January 2010 Archives



There is an interesting podcast on the 365.rsaconference blog concerning large cybercrime organizations, originally broadcast on NPR, about Joseph Menn's new book, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.

NPR broadcast: Fighting Cybercrime, One Digital Thug at a Time


As we approach the Black Hat Washington DC conference next week, more and more seems to be unraveling about the vulnerabilities recently discovered in Internet Explorer. The security firm Vupen Security in France has said it has confirmed code execution with Internet Explorer 8 even with Microsoft's DEP enabled. The company has said it has not released the exploit code to the general public but encourages all users to disable Active Scripting. The firm also recommended using IE 8 on Windows 7 over even IE 8 on XP SP3.

Let's see if there are more discussions or disclosures about Operation Aurora next week at Black Hat. Infragard Security Organization also announced that it is holding a webinar on Feb. 2nd to review Aurora and some security initiatives with Adobe; one never knows.

Other researchers point out that there are organizations specializing in gathering intelligence on the vulnerabilities and weaknesses in the control environments of corporate and government entities, and in offering that information for sale to others who might seek a competitive advantage, either technical or political, over their rivals, even providing Cloud Bot Services to deploy their objective. Researchers maintain that there are organizations active today that are gathering information, whether externally or internally, about the infrastructure and control environments of industries or individuals, with the hope of selling that information or leasing time on distributed servers with access to gain intelligence on their competitors.

Those of us who have been lucky enough to hear Gordon Smith from Canaudit speak about using social and technical engineering to collect information for pen testing and/or auditing know that gathering up as much information as possible, to obtain access through both methods, is worthwhile.

While this all sounds very Swordfish vogue, there is a lot of information scattered across the world that is very valuable or can be used to gain access to valuable things. If 90% of the systems are running common code, that reduces the amount of unraveling. There was a presentation by "javaman" in New York at the 5th HOPE conference that outlined his thoughts on "Security through Diversity", which I thought was very interesting, as was his talk on parallelism: how individual systems and large enterprises can improve their tolerance to massive attacks through this principle. If you're under attack, why would you fail over your control environment to the exact same mirror control environment that was already compromised?

The first time I saw mshtml being utilized for deployments of software, where the user accessed a URL and the whole process would happen in the background without the user knowing, I thought to myself that it could only be trouble, and that was probably about 2000-2001. Thanks, Jon R., you were always workin it. Jon and Bjorn always had some cool Windows stuff going, no matter if it raised the hairs on the back of your neck.



Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is outdated by 2 versions already. This vulnerability, while serious, doesn't strike me as anything unusual for MS products of that vintage. The response has been typical: the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know - keep your OS and key applications up to date and configure software to automate this process. If you're still using IE6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users represent a slightly more tech-savvy attack vector. Perhaps that's reason enough to avoid IE for some.

© 2009 netForensics, Inc