May 31, 2011

Lockheed Martin, the country’s largest defense contractor, has suffered a serious network attack. Its VPN architecture was exploited, likely using code from the RSA SecurID intrusion earlier this year.

This is probably the first of many. After all, people have looked at the multifactor authentication afforded by SecurID as the gold standard for years; if that’s cracked, we’re all in a lot of trouble.


May 27, 2011

IT World is running a fun article on features that we’ve lost from our computers over the years. While the common perception is that technology is always getting better, it does occasionally happen that a really useful concept or feature vanishes, never to reappear.

(My favorite, which isn’t in the article, was the old SCO Unix capability to turn all of the text in a terminal window red if you were logged in as root. It was so simple, but such a great visual cue.)

iOS Encryption Cracked

May 26, 2011

Elcomsoft, the well-known Russian security company, has released a new tool that allows users to brute-force the encryption keys used by iOS 4 devices. Apparently the usual time to crack an iPhone or iPad is about forty minutes.

MacDefender Update

May 25, 2011

Apple is planning to release an update in the near future specifically to deal with the MacDefender malware that’s been making the rounds for the last couple of weeks. There’s blood in the water now, though – I wouldn’t be surprised to see significant amounts of new malware on OS X in the near future, now that it’s a proven target.

Google AuthToken Vulnerability

May 18, 2011

Remember Firesheep? The software plugin for Firefox that allowed users to take advantage of authentication tokens being transmitted in cleartext across a shared medium, like a wireless network?

Apparently Google doesn’t.

Researchers at Ulm have discovered a remarkably similar flaw in the communication between Android smartphones and Google web services – if you’re updating your calendar or contacts from a public wifi hotspot, eavesdropping and impersonation attacks are trivial. (This includes the automatic synchronization that is on by default on most handsets.) Apparently a patch is available, and if the history of Android is any indication, it might even reach end users in a few months. Maybe.

Partition Encryption in Linux

May 17, 2011

Last week, I started getting errors from the external hard drive that I use for backing up my workstation. Since this is probably the sign of an impending failure, I ordered a new one immediately. Also, since external hard drives are lightweight and easy to steal, both the replacement and the drive being replaced are encrypted to protect their data.

In Linux, the most common solution for drive encryption is a combination of dm-crypt and LUKS. If you’re interested in setting up an encrypted drive yourself, you might find this walkthrough useful – I wrote it a few years ago, and still refer to it every time I need to refresh my memory on the command syntax for working with encrypted filesystems under Linux.
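To make the dm-crypt/LUKS command sequence concrete, here is an added example (my own script, not the walkthrough linked above) covering the one-time setup of an encrypted external backup drive and the open/close routine for daily use; the device path, mapper name and mount point are placeholders passed as arguments, and it assumes root, cryptsetup and mkfs.ext4.

```shell
#!/bin/sh
# Added example: LUKS lifecycle for an external backup drive.
# Assumes: root, cryptsetup + mkfs.ext4 installed, and that the device
# argument is the partition you intend to wipe (check lsblk first).
set -eu

# Refuse to touch anything that is not an unmounted block device.
check_target() {
    dev="$1"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    return 0
}

# One-time: create the LUKS container, open it, put ext4 inside, close it.
luks_init() {
    dev="$1"; name="$2"
    check_target "$dev" || return 1
    # XTS with a 512-bit key (two AES-256 keys) rather than the older CBC-ESSIV default.
    cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext4 -L "$name" "/dev/mapper/$name"
    cryptsetup luksClose "$name"
}

# Daily use: unlock and mount. isLuks catches a wrong or unencrypted device.
luks_mount() {
    dev="$1"; name="$2"; mnt="$3"
    cryptsetup isLuks "$dev" || { echo "$dev has no LUKS header" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Daily use: unmount and lock. The key stays in kernel memory until luksClose runs.
luks_umount() {
    name="$1"; mnt="$2"
    umount "$mnt"
    cryptsetup luksClose "$name"
}

# Usage: sh luks-drive.sh init /dev/sdX1 backup
#        sh luks-drive.sh mount /dev/sdX1 backup /mnt/backup
#        sh luks-drive.sh umount backup /mnt/backup
case "${1:-}" in
    init)   luks_init "$2" "$3" ;;
    mount)  luks_mount "$2" "$3" "$4" ;;
    umount) luks_umount "$2" "$3" ;;
esac
```

Add a second passphrase or keyfile with `cryptsetup luksAddKey` before relying on the drive, and keep a `cryptsetup luksHeaderBackup` copy off the disk, since a damaged header makes the data unrecoverable.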

Cisco VoIP Exploits

May 13, 2011

Once again, we see the results of telecom functionality moving into the networking space – the old-school telecom people just aren’t ready for the demands of properly securing an IP network. AusCERT has asserted that Cisco VoIP products, out of the box, can be turned into listening bugs, can let an attacker eavesdrop on conversations, or can be crashed outright in a denial-of-service attack.

Running any service over an IP network means that you now have TWO sets of security problems to deal with. In much the same way that the replacement of “dumb” cell phones by smartphones adds tremendous security headaches, so too does the transition from traditional PBX systems to a VoIP world.

Leaving the Sandbox

May 11, 2011

French security research firm Vupen has claimed to have written an exploit that allows them to escape the Chrome sandbox and execute arbitrary code.



May 6, 2011

There has apparently been a sizable data exfiltration at LastPass, an application service provider that stores passwords for user accounts. The data was of sufficient size that it probably includes hashed “master passwords”, which serve as the cryptographic keys to unlock the stored passwords on the service.

If you’re using LastPass, you may want to change your password. And you may also want to reconsider the wisdom of storing all of your passwords in a stranger’s datacenter.


May 4, 2011

Macintosh users – welcome to the fake antivirus party.

A new piece of malware called “MacDefender” has been seen in the wild. It is a JavaScript-driven installer inside a compressed ZIP archive, which means that users running as administrators with “Open Safe Files After Download” checked in Safari will launch and install it automatically. Some users report that they were not even prompted for a password to confirm the installation.