November 6, 2010

HTTP DDOS May Be in Your Website's Future

I found some interesting research work recently. Attackers have a new technique that can be used against your websites: HTTP DDOS.
Researcher by Wong Onn Chee discovered a way to cause a website to be slow and even take it down via a technique where POSTs are sent to a website slowly causing gridlocks the connection. It's similar to the Slowloris HTTP DDOS attack by RSnake, however this slow POST attack can't be mitigated by load-balancers like the Slowloris one can.

Check it out:
http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=228000532

August 24, 2010

Malware authors have their own con now, MalCon

Interested in WRITING malware? Go to MalCon.

Heh. I've heard it all. Now the malware authors have their very own conference where they can learn and teach about writing malware. Their website claims to bring together "Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares." Okayyyyy.

I'm not sure whether this is a hoax or legit but according to Brian Krebs of Krebs on Security fame it's legit, or at least he spoke with the organizer of the event about it. The word is that Bruce Schneier is one of the leading speakers. This is interesting and seems to lend credence to its legitimacy.

Not sure who will be attending but my guess at the very least there will be a few LE and government security types "hanging" around this conference.

August 7, 2010

Google CEO says no anonymity on future Internet


Google CEO Eric Schmidt stated in a talk at the Techonomy conference in Lake Tahoe that 'true transparency and no anonymity' are required to combat identity theft. He said the increase of information generated every day has helped social interaction but created a condition that helps identity theft thieves. He said there needs to be a verified way to identify people and that Governments will demand it.

My concern would be the procedures and policies surrounding the protection and use of this identity information. The information will need to be protected and how it will be accessed will be critical to whether the system is successful. If run poorly it could actually increase identity theft cases.

See more about the speech here: http://www.thinq.co.uk/2010/8/5/no-anonymity-future-web-says-google-ceo/

July 31, 2010

Even security conferences suffer from vulnerabilities


Whoops, it looks like the folks who developed the registration website for the Blackhat security conference have a little security issue themselves. As Michael Coates reported, the website that is used to register for access to some of the live talks from the conference is vulnerable to a hack where an attacker could obtain free access to paid content.

For a fee the conference offers access to select talks that are streamed live. Well Micheal found a vulnerability where he was able to access the stream without providing his credit card. Oops.

The good news out of all of this is the response from the company who developed the website responded quickly to Michael's call and within 4 hours had a fix installed. Further Michael followed responsible disclosure and did not disclose the issue until after the site was fixed.

July 15, 2010

Rootkit targeting embedded devices in SCADA systems?


A recent malware discovery has many of us security pros very concerned: rootkits targeting embedded devices. The discovery is a rootkit called Rootkit.TmpHider that came with a trojan that infects systems via USB drives. This in itself is not all that concerning, what *is* very concernful is that the driver files that make up the rookit have a legitimate digital signature from....wait for it...an embedded device maker Realtek. Worse it appears to targeted at SCADA control systems. Not good.

Several are discussing this new trojan that has rootkit technologies built into it: Wilders Security, The H-Security site, The Elder Geek.

Why are we concerned you ask? These embedded devices are everywhere controlling everything including critical systems such as water system, power grids, etc. AND in a scary finding made by malware analyst Frank Boldewin of www.reconstructer.org, this rootkit has database queries that target WinCC SCADA systems by Siemens. That's bad news.

To add to this concern is the fact that these devices rarely get updated, if at all, so all bugs and vulnerabilities that existed when they were designed still exist. Furthermore, the trust model in these devices is usually quit open, making it very easy for worms to propagate.

Here's hoping that new embedded systems have stronger security built into them.

June 2, 2010

Using SQL injection to compromise your internal LAN



I just recently discovered this great post by web app security guru Rafal Los about how via SQL injection he was able to (if he hit the button) compromise an internal LAN. Nice.

Check out Rafal's cool blog.

May 16, 2010

Replacement for Facebook?

I discovered an interesting project the other day where 4 software developers are embarking on a project this summer to develop an open source, distributed, privacy-aware social network. It sounds kind of like what Tor is for surfing this network is for socializing. In the video on the main page they complain that they don't want a central hub handling their messages to their friends.

It's an intriguing project and one that has attracted quite a few supporters. I know this because they launched a donation website where one can donate to their project and receive certain benefits. They said they need at least $10,000 to fund the development of the project: as of 12:00 PM UTC on Sunday May 16 they have 4,493 backers who donated a total of $168,730. I wonder what they'll do with the extra cash.

One wonders if this will seriously compete with Facebook's 350 million users or maybe it will get Facebook to fix their privacy policy which has gotten a beating recently. Time will tell with this.

Check out the project here.

April 13, 2010

Call-For-Papers Info Sec Summit in October


I forgot to mention in my last blog post that we are accepting submissions from presenters and trainers for the Information Security Summit on October 11-13 and 14-15, 2010.

CFP submission deadline is May 15, 2010. We look forward to your participation.

http://www.informationsecuritysummit.org

April 9, 2010

8th Annual Information Security Summit Dates Announced

Dates have been announced for the 8th Annual Information Security Summit. This years event will take place October 14-15, 2010 at Corporate College East in Warrensville Heights, Ohio. Pre-conference training class will take place on October 11, 12, and 13. Corporate College East is located at 4400 Richmond Road between Harvard and Emery Roads In Warrensville Heights. The facility is easily accessible from Interstate 271.

Last years event featured keynote talks from well respected industry leaders Richard Bejtlich, Grady Summers, Joel Snyder, and John O'Leary; over 30 sessions; and attracted over 400 security professionals. The event was a huge success and we will be building on that this year.

Registration is open, take advantage of early bird pricing of $250 before July 1, 2010.

http://www.informationsecuritysummit.org