Welcome to Delicate template
Header
Just another WordPress site
Header

Unintended Denial-of-Service

January 16th, 2008 | Posted by Michael Oglesby in Security - (0 Comments)

For those who do not follow Apple news, today was the annual Apple keynote by Steve Jobs. These keynotes are highly anticipated as Jobs usually surprise announces the new Apple products: iPod, iPhone, MacBooks, etc. Since most people cannot go to the keynote, websites like Engadget[engadget.com] provide a live running blog of the event. Even knowing that they would have a abnormally large number of visitors to their site, Engadget was still taken down[engadget.com]. The massive amount of people visting their site caused a denial of service at 2 AOL data centers (AOL hosts Engadget). This goes to show that even with advanced planning, unintended or non-malicious denial of service is still a threat.

Michael Oglesby

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.

More Posts - Twitter

,

Who are you, REALLY?

January 15th, 2008 | Posted by Dominic Schulte in Identification | privacy | Security - (0 Comments)

On Friday, the DHS took another step forward[news.com] in their drive to increase the reliability of state drivers’ licenses by releasing their “Final Rule,”[dhs.gov] of minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.

Dominic Schulte

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

More Posts

, , , , ,

Most Home Routers Vulnerable to New Attack

January 15th, 2008 | Posted by Brett Edgar in Security - (0 Comments)

GNUCitizen[gnucitizen.org] has released details of a new attack[gnucitizen.org] on UPnP-enabled home routers that can be perpetrated by a Flash object running on the browser of any user. I haven’t tested this, but it looks like it should work even if executed under a non-privileged account. (You do use non-privileged accounts, right?) It should work because this attack vector doesn’t do anything particularly suspicious, and certainly not something that would require administrator privileges. There are several very bad results from this attack, but a worst-case scenario is described in the details published on GNUCitizen’s website:

The most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.

That would suck.

What’s interesting here is that this is not a vulnerability in UPnP itself. A pre-existing web session with the home router is a prerequisite for this attack to occur. However, GNUCitizen has several other discussions which show that a simple XSS attack is all that is needed to establish the prerequisite. So this is an attack vector that is opened by another exploit entirely!

Brett Edgar

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

, , ,

Adult Web Industry Compromised

January 15th, 2008 | Posted by Brett Edgar in Security - (0 Comments)

The AP has released a story [FOXNews.com] detailing that a New Jersey company which provides accounting software to the adult-entertainment industry has been hacked. The software apparently tracks referrals from one website to another and determines how much each website owner is supposed to be paid based on those referrals. The breach allowed the attackers to obtain the subscriber lists of several adult websites. Those subscribers are now being spammed with targeted adult advertisements from competitor websites. The greatest quote from the article from the owner of several adult websites: “There’s a loss, in my opinion, of user confidence.”

Brett Edgar

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

, ,