Archive for the 'Security' Category

Exploit code released for Firefox vulnerability

According to Brian Krebs's blog on the Washington Post, exploit code has been released for the latest Firefox and Netscape vulnerability. To protect yourself against this code either 1) buy a Mac or 2) update your version of Firefox to the latest version - available here.

The exploit code appears to allow an attacker to take remote control of infected PCs - it is interesting to see a serious exploit for Firefox being released, finally - we are far more used to seeing these kinds of exploits being released for Internet Explorer!

Microsoft releases critical fixes

Overnight Microsoft released 3 critical, 1 important and 2 moderate fixes for Internet Explorer and Windows. The vulnerabilities patched allow remote code execution, denial of service and local elevation of privilege. Any Internet Explorer and/or Windows users are strongly advised to patch their systems with these upgrades.

More info and updates available here.

Cisco harass security worker

Bruce Schneier has posted a fascinating story about Cisco’s harassment of a security worker called Michael Lynn:

Lynn was going to present security flaws in Cisco’s IOS, and Cisco went to inordinate lengths to make sure that information never got into the hands of their consumers, the press, or the public.

Cisco threatened legal action to stop the conference’s organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco’s Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.

In the end, the researcher, Michael Lynn, went ahead with a presentation, describing flaws in Cisco’s software that he said could allow hackers to take over corporate and government networks and the Internet, intercepting and misdirecting data communications. Mr. Lynn, wearing a white hat emblazoned with the word “Good,” spoke after quitting his job at Internet Security Systems Inc. Wednesday. Mr. Lynn said he resigned because ISS executives had insisted he strike key portions of his presentation.

A copy of Michael Lynn’s presentation is now available here.

Spamming can seriously affect your health!

Via Loic

From MozNews.com

Russia’s Biggest Spammer Brutally Murdered in Apartment

Vardan Kushnir, notorious for sending spam to each and every citizen of Russia who appeared to have an e-mail, was found dead in his Moscow apartment on Sunday, Interfax reported Monday. He died after suffering repeated blows to the head…

Under Russian law, spamming is not considered illegal, although lawmakers are working on legal projects that could protect Russian Internet users like they do in Europe and the U.S.

For more info on Kushnir, see the Wikipedia entry here.

UPDATE:
Russian police are now saying that Kushnir’s death was a robbery gone wrong and was unrelated to his spamming - see here for more.

Shoot to kill policy fundamentally flawed

The recently exposed UK “shoot to kill” policy appears to have been discreetly introduced into anti-terrorist procedures in 2003, after then-Metropolitan Police Commissioner Lord Stevens sent teams to both Israel and Sri Lanka to study how they dealt with suicide bombers.

On Sunday, Lord Stevens said in the News of the World:

There is only one sure way to stop a suicide bomber determined to fulfill his mission: Destroy his brain instantly, utterly. Which means shooting him with devastating power in the head, killing him immediately. Anywhere else and even though they might be dying, they may still be able to force their body to trigger the device.

The procedures would remain in place, Sir Ian Blair, the current Police Commissioner, insisted:

There is no point in shooting at someone’s chest because that is where the bomb is likely to be.

There is no point in shooting anywhere else if they fall down and detonate it. It is drawn from experience from other countries, including Sri Lanka. The only way to deal with this is to shoot to the head.

The policy had been “reviewed and reviewed” for many months and was a national one, not just for London, he said.

Jack Straw, the Foreign Secretary, also defended the policy. He said it was essential police were able to deal effectively with the threat of a suicide attack.

That all sounds quite reasonable (especially to me seeing as I am pale skinned, freckled and red-headed!).

However, as Bruce Schneier points out, now that the terrorists know about the shoot to kill policy, all they have to do is change their detonators to explode when someone lets go of the trigger - or as Bruce himself puts it:

This policy is based on the extremely short-sighted assumption that a terrorist needs to push buttons to make a bomb explode. In fact, ever since World War I, the most common type of bomb carried by a person has been the hand grenade. It is entirely conceivable, especially when a shoot-to-kill policy is known to be in effect, that suicide bombers will use the same kind of dead-man’s trigger on their bombs: a detonator that is activated when a button is released, rather than when it is pushed.

Shoot to kill doesn’t increase security - it decreases it - innocent lives are put at further risk as demonstrated so effectively this week. Also, right about now, if I were a mugger/rapist/whatever, I know that any call by me to “Stop, Police” will net me a very compliant victim, thank you very much.

UPDATE:
According to reports in the Times and the Guardian, Jean Charles de Menezes, the Brazilian shot dead by London Police in the Shoot to Kill incident, was neither wearing a bulky jacket, nor did he vault the ticket barrier. From the Times article:

Vivien Figueiredo, 22, said police told her that he was wearing a lightweight denim jacket and not some bulky coat that could have hidden an explosive belt underneath. Detectives also claimed immediately after the shooting that Mr Menezes had refused to heed shouted warnings by armed police and vaulted the ticket barriers at Stockwell Tube station.

Now police say that he used his travelcard to gain access to the station.

Mrs ESTHER ROBERTS - is a scammer!

I received the following 419 scam email yesterday:

From:Mrs ESTHER ROBERTS
Address:Avenue 44 Rue 12 Treichtown
Lot 87 Marcory Cocody 1863
Abidjan,Cote D’Ivoire,West Africa

Respectfull one,

Good a thing to write you. I have a proposal for you-this however is not mandatory nor will I in any manner compel you to honour against your will.

I am MRS.ESTHER ROBERTS,46 years old and the wife of late MR.ROBERTS MARTINS. My late husband was a highly reputable and respectful business magnet in our country and other West African countries during his days.

It is sad to say that he had passed away last year.I had my first and only son Elvis when i was 26 years old and as at then we were happily married.Before his death on September 22 2004, he called me before he died and told me that he had a sum of 19.700,000 US DOLLARS (NINETEEN. SEVEN MILLION USA DOLLARS)kept in a security company in (AFRICA) for safe keeping for me and my son for us not to suffer after his death.

He also said that the security company does not know the content in the safe Box.He decleared it to the company as family treasure and used my son’s name ELVIS to Deposit the Box as his only child for next of kin. He also explained to me that I should seek for a foreign partner in a country of my choice where I will transfer this money to and use it for investment purposes,so that me and my son will not suffer in the near future.

I want you to assist me in retrieving this box from the security company and then transfering the box to your country or any country of your choiceand act as a beneficiary of the fund in the said box, and also to make use of the fund in the box for an investment purpose on a very lucrative and profitable business ventures in your country or any country of your choice.
I am just a widow and a refugee in a country i don’t have family nor friend and i really don’t know what to do.Now I want you to assist me in retrieving this box that contains this fund and transfering it to you in your country. This is because I have suffered a lot of set backs as a result of incessant political crisis in my country LIBERIA and even here in Ivory coast.The death of my husband actually brought sorrow to my son and i.

Dearest one,I am in a sincere desire of your humble assistance in this regards .Your suggestions and ideas will be highly regarded.

Now permit me to ask these few questions:-
1. Can you honestly help me as your sister or partner?
2. Can I completely trust you?
3. What percentage of the total amount in question will be good for you after the money in the box is in your possesion?

Please,Consider this and get back to me as soon as possible on this my private e-mail

Thank you so much.And God bless you

Best regards,
Mrs.ESTHER ROBERTS& SON,ELVIS.

& son Elvis? - I love it! Now we know where he has gone to.

Esther’s email address is esther_robert0021@yahoo.com in case anyone wants to scambait her.



