Showing posts with label security. Show all posts

2008-11-04

Linux Live CD Scans for Porn

A university in Australia is developing a Linux Live CD called SImPLE (I have no idea if that stands for anything or if it's a typo) that scans for illicit images on a computer.  It never writes anything to the hard drive, so the evidence can be used in court, but they don't say how it scans for the images.

Its primary purpose is apparently to search for child porn, but I really cannot understand how it works.  Does it scan video?  Does it look for flesh tones?  How does it tell the difference between "acceptable" porn and child porn?  Does it scan internet history?  Does it just look for file names?

The list of questions is miles long and leaves a lot of doubt in my mind.  It sounds like a simple (no pun intended) tool for computer illiterate cops to do a quick scan of JPEGs and view any possible matches without any real training.  I guess that's why they call it SImPLE?  Even the name is terrible to type.

They're also considering a fraud version of the CD to search for financial documents.  That seems to reinforce the idea that it searches for quick matches hoping to get lucky.  This image version probably searches for file names hoping the criminal is stupid, and the fraud version will probably search for all Excel documents.

It doesn't even search deleted items.

Sounds like an overrated beginners forensics tool to me.

Source

2008-08-19

A Good Reason to Use Gmail's SSL Option


If you use Gmail and read my post about Google's new "Always use HTTPS" Gmail option (or heard about it elsewhere) and did not enable immediately, here's your (yet another) reason to do so.

A tool was presented at Defcon that can steal your Gmail credentials. It was created by Mike Perry, a reverse engineer from San Francisco and it works like this:

You may have noticed that when you're logged into Gmail and then browse to, say, www.blogger.com you're automatically logged in. That's because a cookie is already present that gets sent to anything and everything Google related (even images you click on). This cookie is cleared whenever you manually click a Google Sign Out button.

That means if you log into Gmail on your ultra-secure home wireless using https:// and then use your University's open WiFi later to visit a Google website, your cookie is still sent over an unencrypted connection. Anyone else have their iGoogle page set to their homepage?

However, this can be easily defeated with 3 clicks from Gmail's home page.
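To make the cookie behaviour concrete, here is an added Python example (mine, not code from the post or from Google) that uses the standard library's http.cookiejar to model a browser's cookie jar: the same .google.com session cookie is attached to a plain-http request for an iGoogle page unless it carries the Secure attribute, the flag that keeps a session cookie off unencrypted connections. The cookie name and value are constructed placeholders, and nothing touches the network.

```python
"""Added example: model a browser cookie jar with http.cookiejar and see when a
.google.com session cookie is sent over plain HTTP. Request objects are only
built and inspected, never sent. Cookie name/value are constructed placeholders,
not Google's real cookie."""
import http.cookiejar
import urllib.request


def make_session_cookie(domain, secure):
    # Minimal Netscape-style (version 0) cookie, like the one a login sets.
    return http.cookiejar.Cookie(
        version=0, name="SESSION", value="constructed-value",
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure,  # the attribute that decides the outcome here
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def sent_cookie_header(domain, secure, url):
    """Return the Cookie header a browser would attach to `url`, or None."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie(domain, secure))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the domain, path and Secure rules
    return request.get_header("Cookie")


if __name__ == "__main__":
    # Logged in over https at home, then an iGoogle page on open WiFi over http:
    print(sent_cookie_header(".google.com", False, "http://www.google.com/ig"))
    # -> SESSION=constructed-value   (sent in the clear)
    print(sent_cookie_header(".google.com", True, "http://www.google.com/ig"))
    # -> None   (a Secure cookie is withheld from plain http)
    print(sent_cookie_header(".google.com", True, "https://mail.google.com/mail/"))
    # -> SESSION=constructed-value
```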

Source

2008-08-07

Updated: DNS Vulnerability Worse Than Originally Thought

A while back I posted about the DNS vulnerability that was discovered. It was a large vulnerability to begin with, but now it has been officially revealed at Black Hat this week by Dan Kaminsky. Now we know it's much worse than originally reported.

It is not only possible to poison DNS caches, but the attack can also affect a wide array of other protocols and servers. That includes FTP, mail servers, or even your spam filter. Even worse is the attack could potentially be used against software update servers, including Microsoft and Apple OS update servers. This could potentially trick users into downloading and installing malicious patches.

Dan talked a lot about the domino effect of a hacked DNS server. It's very interesting, but also unnerving. Tools have already surfaced for exploiting this flaw.

One of the examples Dan gave involved an attacker intercepting mail and copying it, corrupting it or even removing/replacing attachments with malicious software. Not a pleasant man-in-the-middle scenario.

The source article covers Dan's talk a bit and gives some disturbing statistics about the current state of patched and protected DNS servers.

If you're interested in understanding DNS and the attack and have some free time I also suggest listening to the latest "Security Now" podcast (#155). If you aren't already subscribed to the podcast on your device-of-choice, you can download the episode from here.

Update: I want to flesh this out a bit more with a better explanation. Let's use one of the most likely targets of an attack like this, www.paypal.com.

Let's say your ISP is vulnerable to this attack and an attacker poisons the DNS server(s) with a record for www.paypal.com with a fake IP address. The attacker can increase that record's TTL (Time To Live) to such a high value that the record will never expire.

Then, an unsuspecting customer of that ISP will try to visit www.paypal.com and get the fake site. Since PayPal redirects you to a secure page for login, and most people would never think to double-check that they were redirected correctly, there is no need to spoof PayPal's security certificates. The user is simply redirected, they log in ignorant of the fact that they are not on the real www.paypal.com, and they supply the attacker with their login information.

Phishing filters won't pick this up because the browser is on www.paypal.com. The domino effect is obvious here. If the ISP does not patch the vulnerability then every single one of their customers is liable to pick up this bad record and be redirected to a fake site.

The really scary thing is the ISP has no way of detecting a poisoned cache record on their own until customers begin complaining about something being wrong with www.paypal.com, www.amazon.com... whatever.
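An added Python example (mine, not from the post or the source article) for the walkthrough above: a toy resolver cache shows why a record inserted with the maximum 31-bit TTL outlives any realistic checking interval, how a cap on accepted TTLs (an option real resolvers offer) bounds how long a bad answer lives without preventing the poisoning itself, and a simple audit that compares live cache entries against an independent reference lookup. All addresses are RFC 5737 documentation addresses and the reference table is constructed.

```python
"""Added example: toy resolver cache illustrating poisoned-record persistence,
a defensive TTL cap, and an audit against an independent reference.
Constructed data only; IPs are RFC 5737 documentation addresses."""
from dataclasses import dataclass

# RFC 2181 limits a TTL to a 31-bit value; a poisoned answer can use the maximum.
MAX_RFC_TTL = 2**31 - 1


@dataclass
class CachedRecord:
    address: str
    expires_at: int  # absolute time in seconds at which the record is dropped


class ResolverCache:
    def __init__(self, max_ttl=None):
        # max_ttl=None models a resolver that honours whatever TTL the answer carries.
        self.max_ttl = max_ttl
        self._records = {}

    def insert(self, name, address, ttl, now):
        ttl = min(ttl, MAX_RFC_TTL)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)  # the cap bounds a bad answer's lifetime
        self._records[name] = CachedRecord(address, now + ttl)
        return ttl

    def lookup(self, name, now):
        rec = self._records.get(name)
        if rec is None or now >= rec.expires_at:
            self._records.pop(name, None)
            return None
        return rec.address

    def audit(self, reference, now):
        """Flag live entries whose address disagrees with an independent
        reference (e.g. a fresh lookup at the authoritative servers)."""
        return sorted(name for name, rec in self._records.items()
                      if now < rec.expires_at and reference.get(name) != rec.address)


if __name__ == "__main__":
    uncapped = ResolverCache()
    uncapped.insert("www.paypal.com", "203.0.113.7", MAX_RFC_TTL, now=0)
    # Ten years later every client of this resolver still gets the fake answer.
    print(uncapped.lookup("www.paypal.com", now=10 * 365 * 86400))
    capped = ResolverCache(max_ttl=86400)
    print(capped.insert("www.paypal.com", "203.0.113.7", MAX_RFC_TTL, now=0))
    print(uncapped.audit({"www.paypal.com": "198.51.100.2"}, now=0))
```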

It's interesting to note that this exploit is only available on Linux currently and it's being brought to Mac OS X because it requires raw ports capability. Windows does not have this capability because of just this sort of thing.

You can test your ISP's DNS servers by visiting this site (http://snipurl.com/dnstest). Thanks to Steve Gibson of Security Now for setting up that simple URL for the test.

Source

2008-07-25

Crackers Get Hold of Critical Internet Flaw

It's always nice to hear about new critical flaws that open up your system(s) to attack. I took the liberty of changing the article's headline to crackers instead of hackers since this has nothing to do with hackers. If you disagree, you clearly need to read more and watch fewer Hollywood movies.

I swear there wouldn't be nearly as many crackers and software pirates if we didn't give them such cool names and bad ass sounding jargon. Who doesn't want to be called a pirate or try their hand at "cache poisoning"? I propose we change the pirate terminology and separate them into two groups: Music Ninjas and Software Pirates. Awesome.

The article is short, but it gives the necessary details. If you're familiar with DNS then you know how this attack works. If you don't, DNS is like the Internet's Yellow Pages full of all the addresses for every website.

The attack poisons your DNS cache and changes the data stored in it. Essentially this isn't a big deal if you're aware of Phishing and pay attention to where a poisoned cache may be redirecting you. The danger is very real to the less aware targets who try to visit their bank's website only to be redirected and enter their information into a malicious site.

I'll be interested to see how many people this truly affects before the patch closes the vulnerability for the majority of users.

Source