Friday, 8 January 2010
Nicolas Sarkozy given 'impenetrable' superphone
By Henry Samuel in Paris
Telegraph.co.uk
07 Jan 2010
President Sarkozy got to grips with the Teorem phone, which looks like a regular smartphone, while on a visit to the Thales Communication factory in Cholet, western France.
Some 20,000 such devices will be distributed to the president and his entourage as well as government ministers and their advisers early next year. Top military officials will also use them.
The superphone's designers said the phone "guarantees a very high safety level," and has the added advantage of being able to use commercial mobile networks or fixed secure lines.
"It's beautiful", the president could be heard saying during the visit.
Shortly after Mr Sarkozy's election in 2007, workers in the offices of the president and prime minister were reportedly ordered not to use handheld BlackBerry devices, amid fears that foreigners could spy on them.
Spear-Phishing Experiment Evades Big-Name Email Products
By Kelly Jackson Higgins
DarkReading
Jan 05, 2010
The researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from "Bill Gates" is about to reveal the email products and services that failed to filter the spoofed message -- and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort.
Joshua Perrymon, CEO of PacketFocus, had previously revealed that the iPhone, BlackBerry, and Palm Pre smartphones had all fallen victim to the spear-phishing exercise.
"Email-based attacks are probably one of the most effective in today's hacker bag of tricks. The email security industry gets by with stopping most spam and known phishing attacks," Perrymon says. "The problem lies in a directed, under-the-radar, spear-phishing attack -- the type where the attacker spends time to understand the target, create an effective spoofed email and phishing site, [and] then attacks."
The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say.
Certifications: A false sense of security
By John S. Monroe
GCN.com
Jan 06, 2010
Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.
This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic [1] for FCW.com.
"If certifications were effective, we would have solved the cybersecurity challenge many years ago," Castro wrote. "Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers."
His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.
Hacker pierces hardware firewalls with web page
By Dan Goodin in San Francisco
The Register
6th January 2010
On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some JavaScript embedded in a webpage.
By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.
"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."
Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.
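The weakness described above is in the router's IRC application-layer gateway (the NAT helper that opens an inbound forward when it sees a DCC offer on port 6667) parsing bytes it should not trust. The following is an added illustration, not Belkin firmware or Kamkar's code, that models a naive helper beside a hardened one: the hardened session only honours a DCC offer once the stream has completed IRC registration (NICK and USER) and refuses a stream that opens with an HTTP request line, which is what a browser form submission always starts with. The LAN address, nicknames and port numbers in the sample traffic are constructed.

```python
import re
from typing import List, Optional, Tuple

IRC_PORTS = {6667}
# CTCP DCC offer as carried in an IRC PRIVMSG: \x01DCC CHAT chat <ip> <port>\x01
DCC_RE = re.compile(rb"\x01DCC (CHAT|SEND) \S+ (\d+) (\d+)")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def naive_alg_port(payload: bytes) -> Optional[int]:
    """The weak behaviour: any DCC-looking string on the IRC port opens a forward."""
    m = DCC_RE.search(payload)
    return int(m.group(3)) if m else None


class IrcAlgSession:
    """Hardened helper: DCC is honoured only on a registered, IRC-looking session."""

    def __init__(self, dst_port: int, lan_host: str) -> None:
        self.dst_port = dst_port
        self.lan_host = lan_host
        self.first_chunk = True
        self.rejected = False          # stream did not start like an IRC client
        self.nick_seen = False
        self.user_seen = False
        self.forwards: List[Tuple[str, int]] = []   # (lan_host, port) pairs opened

    def observe(self, payload: bytes) -> Optional[int]:
        """Feed one client-to-server chunk; return the LAN port opened, if any."""
        if self.dst_port not in IRC_PORTS or self.rejected:
            return None
        if self.first_chunk:
            self.first_chunk = False
            # A browser form submission always begins with an HTTP request line;
            # an IRC client never does. Mark the stream and ignore it from now on.
            if payload.startswith(HTTP_METHODS):
                self.rejected = True
                return None
        for line in payload.split(b"\r\n"):
            if line.startswith(b"NICK "):
                self.nick_seen = True
            elif line.startswith(b"USER "):
                self.user_seen = True
            elif line.startswith(b"PRIVMSG ") and self.nick_seen and self.user_seen:
                m = DCC_RE.search(line)
                if m:
                    port = int(m.group(3))
                    if 1024 <= port <= 65535:   # never forward to privileged ports
                        self.forwards.append((self.lan_host, port))
                        return port
        return None


# Constructed sample traffic (addresses, nicks and ports are made up).
LAN_HOST = "192.168.2.10"
LEGIT_REGISTRATION = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"
LEGIT_DCC = b"PRIVMSG bob :\x01DCC CHAT chat 3232236042 5000\x01\r\n"
# A browser form post to port 6667 whose body carries a DCC string.
FORM_POST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\n"
             b"x=\x01DCC CHAT chat 3232236042 8080\x01\r\n")

if __name__ == "__main__":
    good = IrcAlgSession(6667, LAN_HOST)
    good.observe(LEGIT_REGISTRATION)
    print("real IRC client, hardened helper opened:", good.observe(LEGIT_DCC))
    bad = IrcAlgSession(6667, LAN_HOST)
    print("form post, hardened helper opened:", bad.observe(FORM_POST))
    print("form post, naive helper would open:", naive_alg_port(FORM_POST))
```

The two checks complement each other: the registration check alone would not stop a stream that manages to carry raw IRC-looking lines, and the request-line check alone would not stop a non-browser client, but a browser cannot avoid sending a request line first, so the browser-driven case the article describes is refused before any DCC parsing happens. Disabling the IRC helper outright where no one on the LAN needs DCC is the simpler mitigation.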
Microsoft won't fix Windows 7 crash bug next week
By Gregg Keizer
Computerworld
January 7, 2010
Microsoft today said it will deliver a single security update on Tuesday to patch just one vulnerability in Windows.
However, the company acknowledged that it does not yet have a fix for a crippling bug in Windows 7 that went public nearly two months ago.
The expected update will patch a vulnerability rated "critical" -- Microsoft's most serious rating in its four-step scoring system -- in Windows 2000. The bug also affects Windows XP, Vista and Windows 7, as well as Windows Server 2003, Server 2008 and Server 2008 R2, but is tagged as "low" for those editions.
"The first thing that came to mind was a denial-of-service vulnerability for the newer [operating systems], and a remote code execution on Windows 2000," said Andrew Storms, director of security operations at nCircle Network Security.
Microsoft downplayed the threat even to Windows 2000 users. "The Exploitability Index rating for this issue will not be high, which lowers the overall risk," said Jerry Bryant, a Microsoft security spokesman, in a post to the company's security response center blog today.
Easily spoofed traffic can crash routers, Juniper warns
By Dan Goodin in San Francisco
The Register
7th January 2010
Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic.
In an advisory sent Wednesday afternoon, the networking company said a variety of devices could be forced to reboot by sending them internet packets with maliciously formed TCP options. The flaw affects versions 3 through 10 of Junos, the operating system that powers devices at ISPs, backbones, and other large networks. Software releases built on or after January 28, 2009 have already fixed the issue.
"The Junos kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port," the bulletin, which was issued by Juniper's technical assistance center, stated. "The packet cannot be filtered with Junos's firewall filter. A router receiving this specific TCP packet will crash and reboot."
There are "no totally effective workarounds," the bulletin added.
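The advisory speaks of a "specifically crafted TCP option", and the usual way an option parser ends up crashing a kernel is trusting the per-option length byte. Below is an added example, not Juniper code and not a reconstruction of the Junos bug, of a TCP options parser that performs the bounds checks such a parser needs: the data offset must cover the fixed header and fit in the buffer, every TLV option must have a length byte, a length below 2 must be rejected because the cursor would otherwise stand still or move backwards, and a length past the option area must be rejected because it would read into the payload or past the end. The port numbers and sample segments are constructed; `build_segment` exists only to make the samples.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP_FIXED_HEADER = 20   # bytes before the options area
OPT_EOL = 0             # end of option list, single byte
OPT_NOP = 1             # padding, single byte


class MalformedOption(ValueError):
    """Raised instead of reading out of bounds or looping forever."""


@dataclass
class TcpOption:
    kind: int
    data: bytes


def parse_tcp_options(segment: bytes) -> List[TcpOption]:
    """Parse the options area of a raw TCP segment, rejecting malformed input."""
    if len(segment) < TCP_FIXED_HEADER:
        raise MalformedOption("segment shorter than fixed TCP header")
    data_offset = (segment[12] >> 4) * 4      # header length in bytes
    if data_offset < TCP_FIXED_HEADER or data_offset > len(segment):
        raise MalformedOption(f"data offset {data_offset} out of range")
    opts = segment[TCP_FIXED_HEADER:data_offset]
    parsed: List[TcpOption] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedOption(f"option kind {kind} is missing its length byte")
        length = opts[i + 1]
        if length < 2:
            raise MalformedOption(f"option kind {kind} has illegal length {length}")
        if i + length > len(opts):
            raise MalformedOption(f"option kind {kind} length {length} overruns the option area")
        parsed.append(TcpOption(kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def validate_segment(segment: bytes) -> Optional[str]:
    """Return None if the options parse cleanly, else the reason they do not."""
    try:
        parse_tcp_options(segment)
    except MalformedOption as exc:
        return str(exc)
    return None


def build_segment(options: bytes, payload: bytes = b"") -> bytes:
    """Construct a minimal TCP segment around the given options (test helper)."""
    padded = options + b"\x00" * (-len(options) % 4)      # pad to 32-bit boundary
    if len(padded) > 40:
        raise ValueError("TCP options area is limited to 40 bytes")
    header = bytearray(TCP_FIXED_HEADER)
    header[0:2] = (40000).to_bytes(2, "big")               # source port (constructed)
    header[2:4] = (179).to_bytes(2, "big")                 # BGP, a typical listening port
    header[12] = ((TCP_FIXED_HEADER + len(padded)) // 4) << 4
    header[13] = 0x02                                      # SYN
    return bytes(header) + padded + payload


# Constructed samples: MSS + NOP + window scale, then three malformed variants.
WELL_FORMED = build_segment(b"\x02\x04\x05\xb4\x01\x03\x03\x07")
ZERO_LENGTH = build_segment(b"\x02\x00")         # a naive loop never advances
OVERRUN = build_segment(b"\x03\x10\x07")         # claims 16 bytes, only 4 present
TRUNCATED = build_segment(b"\x01\x01\x01\x02")   # kind byte with no length byte

if __name__ == "__main__":
    for name, seg in [("well-formed", WELL_FORMED), ("zero-length", ZERO_LENGTH),
                      ("overrun", OVERRUN), ("truncated", TRUNCATED)]:
        print(f"{name}: {validate_segment(seg) or 'ok'}")
```

The same shape of check applies to any TLV format a network stack parses on a listening port; the point the advisory makes is that when the crash happens in the kernel's own input path, a packet filter in front of the service cannot help, so the parser itself has to be the defence.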