BlogAllAlong » Security

Interview with Charlie Miller, the guru of Pwn2Own Hacking Contest

Bashar — Fri, 27 Mar 2009 16:27:04 +0000

Read this interview with Charlie Miller, the guy who took down a fully patched MacBook Air last year in 2 minutes!, and the one who hacked the Safari/Macbook this year in seconds, blaming the app, not the OS! The same guy however, in another article by ZDNet, is quoted for saying Macs are likely less secured than Windows for the lack of interest and are yet more preferred now for the same reason as a safer operating system for normal users over Windows.

A nice quote from the interview I take is the note on how quickly they manage to hack into systems the Hollywood style, saying about it:

“Charlie: Yes, I took down the Mac in under a minute each time. However, this doesn’t show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don’t see the hard work in the preparation. If you set me down in front of an application I’ve never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I’d have no more luck than your grandma at accomplishing it. Well, maybe a littlemore of a chance, but not much!”

Google Chrome – Last Browser Standing

Bashar — Fri, 20 Mar 2009 09:40:27 +0000

One day into the Pwn2Own hacking competition, and all 3 major browsers (IE, Firefox and Safari) have fallen down, leaving Google Chrome, with predicted 2% market share), standing on its own. Interesting notes are that Opera was not part of the competition, and the first one falling was, you bet, Safari! Later, the winning hacker “Nils” managed to gain control of the Safari, and hacked the other two browsers as well.

So is Google Chrome more secured, or less known to hackers? Well either way, it means it’s more secured for the time being at least.

Google doing Safe Site Scan with AVG

Bashar — Tue, 03 Jun 2008 15:09:15 +0000

Just like Yahoo started sometime back, Google is in co-operation with AVG scanning their search results for malware sites.

And while this is good in concept, I found the scan to take way too long, that I don’t think people will generally wait to see the result. An option to turn that off was not spotted. This could be troublesome for people with slow connection. Luckily, Google is not mad at my blog, but they better be careful. They don’t wanna make Yahoo’s mistake, or some say trick ;).

PayPal Issues Safari Users Warning – Use Different Browser

Bashar — Tue, 04 Mar 2008 07:49:19 +0000

Away from politics and all, and due to it’s lack of anti-phishing technology, PayPal has issued a security warning to all Safari users out there from the high possibility of web forgery for Safari users, which accounts for %4.5 of browser market share. Web Forgery, for those you may not know, is having some sites pretending to be something they aren’t. And PayPal being one of the most famous payment solutions on the net, you can guess how often people would like to fake it. I my self got so many emails in my Gmail Junk folder (What a go Gmail Anti-Spam), and when you have a strong anti-phishing browser like Firefox in place, this is what you would get trying to open the link:

e-Government in Kuwait

Bashar — Sat, 01 Sep 2007 08:31:22 +0000

Kuwait has been promoting the e-Government at least since I was in college. How every thing is going to be electronic, and how the services will be all available online. In the past few years, several advancements have been made. In the MOI, you can view your speeding tickets and pay them online, see passport status, driving license, see if you have any travel prevention, gun license. In terms of jobs, and through the Civil Service Commission, you can apply for government jobs online, see the vacancies and specify your desires as well. You can request a sick leave, go to Dr. next day and he will print and fill the form. No need to consult your job location first. This is really great, and we definitely want more of it, BUT…

Online services is something that needs planning, stable implementation and rounds and rounds of testing. The way I see it, Government seems to have cut things short and ignored some critical parts. To begin with, we have the privacy and security of the systems. How can a person authenticate him self as the specific individual who is allowed to see the data, and how can we make sure no intruder or outsider gets also access to this data. The way it’s done right now is mostly depending on the person’s Civil ID number. We all know that this kind of information is not confidential. It’s something that identifies you, but it does not authenticate who you are. For example, the guy in the bank has access to thousands of Civil IDs. I was working in Kuwait University and I had access to hundreds of thousands as well. My employer has that kind of information. Many people just have it. It’s not something I can hide from the world. So imagine that by knowing my Civil ID number, you can see if I have speeding tickets, if I have gun license, my passport information, who I am ensuring, and lots of more information. It actually happened to me once as well. My uncle told my father you have a speeding ticket. Why should they know that? Maybe I don’t want them to know it.

Say this is not enough? The MOI it self posted sometime back with a flashy sign an excel sheet with the full list of eligible voters with their civil ID. So pick your name from here and paste it there. It’s that simple! This is in regard of the MOI. For the Civil Service Commission, it gets even worse. Someone could be driving your future without you knowing it. You must sign there to specify your jobs. The only authentication again is your Civil ID. Provide it and you are good to go. Then you can see your information, available vacancies for you, and alter the jobs you want to apply for. Most these windows open inside an IFRAME. Open the IFRAME it self in a new window and you will see this:

My first program example “Hello World”. For non-programmers, Hello World tends always to be the first program you write. Just a dummy program to print this message. It seems the programmers were in a rush and just left the title as it is. Now as for the security, let’s say that soon the authentication model is changed, and a password is applied. Does that mean we are safe? Not without a thorough testing and revamp of the current security model implementation, No. You know why? Because if you open one of the IFRAME windows in a new screen, you will see this is the URL:

http://www.csc.net.kw:8888/csc/SpecialNeed.jsp?kk=13&cv_id=

Where is your civil ID number. Change it to any other person number and you got it. So it’s a matter of passing parameter only. This is one of the oldest tricks in the book. I can’t say now they missed it because Civil ID is already the mechanism of authentication so it’s the same thing anyways. But at least make it not that obvious and a bit future ready.

Again, as I said before, things are moving forward. I just knew you can pay your speeding tickets online. Something many people would like to do. However I don’t see it moving in the right way. Specialists must be following up with the implementation and ensuring the security and integrity of the data. The ultimate solution in hope for is one secured login credential for all government services and sites. Not a walk in the park I know. But unless this security issue is addressed right now, more and more services will come and reside on the existing weak model implementation.

Facts About Widows Vista Security

Bashar — Sun, 08 Apr 2007 06:26:55 +0000

Microsoft co-president Jim Allchin made an irrational statement back in Nov 2006 that Windows Vista is so secured it does not need Antivirus, saying his 7 years old kid is using Vista without Antivirus. Ofcourse this was back in November before public had theirs hands on it to start discovering holes.

Alex Ionescu posted a proof of concept program that utilizes Vista Protected Processes to it’s own advantage, making evil malicious programs as protected processes, be it keylogger or anything else you can think of (Thanks Slashdot for posting it).

This is ofcourse in addition to many other holes that are getting patched everyday, like last animation cursor that got immediate patch. My advise if you want to be mostly secured is to have good antivirus, good firewall (I like ZoneAlarm), and use the most secured browser, Firefox. Since I’ve started using it, very rarely I’ve seen any viruses coming in.

Windows Vista Under Zero-Day Attack

Bashar — Sat, 31 Mar 2007 19:59:07 +0000

The so-called most secured operating system ever, Windows Vista is seeing increased amount of attacks one day after Microsoft disclosed the security hole withing the the mouse cursor. The newly discovered vulnerability is in the .ani files that change the cursor into animation while loading programs. The hole allows malicious websites to use those files to install their code into visitor’s computer. Worth noting that Windows 2000 SP4, Win XP SP2 and some versions of Windows 2003 Server are also infected with the same flaw. This all comes soon after Microsoft started claiming credits for the world’s most secured system, which they say may not need Anti Virus! Wonder if we can sue them for it. More on the news here.

Google Pack now with Symantic Anti-Virus

Bashar — Wed, 28 Mar 2007 05:59:11 +0000

The FREE to use Google Pack which comes bundled with several useful tools now has added Symantic’s Norton Security Scan to scan and remove viruses and PC Tool’s Spyware Doctor Starter Edition. As a background process tries to show it self more and more, I’ve lost interest in Symantic products recently, they are becoming more and more stupid and bugging. But the fact that both softwares come inside Google Pack with FREE automatic update protection makes it worth considering. I can stop asking my Symantic to remind me about updates 15 days later now. Note that I am assuming you are paying the full license and not a cracked version here in my complement. Otherwise the whole package makes no difference.

Hackers Enjoy, No Microsoft Patches This Month

Bashar — Sat, 10 Mar 2007 13:14:02 +0000

Isn’t it funny? Since Microsoft started their monthly security update back in 2003, only few of the known as Patch Tuesdays did not have Microsoft patches coming. Otherwise, it is scheduled that every second Tuesday of the month there is a security update coming from Microsoft. Last time Microsoft did not have Patch Tuesday was in September 2005 imagine! But does that mean things have been going smooth for the past month? Absolutely not. Microsoft are working on security patches for known vulnerabilities in IE7, Office 2007, Publisher 2007, ohh yeah and Windows Vista OS ofcourse. Lucky me I am not using any of those. The patches are not ready yet for release, so hackers will get more time of joy before they have to find new holes in the next patch. Lucky me I am not using any of those. More from PC WORLD.

IE6 was unsecured for 284 days in 2006

Bashar — Sun, 07 Jan 2007 14:04:18 +0000

Slashdot posted a link to a washingtonpost article compiling the number of days IE6 had open exploit code with no fixes from Microsoft. The result is more than 9 months (284 days) of the year, the IE6 browser had known unpatched security flaws. There was also another 98 days without fixes to IE flaws that criminals were using to gain personal and financial data.

Could a customer sue Microsoft over his losses because of the lack of support for the browser? While Microsoft enforces Internet Explorer as the default browser in all it’s operating systems, this causes the majority of people to go with the crowd and use what’s already there. And with the results given from the article, I think Microsoft should be held legally accountable for the loss of millions of user data, and in the future, they have a choice of either removing IE from their system, or showing one of those scary warning signs they have to the user saying “We do not guarantee the confidentiality of the information you send and receive over the internet if you use our Internet Explorer” Just like what they did when they lost the lawsuit against Sun for licensing their own modified JRE.

Again, MS Word Code Execution Exploit

Bashar — Fri, 15 Dec 2006 12:57:48 +0000

A third MS Word code execution exploit has been posted that allows code execution on the victim PC by opening the infected word document. While Microsoft have not yet publicly confirmed the vulnerability, the United States Computer Emergency Readiness Team issued a warning in this regard. More on the story comes from eWeek.

Dark Day for PHP

Bashar — Thu, 14 Dec 2006 12:56:40 +0000

Open Source PHP security specialist and member of the PHP Security Response Team, Stefan Esser have had enough, and resigned! The security expert says in his blog

“The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP’s security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin.”Clearly a very strong message sent in public about the spirit going inside the PHP Community. And what makes it worse for them, is that now security holes will no longer be hidden from public, rather security holes will be exposed in advance “For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories”, Stefan says.

This incident however is not the first of its kind. Back in July, PHP lead developer Jani Taskinen also left the team with what’s called cryptic message:

"Thank you all for the last 6 years or so. It has been fun
(sometimes) and many times not so much fun. Unfortunately
I have had enough and I don't want to be associated with
this project anymore.

I'm sure most people (the ones who matter) can understand
why. If someone doesn't, I could not care less. Take care.

Please do not reply to this email.

--Jani

p.s. Delete my CVS account. I have no use for it anymore."

The message does not give much details, but its enough to reveal the kind of low spirit and disputes going inside. Open Source is the strongest community if built on honest goals with a united team, but since thats all about it, and its non-profit, disputes like those can quickly break the backbone of it and bring the whole organization down to its knees. Specially with the rise of other alternatives, like Ruby.

Another day, another Zero-Day flaw in Microsoft

Bashar — Fri, 08 Dec 2006 12:48:10 +0000

Just one day after the zero day flaw in Word was announced, another zero day flaw has been discovered in Windows Media Player. The flaw resides in the WMVCORE.DLL library that handles .ASX files. Microsoft have not yet released a fix for the problem, and did not even report it.

Click here for the source and some details on how this flaw works, and how to protect yourself against it.

Microsoft Issues Word Zero-Day Attack Alert

Bashar — Wed, 06 Dec 2006 12:44:46 +0000

Microsoft have issued a security advisory regarding a newly discovered Word Zero-Day Attack. The attack infects all major Word releases by simply opening unsolicited attachments from both known and unknown source. Best thing to do know is avoid opening any attachments, even from legitimate source. The report came from Eweek with more details.

BlogAllAlong » Security

Interview with Charlie Miller, the guru of Pwn2Own Hacking Contest

Related Posts:

Google Chrome – Last Browser Standing

Related Posts:

Google doing Safe Site Scan with AVG

Most Popular Posts:

PayPal Issues Safari Users Warning – Use Different Browser

Most Popular Posts:

e-Government in Kuwait

Most Popular Posts:

Facts About Widows Vista Security

Most Popular Posts:

Windows Vista Under Zero-Day Attack

Most Popular Posts:

Google Pack now with Symantic Anti-Virus

Most Popular Posts:

Hackers Enjoy, No Microsoft Patches This Month

Most Popular Posts:

IE6 was unsecured for 284 days in 2006

Most Popular Posts:

Again, MS Word Code Execution Exploit

Most Popular Posts:

Dark Day for PHP

Most Popular Posts:

Another day, another Zero-Day flaw in Microsoft

Most Popular Posts:

Microsoft Issues Word Zero-Day Attack Alert

Most Popular Posts: