tools to crack flawed cryptographic keys circulate

Paul Mah — Fri, 16 May 2008 08:22:23 -0400

A newly disclosed vulnerability in the random number generator used by the Debian Project to produce digital keys is making its repercussions felt around the world. The flaw makes it relatively easy to compute the correct cryptographic keys, which are used for services such as Secure Shell (SSH) and Secure Socket Layer (SSL). There are reports of 2048 bit keys being generated in two hours on a cluster consisting of just 31 Xeon cores. In the meantime, users and system administrators are urged to patch their systems and to regenerate all keys produced on Debian systems after September 2006--when builds that included the flaw were first made available.

For more on the random number generator flaw:
- check out the Debian Security Advisory

MacBook Air 'PWNED' in 2 min flat

Mehan Jayasuriya — Fri, 28 Mar 2008 13:25:12 -0400

Those of you with an interest in hacking likely will remember last year's inaugural "PWN to OWN" competition, wherein a scrappy hacker gained control of a MacBook Pro from scratch in only nine hours flat. Well, that feat doesn't seem quite so impressive anymore, as noted iPhone hacker Charlie Miller managed to "PWN" a MacBook Air in a scant two minutes, by directing the computer's user to visit a website containing his exploit code. While the nature of the exploit won't be revealed until Apple gives the green light, we can only presume that Miller took advantage of a vulnerability in OS X's built-in browser, Safari. For his troubles, Miller will be leaving the CanSecWest security conference with a MacBook Air and $10,000 in tow, not to mention a whole lot of notoriety.

For more on the contest:
- see this Infoworld article

Watch out for your IT security scorecard

Thu, 06 Mar 2008 06:59:58 -0500

A quarterly review of a company's information security is essential for top IT personnel trying to ensure their systems are airtight. While it's important for the IT department not to get lost in trivial details, it's key to recognize the company's vulnerability. And that means sharing the results of the information security scorecard with the IT team and moving quickly to seal any security holes. For most CIOs, it's essential to know about viruses and a system's susceptibility to an attack.

For more on the importance of the scorecard:
- see this ComputerWorld article