Friday, February 22, 2008

Attacking Hard Disk Encryption

Once an attacker has physical access to your hardware, it becomes very difficult to protect your assets.

We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux.


Here are the video and the original research paper: Lest We Remember: Cold Boot Attacks on Encryption Keys

Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
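The key-finding algorithms the abstract mentions rest on a property that is worth seeing in code: an expanded AES key schedule is highly redundant, so a candidate 16-byte window can be verified by expanding it and comparing the result with the 160 bytes that follow it, and a handful of decayed bits still leaves an unmistakable match. The Python below is an added illustration of that idea for AES-128, not the paper's own tool. The "memory image" is constructed inline (random filler with one schedule planted and six bits flipped), and the scan assumes the 16 key bytes themselves survived intact; the paper's reconstruction also corrects errors inside those.

```python
"""Locate an AES-128 key schedule in a memory image, tolerating decayed bits.

Added example modelled on the key-schedule search idea in 'Lest We Remember';
it is not the paper's code. The image and the key are constructed below.
"""
import random

def _build_sbox():
    """AES S-box from its definition: GF(2^8) inverse followed by the affine map.
    Walks the multiplicative group with generator 3 (p) and its inverse (q)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                      # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # XOR of rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                    # wrap high bits, add 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                                # 0 has no inverse
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES-128 key expansion (FIPS-197 5.2): 16-byte key -> 176-byte schedule."""
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                       # every fourth word: RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [a ^ b for a, b in zip(w[i - 16:i - 12], t)]
    return bytes(w)

def bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

def find_aes128_keys(image, max_errors=64):
    """Slide a 16-byte window over the image; treat it as a key, expand it and
    compare the computed rounds with the next 160 bytes. Random data differs in
    about 640 of 1280 bits, so a distance of at most max_errors marks a key."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        errs = bit_errors(expand_key(key)[16:], image[off + 16:off + 176])
        if errs <= max_errors:
            hits.append((off, key, errs))
    return hits

def build_sample_image(seed=1, n_flips=6, size=4096, offset=1000):
    """Constructed image: random filler, one planted schedule, n_flips decayed
    bits inside the schedule but outside the 16 key bytes themselves."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    image = bytearray(rng.randrange(256) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    for _ in range(n_flips):
        image[offset + rng.randrange(16, 176)] ^= 1 << rng.randrange(8)
    return bytes(image), offset, key

if __name__ == "__main__":
    img, off, key = build_sample_image()
    for o, k, e in find_aes128_keys(img):
        print(f"key at offset {o}: {k.hex()} ({e} decayed bits), planted: {k == key}")
```

On a real multi-gigabyte dump the same loop works but needs a faster language or a pre-filter that skips windows of all 0x00 or all 0xFF; the threshold of 64 errors out of 1280 compared bits is far below the roughly 640 that unrelated data produces, so false positives are not a practical concern. A region that decayed beyond the threshold, or whose key bytes decayed, calls for the paper's error-correcting reconstruction rather than this exact-key scan.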


Tuesday, February 19, 2008

Fake Crypto

heise Security found that the Easy Nova Data Box PRO-25UE RFID hard drive case by German vendor Drecom sounds promising (hardware data encryption with 128-bit AES, access control via an RFID chip) but in fact protects the data with nothing more than a simple XOR.
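The practical lesson is that a vendor's cipher claim can be checked from the outside with chosen plaintext: write a sector of zeros through the enclosure and read the platter raw, and a fixed XOR hands you its key. The Python below is an added example of that check, not heise's procedure; two constructed disk models stand in for the hardware, and the 512-byte key length is an assumption, since the page does not state how the real product's XOR is keyed.

```python
"""Chosen-plaintext test for 'hardware AES' that is really a fixed XOR.

Added example; XorDisk and TweakedDisk are constructed models, not the real
device. A sector-sized (512-byte) repeating key is assumed for the flawed model.
"""
import hashlib

SECTOR = 512

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class XorDisk:
    """Model of the flawed enclosure: every sector is XORed with the same key."""
    def __init__(self, key):
        self.key, self.raw = key, {}
    def write(self, lba, data):
        self.raw[lba] = xor_bytes(data, self.key)
    def read_raw(self, lba):
        """What you see when the platter is read without the enclosure."""
        return self.raw[lba]

class TweakedDisk(XorDisk):
    """Contrast model: keystream depends on the sector number (a toy derived
    from SHA-256, not AES-XTS), so zero sectors at two LBAs look different and
    one recovered keystream does not unlock other sectors."""
    def _stream(self, lba):
        blocks = (hashlib.sha256(self.key + lba.to_bytes(8, "big") + bytes([i])).digest()
                  for i in range(SECTOR // 32))
        return b"".join(blocks)
    def write(self, lba, data):
        self.raw[lba] = xor_bytes(data, self._stream(lba))

def probe(disk, lbas=(10, 11)):
    """Write all-zero sectors at two LBAs and read them back raw. Under a fixed
    XOR the raw bytes *are* the key and match at both LBAs. Identical raw
    sectors alone would also fit ECB, so confirm with a non-zero plaintext:
    raw XOR plaintext must again give the same key. Returns the key or None."""
    a, b = lbas
    zero = bytes(SECTOR)
    disk.write(a, zero)
    disk.write(b, zero)
    ka, kb = disk.read_raw(a), disk.read_raw(b)
    if ka != kb:
        return None
    pattern = bytes(range(256)) * 2
    disk.write(a, pattern)
    if xor_bytes(disk.read_raw(a), pattern) != ka:
        return None
    return ka

def decrypt_sector(disk, lba, key):
    """Once the key is known, every other sector falls with one XOR."""
    return xor_bytes(disk.read_raw(lba), key)

def demo():
    """Run the probe against both models and decrypt a 'secret' sector."""
    key = hashlib.sha256(b"constructed example key").digest() * 16   # 512 bytes
    secret = b"account ledger 2007".ljust(SECTOR, b"\0")             # constructed data
    flawed, good = XorDisk(key), TweakedDisk(key)
    flawed.write(0, secret)
    good.write(0, secret)
    k = probe(flawed)
    return (k == key, decrypt_sector(flawed, 0, k) == secret, probe(good))

if __name__ == "__main__":
    print(demo())   # (True, True, None)
```

Against real hardware the same steps are: write the known sectors through the enclosure's USB/eSATA path, pull the drive and read those LBAs on a plain SATA controller, then compare. A genuine sector-level cipher fails both tests in probe(); anything that passes them is not encryption in any meaningful sense, whatever the box says.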


Thursday, June 14, 2007

PHB passwords

Bad password policy number 42.


Sunday, April 22, 2007

Nortel VPN Router - Unauthorized Remote Access

http://secunia.com/advisories/24962/

Description:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.

1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.

2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.

An issue with the same DES key being used to encrypt all users' passwords has also been reported, which can facilitate brute-force attacks on those passwords if an attacker gains access to the LDAP store.

The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio

Solution:
Update to versions 6_05.140, 5_05.304, or 5_05.149.

Provided and/or discovered by:
The vendor credits Detack GmbH.


Tuesday, March 6, 2007

Microsoft Outlook VEVENT Record Handling Remote Code Execution

OSVDB ID: 31252
Disclosure Date: Jan 9, 2007

Description:

A remote memory corruption flaw exists in Outlook. The program fails to validate VEVENT records in .iCal meeting requests resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Integrity
Exploit Unknown
Verified

Products:
Microsoft Corporation Outlook 2002
Microsoft Corporation Outlook 2003

Solution:

No workarounds are known. Microsoft has released a patch (MS07-003, see below) that corrects this vulnerability.

External References:
CVE ID: CVE-2007-0033
National Vulnerability Database: CVE-2007-0033
Bugtraq ID: 21931
Microsoft Security Bulletin: MS07-003
Related OSVDB ID: 31253
Related OSVDB ID: 31254
CERT VU: 476900
Secunia Advisory ID: 23674
Microsoft Knowledge Base Article: 925938
US-CERT Cyber Security Alert: TA07-009A
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Security Tracker: 1017488
News Article: http://www.eweek.com/article2/0,1895,2081067,00.asp
FrSIRT Advisory: ADV-2007-0104

Credit:
Lurene Grenier - Sourcefire


Monday, February 26, 2007

Danger inside the firewall

Interesting story about an unauthorised Wi-Fi router set up inside a secure zone, which effectively punched a hole straight through the firewall.

--------------------------------------------------------------------------------------------
That nice, new Linksys wireless router might as well have been a ticking bomb

By Anonymous
February 20, 2007
http://www.infoworld.com/article/07/02/20/09OPrecord_1.html

Between the latest firewall technology and advanced intrusion detection systems, IT professionals are breathing a little easier. This is a big mistake. It may be easier to protect the network from external attack these days, but the greatest security risks still come from inside the DMZ.

I work for a small, single-branch credit union in Minneapolis, and I am a one-man shop. If there’s a technical problem, I’m the guy who has to fix it. Once a year, auditors from a large accounting firm come in to perform an audit for our year-end financial statements. In the past, the only tech support I needed to provide was to set up a local printer they could use from their laptops. I couldn’t have given them access to my network if I wanted to, as their techs had their laptops locked down, and I couldn’t make any changes to their setup.

This year the accountants brought their own printer, so they didn’t need any assistance at all. Fine with me; I always have plenty to do. They showed up on Monday. Tuesday morning I arrived for work, opened up my laptop, and was suddenly asked if I would like to join wireless network xx-xx. I recognized the SSID as belonging to our auditors. My first thought was that one of them had left her laptop running in our boardroom overnight and had somehow screwed up the network settings, allowing it to accept connections. I immediately joined this network to see what was going on.

I had no trouble connecting to the router at 192.168.1.1 via port 80, and signing into the management console with the default password. I now had full access to the router, and I used nmap to scan all the computers connected to it. They all had the same ports open, including 135 and 139. All our financial data was potentially at risk.

Moments later I was running down the hall to the boardroom where the auditors were encamped. The first thing I saw, in the middle of the boardroom table, was a nice, new Linksys wireless router with a network printer cabled to it. Wow! It might as well have been a ticking bomb! How could their techs send them out with this equipment, especially configured this way, without security training?

When the accountants arrived half an hour later, I asked them if they were aware that the wireless router and the laptops were unsecured. They had no idea what I was talking about. They assured me that they weren’t even using the wireless functionality; sure enough, they were all cabled to it directly.

I phoned the auditors’ supervisor and told him I was seriously unhappy about our confidential financial data residing on laptops that were unsecured. He told me to calm down; even if the auditors’ laptops were on a wireless network, what could intruders do without a username and password to connect to the shares?

I don’t know about you, but my faith in Windows security on an open network, especially without additional firewall protection, isn’t that high. So, using the router’s Admin console, I disabled its wireless functionality altogether. I was further tempted to change the router’s password, or maybe leave some ominous messages on the auditors’ laptops just to prove a point. But I didn’t. They’ll have to learn their lesson the hard way, at a later date, with some other company’s data.


Friday, February 16, 2007

When is a backdoor really a backdoor?

When is a backdoor really a backdoor?
By John Leyden
Published Thursday 15th February 2007 16:46 GMT

Workplace smoking bans may be good for workers' health, but could open the back door to hackers.

In a recent social engineering test undertaken by UK-based security consultancy NTA Monitor, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers. Once inside, the penetration tester was able to easily bluff his way into a meeting room, claiming the IT department had sent him. Even without a pass, he gained access unchallenged and was then able to connect his laptop to the firm's VoIP network via a telephone connection point.


NTA Monitor technical director Roy Hills comments: "It used to be that companies 'left the back door open' in terms of internet security. Now they are literally leaving their buildings open to accommodate smokers.

"Once inside a corporate building, an attacker can use social methods on employees to gain access to restricted areas and information unless a rigid staff pass system is in place," he added.

Smoking will be banned in all indoor public spaces in the UK in July 2007. In many other European countries, such as Spain, workplace smoking restrictions have already been applied.


Friday, February 2, 2007

Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

From: Michal Zalewski (lcamtuf at dione.ids.pl)
Date: Sat Feb 03 2007 - 14:57:01 CST

As you probably know, the famous "web 2.0" XMLHttpRequest object allows
client-side web scripts to send nearly arbitrary HTTP requests, and then
freely analyze and manipulate the returned response, including HTTP
headers.

This gives an unprecedented level of control over your browser to the
author of a visited site. For this reason, to prevent various types of
abuse, XMLHttpRequest is restricted to interacting only with the site from
where the script originated, based on protocol, port, and host name
observed.

Unfortunately, due to a programming error, Microsoft's Msxml2.XMLHTTP
ActiveX object that MSIE relies on allows you to bypass this restriction
with the use of - BEHOLD - a highly sophisticated newline-and-tab
technology.

If the victim uses a proxy server (which is very common in corporate
settings), any intranet or Internet site can be interacted with in this
arcane manner:

xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n", "x",true);

Otherwise, only sites co-hosted on the same server or load balancer can be
interacted with - which today can still mean quite a lot, for example
foxyteens.googlepages.com and gmail.com go nicely together. In such a
case, the request is:

xmlhttp.open("GET\t/\tHTTP/1.0\nHost:\tdione.ids.pl\n\n", "x",true);

All contents of the requested page, including cookies, hidden form tokens,
etc, can be then extracted through the use of responseText and
getResponseHeader(), manipulated by the script, and used into subsequent
GET or POST requests.

A test page is available here:

http://lcamtuf.coredump.cx/iexmltest.html

The browser will think it's still talking to the site from which the
script originated, so no session cookies will be sent to that server - but
some interesting activity is still possible: in the true spirit of Web
2.0, this can be trivially turned into an interactive client-side backdoor
proxy that may send shivers down the spines of some corporate security
dudes.

Consider this example: a guy working for company X is sent a link to
hotbrunette25's blog or a really cute video of singing hamsters. While he
is preoccupied with that resource, the creator of a malicious script can
order victim's browser to:

1) Rapidly scan company's internal web services (XMLHttpRequest
supports asynchronous connections and connection notification),

2) Obtain real-time copies of site fronts (raw HTML responseText can be
sent back directly to the attacker through a "legitimate"
XMLHttpRequest).

3) Interact with interesting ones in real-time in a virtually
unrestricted manner (POSTs and GETs with any payloads can be
requested, cookies can be set with setRequestHeader, etc).

Attacker functionality can be essentially implemented as a browser plugin
or a custom proxy and allow what amounts to highly-responsive,
feel-like-you're-there, remote presence - which certainly takes what used
to be blind bounce scanning and XSS to a 2.0 level.

In a setting where no proxy is available, and no elaborate private
infrastructure would be exposed to the attacker, the author of
foxyteens.googlepages.com can of course still use this to send possum
gang-rape spam through GMail from victim's IP, or whatnot - but that's of
course less exciting.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
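The mechanism in the post is a request-line injection: the origin check is applied to the URL argument, but the method string is pasted into the request unexamined, so a tab-and-newline payload in it forms a complete request for another host that a proxy (or a co-hosted server, via an injected Host header) happily honours. The Python below is an added model of that failure and of the fix, not the ActiveX code itself (the real bug lived in Msxml2.XMLHTTP, which is not reproduced here); origin.example is a hypothetical origin, and effective_host() is a deliberately lenient stand-in for the proxy or server that receives the bytes.

```python
"""Request-line injection through an unchecked method string (added example).

Models the bug Zalewski describes: an origin check on the URL that a script
can walk around by smuggling a full request inside the method. origin.example
is hypothetical; the two payloads are the ones quoted in the post.
"""
import re
from urllib.parse import urljoin, urlsplit

ORIGIN = "http://origin.example"            # hypothetical: where the script came from
DEFAULT_PORT = {"http": 80, "https": 443}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 'token': no whitespace, no CTLs

PAYLOAD_PROXY = "GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n"      # from the post (proxy case)
PAYLOAD_COHOST = "GET\t/\tHTTP/1.0\nHost:\tdione.ids.pl\n\n"   # from the post (co-hosted case)

def _origin_key(u):
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))

def build_request_naive(method, url, origin=ORIGIN):
    """Enforces same-origin on the URL only; the method goes in verbatim."""
    o, t = urlsplit(origin), urlsplit(urljoin(origin, url))
    if _origin_key(t) != _origin_key(o):
        raise ValueError("cross-origin request refused")
    target = (t.path or "/") + (f"?{t.query}" if t.query else "")
    return f"{method} {target} HTTP/1.0\r\nHost: {t.netloc}\r\n\r\n"

def build_request_checked(method, url, origin=ORIGIN):
    """Same origin check, plus: the method must be an HTTP token and the URL
    may carry no whitespace or control characters, so nothing the caller
    supplies can terminate the request line or start a new header."""
    if not TOKEN.match(method):
        raise ValueError("method is not a valid HTTP token")
    if any(c <= " " or c == "\x7f" for c in url):
        raise ValueError("whitespace or control character in URL")
    return build_request_naive(method, url, origin)

def effective_host(raw):
    """Lenient receiver model: first line split on any whitespace (tabs too);
    an absolute-URL target decides the host, otherwise the first Host header
    before the first blank line does, exactly as a forgiving proxy/server would."""
    lines = raw.split("\n")
    parts = lines[0].split()
    target = parts[1] if len(parts) > 1 else ""
    if "://" in target:
        return urlsplit(target).hostname
    for line in lines[1:]:
        if line.strip() == "":
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def rejected(method, url):
    """True if the hardened builder refuses the call."""
    try:
        build_request_checked(method, url)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for payload in (PAYLOAD_PROXY, PAYLOAD_COHOST):
        raw = build_request_naive(payload, "x")          # origin check passes on "x"...
        print("naive builder talks to:", effective_host(raw))   # ...but the bytes go to dione.ids.pl
        print("checked builder rejects:", rejected(payload, "x"))
```

The point generalises beyond this one ActiveX object: any component that builds a text protocol from caller-supplied fragments has to validate every fragment against that protocol's grammar (here, RFC 7230 tokens and target-URI characters), not just the one the security check happens to look at. Modern XMLHttpRequest implementations reject non-token methods and forbidden characters in the URL for exactly this reason.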
