Debian SSH/SSL Predictable Keys

Posted on May 15, 2008 by Adam Hostetler

A serious issue was discovered this week in the OpenSSL packages distributed with Debian based distributions over the last year and a half. The issue revolves around a small piece of code that was removed, it turned out that removing this bit of code crippled the pseudo random number generator used when creating keys. The vulnerable code has been using only the process id of the service as the seed, which leaves a very small number of seeds that can be used (32,768 to be exact).

All SSL and SSH keys generated affected systems since September 2006 could be affected. All generated certificates will be need to recreated and resigned by the CA. This includes web site certificates as well as OpenVPN certificates. If your CA was created on an affected system, it will also need to be recreated, and the old one revoked. As for SSH, any systems using key authentication need to be audited. If the keys were generated on these affected systems, they should be updated and regenerated ASAP.

Debian and Ubuntu have released updated packages, as well as a tool for checking your keys. Upon installing the packages, it is possible to recreate the keys during the update. These updates should be installed immediately, and keys regenerated after installing the updates.

April Virtual Event MP3 Available – Selling Security to Upper Management

Posted on May 15, 2008 by Brent Huston

We are pleased to announce the availability of the MP3 from last month’s virtual event that covered the selling of security to upper management.

We got great feedback on the event and plan to continue our monthly virtual presentations. If there are topics you would like to see us cover or want us to dig into, please drop us a line or comment.

The slides for this presentation are available here.

The MP3 is available here.

Thanks again for spending time with us. We really love working with each and every one of you!

MS Word CSS Exploit

Posted on May 14, 2008 by Nathan Grandbois

A vulnerability in Microsoft Word could allow attackers the ability to execute arbitrary code. Cascading Style Sheets (CSS) are documents that allow the definition of various styles within a word document. A vulnerability in the processing of CSS results in memory corruption, which could be exploited by malicious attackers. Users would have to open an infected document on their local system to trigger the exploit.

Microsoft Patches Released for May

Posted on May 13, 2008 by Brent Huston

Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.

Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they are likely very quickly.

Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.

Mass Injection Attacks

Posted on May 12, 2008 by wstoner

Reports of a mass file injection attack were seen over the weekend. Upwards of 400,000 sites seem to have been affected so far by URLs that download a file that seems to be related to the Zlob trojan. Most of these sites seem to be running phpBB forum software. If you have the capability you may want to examine egress logs and/or blacklist the two URLs that are currently known to be distributors. Those URLs are:

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js

New Thunderbird Version, Rdesktop Vuln

Posted on May 9, 2008 by Adam Hostetler

A new version of the Mozilla Thunderbird Client was released today. The new version fixes a security issue that could allow JavaScript to escalate privileges and execute arbitrary code. It also fixes a crashing issue. If you use Thunderbird as your mail client it should be updated as soon as possible due to the mitigation of a security flaw.

MSI Announces May Virtual Event – Corporate Counterintelligence

Posted on May 9, 2008 by Brent Huston

Corporate Counter Intelligence: Ancient Strategy,Bleeding-Edge Protection

Abstract:

The message is very clear. What we have been doing to secure information has not been working. Attackers are on the rise, the number of successful compromises is higher than before and all of the legislation and regulations just make things more complicated. Attackers continue to grow in number capability and sophistication.

The principles of corporate counterintelligence are rooted in the history of warfare. This presentation will explain how organizations can improve, simplify and increase the effectiveness of their information security programs. Using ancient principles and techniques based on the art of counter intelligence information security teams can become more strategic, focused their resources where they will achieve the highest return and reduce the risk that their organizations face.

MSI security visionary, Brent Huston, will explain how these techniques can be applied to your business and introduce specific strageties and tactics that you can deploy today. Explanations of how these evolutions in security thought can truly translate into faster, safer and more powerful protection for your organization will be revealed.

For more information, access to the visual and audio content for the presentation, simply email info@microsolved.com.

The virtual event will be conducted Tuesday, May 20, 2008 at 4pm Eastern.

Beware of Myanmar Aid Scams & Trojans

Posted on May 8, 2008 by Brent Huston

Nothing like a disaster to bring out the crimeware.

Keep your eyes open for disaster and aid oriented phishing and trojan scams. There is likely to be the same types of attacks that we have seen with other disasters. We can expect everything from Trojan horses designed to look like headline update tools, phishing schemes asking for donations, basic client-side exploits from web and HTML emails and the usual myriad of outright fraud.

Basically, if you really want to help folks, drop by known and trusted organizations such as the Red Cross, etc.

Be on the look out for strange network activity as this is likely going to be a basis for growing the bot-nets by yet another expansion.

SQL Injection Worms Infecting New Sites

Posted on May 7, 2008 by Adam Hostetler

Attacks continue in the wild against ASP pages with SQL injection flaws. It appears that the worm is injection scripts and iframes into the webpages which then forwards users to another page with an exploit embedded. The exploits are believed to be based on recent Real Player vulnerabilities. take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well. It’d be a good idea to make sure everyone has Real Player updated if it is installed as a precaution for users that may visit any infected site.

Windows XP Service Pack 3

Posted on May 6, 2008 by Adam Hostetler

Windows XP Service Pack 3 has been released. This long awaited update to Windows XP offers some enhanced security features borrowed from Windows Vista and a few other things. Rolling out this service pack will also install all of the Windows updates released since service pack 2. Some of the enhancements in SP3 includes black hole router detection, network access protection, enhanced security for administrator and service policy entries, and a kernel mode cryptographic module.

MSI :: State of Security

Insight from the Information Security Experts

Monthly Archives: May 2008