Defense in Depth

Skeleton key unlocks Microsoft SQL servers in latest Web attack

Last week on my Security Bites podcast I talked with Jeremiah Grossman, CTO of WhiteHat Security, about the recent spate of SQL injections affecting Microsoft SQL.

Grossman said that if users surf to an SQL-injected site, their browsers will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins. Grossman also said that just turning off Javascript won't necessarily protect end users from this latest round of attacks since the attackers can use traditional HTML as well.

Below … Read more

Web browsers and other mistakes

Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.

On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers fail to parse malicious code.

In the talk, Kuza55 included details on how various attacks use logged out cross-site scripting (XSS), cross-site reference frame-protected cross-site scripting, JavaScript hijacking, session fixation, XSS reference frame token fixation, and CSRF vulnerabilities to compromise desktop Internet browsers. The talk was provided to CNET … Read more

Goodbye Storm, Hello Srizbi

On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.

At its peak, Sunner said, the Storm botnet resided upon one million computers worldwide. That number has since come down to between 85,000 IP addresses at the end of April. He said that over the last eighteen months Storm has been constant and never decreased, according to MessageLabs research. "Other security companies … Read more

Microsoft serves law enforcement free COFEE

This week, as first reported by CNET News.com, Microsoft talked publicly about COFEE, its free Computer Online Forensic Evidence Extractor. The company demonstrated the tool as part of a law enforcement conference held in Redmond.

COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab--files that are stored in active memory would otherwise be lost, for example. … Read more

Microsoft's Blue Hat talks start Thursday

On Thursday and Friday, Microsoft will once again gather select security researchers in Redmond, Wash., for its seventh annual Blue Hat talks.

The conference, by invitation only, has gained a reputation for providing Microsoft engineers with a first-hand opportunity to hear from and question leading security researchers. There will be an executive event on Thursday, with general sessions on Friday. Microsoft has more on the Blue Hat schedule here, and a blog here.

Among those invited to present is Cesar Cerrudo, of Argeniss, who will update his Hack the Box talk on Token Kidnapping. Cerrudo defines an access token as … Read more

Evidence presented in New Jersey e-voting discrepancies

Despite the threat of legal action by one voting machine vendor, Princeton University professor Ed Felten is continuing his independent investigation of perceived irregularities in New Jersey's February 5, 2008 presidential primary election. On Friday, a New Jersey state judge ruled that voting rights activists will also have the right to have their own independent expert examine the state's electronic voting machines.

The question is integrity. What Felten has found so far isn't enough to change the election results, but evidence presented on his blog site suggests there might be enough to undermine our confidence in the … Read more

Symantec's Norton user forum in beta

After years of prodding from pesky security software reviewers like myself, Symantec has finally created a user forum for its Norton products. Although still officially in beta, the forum has been operating in-house for a few months and thus has been generating some useful how-to information.

Moderator Dave Cole sums up the project in a welcome note:

We've been working on re-launching our product forums for several months now and are happy to finally officially open the door on the beta. We kicked off this project with the intent of creating a place where Norton customers, employees … Read more

Rogue trader lands job in computer security

Jerome Kerviel, a former high-risk trader at France's Societe Generale, last week started a new job at Lemaire Consultants & Associates, a computer security and system development company.

Kerviel remains under investigation for one of the largest bank frauds in history. In January 2008, Societe Generale accused 31-year-old Kerviel of being a computer genius who took on trades far beyond what he was authorized to do. As a result, the company has declared a loss of $7.6 billion.

In his defense, Kerviel told investigators he did nothing more than what others were doing.

On March 18, he was … Read more

iPhone now supported by Check Point VPN-1

On Tuesday, Check Point Software Technologies announced support for the Apple iPhone through its Virtual Private Networking (VPN) software tool VPN-1.

Using the iPhone's embedded Layer 2 Transport Protocol (L2TP) client, VPN-1 is able to provide secure, encrypted access for iPhone users communicating with enterprises currently running Check Point's VPN-1 gateway.

Security expert: Don't blame Microsoft for mass site defacements

Progress was made Monday in mitigating thousands of SQL-based Web sites injected with malicious Javascript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by injecting executable code. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a … Read more