November 2005 Archives

Mozilla Firefox 1.5 Released

"The final release of Mozilla Firefox 1.5 is now available for download from GetFirefox.com for most major operating systems or from the mirrors. Users of the release candidates should receive the update soon."

Well, it has arrived, Firefox 1.5. The Mozilla folks have made improvements to the software updating system (to gain more popularity in the corporate space no doubt), user interface enhancements, and security improvements to name a few. I'm still trying to get a handle on the new features, but a full listing can be found here.

Full Article

Go get it now!

Kelly Martin: Regaining control

"Securing endpoint systems by locking them down using complex software brings back memories of another era, where business computers were once used for business applications only - and businesses retained control over their assets and data."

This is an excellent article that talks about how businesses should go back to basics and make their corporate PCs more corporate and less personal. The measures range from restricting which software is installed to filling USB ports with glue. No one is really safe (even when you do use Firefox), and for businesses the focus should be business, not listening to music or fancy screensavers.

It may sound too extreme for some organizations, but then again, what are you willing to put at risk?

Full Article

Cisco IOS HTTP Server code injection/execution vulnerability

"It has been identified a vulnerability in the Cisco IOS Web Server. An attacker can inject arbitrary code in some of the dynamically generated web pages. To successfully exploit the vulnerability the attacker only needs to know the IP of the Cisco. THERE'S NO NEED TO HAVE ACCESS TO THE WEB SERVER! Once the code has been injected, attacker must wait until the admin browses some of the affected web pages."

This appears to be a posting by someone, with very poor English, who has found a new vulnerability in Cisco IOS. It has not yet been confirmed, but if you are using HTTP to manage your Cisco equipment you should switch to SSH. So many organizations still use TELNET to manage their network infrastructure, which greatly contributes to the "hard outside, soft and chewy inside" theory of network security.

SSH + TACACS = Good

TELNET + Enable = Bad

Partial Advisory

Windows Non-admin Hall Of Shame

"This wiki page is dedicated to the thousands of applications that break when run as non-admin. I've moved the HallOfShame here so that people can add their own anecdotes. Please just follow the convention of using the HOS suffix for each HOS wikiword. Thanks! Please do take the time to notify the company of the problem. You can make a difference."

I always recommend that users run with a non-admin user account to avoid being overtaken by malware. I get a lot of push-back from users and administrators, and with good reason in some cases: the applications just don't run unless you have administrative rights. Please follow up with your vendors and ask them to fix their code.

Hall Of Shame Homepage

PaulDotCom Security Weekly - Episode 4 - Nov 25, 2005

Black Friday Edition

- Another 0-day IE exploit has been released, no patch yet, but M$ has acknowledged it
- Paul put up the FrSIRT version of a working POC that starts calc.exe
- Use Firefox, or go straight to the bleeding edge with Flock, integrates del.icio.us bookmarks and blogging to the web browser
- Check out Paul's Asparagus recipe collection
- Sony Bashing Round 3, Amazon calls them "Defective", $SYS$ T-Shirts, Sony has ninjas, Tape can bypass DRM, M$ Anti-Spyware will remove, Create canary file called "$sys$[something].txt" and if it goes away you have the Sony Rootkit (I call mine "$SYS$F-Sony.txt")
- Xbox360, crashing, Get metal sticks to hack
- Richard Stallman gets in trouble for wearing tin foil hats
- Lexus IS pedal sequence disables traction control
- M$ has a new security tool called "Windows Live Safety Center". Tells you about things like open ports, hard drive defrag notification, email us with feedback if you've used this tool
- New SANS Top 20 released this week
- TAOSecurity Blog, Good and Bad about the sans top 20, new book available at amazon called "Extrusion Detection", Security Awareness training not effective?
- Shadow Crew busted and pleaded guilty
- Exploiting the stack series from Security Compass
- To kill or not to kill...a pix, Remote DoS Vulnerability, Exploit Available, Workarounds available
- OSSRC, ("Open Source Snort Rules Consortium") created to make snort rules better
- Symantec to stop selling LC5 outside US, use Cain instead
- Twofish rumored to be crackable
- Sign up for Schmoocon 2006 ("Bow To My Firewall")

- Tool Of The Week - John the Ripper - Password cracking tool; run it on a Debian install to audit the accounts, and use the "-rules" option to generate really good password dictionaries.

- Wireless word of the week - EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) - Requires only a server certificate, uses an SSL tunnel for encryption, works with the OS X built-in client, Windows client available called SecureW2, Cisco ACS is bad
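The "$sys$" canary trick from the Sony rootkit show note, written out as a small check. This is an added example, not code from the PaulDotCom show; the canary file name and the temp-directory location are my own choices, and the test reports "cloaked" only when a file that was just written successfully no longer shows up in a directory listing.

```python
"""$sys$ canary check for the Sony DRM cloaking (added example, not from the show).

The show note says: create a file whose name starts with "$sys$" and see
whether it disappears. The Sony cloaking driver hid names beginning with
"$sys$" from directory enumeration, so the check is: we just wrote the
file, so a direct lookup must succeed; if a directory listing no longer
shows it, something is filtering what the listing returns.
"""
import os
import tempfile

# Any name that starts with "$sys$" works; this one is my own choice.
CANARY_NAME = "$sys$canary-pauldotcom.txt"


def canary_is_cloaked(directory: str, name: str = CANARY_NAME) -> bool:
    """Write the canary into `directory` and compare two views of it.

    Returns True when the file was written and a direct lookup sees it,
    but a directory listing does not (the behaviour the $sys$ cloaking
    produced). Returns False when the listing is honest. The canary is
    removed again before returning.
    """
    if not name.startswith("$sys$"):
        raise ValueError("canary name must start with $sys$ to trigger the cloaking")
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        # View 1: a direct lookup of the path we just wrote.
        direct = os.path.exists(path)
        # View 2: enumeration of the directory, which is what was filtered.
        listed = name in os.listdir(directory)
        return direct and not listed
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            # Nothing to clean up if the file could not be removed by name.
            pass


def check_tempdir() -> bool:
    """Run the canary check in the system temp directory."""
    return canary_is_cloaked(tempfile.gettempdir())


if __name__ == "__main__":
    print("cloaked: $sys$ file vanished from the listing" if check_tempdir()
          else "listing is honest")
```

On a clean machine the check reports that the listing is honest; it says nothing about other rootkits, only about name-based filtering of the "$sys$" prefix.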

Direct Download Link

(Bandwidth provided by OSHEAN, they're the opposite of Sony and IE)

0.5-day IE exploit

"Security researchers have published a zero-day exploit for Internet Explorer this week that allows remote code execution on most variants of Windows. The vulnerability targeted by the exploit was originally announced in May as a stability issue resulting in the browser closing."

So, a DoS vulnerability that turns out to be a remote exploit. M$ knew about it at least since May and did not find the remote exploitability, but some clever hackers did. For the most part I treat DoS vulnerabilities as if they could lead to remote code execution (if they deal with memory, not the TCP SYN flood type of DoS).

Full Article

Internet Explorer Exploit Causes ISC Threat Level Yellow

"Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability. Disable Javascript in your Internet Explorer browsers, or switch to another browser."

We started Episode 3 of PaulDotCom Security Weekly with some good ol' fashioned IE bashing. While we may joke about it, seriously folks, DO NOT USE INTERNET EXPLORER. To exemplify our point, there is an exploit floating around that allows attackers to gain remote access to your computer, and there is no patch for this vulnerability. The temporary fix is to disable JavaScript, but I strongly recommend that you use Firefox. I won't say it to those IE users (okay, I will: I told you so :-)

Of course I am being biased and unfair; Firefox isn't perfect either, but I still believe it to be better than Internet Exposure, er, Explorer.

Full Article

PaulDotCom Security Weekly - Episode 3 - Nov 18 2005

Episode 3 is now available! Video should be coming early this week, so check back. Show notes:

- Paul took creative control and started M$ IE bashing (IE sucks!)
- PC World 100 Best Products of 2005! Firefox is #1. Go install Firefox now!
- Sony rootkit (DRM) madness, Amazon recalls CDs, Uninstaller ActiveX has flaws, Bleeding Snort sigs for Sony DRM
- Docs Para, Dan Kaminsky's reverse query Sony DRM Infection Map
- Multi-vendor IPSec vulnerabilities, Cisco advisory, PaulDotCom Blog posting, Full Listing of vulnerable products from Security.nnov
- Vulnerabilities in Wifi phones, Cisco IP 7920, PaulDotCom Blog Posting, Others
- Google Bids To Give Mountain View Wi-Fi
- Everyone should register for my SANS course
- Black Hat for sale
- Windows RPC DoS, Originally thought you needed good credentials, apparently you may not
- From PacSec05 - "Using Neural Networks for remote OS Identification"
- MSNBC: only run trusted code, CIA/KGB rant, Larry has gas
- Plaintext password database from SCinet
- Got a Kidney to sell? Latest spam "Sell your organs online"
- WPA-PSK pass-phrase generator from Steve Gibson
- Go listen to Friends In Tech, and In The Trenches

Hosts: Larry Pesce, Paul Asadoorian
Sound/Video: Andrew Veitch, Nick DePetrillo

Direct Download Link

(Bandwidth provided by OSHEAN, they rock)

Much thanks to our sponsor:


"Without Shrimp, it's just Kung Fu"

"The Cisco 7920 Wireless IP Phone provides Voice Over IP service via IEEE 802.11b Wi-Fi networks and has a form-factor similar to a cordless phone. This product contains two vulnerabilities: The first vulnerability is an SNMP service with fixed community strings that allow remote users to read, write, and erase the configuration of an affected device. The second vulnerability is an open VxWorks Remote Debugger on UDP port 17185 that may allow an unauthenticated remote user to access debugging information or cause a denial of service."

So over the wireless network I can read the configuration of your phone, write a new configuration, wipe out the configuration, view all the debug output, or prevent your phone from working altogether. Great! I can't wait until these come to market!

And another thing, shouldn't Cisco know how to secure SNMP by now? Fixed community strings? They should know better...

Full Article

How-To: Build a WiFi biquad dish antenna

"Wireless enthusiasts have been repurposing satellite dishes for a couple years now. This summer the longest link ever was established over 125 miles using old 12 foot and 10 foot satellite dishes."

Check out the image

This is cool; I can't wait to build one. They state that they can grab wireless networks from 8 miles away. Sweet!

Full Article

Home Computer and Network Security Course

I will be teaching the SANS Stay Sharp course titled Home Computer and Network Security.

This course will cover:

"In this class, you will learn about many different threats, antivirus programs, firewalls, anti-spyware, identity theft, Phishing, how to create strong passwords and more. This course will give you the basic skills you need to protect yourself from various threats on the Internet whether you are at home, on the road or at work."

It will be held on January 18, 2006 from 6:00PM-9:00PM at OSHEAN in N. Kingstown, RI.

The cost of the course is $50.00 per student and you can REGISTER HERE

Tell all your friends :)

Hackers installing keyloggers at a record rate

"iDefense researchers have found that keylogger infections are up 65% over the year before, putting the private data of tens of millions of users at risk."

Keystroke loggers are bad. I'm not certain how they are tracking keystroke logger usage, but of all malware it's the nastiest, because it works outside the scope of your application's security (like SSL). If you do end up with a keystroke logger installed, a firewall that restricts outbound connections can help prevent the logger from calling home.

Full Article

sudo Local Privilege Escalation

sudo (superuser do) is a program in Unix, Linux, and similar operating systems such as Mac OS X that allows users to run programs in the guise of another user (normally in the guise of the system's superuser).

Treat local exploits seriously: combined with some of the new PHP app server vulnerabilities, these can = #0w3n3d system.

Full Advisory

IPsec-related flaw could yield new round of attacks

"Attackers could exploit a vulnerability in a security protocol widely used in VPNs to cause a denial of service or buffer overflows, or to launch malicious code."

If a buffer overflow exploit were released for any number of VPN platforms, this could spell trouble for those who rely on these systems to protect the wireless network, not to mention that the VPN sits at the perimeter between your network and the Internet.

Full Article

PaulDotCom Security Weekly - Episode 2 - Nov 11, 2005

Our second episode has been released! We've got a whole new audio setup and are sounding better than ever (although that's not saying much). Here are this week's show notes/topics:

- We beat the Sony DRM horse a few times because, well, we were the only ones who hadn't yet
- You can get a list of CDs that have the rootkit HERE
- We covered the MS05-053 exploit
- Botnets that use HTTP/HTTPS, presentation HERE
- Tracking MIT Students
- Sniffing passwords and clear text protocols, from the excellent blog by Bruce Schneier
- The overrated Linux Worm
- Fun (and profit) with Rainbow Tables

Direct Download

(Bandwidth provided by OSHEAN, they rock)


Hosts: Larry Pesce, Paul Asadoorian
Sound: Andrew Veitch

PaulDotCom Security Weekly - Special Edition - Marty Roesch Interview

We are proud to bring you our second podcast, an exclusive interview from SANS 2005 in LA with Marty Roesch, creator of Snort, an open-source intrusion detection system, and co-founder/CTO of Sourcefire:

Direct Download

Marty talks about:

- The history of Snort
- Recent Back Orifice buffer overflow
- New and exciting technologies at Sourcefire
- His love for Mac (which we share)

(We apologize in advance for the poor audio quality, new equipment is on the way. If you have suggestions or comments feel free to drop me a note, paul /at/ pauldotcom.com).

Again, thanks to our sponsor OSHEAN for providing the bandwidth.

"Snort saved my bacon"