Blackmoor Vituperative

Friday, 2007-07-20

Mac worm incites death threats and intrigue

Filed under: Security — bblackmoor @ 12:23

A soap opera is playing out on the mailing lists of several security newsgroups this morning, complete with people hiding behind pseudonyms, people “outing” one another and rumors of death threats against the major players. At stake? A possible worm for Apple’s Mac OS X operating system.

(from CNET News.com, News of a Mac OS X worm incites death threats and intrigue)

Monday, 2007-04-02

Homeland Security wants master key for the Internet

Filed under: Security — bblackmoor @ 11:35

The US Department of Homeland Security is insisting that Verisign hand over the master keys of the Internet.

If it succeeds, the US will be able to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system’s root zone on the Internet.

Effectively it would mean that US spooks could snoop on anyone in the Worldwide wibble and place control of the Interweb tubes firmly in the paws of the US government.

(from The Inquirer, Homeland Security wants master key for the Internet)

Thursday, 2007-03-29

Yet another IE exploit

Filed under: Security — bblackmoor @ 13:32

Another day, another security hole in Internet Explorer.

Are you listening yet? Switch to Firefox.

Wednesday, 2007-03-28

IE exploit code recipe published

Filed under: Security — bblackmoor @ 11:20

Yes, there’s another security hole in Internet Explorer. In other news, water is wet, politicians are dishonest, and teen-agers are horny.

Switch to Firefox, you knuckleheads.

Open-source bug hunt project expands

Filed under: Security — bblackmoor @ 10:13

A year after its original launch, a U.S. government-backed project that scans open-source code for flaws is expanding.

The effort, supported by a research contract from the U.S. Department of Homeland Security, is now scanning code of 150 open-source projects, up from the original 50.

“This allows open-source developers to find and resolve defects introduced into the project,” David Maxwell, open-source strategist for Coverity, said in a statement. Coverity makes source-code analysis tools and shares the DHS contract with Stanford University and Symantec.

Since the start of the project, 6,000 bugs that were found have been fixed, according to Coverity. About 700 developers are now registered to access the bug data and 35 million lines of code are scanned every day, the company said.

(from ZDNet, Open-source bug hunt project expands)

On the one hand, I don’t think the federal government should be spending money on things like this. But that is because I don’t think the federal government should be spending money on anything other than what it is specifically given authority to spend money on by the US Constitution — and that ain’t much.

On the other hand, if it’s going to unconstitutionally rob Peter to pay Paul, at least Paul is doing something useful with it in this case. I’d much rather it fund debugging open source software than pay to put every American’s personal information on an expensive, insecure ID card where any identity thief who wants it can grab it.

MySpace wants to bar ‘spam king’

Filed under: Security — bblackmoor @ 10:03

MySpace.com on Tuesday said it has filed suit against Sanford Wallace, seeking to bar the “spam king” and his affiliated companies from the social-networking site.

In the suit, filed Friday in U.S. District Court for the Central District of California in Los Angeles, MySpace accuses Wallace of violating state and federal laws including the federal Can-Spam Act and California’s antispam and antiphishing statutes, the company said in a statement.

MySpace charges that Wallace launched a phishing scam in October to fraudulently access MySpace profiles. He also allegedly created profiles, groups and forums on MySpace, spammed thousands of users with unwanted advertisements and lured MySpace users to his Web sites, according to the complaint.

“Individuals who try to spam or phish our members are not welcome on MySpace,” Hemanshu Nigam, chief security officer for MySpace, said in the statement. The lawsuit seeks a permanent injunction barring Wallace and his affiliated companies from the MySpace site, in addition to unspecified monetary damages.

(from ZDNet, MySpace wants to bar ‘spam king’)

I think MySpace is a colossal waste of time and energy, but at least they are trying to do the right thing here. This guy Wallace is spamming, phishing, spyware-spreading scum.

Tuesday, 2007-03-27

Never log into a URL that’s been emailed to you

Filed under: Security — bblackmoor @ 10:30

Here’s a security tip. Never, ever log into any URL that has been emailed to you. Never.

Always go directly to the URL you have bookmarked (for your bank, let’s say), and log in there.

One of the most common scams I see nowadays is scumbags sending so-called “HTML mail” to their intended victims, and making that so-called “HTML mail” look like an official email from someone the victim does business with (eBay, PayPal, and various banks are the most commonly spoofed senders). In this so-called “HTML mail” there will be a Login button, or what appears to be a web address. However, if you look at where this address actually goes, it goes to some scumbag piece of filth’s server, typically in China or Romania but it could just as easily be in Idaho, who then grabs your login and password, robs you of everything you have in that account, and then sells it online to other scumbag pieces of filth on underground web sites.

There are two things you should learn from this.

1) So-called “HTML mail” is EVIL. Don’t send it. Don’t read it. Disable it in your email client if you can.

2) Never, ever log into a URL that has been emailed to you. Never, ever.

Thursday, 2007-03-22

How Apple orchestrated web attack on researchers

Filed under: Security — bblackmoor @ 09:46

Last summer, when I wrote “Vicious orchestrated assault on MacBook wireless researchers,” it set off a long chain of heated debates and blogs. I had hoped to release the information on who orchestrated the vicious assault, but threats of lawsuits and a spineless company that refused to defend itself meant I couldn’t disclose the details. A lot has changed since then: Researcher David Maynor is no longer working for SecureWorks, and he’s finally given me permission to publish the details.

The scandal broke when Jim Dalrymple put out a hit piece on security researchers David Maynor and Jon “Johnny Cache” Ellch, saying that their research was a “misrepresentation.” Dalrymple based his conclusion solely on the word of Apple PR director Lynn Fox. David Chartier went even further and said that, “SecureWorks admits to falsifying MacBook wireless hack” based solely on a SecureWorks disclaimer (it’s no longer there) that merely reaffirmed what the original video was saying all along — that the hack demonstrated in the video was based on third-party wireless hardware. I had personally interviewed the two researchers before this whole scandal broke out, and I specifically asked Maynor and Ellch if they were using Apple’s Wi-Fi hardware in their official Black Hat demonstration. They clearly said that no Apple Wi-Fi product was used for the exploit. That’s why I was shocked to see the researchers blamed for changing their story and “admitting” they made the whole thing up when no one changed the story and no one admitted to anything. Yet the headline from Chartier, along with Dalrymple’s story, was blasted all over the Web after it made Digg and Slashdot. Everyone simply assumed Maynor and Ellch were frauds because they supposedly “admitted it.”

[…]

So what was the end result of all this? Apple continued to claim that there were no vulnerabilities in Mac OS X, but came a month later and patched its wireless drivers (presumably for vulnerabilities that didn’t actually exist). Apple patched these “nonexistent vulnerabilities” but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple’s behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The result was that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007, including last week’s megapatch of 45 vulnerabilities.

Apple is a mega corporation that nearly smashed the reputation of two individuals with bogus claims of fraud. It didn’t matter that they weren’t the ones pulling the trigger because they were pulling all the strings. David Chartier should be ashamed of himself and his blog. Jim Dalrymple of Macworld and his colleagues who jumped on the bandwagon should be ashamed of their reporting. Frank Hayes was the only one of Dalrymple’s colleagues who had the decency and honor to apologize. Most of all, shame on Apple.

(from TechRepublic, How Apple orchestrated web attack on researchers)

This supports two things I have been saying ever since I had the misfortune of using a Mac PowerBook for a while and being exposed to the whole “cult of Mac” back in 2005:

1) Macs are not secure. The only reason that Mac users think Macs are secure is because the Apple marketing machine tells them so (as in the recent Mac vs. PC television advertisements) and because Mac users are willfully ignorant.

2) Apple is every bit as ruthless, monopolistic, and anti-consumer as Microsoft is, if not more so. The only real difference between the two companies is that Microsoft is better at it.

Thursday, 2007-03-15

File sharing a threat to children and to national security

Filed under: Security — bblackmoor @ 11:03

In today’s Let’s Be A Little Overdramatic file, a newly released report from the U.S. Patent and Trademark Office suggests that networked file and music sharing could harm children and threaten national security.

The November, 2006, report, entitled “Filesharing Programs and Technological Features to Induce Users to Share,” makes two main points across the span of its 80 pages:

  • that peer-to-peer networks could manipulate sites so children violate copyright laws more frequently than adults, exposing those children to copyright lawsuits and, in turn, make those who protect their copyrighted material appear antagonistic, and
  • file-sharing software could be to blame for government workers who expose sensitive data and jeopardize national security after downloading free music on the job

Interestingly, the report makes numerous references to RIAA and MPAA legal actions against file-sharing activity, as well as cites a 2005 Department of Homeland Security report that government workers had installed file-sharing programs that accessed classified information without their knowledge.

(from Shadow Monkey, File sharing a threat to children and to national security)

Well, now, we wouldn’t want RIAA and MPAA to appear antagonistic, would we? Why, that would be like making Wilhelm Marr look antisemitic. What a gross injustice that would be.

As for the danger to national security, anyone who has ever held a security clearance (me, for example) knows who is to blame for any such security breach: the nut behind the keyboard. Or, to put it another way, what we have here is a poor workman blaming his tools. I can’t even comprehend how anyone could put classified documents on a workstation connected to the Internet, and then install file-sharing software on that workstation, without being aware of the security ramifications. The very concept just baffles me. Were the InfoSec people asleep?

Anyway, here are links to the report. I wonder how much MPAA and RIAA spent to underwrite it?

PDF version
HTML version

Tuesday, 2007-02-06

New zero-day threat for Excel

Filed under: Security — bblackmoor @ 12:57

Microsoft zero-day vulnerabilities are increasingly so commonplace, the risk is lost with the message. On Feb. 2, Microsoft issued another security alert, this one for Excel, that largely went unnoticed.

In its security bulletin, Microsoft warned that “other Office applications are potentially vulnerable” to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsoft’s fifth zero-day exploit since December, and part of an increasingly troubling trend.

(from eWeek, New Zero-Day Threat Excels)

Does a house have to fall on you? Anyone still using MS Office after all this time and all these security vulnerabilities probably shouldn’t be permitted to use a computer. Switch to OpenOffice, you blockheads.
