Wednesday, 27 August 2008

The Last Hope Talks

I have spent the last few days listening to some of the presentations and talks given at the Hackers On Planet Earth (HOPE) conference. This year's event was probably going to be the last due to plans to demolish the venue in New York, hence the event tag "The Last HOPE"; however, it seems those plans may have changed.

The speakers are wide-ranging, with interesting and thought-provoking topics.

Some highlights are the talks by Kevin Mitnick and a 3-hour marathon talk by Steven Rambam about privacy, the lack of it, and the ominous threats posed by new technologies such as Google, the iPhone and social networking sites, which is well worth a listen. Also, Renderman's presentation "How Do I Pwn Thee? Let Me Count The Ways" highlights the security dangers of mobile technology.

Of special interest to me was Travis Goodspeed's "Introduction to MCU Firmware Analysis and Modification with MSP430static"; the slides and information are available from Travis' website. In this talk Travis gives a wonderful account of the basic principles of reverse engineering.

All the talks are available here for free download in low and high quality versions.


Thursday, 31 July 2008

Hackers attack DNS exploit, ISPs failing to update servers



theregister.co.uk is reporting that many ISPs have still not acted upon the now infamous DNS security flaw, and miscreants are actively exploiting the gaping hole in the internet's address lookup system, which can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites.

Many laggard internet service providers are reported to be dragging their feet in applying patches that fix the devastating DNS flaw. Dan Kaminsky says more ISPs appear to be getting the message. Last week, about 51 per cent of unique name servers tested on his site (see the "check my DNS" button to the right) showed up as vulnerable. Now, he says it's closer to 35 per cent.


Test your own ISP here.

If it still fails, you can always update your settings to use OpenDNS.


Wednesday, 23 July 2008

Citizen Engineer



Citizen Engineer is a new online video series about open source hardware, electronics, art and hacking by Limor (Ladyada) Fried of Adafruit Industries & Phillip (pt) Torrone of MAKE magazine.

From hackszine.com

Quite an interesting video; some oddity with the sound mixing, but an enjoyable 30 minutes.


Tuesday, 13 May 2008

Security flaw turns Gmail into spam open-relay server

A recently discovered flaw in Google's very popular email service is capable of turning Gmail into an effective spam machine. According to the Information Security Research Team (INSERT), the flaw allows a spammer to send thousands of bulk e-mails through Google's servers without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.

The worry is not just that the flaw allows spammers to send a potentially unlimited number of messages; it is also that the trust given to Gmail by other e-mail providers could exacerbate any potential spam attack.

Spam currently accounts for 95 percent of all e-mail traffic and many e-mail providers have adopted whitelists and blacklists as a first line of defence against the flood. An e-mail from a known spamming domain (or the corresponding IP address block) may be automatically blocked by any given e-mail service, while an e-mail from a trusted, authenticated source such as Gmail is automatically allowed through the gateway.

Most e-mail providers use multi-level filtering services, which might detect that the forged Gmail message is spam, but the message will have cleared a substantial hurdle that would have otherwise stopped it. Messages originating from Google, it seems, are well regarded by both Yahoo and Hotmail. The INSERT team tested the degree of trust between the three major e-mail providers by sending spam messages to Yahoo and Hotmail using two sources. In the first test, messages were sent from personal systems whose IP addresses had been blacklisted by Yahoo and Hotmail. The second test consisted of sending the exact same message via the Gmail flaw that INSERT discovered.

The difference was significant. E-mail sent to Yahoo and Hotmail from a blacklisted IP didn't even necessarily reach the account's spam box, while forged e-mail sent via Gmail always arrived. That is not to say that trusted-source filtering is bad, but it demonstrates how a security flaw in a single product or service can ripple through an ecosystem.

It is being reported that the flaw is still present at the time of this post.

(credit to the Ars Technica report)


Thursday, 1 May 2008

Secunia PSI - Personal Security Inspector

Secunia is a respected Danish computer security service provider; one of its primary missions is to track vulnerabilities in software and provide security tools, primarily for the corporate IT market.

In addition, they provide a free tool (for personal non-corporate use) called PSI - Personal Security Inspector.

PSI addresses a dangerous problem: vulnerabilities in auxiliary and add-on software. Vulnerabilities in the Microsoft Windows operating system and Microsoft Office are tackled by the much improved Microsoft Update system. But what about all the other installed software that is prone to vulnerabilities? Software like Adobe Acrobat Reader, Flash, Java VM, media players, compression utilities and third-party browsers, to name but a few.

Most vulnerabilities are triggered by malformed data files distributed across the internet and, unless addressed, can prove a real danger to the regular user. The problem is that, despite a lot of these programs having update systems built in, it is easy to miss important updates, and critical patches can be forgotten, leaving your system exposed.

PSI uses a huge database from Secunia to verify your installed software and will indicate whether programs are insecure and have updates available.

I liked to think I kept my software updated, but after running the tool for the first time I was told I was only 92% secure; there were around 15 programs that were running old insecure versions. A few updates later and I am up to 96%. There are still some programs with known vulnerabilities for which updates are not available, and some whose update process is so confusing and convoluted that updating is next to impossible (not helped by hideously unnavigable support websites; yes, Adobe/Macromedia, I am looking at you!).

In my scan there were some expected culprits for being out of date (Adobe Flash, Acrobat Reader, QuickTime and RealPlayer) and others I was not aware of, such as VLC, 7-Zip and WinZip. It is easy to have vulnerable software running on your computer. If you are not using anything to keep track of software updates, try PSI; you may be surprised. PSI does a good job of detecting software that needs to be updated, so I heartily recommend it.

There is an on-line version available, but the installable client is much more capable. The scanning process is a bit resource intensive, so I would suggest you run it periodically (say once a week) rather than letting it permanently run, which is its default setting.
