Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

3Com plans to spin off TippingPoint via IPO

3Com is planning an IPO for its TippingPoint security unit some time in the near–or not-so-near–future. The networking company announced the plan Thursday via a short press release that is light on details, as these things typically are. All we know for now is that 3Com paid about $430 million for TippingPoint back in December 2004, a time when intrusion prevention was the Next Big Thing. A few months earlier, McAfee (then Network Associates) had acquired IntruVert and Entercept for a combined $240 million, and other networking companies, including Cisco and Juniper, also were getting into the security game in a big way. But that experiment looks to be over now.

When and if it happens, this will be the second IPO for TippingPoint. The company was already publicly held when 3Com bought it in 2004.


Web watchers warn of new Storm attack

The prolific Storm malware is on the attack again, according to the folks at the SANS Internet Storm Center (ISC). ISC handler Lorna Hutcheson wrote on the storm center Web site that the latest email attack includes a subject line that says “You’ve received a postcard from a family member!” From there, variations of the email text are as follows (WARNING: DO NOT CLICK ON THE URLs BELOW):

——–
OPTION 1
——–

Click on the following Internet address or
copy & paste it into your browser’s address box.

http://200xxxxxxxxxxxxxxxx

——–
OPTION 2
——–

Copy & paste the ecard number in the “View Your Card” box at

http://200.8xxxxxxxx

Your ecard number is 08a823e96272575cbcxxxx

Hutcheson says the Web site has some interesting javascript that “appears to have multiple ways to exploit a browser in order to compromise a system.” If javascript is enabled, she says, the user receives this:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7 which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

She adds: “If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04.”

Here is what a user would see:

“We are currently testing a new browser feature. If you are not able to view this ecard, please click here (/ecard.exe) to view in its original format.”

From there, the ISC lists a bunch of other code variations and a long list of compromised home machines being used in the attacks.

This is just another reminder not to click emailed URLs if they don’t come from a trusted source.


Thoughts on the iPhone security hype

Much has been made about the release of Apple’s iPhone, including a lot of speculation on the security risks of using one. There’s so much blogosphere noise on the subject that I’ve decided to focus on nothing else.

Headlines on the iPhone are all over the place. Some dismiss the notion that hackers will make iPhone attacks a priority. Others, like nCircle Director of Security Operations Andrew Storms, compare the coming of this device to the coming of the cyber apocalypse. Storms wrote in the nCircle blog, “It’s [the iPhone] going to be entering enterprise networks whether we like it or not, and it’s a nightmare for security teams.”

He said the iPhone has no place in the enterprise network simply because it lacks enterprise security controls. The most anyone can get out of Apple is demonstrations of the iPhone’s usability interfaces. “Given the complete lack of Apple to address enterprise security (yet), enterprise security teams must prepare for the worst,” he wrote.

There’s some truth to what Storms has to say. There’s no doubt these devices will find their way into offices across the globe, and that IT shops will be at a loss over what the big security picture will be. But for the most part, the security nightmare scenarios being bandied about amount to speculation and pure FUD. And when you get down to it, the potential threats are no different from those against every other Web-enabled mobile device. I just don’t see anything new here.

My impression is that a majority of bloggers feel the same way.

One of the strongest statements to that effect comes from Dave Goldsmith via the Matasano Chargen blog. Under the headline “Matasano Does Not Care About iPhone Security” he wrote the following:

“The fear mongering stories about the iPhone are beginning to pour in. From exploits to execs storing critical data on it, everyone is talking about how the iPhone is going to be the next security nightmare. Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.

“Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.

“If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.”

Space Rogue, a security consultant and founder of Hacker News Network, wrote in his Space Rogue blog that the iPhone looks to be just as secure or even more so than a BlackBerry, Treo, or Blackjack. “Everyone saying otherwise is either a paid MS shill, astroturfing, or just plain idiots,” he said. “About the only security question I have with iPhone is whether or not it supports IMAP over SSL or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.”

Jeff Hayes pointed out in his Security blog that there will always be new or potential vulnerabilities anytime a new computing device is thrown into the corporate mix. He said iPhone security might be a bigger issue over time, though for now it should be the least of a security manager’s worries.

There’s no question that the iPhone will face the same risks as mobile phones, laptops and other devices now being used in airports, coffee shops and offices across the world. But the big-picture threat is already well established. Most IT shops know by now that mobile devices are becoming a critical business tool and that there’s no shortage of tricks attackers can use to pit the technology against us.

The iPhone adds nothing new to this reality.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Microsoft’s Howard posts analysis of DNS RPC flaw

The Windows server RPC vulnerability that caused so much consternation this spring was so easily exploitable because the vulnerable RPC interface was accessible anonymously, according to an analysis of the DNS RPC flaw that Microsoft SDL guru Michael Howard posted Thursday. The vulnerability, which affects Windows 2000 and Windows Server 2003, is a buffer overflow and security researchers said shortly after it was disclosed that it would be trivial for most attackers to exploit the hole. What’s interesting is that as a result of the mess caused by the Blaster worm, which exploited a separate RPC vulnerability, Microsoft began requiring authentication for RPC communications. XP SP2 was the first version of Windows to have this protection enabled by default and all subsequent versions have it as well, including the forthcoming Windows Server 2008, aka Longhorn.

In his detailed analysis of the vulnerability, Howard points out that because Windows 2000 predates the implementation of the Security Development Lifecycle, it does not include any built-in protections against this kind of buffer overflow. Windows Server 2003, however, did go through the SDL process, yet the flaw found its way into the code anyway. Howard points to a couple of main reasons for this:

  • The static analysis tools Microsoft used to analyze the code were not designed to look for the specific kind of construct that is vulnerable.
  • The fuzzer used on the Windows Server 2003 code “didn’t discover this vulnerability because previously our process did not include tooling to verify whether an RPC end-point is authenticated or not. It’s important to understand that given a set of interfaces into a system, analysis and testing is prioritized based on accessibility. For example, a remotely and anonymously accessible network interface will get much more scrutiny than a local-admin-only interface.”

Another contributing factor is that the firewall included in Windows Server 2003 is not enabled by default. “There is a lot to learn from the DNS RPC vulnerability. As an outcome of this vulnerability, we are more carefully scrubbing all RPC end-points to verify whether they should really be anonymously accessible. We have also updated our fuzzers to add more context-centric test cases and these updates are now in use. Our static analysis tools will be updated to accommodate more variable-length array variants,” Howard writes.


Podcast: PCI DSS auditing and ethics

SearchSecurity.com News Editor Rob Westervelt sat down with Burton Group analyst Diana Kelley at this week’s Burton Group Catalyst Conference to talk about PCI DSS. Particularly noteworthy here is Kelley’s warning that some PCI DSS auditors are tossing ethics aside and pitching certain products and services for compliance.

Also in this podcast: Dan Jones, director of IT at the University of Colorado, explains his school’s ongoing PCI compliance initiatives.

Download the podcast here.


Rutkowska’s Blue Pill rootkit to be put to the test at Black Hat

There’s no security conference that’s more fun to cover than Black Hat, and, judging by the roster of speakers, this year’s Las Vegas edition looks to be no exception. The session that’s drawing the most pre-conference attention is one titled “Don’t Tell Joanna, the Virtual Rootkit is Dead,” which features Nate Lawson, Thomas Ptacek of Matasano Security and Peter Ferrie of Symantec. All three of these researchers have done extensive work on rootkits and rootkit detection and they have set up their talk as a kind of challenge to Joanna Rutkowska, the author of the much-discussed Blue Pill virtual rootkit. Lawson et al. believe that Rutkowska’s claim that Blue Pill is completely undetectable is indefensible, so they’ve proposed setting up two completely fresh Vista machines and allowing Rutkowska to load Blue Pill on one of them. The team will then run its own detection tool on both machines and see whether it finds the rootkit.

Rutkowska says she is up for the Blue Pill challenge, but she wants to impose some additional conditions.

First, we believe that 2 machines are definitely not enough, because the chance of a correct guess, using a completely random (read: unreliable) detection method, is 50%. Thus we think that the reasonable number is 5 machines. Each of them could be in a state 0 or 1 (i.e. infected or not). On each of these machines we install two files: bluepill.exe and bluepill.sys

The .sys file is digitally signed, so it loads without any problem (we could use one of our methods for loading unsigned code on vista that we’re planning to demonstrate at BH, but this is not part of the challenge, so we will use the official way).

The bluepill.exe takes one argument which is 0 or 1. If it’s 1 it loads the driver and infects the machine. If it’s 0 it also loads the driver, but the driver does not infect the machine.

So, on each of the 5 machines we run bluepill.exe with randomly chosen argument, being 0 or 1. We make sure that at least one machine is not infected and that at least one machine is infected.

After that the detection team runs their detector.exe executable on each machine. This program cannot take any arguments and must return only one value: 0 or 1. It must act autonomously — no human assistance when interpreting the results.
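Why five machines rather than two, worked through as an added calculation (not part of Rutkowska’s conditions): with n machines that are each infected (1) or clean (0), and the rule that at least one of each is present, there are 2^n - 2 admissible configurations, so a detector that simply guesses one of them succeeds with probability

```latex
P_{\text{guess}}(n) = \frac{1}{2^{n} - 2}, \qquad
P_{\text{guess}}(2) = \frac{1}{2} = 50\%, \qquad
P_{\text{guess}}(5) = \frac{1}{30} \approx 3.3\%
```

A detector that instead flips a coin per machine does no better, 2^{-n} = 1/32 for n = 5, so the five-machine setup makes a lucky run of detector.exe far less likely than the 50% she cites for two machines.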

Lawson, a whiz at reverse-engineering hardware and software, was the lead designer of the Blu-ray disc protection scheme and knows a thing or two about kernel design as well. In an interview a few weeks ago he told me he doesn’t believe any rootkit is 100% undetectable and that virtual rootkits like Blue Pill are easier to detect than kernel-mode rootkits because of the requirement that they emulate the entire OS, not just a portion of it. “There are too many things that can go wrong with that model for it to stay completely hidden,” he said. Or, as he told ZDNet’s Ryan Naraine, “I think the best rootkit is the simplest.”

Whatever the result, the talk should be fascinating. If rootkits aren’t your thing, Rutkowska also will be giving another talk at Black Hat on several methods for compromising the kernel of 64-bit Vista machines.

Morning security flaw report for June 28

Here are some of the latest vulnerability alerts, based on my Internet travels this morning:

Check Point flaws

The French Security Incident Response Team (FrSIRT) has issued two advisories about some security holes in Check Point products.

The first advisory is about a flaw attackers could exploit in Check Point’s Safe@Office appliances to execute arbitrary requests. “This issue is caused by input validation errors in the web interface that fails to properly validate HTTP requests, which could be exploited by attackers to bypass security restrictions and manipulate certain data by tricking an administrator into following a malicious URL,” FrSIRT said. It affects Check Point Safe@Office Appliances version 7.0.39x and prior and can be addressed by upgrading to Embedded NGX 7.0.45 GA.

The second advisory is about a flaw attackers could exploit in Check Point VPN-1 UTM Edge to execute arbitrary scripting code. “This issue is caused by unspecified input validation errors in the management interface that fails to properly validate HTTP requests, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user’s browser in the security context of an affected Web site,” FrSIRT said. Upgrading to the latest version fixes the problem.

Flaws in HP security products

HP has acknowledged flaws attackers could exploit in its Secure Web Server for HP Tru64 UNIX Powered by Apache (SWS) and HP Internet Express for Tru64 UNIX (IX) to disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Secunia’s advisory has full details.

Why can’t Hollywood hack?

Despite the fact that most Hollywood movies are the products of computers these days, no one in La La Land seems to have the first clue what computers can and can’t do. Or more accurately, what skilled hackers can do with computers. Exhibit A would be the egregious John Travolta vehicle “Swordfish,” which has the brilliant tagline: Log on. Hack in. Go anywhere. Steal everything. My personal favorite is still “Sneakers,” the Robert Redford-Sidney Poitier thriller in which Redford and his band of merry hackers are tricked into stealing a device that can decrypt any message created by any cryptosystem on Earth. It’s the NSA in a box.

Now, we’re about to be treated to another installment: “Live Free or Die Hard.” In this one we find Bruce Willis chasing an uber-cyberterrorist all over the Eastern seaboard as the bad guy shuts down communications systems, unleashes anthrax scares and generally wreaks havoc from the safety of his broadband connection. Along for the ride is Justin Long, the guy who plays the Mac in those Apple ads. Here he’s a hacker who gave some secret code to the wrong guys and now they want him dead. (No truth to the rumor that Richard Clarke was a technical adviser.)

What I don’t really understand about these movies is why they don’t hire someone with actual computer security knowledge to help guide the writers. This is done all the time with cops, doctors and lawyers, so why not security professionals? Some of the things that hackers have actually done are just as impressive as any stunt the Hollywood types concoct. You don’t have to look any farther than the German hackers who compromised a number of Defense Department computers in the 1980s on contract for the KGB. You can’t make that stuff up. But then again, why let the facts get in the way of a good story?


Security Wire Weekly podcast for June 27

This week, Cisco executives explain how they’ll use the newly acquired talent and technology from IronPort to improve security for their customers.

And as part of our ongoing Vista deployment series, Papa Gino’s IT manager Chris Cahalin discusses the benefits of being in Microsoft’s early adoption program and the perils of making some third-party software work with the latest Windows OS.

Download Security Wire Weekly.

So many flaws, so little time

A number of vendors and other entities have addressed significant security flaws in their programs in the last few days. Here’s a roundup:

iDefense Labs has issued an advisory on flaws in RealPlayer, an application for playing various media formats developed by RealNetworks Inc., and HelixPlayer, the open source version of RealPlayer.
“Remote exploitation of a buffer overflow within RealNetworks’ RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user,” iDefense said. “The issue specifically exists in the handling of HH:mm:ss.f time formats by the ‘wallclock’ functionality within the code supporting SMIL2.”

The latest version of RealPlayer fixes the problem.

The Massachusetts Institute of Technology (MIT) has fixed several critical Kerberos 5 flaws attackers could exploit to cause a denial of service or take complete control of an affected system. According to the French Security Incident Response Team (FrSIRT), there are three problems:

  • Attackers could exploit an error in the “gssrpc__svcauth_gssapi()” [src/lib/rpc/svc_auth_gssapi.c] function when processing an RPC credential with a length of zero to crash an affected application or execute arbitrary code.
  • Attackers could exploit an integer conversion error in the “gssrpc__svcauth_unix()” [src/lib/rpc/svc_auth_unix.c] function when storing an unsigned integer obtained from “IXDR_GET_U_LONG” into a signed integer variable “str_len” to crash an affected application or execute arbitrary code.
  • Attackers could exploit a stack overflow error in the “rename_principal_2_svc()” [src/kadmin/server/server_stubs.c] function when concatenating the source and destination principal names with the string “to” to crash an affected application or execute arbitrary code.

FrSIRT’s advisory links to the fixes MIT has made available.
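The three Kerberos problems above share one root: a length or size taken from the network is trusted before it is checked. The C below is an added example, not MIT krb5 code, that shows the flawed signed-length comparison beside hardened handling of zero-length, oversize and concatenated fields; it is also the kind of length-from-the-wire discipline the DNS RPC buffer overflow discussed earlier on this page turns on. Function names, the 255-byte cap and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug classes in the Kerberos advisories.
 * Not MIT krb5 code: names, the 255-byte cap and sample bytes are assumed. */

/* Same job as the IXDR_GET_U_LONG macro: read a 4-byte big-endian length. */
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern behind the svc_auth_unix issue: an unsigned wire length
 * stored in a signed int. 0xFFFFFFFF becomes -1 and sails past "<= cap". */
int naive_len_ok(uint32_t wire_len, int cap) {
    int str_len = (int)wire_len;   /* wraps negative on two's-complement targets */
    return str_len <= cap;
}

/* Hardened check: stay unsigned, reject zero-length credentials (the
 * svc_auth_gssapi issue), oversize lengths, and lengths the buffer lacks. */
int bounded_len_ok(uint32_t wire_len, size_t cap, size_t avail) {
    if (wire_len == 0) return 0;
    if (wire_len > cap) return 0;
    if (wire_len > avail) return 0;
    return 1;
}

/* Read one length-prefixed string into out (NUL-terminated).
 * Returns bytes consumed, or 0 on any error. */
size_t read_xdr_string(const uint8_t *buf, size_t len, char *out, size_t cap) {
    if (cap == 0 || len < 4) return 0;
    uint32_t n = get_u32(buf);
    if (!bounded_len_ok(n, cap - 1, len - 4)) return 0;
    memcpy(out, buf + 4, n);
    out[n] = '\0';
    return 4 + n;
}

/* The rename_principal pattern: build "<src> to <dst>" without an unbounded
 * strcat into a stack array. Returns 1 only if the whole message fit. */
int format_rename_msg(const char *src, const char *dst, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s to %s", src, dst);
    return n >= 0 && (size_t)n < cap;
}

/* Run the checks over constructed input so the block is self-contained.
 * Returns 1 when every case behaves as the comments above describe. */
int demo(void) {
    const uint8_t good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};
    char name[256], msg[32];
    if (read_xdr_string(good, sizeof good, name, sizeof name) != 9) return 0;
    if (strcmp(name, "hello") != 0) return 0;
    if (read_xdr_string(huge, sizeof huge, name, sizeof name) != 0) return 0;
    if (!naive_len_ok(0xFFFFFFFFu, 255)) return 0;   /* the bug: check passes */
    if (!format_rename_msg("alice", "bob", msg, sizeof msg)) return 0;
    if (format_rename_msg("a-very-long-principal-name", "bob", msg, sizeof msg)) return 0;
    return 1;
}
```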

Kerberos is a secure method for authenticating a request for a service in a computer network. It was developed in the Athena Project at MIT and is incorporated into a variety of products, including Sun Microsystems’s Enterprise Authentication Mechanism software and its Solaris operating system, Red Hat Linux, MandrakeSoft Linux and Debian Linux.

Symantec has fixed a denial-of-service flaw in its Mail Security for SMTP. The product fails to properly check for boundary errors when parsing executable attachments, and attackers can exploit the problem to cause a denial of service.

“Symantec has released a downloadable update for this issue available through the Platinum Support Web Site for Platinum customers or through the FileConnect - Electronic Software Distribution web site for all licensed users,” the vendor said in its advisory. “Users of Symantec Mail Security for SMTP 5.0.0 are encouraged to upgrade to 5.0.1 and then download and apply the update.”
