Trend Micro session token insufficiently random

August 25, 2008 – 7:31 AM

Secunia, the security services provider, has issued a security advisory about a vulnerability in Trend Micro’s OfficeScan 8.0 and Worry-Free Business Security 5.0 that makes it easier for attackers to take control of the web management interface of those products. According to Secunia, the web-based configuration interface uses a pseudo-random token to identify a logged-on manager, but the token’s entropy is evidently derived from the time at which the user logs in.

Knowing this, an attacker could predict a valid authentication token by brute force substantially more quickly than otherwise and then use it to log in to the web interface. The report says that, besides changing settings, attackers could also execute arbitrary code of their own.

Client Server Messaging Security for SMB 3.x and OfficeScan Corporate Edition 7.x are also affected. So far, Trend Micro has only provided updates for OfficeScan 8.0 and Worry-Free Business Security 5.0.
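To make the weakness concrete, here is an added example (not Trend Micro’s code; the product’s actual algorithm is not public) that re-creates a session token whose only entropy is the login time, sets it beside a token drawn from the OS CSPRNG, and applies the review check a defender would use: every login in a sample must receive a distinct token.

```python
import random
import secrets


def time_seeded_token(login_time: float) -> str:
    """Re-creation of the weakness described above (illustrative, not the
    vendor's code): the generator is seeded with the login time, so every
    login processed within the same second receives the same token and the
    token for any given login time is fully determined by that time."""
    rng = random.Random(int(login_time))          # one-second granularity seed
    return "".join("%08x" % rng.getrandbits(32) for _ in range(4))


def csprng_token(nbytes: int = 16) -> str:
    """Hardened form: 128 bits from the OS CSPRNG, independent of time."""
    return secrets.token_hex(nbytes)


def distinct_count(make_token, n: int) -> int:
    """Number of distinct tokens that n consecutive logins receive."""
    return len({make_token() for _ in range(n)})


def review_token_generator(make_token, n: int = 1000) -> bool:
    """Review check: a session-token generator must never hand out the same
    token twice within a sample; fewer than n distinct values in n calls fails."""
    return distinct_count(make_token, n) == n


# Constructed login timestamp used for the demonstration.
LOGIN_TIME = 1219649460.25


def weak_login_token() -> str:
    """Simulates logins all handled within the same wall-clock second."""
    return time_seeded_token(LOGIN_TIME)


if __name__ == "__main__":
    print("time-seeded distinct tokens:", distinct_count(weak_login_token, 1000))  # 1
    print("CSPRNG distinct tokens:     ", distinct_count(csprng_token, 1000))      # 1000
    print("time-seeded passes review:", review_token_generator(weak_login_token))  # False
    print("CSPRNG passes review:     ", review_token_generator(csprng_token))      # True
```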

Source:
http://www.heise-online.co.uk/news/Trend-Micro-session-token-insufficiently-random–/111388

How to Use Honeypots to Improve Your Network Security

August 25, 2008 – 5:46 AM

Traditionally, the area of information security has been purely defensive. Classic examples of the defensive mechanisms used in order to protect communication networks include firewalls, encryption and IDS (Intrusion Detection Systems). The strategy follows the classical security paradigm of “Protect, Detect and React.” In other words, try to protect the network as best as possible, detect any failures in that defense, and then react to those failures.

The problem with this approach is that the attacker has the initiative, always being one step ahead. For example, traditional, signature-based antivirus solutions have a hard time keeping up with the flood of new malware appearing each day (since the attackers can test new malware samples before releasing them into the wild). In the last few years, it has become more and more clear that these traditional, network-based defense techniques have severe limitations.

Thus, we need new techniques to improve network defenses. One promising approach is the use of honeypots: a honeypot is a closely monitored computing resource that we want to be probed, attacked or compromised. More precisely, a honeypot is “an information system resource whose value lies in monitoring unauthorized or illicit use of that resource”, a definition taken from the honeypot mailing list at SecurityFocus (http://www.securityfocus.com/archive/119/321957/30/0/threaded).

The value of a honeypot

The value of a honeypot is measured by the information that can be obtained from it. Monitoring the data that enters and leaves a honeypot lets us gather information that is not available to an IDS. For example, we can log the keystrokes of an interactive session even if encryption is used to protect the network traffic. To detect malicious behavior, an IDS requires signatures of known attacks and often fails to detect compromises that were unknown at the time it was deployed.

On the other hand, honeypots can detect vulnerabilities that are not yet understood, so-called “zero-day attacks.” For example, we can detect compromises by observing network traffic leaving the honeypot, even if the means of the exploit has never been seen before.

Honeypots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system. A so-called “high-interaction honeypot” provides a real system with which the attacker can interact. In contrast, a “low-interaction honeypot” simulates only some parts; for example, the low-interaction honeypot “Honeyd” simulates the network stack of arbitrary systems.
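The compromise signal described above, traffic leaving the honeypot, needs no attack signature: a honeypot has no legitimate users, so any connection it initiates beyond a small allow list is an indicator. The following is an added example (not from the article or any honeypot project) that applies that rule to constructed flow-log lines; the honeypot address, the allow list and the log format are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

HONEYPOT_IP = "10.0.5.20"                 # constructed address of the honeypot
# Outbound traffic the honeypot legitimately generates (assumed: its own DNS lookups).
ALLOWED_OUTBOUND = {("10.0.5.1", 53)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: 'ts src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto)


def inbound_probes(flows: List[Flow]) -> List[Flow]:
    """Connections to the honeypot: the probes and attacks it exists to record."""
    return [f for f in flows if f.dst == HONEYPOT_IP]


def outbound_alerts(flows: List[Flow]) -> List[Flow]:
    """Connections initiated by the honeypot that are not on the allow list.
    Because nobody should be using the machine, this flags a compromise even
    when the exploit that caused it has never been seen before."""
    return [f for f in flows
            if f.src == HONEYPOT_IP and (f.dst, f.dport) not in ALLOWED_OUTBOUND]


# Constructed sample: two inbound probes, an allowed DNS lookup, then the
# honeypot opening a connection to an external host on its own.
SAMPLE_LOG = """\
2008-08-25T05:40:01 198.51.100.7 51544 10.0.5.20 22 tcp
2008-08-25T05:40:03 198.51.100.7 51545 10.0.5.20 445 tcp
2008-08-25T05:41:10 10.0.5.20 41000 10.0.5.1 53 udp
2008-08-25T05:41:12 10.0.5.20 41001 203.0.113.9 6667 tcp
"""


def analyze(log_text: str) -> Tuple[List[Flow], List[Flow]]:
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return inbound_probes(flows), outbound_alerts(flows)


if __name__ == "__main__":
    probes, alerts = analyze(SAMPLE_LOG)
    print(f"{len(probes)} inbound probes recorded")
    for f in alerts:
        print(f"ALERT outbound from honeypot: {f.ts} -> {f.dst}:{f.dport}/{f.proto}")
```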

Source:
http://www.eweek.com/c/a/Security/How-to-Use-Honeypots-to-Improve-Your-Network-Security/?kc=rss

Fake Nero Anti-Virus Pro 2009 (AV XP 2008)

August 24, 2008 – 7:51 PM

This morning we detected another spam campaign aimed at enticing users into downloading and executing a file they believe is a 6-month trial of a product called “Anti-Virus Nero Advanced Pro 2009”. On further analysis the file turns out to be a variant of the rogue antivirus application known as AV XP 2008, which has been seen in earlier attacks this month.

Looking further, it appears that the same group behind the attacks that delivered the fake CNN Alerts and MSNBC alerts could also have been behind this latest round. Over the last couple of weeks a large number of emails have been sent that, to some degree, installed AV XP 2008 (e.g. the fake IE Update, some of the CNN alerts, celebrity videos).

Source:
http://pandasecurityus.wordpress.com/2008/08/25/fake-nero-anti-virus-pro-2009-av-xp-2008/

New attack against multiple encryption functions

August 23, 2008 – 2:16 PM

Unless you’re a dyed-in-the-wool cryptographic geek you probably didn’t know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for those of us who aren’t crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put them into plain language.

Probably the best known is Bruce Schneier, a dedicated crypto geek famous for his general information security and cryptographic work, including being responsible (or partly responsible) for ciphers such as Blowfish and Twofish. On his blog he has provided a tantalising suggestion that one of the most famous names in cryptography is introducing a new form of cryptanalysis.

Adi Shamir, the S in RSA, has presented material at the Crypto 2008 conference promising a new form of mathematical attack against a broad range of cryptographic primitives, including hash functions (such as MD5 and SHA-256), stream ciphers (such as RC4) and block ciphers (such as DES, Triple-DES and AES). The new method of cryptanalysis has been called a “cube attack” and formed part of Shamir’s invited presentation at Crypto 2008, “How to solve it: New Techniques in Algebraic Cryptanalysis”.

Source:
http://www.computerworld.com.au/index.php/id%3b1395888957%3bfp%3b16%3bfpid%3b1

Firefox to get massive JavaScript performance boost

August 22, 2008 – 5:26 PM

Mozilla is leveraging an impressive new optimization technique to bring a big performance boost to the Firefox JavaScript engine. The code was merged today (but is not yet ready to be enabled by default in the nightly builds) and is planned for inclusion in Firefox 3.1, the next incremental update of the open-source web browser.

I discussed this new optimization strategy with Mozilla’s VP of engineering Mike Shaver and Mozilla CTO Brendan Eich, the creator of JavaScript. They are concerned that sophisticated web applications are being held back by the limitations of JavaScript interpreter performance. They aim to improve execution speed so that it is comparable to that of native code. This would redefine the boundaries of client-side performance and enable the development of a whole new generation of more computationally intensive web applications.

They are “getting ready to take JavaScript performance into the next tier” with a radically innovative optimization tactic called tracing that has already produced performance improvements ranging between 20 and 40 times faster in some cases. They believe that this is just the beginning of what can be accomplished with tracing, and they expect to be able to achieve even better speed as the work continues.

Source:
http://arstechnica.com/news.ars/post/20080822-firefox-to-get-massive-javascript-performance-boost.html