InfoSec Snobs

October 22, 2009 – 7:19 AM

I’ve read two articles recently that help validate what I’ve been noticing since I joined Twitter and started listening to Security podcasts to gain more information in the field.  I keep seeing posts and hearing comments from certain people (no names will be mentioned but most of you will know at least one or two of them) and they always make it sound like if you are not already in this field then you are nothing and should shut up and go away.  They even go so far as to insult the new guys and make them feel stupid for not already having 20 years of experience.  I am so sick of hearing this shit.

Anyway, here are the two articles that really drive it home:

http://preachsecurity.blogspot.com/2009/10/infosec-is-rotten.html

http://daveshackleford.com/?p=277 (a response to the first one)

These guys nailed it right on the head.  I understand that education isn’t everything and I am trying as hard as I can to get a job in the field to start gaining the needed experience, but it’s not easy, believe me.  I now have two degrees and two certifications and I think this provides me with a very solid foundation to build on when a company actually does give me a chance.

Mad props to Rafal Los and Dave Shackleford.

Cain & Abel v4.9.34 released

October 18, 2009 – 8:52 AM

New in 4.9.34:

  • Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
  • Added Abel64.exe and Abel64.dll to support hashes extraction on x64 operating systems.
  • Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.
  • Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
  • Fixed a bug of RSA SecurID Calculator within XML import function.
  • Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
  • Executables rebuilt with Visual Studio 2008.

Download:
http://www.oxid.it/cain.html

Sneaky Microsoft plugin puts Firefox users at risk

October 16, 2009 – 9:20 AM

An add-on that Microsoft silently slipped into Mozilla’s Firefox last February leaves that browser open to attack, Microsoft’s security engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” admitted Microsoft engineers in a post to the company’s Security Research & Defense blog on Tuesday. “The reason is that .NET Framework 3.5 SP1 installs a ‘Windows Presentation Foundation’ plug-in in Firefox.”

The Microsoft engineers described the possible threat as a “browse-and-get-owned” situation that only requires attackers to lure Firefox users to a rigged Web site.

Source:
http://www.computerworld.com/s/article/9139459/Sneaky_Microsoft_plug_in_puts_Firefox_users_at_risk?source=rss_news

Evil Maid goes after TrueCrypt!

October 16, 2009 – 7:02 AM

Let’s quickly recap the Evil Maid Attack. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption like e.g. this provided by TrueCrypt or PGP Whole Disk Encryption.

Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or “Coldboot” attacks.

So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Source and Full Details:
http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
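
A defensive check for the tampering described above, as an added example that is not part of the original post or of the Evil Maid tooling: it hashes each sector of the unencrypted boot region and reports which ones differ from a known-good baseline. The 63-sector region size and all function names are assumptions, and the check is only meaningful when run from trusted boot media with the baseline stored off the laptop, since an altered boot chain can misreport its own contents.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512
BOOT_SECTORS = 63  # assumption: unencrypted boot loader region = first track


def sector_hashes(path, sectors=BOOT_SECTORS):
    """SHA-256 of each of the first `sectors` sectors of a disk or image."""
    digests = []
    with open(path, "rb") as dev:  # e.g. /dev/sda (needs root) or an image file
        for _ in range(sectors):
            block = dev.read(SECTOR)
            if len(block) != SECTOR:
                raise ValueError("short read: smaller than the boot region")
            digests.append(hashlib.sha256(block).hexdigest())
    return digests


def save_baseline(path, baseline_file, sectors=BOOT_SECTORS):
    """Record known-good hashes; keep this file on the trusted medium."""
    with open(baseline_file, "w") as fh:
        json.dump(sector_hashes(path, sectors), fh)


def changed_sectors(path, baseline_file):
    """Return indexes of boot-region sectors that differ from the baseline."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    current = sector_hashes(path, len(baseline))
    return [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]


def demo():
    """Constructed 64-sector image: baseline it, then alter sectors 0, 7, 63."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        baseline = os.path.join(tmp, "baseline.json")
        with open(image, "wb") as fh:
            fh.write(bytes(64 * SECTOR))
        save_baseline(image, baseline)
        clean = changed_sectors(image, baseline)
        with open(image, "r+b") as fh:
            for sector in (0, 7, 63):  # 63 lies outside the checked region
                fh.seek(sector * SECTOR + 16)
                fh.write(b"\xeb")
        return clean, changed_sectors(image, baseline)


if __name__ == "__main__":
    print(demo())
```

A non-empty result means the boot region changed since the baseline was taken; a legitimate boot loader update also changes it, so the baseline has to be refreshed after one.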

SSL Still Mostly Misunderstood

October 10, 2009 – 2:37 PM

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey.

Just what SSL does and doesn’t do isn’t clear to many users, and the way Websites implement it doesn’t help: “The biggest issue is the general population doesn’t know what SSL is, why they’re using it, and it’s ingrained in them that it always makes them secure, which is not always the case,” says Tyler Reguly, senior security engineer for nCircle, who surveyed a cross-section of users — technical and nontechnical — and shared the results of his findings today during a panel presentation about SSL at the SecTor Conference in Toronto.

Reguly’s survey found that while 83 percent of users check they’re using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords. “It’s scary that people care so little about their passwords than they do about their credit card numbers,” he says. “You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they’re probably using it for online banking, too.”

It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he’s in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL.

Source:
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220301548