Domain: securityevaluators.com
Stories and comments across the archive that link to securityevaluators.com.
Comments · 19
-
Citation needed that browsers don't cache HTTPS
Most (All?) browsers and caching proxy servers do not save https content to disk.
Citation needed. Google Search for https disk cache returns, as its first result, "HTTPS Disk Cache Controller Browser Extensions" which contradicts your claim: "The default setting in Firefox 4.0 and later, true causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store." Farther down the first page of results is the Chromium project's documentation of the disk cache mechanism used by Chromium and Google Chrome. Because this document doesn't contain "HTTPS", "secure", or "encrypt", it appears to say nothing about any distinction between cleartext and HTTPS.
Some caching proxies don't save HTTPS content to disk because they don't cache HTTPS at all. The FAQ of the Polipo proxy states that it falls back to a tunnel using the CONNECT method for HTTPS connections. It doesn't support a shared HTTPS cache with a private CA.
-
Routers alone = shit (here's proof #5/15)
http://phys.org/news/2014-03-w...
http://seclists.org/cert/2012/...
http://securityevaluators.com/...
http://securityevaluators.com/...
http://slashdot.org/submission...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://soylentnews.org/article...
http://secunia.com/advisories/...
http://secunia.com/advisories/...
http://secunia.com/advisories/...APK
P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk
-
Routers alone = shit (here's proof #5/15)
http://phys.org/news/2014-03-w...
http://seclists.org/cert/2012/...
http://secunia.com/advisories/...
http://secunia.com/advisories/...
http://secunia.com/advisories/...
http://securityevaluators.com/...
http://securityevaluators.com/...
http://slashdot.org/submission...
http://soylentnews.org/article...
http://tech.slashdot.org/comme...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...APK
P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk
-
The home router market is an ongoing disaster
It's not just simple backdoors like the D-Link one that are a problem.
There is a systemic, complete and total disregard for basic tenets of security in nearly the entire home router/CPE market.
Start with crypto - no HWRNG and a known "less than ideal" version of /dev/random to feed your "secure" WPA and SSH sessions.
Worse: there is no privilege separation in most routers, which was OK when they were single-function devices - BUT: not OK when a vulnerability in services like Samba can be used to root most of the top 10 current home routers:
http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp
Once an attacker p0wns your home gateway they can change your DNS to malicious sites, as DNSChanger did:
or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.
What nearly every home router and CPE manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this Christmas might have some modern software on them, but just to pick out a recent example - the "new" Netgear Nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 GPL code drop -
http://kb.netgear.com/app/answers/detail/a_id/2649
Brand new hardware - 4+ and 10 year old software respectively.
It's unfair of me to pick on Netgear; every router I've looked at this Christmas season has some major issues.
Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as Android's in this market. I don't care if it came from taxation, ISP fees, or built into the price of the device - would you willingly leave your network's front door open if you understood the consequences?
Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the IPv6 transition (and nearly all current models have bufferbloat, besides).
How can the dysfunctional edge of the Internet be fixed?
-
The fail is your monkeyboy.
Maybe you should try reading the second link from the summary and take a look at the standard headers. What you would find is that the standard is "no-cache". Chrome and Firefox use the non-standard "no-store". But, guess which browser supports three different headers, and the only one to actually support the standard? IE.
-
Victim Must Have Active Management Session...
Look at the summary chart in the article.
With the exception of two Belkin routers, the victim must have an active management session open at the time of attack and the victim must be tricked into clicking a malicious link that leverages the open management session. This renders this "vulnerability" as highly unlikely. Most people do not open management sessions after initial router setup.
Not surprisingly, this article is full of hyperbole and the likelihood of actual router takeover is minimal to infinitesimally small. Hence, no widespread exploits.
-
Re:Understand Apple a bit better?
Charlie Miller, CanSecWest 2010.
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
See slide 53 for a very simple summary of the numbers. The presentation I saw gave somewhat narrower ranges, 4 exploitable for Acrobat and 60 for Preview (thus my factor of 15).
Thanks WD for the link, http://slashdot.org/comments.pl?sid=1844332&cid=34058546
-
Citation here:
The GP probably based his post on this presentation from Charlie Miller @ CanSecWest:
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
See slide 53 in particular.
What's important to realize, however, is that Charlie's fuzzing run was based on a set of PDF files that he chose. It's not stated whether any of the seed PDF files contained any Flash objects or 3D or JavaScript or any of the other features that contribute to the size of Adobe Reader.
But that should be an eye-opener for you. Preview doesn't come with support for Flash. Or probably a whole slew of other features that Reader supports. In addition to code quality, the attack surface (or lack thereof) and popularity are also major factors of the risk of using a particular product.
I don't think anybody believes that e.g. SumatraPDF is written in some special, uncrashable way. That would just be naive. But the much smaller attack surface combined with greater obscurity could be the motivating factor for some people.
-
One would think that this is the case...
What you describe is "smart" or "generational" fuzzing, where you have a detailed knowledge of the target that you are fuzzing. The thing is, dumb (mutational) fuzzing is still effective. Very effective. Check out Charlie Miller's CanSecWest presentation - An analysis of fuzzing 4 products with 5 lines of Python
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
In 3 weeks of (really) dumb fuzzing, 174 unique crashes in PowerPoint were discovered.
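As an added illustration of what "dumb" mutational fuzzing looks like in practice (this is not Charlie Miller's code from the slides; the toy record format, its deliberately sloppy parser and the seed input are constructed here as a stand-in target), the harness below overwrites random bytes of a seed file and buckets the exceptions it provokes:

```python
import random

# Constructed seed input for the toy format: 4-byte magic, then records of
# [type (1 byte) | big-endian length (2 bytes) | payload].
SEED = b"TLV1" + b"\x01\x00\x03abc" + b"\x02\x00\x02xy"


def toy_parser(blob: bytes) -> list:
    """Constructed fuzz target (not a real product): a record parser that
    trusts the declared length field and never checks it against the buffer."""
    if blob[:4] != b"TLV1":
        raise ValueError("bad magic")
    records, pos = [], 4
    while pos < len(blob):
        rtype = blob[pos]
        length = int.from_bytes(blob[pos + 1:pos + 3], "big")
        end = pos + 3 + length
        # The byte the declared length says is last: IndexError when the
        # length overruns the buffer. In C this would be an out-of-bounds read.
        trailer = blob[end - 1]
        records.append((rtype, blob[pos + 3:end], trailer))
        pos = end
    return records


def mutate(data: bytes, rng: random.Random, max_flips: int = 8) -> bytes:
    """Dumb mutation: overwrite a few random byte positions with random values.
    No knowledge of the format is used, which is the whole point."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed: bytes, target, iterations: int, rng_seed: int = 0) -> dict:
    """Run target() on mutated copies of seed and keep one reproducer per
    crash bucket. Buckets are keyed by (exception type, message); a native
    harness would key by crash site or stack hash, but the idea is the same."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


if __name__ == "__main__":
    for (kind, msg), case in fuzz(SEED, toy_parser, 2000, rng_seed=1).items():
        print(f"{kind}: {msg}  <- reproducer {case.hex()}")
```

Each bucket keeps its first reproducer so the crash can be replayed against the parser under a debugger, which is the step that turns a crash count into a triaged bug.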
-
Re:He was sitting on the winning weakness
I've been in a lengthy argument about this guy on the Ars Technica forums. I ended up emailing Bruce Schneier about this and asked his thoughts.
Here was my email to him:
Hi Bruce,
I've been following the Pwn2Own contest for the last couple of years. Last year a researcher from ISE ( http://securityevaluators.com/ ) named Charlie Miller used an exploit in a Perl library included in WebKit, the base code for Apple's Safari browser, and won a cash prize for his effort. In the press it was claimed he "hacked Safari in mere seconds". In truth it took a lot more time than that to devise the exploit and only seconds to execute it.
This year he did it again with another preplanned exploit which he says he discovered while researching last year's bug. Again he won a cash prize of $10,000.
In an interview with ZDNet he said: "I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."
I have a major problem with his philosophy and feel this is a dangerous precedent to set and a bastardization of the goals of security in the first place. I feel he has an obligation to inform Apple and not dangle a dollar amount for the how-to.
Sure he should be paid for his time and effort, which is why he works at a security firm. This contest is basically bonus money and about bragging rights. Sitting on a bug puts the safety of other users at risk. But he is basically demanding bribe money for bugs. Who is to say he wouldn't give up his research to the highest bidder? I'm sure there are blackhat groups like those in Russia and China that would pay handsomely for some juicy exploits like this.
Yes there is a long history of security firms hiring hackers and there have been many questions of whether that is a good idea. But security firms should take notice of this philosophy and not employ those who engage in this kind of behavior. It's bad form for his employer and makes the security industry as a whole look bad by proxy. Would you hire a security company that employs hackers who blackmail for bugs to work on your systems? If we hired his firm while I was working IT at a large New York bank I would have advised my boss to make sure he's not on our project (and perhaps hire an entirely different firm altogether).
I've been in a discussion with other users about this. There seems to be a split in viewpoint, one side saying he should let Apple and the WebKit developers know about this exploit for the betterment of everyone (for free). The other side feels this is purely about capitalism and he has no moral or ethical obligation to tell anyone.
Some have likened it to seeing a crack in a bridge that might fail. Are you obligated to inform someone of the problem? What if Dan Kaminsky demanded $1 million to divulge details on the DNS BIND problem?
What are your feelings on this?
Thanks
Here's the discussion I've been following:
http://dvlabs.tippingpoint.com/blog/2009/03/21/pwn2own-wrap-up
Bruce wrote me back today with his response:
There's a fine line between being paid for your efforts and extortion. This seems to cross it.
-
Re:Hmm
I was about to agree with you. However, upon reading their page:
The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised. For more information on the security of the iPhone, visit ISE's site describing the first exploit of an iPhone security vulnerability here.
-
Re:Incredibly Inflated Sense of Self Worth
The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.
This is somewhat true. The average consumer simply isn't aware of the security issues with most things they use. It doesn't matter whether it's their phone, their computer or their front door locks. This is actually kind of the guy's point. Companies are able to keep people in the dark at will, generally.
I've never seen someone anywhere complain that it's insecure and vulnerable to hackers.
That's funny. Here's a link to a Forbes article from last summer regarding a lack of security.
http://tinyurl.com/2huxru
Here's another link regarding an actual exploit vector, reported by the New York Times: http://tinyurl.com/2uk6vy
Here's the link to the discussion of this exploit by the very guys who discovered it:
http://securityevaluators.com/iphone/ (A short URL ... woot!)
This is with a very cursory search via Google. I've certainly read of these, and other, exploits and issues on the iPhone since its release. What's interesting is most people that actually own an iPhone don't seem to give a rat's ass about security on it.
-
More details and video of exploitation
are available here: http://www.securityevaluators.com/sl/
-
The technical paper is the article
Have a read of the technical paper from the article - Quite interesting. They used fuzzing to find a heap overflow vulnerability. They go on to talk of "Blackbox Exploitation", which I later realise has nothing to do with the cinematic genre.
-
Re:Sigh, I hate to burst your bubble...
The SPDC VM is not Java. I don't think you've asked the right questions of your "people at IBM who wrote the JVM used to play BD+". Here's Avi Rubin describing the SPDC VM:
The SPDC Virtual Machine specification defines a MIPS-like instruction set consisting of 59 standard machine operations (along with several reserved and vendor-defined operations.) Each machine instruction is encoded as a 32-bit value. The Virtual Machine provides content code with two memory areas, one for the content code and data, and another undefined area which can be used as defined by the device manufacturer. The VM also defines a set of 32-bit registers, a Program Counter, and an Instruction Filter, which is applied to instructions before execution.
(In case you're wondering, the JVM is not a "MIPS-like instruction set on 32-bit registers with a Program Counter and an Instruction Filter" --- but that wouldn't stop you from implementing such a VM IN Java, just as the JVM is itself rarely implemented in hardware --- thus the "V" in "VM".)
The person I know who's involved with BD+ co-designed BD+.
-
Let me get this straight.
From the article: "I understand ... if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)
Well, that's why Consumer Reports hired computer security professionals to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.