cert.org · Domains · Slashdot Mirror

Attack surface by WD · 2011-12-06 15:32 · Score: 4, Insightful · on Adobe Warns of Critical Zero Day Vulnerability

I wrote it years ago, but it's still quite relevant:
http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html

Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.

Re:Reassuring? by CharlyFoxtrot · 2011-12-01 03:18 · Score: 1 · on Carrier IQ Software May Be in iOS, Too

This is supposed to be reassuring? How many people will ever read about this? And how long until it's turned on by default? Or perhaps turned on by a remote message.

On the latest version of iOS, on the welcome screen on first boot it explicitly asks you if you want to turn on the sending of diagnostics and stuff like location services. This was Apple's response to the privacy kerfuffle after the location tracking thing. Yes I am disappointed it's even in there but Apple is doing the right thing here by disabling it by default.

I've found it useful as an example for people who don't understand why we need free/open software. This story simply means that if you use your phone to access anything that is protected by a password (or PIN or whatever), that little hidden bit of software is making a copy of your login, password, account numbers, etc., and sending it off to some site that you know nothing about. Whoever has that information can then get into your account and do as they like with it. I've seen a lot of worried looks, and I know a number of people who have held off on the idea of using their phone to access their bank accounts as a result of this information.

CERT Advisory CA-2002-24 Trojan Horse OpenSSH Distribution

Re:We already have a cyber CDC by Compaqt · 2011-07-22 06:35 · Score: 1 · on Malware Is a Disease; Let's Treat It Like One

Don't we already have one?

The nerdily-named Computer Emergency Response Team
http://www.cert.org/

Why do I imagine post-doc geeks wearing black sitting around in a darkened room in a "situation room" with huge screens looking at live monitoring logs?

And also asking each other, "Doctor, do you concur?"

Re:Please provide native support of PDF for OS X. by Anonymous Coward · 2011-07-16 13:10 · Score: 0 · on Firefox Is Going 64-Bit: What You Need To Know

Not sure, but Evince shares the Poppler library backend with Okular, which uses FreeType 2 internally, which was susceptible to the iOS JailbreakMe attack. Okular crashed to one of these hijacked PDFs, likely because the payload targeted iOS and not Linux. Beware the PDFs :).

Re:Partial release rings alarm bells by rbrausse · 2011-07-07 19:49 · Score: 1 · on Microsoft Releases Mobile Data Collection Source Code

And that you are verifying the MD5 checksum of the source code to the build on my phone! And a UN panel to supervise the foundry in which the hardware md5 check was being performed!

nah, not enough. md5 is COMPLETELY BROKEN!!!11!

Re:Microsoft should know... by paulo.casanova · 2011-06-17 15:13 · Score: 1 · on Microsoft Brands WebGL a 'Harmful' Technology

Sorry, I meant this year (2011). And I linked to the second page of the list instead of the first one. Here is the link to the start page. Rule number one: don't post without sleep :)

Adobe: 5, Microsoft: 4, Cisco: 2, Oracle: 2, IBM: 1, all out of 58. Now, if you take into consideration the number of products Microsoft ships and its installed user base it is a hell lot better than it used to be (remember the days when a new root exploit for IIS came out every week?)

Also, please understand I'm not saying Microsoft is good at security. I'm just saying they're much better than what they used to be. Of course you can argue that -Inf + x = -Inf, for any x :) but that's a totally different issue.

Re:Microsoft should know... by paulo.casanova · 2011-06-17 03:46 · Score: 1 · on Microsoft Brands WebGL a 'Harmful' Technology

Actually, Microsoft is suffering from bad fame more than anything else. Looking at the CERT database you can see 4 vulnerabilities in MS products in the middle of tons of others. They effectively have taken security somewhat seriously (it did that a long time but that is another story).

On the other hand, Adobe seems to be doing a nice work making sure Flash goes down the drain!

Re:Well by cbiltcliffe · 2011-03-23 10:31 · Score: 1 · on Phony Web Certs Issued For Google, Yahoo, Skype

I said this wasn't over a few years after Verisign signed the fake Microsoft cert in 2001. http://www.cert.org/advisories/CA-2001-04.html

I can't find my /. comment on it right now, as it was years ago, but everybody who responded said many checks had been put in place so that type of thing couldn't happen again.

Well, I told you so. The problem is, it only takes one legitimate CA to screw up, and it subverts the entire system for all CAs.

Re:Agree by rahvin112 · 2011-03-11 14:14 · Score: 3, Insightful · on Ask Slashdot: Worst Computer Scene In TV or Movies?

From: CERT Bulletin
Date: 26 Jun 1996 15:43:18 GMT
Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Approved: cert-advisory@cert.org
Reply-To: cert-advisory-request@cert.org
Keywords: security CERT
Originator: cert-advisory@cert.org

CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

The CERT Coordination Center has received reports of weaknesses in Alien/OS that can allow species with primitive information sciences technology to initiate denial-of-service attacks against MotherShip(tm) hosts. One report of exploitation of this bug has been received.

When attempting takeover of planets inhabited by such races, a trojan horse attack is possible that permits local access to the MotherShip host, enabling the implantation of executable code with full root access to mission-critical security features of the operating system.

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1 or later, and all versions of Microsoft's Windows/95. CERT advises against initiating further planet takeover actions until patches are available from these vendors. If planet takeover is absolutely necessary, CERT advises that affected sites apply the workarounds as specified below.

As we receive additional information relating to this advisory, we will place it in

ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

1. Description

Alien/OS contains a security vulnerability, which strangely enough can be exploited by a primitive race running Windows/95. Although Alien/OS has been extensively field tested over millions of years by EvilAliens, Inc., the bug was only recently discovered during a routine invasion of a backwater planet. EvilAliens notes that the operating system had never before been tested against a race with "such a kick-ass president."

The vulnerability allows the insertion of executable code with root access to key security features of the operating system. In particular, such code can disable the NiftyGreenShield (tm) subsystem, allowing child processes to be terminated by unauthorized users.

Additionally, Alien/OS networking protocols can provide a low-bandwidth covert timing channel to a determined attacker.

2. Impact

Non-privileged primitive users can cause the total destruction of your entire invasion fleet and gain unauthorized access to files.

3. Solution

EvilAliens has supplied a workaround and a patch, as follows:

1. Workaround

To prevent unauthorized insertion of executables, install a firewall to selectively vaporize incoming packets that do not contain valid aliens. Also, disable the "Java" option in Netscape.

To eliminate the covert timing channel, remove untrusted hosts from routing tables. As tempting as it is, do not use target species' own satellites against them.

2. Patch

As root, install the "evil" package from the distribution tape.

(Optionally) save a copy of the existing /usr/bin/sendmai

Re:Hate to say it by scdeimos · 2011-02-28 15:22 · Score: 1 · on Infected Androids Run Up Big Texting Bills

Oh yes, because iPhone has never ever once had a vulnerability.

Re:It was just a matter of time by pandrijeczko · 2011-02-28 06:40 · Score: 2 · on Backdoor Trojan For Windows Ported To Mac OS

You need to be aware of what versions of daemons (like SSH, HTTP, FTP, SAMBA, etc. etc.) are running on your system currently.

You then sign up to security alerts, from your OS vendor, but preferably from somewhere like CERT who will report the vulnerabilities first. If a security vulnerability is reported on something you are running, then ideally you'd turn it off until it's fixed by the OS vendor; if you can't, then wrap some connectivity restrictions around it from a firewall, TCP wrappers or network ACLs to restrict what IP addresses can connect to it. Then patch it when the OS vendor releases an update.

Anyone who cares about security should do this - just because you run Apple doesn't make you special.

Re:not "high severity" by kangsterizer · 2011-02-23 05:02 · Score: 2 · on High Severity BIND Vulnerability Advisory Issued

http://www.kb.cert.org/vuls/id/559980
Severity metric: 4.50 (on a scale from 0 to 180)

Sounds like not very high to me either, lol.

That said, it's a kinda serious vulnerability given that the Internet relies a lot on DNS and many servers are running BIND.

Then again, we should be running at least DNSSEC by now, and not provided by BIND, right? right?!

Re:not high severity by Bacon+Bits · 2011-02-23 04:59 · Score: 1 · on High Severity BIND Vulnerability Advisory Issued

That's true, but the CERT advisory only lists the severity metric as 4.5. That's not out of 10. It's out of 180.
http://www.kb.cert.org/vuls/id/559980

ISC very well may use a different ranking scheme for vulnerabilities. DNS is required to have high availability, and this would severely impact that. ISC may rate it highly simply because the common usage scenarios for BIND make this more concerning.

Re:latest BIND not affected by Bacon+Bits · 2011-02-23 04:30 · Score: 3, Informative · on High Severity BIND Vulnerability Advisory Issued

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?

CERT was notified at the end of January.
"Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 ]

The CVE was reserved in the middle of January.
"Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 ]

Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.

Re:Another Linux admin with a superiority complex. by The+Moof · 2011-02-21 09:47 · Score: 3, Informative · on Why You Shouldn't Reboot Unix Servers

Why should I bother disabling it?

Generally, good administrators tend to disable service that aren't wanted or needed in their systems. Who's to say that there's not going to be a vulnerability for the service discovered down the road (*coughSolariscough*) that would make you vulnerable?

Re:Pathetic by TheLink · 2011-02-15 17:55 · Score: 1 · on Microsoft's New Plan For Keeping the Internet Safe

Verisign is one of the few CAs that _has_ given out bad certs.
http://www.cert.org/advisories/CA-2001-04.html
http://www.microsoft.com/technet/security/bulletin/ms01-017.mspx

But it doesn't matter. It only takes one CA in your browser/OS's huge list of CAs to sign a cert that's used to MITM you.

None of the popular browsers will give you a warning if the CA changes. For example if you went to China and went to your bank, if CNNIC (one of China's CAs) signs a cert that claims to be your bank, and used that to re-sign your intercepted HTTPS connections, your browser will not warn you. Your traffic would be visible to them without any warnings.

Unless of course you use something like the certificate patrol plug-in.

Re:Stop copying Windows please! by Thundersnatch · 2011-02-07 09:05 · Score: 1 · on USB Autorun Attacks Against Linux

Windows Explorer once had a bug which could execute arbitrary code via JPEG preview.

Of course, most Linux and BSD systems had vulnerabilites just as bad, where a simple view or preview would trigger an exploit.

Vulneabilities with PNG, gzip, TIFF, PDF, and many others. This happens when everything from your browser to the desktop manager's icon system uses the same vulnerable libary. OSX and Linux systems are simply a more obscure target, and not somehow immune from file parsing vulnerabilities. And before you go off on a "but the user isn't running as root" rant, recognize that Microsoft locked down user privileges by default starting with Windows NT version 4 in 1996. But only, of course, when those windows machines were part of a Windows domain...