News
Firewall Service Pack
There is a new service pack for GTA firewalls, version 5.4.2 which is recommended for immediate use.
If you are using v5.4.1 and have any problems with Mail Sentinel then this is probably the fix, but it also includes a minor VPN fix.
Release notes are posted here: http://www.gta.com/support/showReleaseNote/?id=271
Download directly to the firewall second slice for install.
US Navy buys fake Chinese chips
Came across this doozie of a story where a US Navy contractor bought 59,000 microchips from China because they were cheaper, but it turned out they had a backdoor in them.
I guess the US has never had to worry about this type of thing before like the rest of us.
GB-OS Version 6.0 Released
If you are an owner of one of these devices and have your firewall notifications configured correctly you will already be aware firmware version 6.0 is now in general release. This is a major build in that it has the first support for IPv6. Some key points you should consider may be:
If you are running under v5.4 you will require new activation codes.
If you run a GB-250 your upgrade is NOT as straight forward.
If you are running under v5.2 the upgrade will resize the partitions and take a long time.
It will replace the management SSL certificates so if you use Firefox you will have to delete the old one.
As usual we do not recommend undue haste with upgrades and unless you have an immediate need suggest you wait a couple of weeks until you upgrade.
Old MailMarshal
For those people running MailMarshal v6.2 or earlier you may not realize that M86 have discontinued updates for the built in SpamCensor. If that’s what you are relying on to detect spam you can expect poor performance unless you carefully check your ruleset. A combination of address validation, Spamhaus, SURBLs and text censors can give you okay results but it can’t be ideal and we recommend an upgrade.
If there is a specific reason you are parked on an old version give our support guys a ring.
Follow the money
It’s taken ten years of spamming for anyone to follow the money. This article in Information Week suggests 95% of all monies received for stuff sold via spam are processed by only three banks!
zerigazbank in Azerbaijan
DnB NOR in Latvia (although the bank is headquartered in Norway)
St. Kitts-Nevis-Anguilla National Bank in the Caribbean.
The original research paper here.
Leaky Android
99.7% of all Android smartphones are leaking login data for Google services and could allow others to access information stored in the cloud. Researchers at the University of Ulm in Germany wanted to know if it was really possible to launch an impersonation attack against Google services and found not only is it possible it is quite easy. They aren’t the first to make this claim. This means someone can eavesdrop any transmitted data, read your contact data, phone numbers, email addresses or even change information in your lists.
Interesting thought
French firm Vupen has hacked Chrome v11.0.696.65 running on Windows v7 service pack 1, bypassing the sandbox, address space layout randomization (ASLR) and data execution prevention (DEP) sandbox.
They released the details on their blog and the CNET Story is here.
Aside from the how they released the exploit as a lovely video - which is cutting edge cool - what is quite interesting is they haven’t given the exploit details to Google. There’s no sign of that in fact. Rather they say this:
Vupen … said it would not publicly disclose the exploit code or technical details of the vulnerabilities but will share them with its government customers as part of its vulnerability research services.
So they are making money off their own customer base for the research. Imagine if the security community started a trend for closed research, that is to say don’t give the research to vendors for free. But rather sold the info to governments and other customers privately.
What a change in the landscape that would be.
False Positives
After 12 years of content filtering it would be true to say spam detection is more accurate that it’s ever been. Almost very solution has multiple complementary scanners and accurate blacklist services like Spamhaus are so good now.
But the volume of email is so high now and people run their whole lives over email so the problem of false positives is growing. Some of these examples are a good laugh if they didn’t involve airline tickets and purchase orders:
Also awkward realisation that Gmail’s spam filter also filters emails from your boss. SORRY SORRY SORRY. #flippingout
http://twitter.com/courtody/statuses/66074991392858112
Yahoo mail spam filter is a load of sh*t, 90% of my emails are now ending up in the Spam folder. It used to work, it has been disimproved.
http://twitter.com/G4GUO/statuses/63884681254420480
Omg…. I just found over 100 emails that were sent to Spam that shouldn’t have been. Gmail, we need to break up.
http://twitter.com/JLYoungsma/statuses/65577791143424000
Thanks yahoo, for putting my Scholarship notification e-mail in my spam folder. I COULD HAVE DELETED IT AND NEVER KNOWN. :T
http://twitter.com/rikkue/statuses/65897796120743936
You know what’s not cool? That GMail sent my plane ticket to NYC to my spam folder. THAT’S NOT COOL, GMAIL.
http://twitter.com/PBAmanda/status/65598878753370112
Things that didn't catch bin Laden
This weeks news is after nine years and unknown billions of dollars a man full of hate a murder is finally dead. For IT security types there are some obvious lessons here so I have a quick think about the budget
He wasn’t caught in a backscatter X-ray scanner
He wasn’t caught by an outsource partner
He wasn’t seen on a CCTV camera anywhere
Airport staff didn’t catch him after a “junk” fondle
Inconveniencing millions of travelers didn’t help one iota
In the end the US had to go and do the job itself and the job was done through good old fashioned police/spy work by experts in the field. There is a sad lack of sensational press release about it. The truth that’s being lost is new technology sometimes helps, but often is a waste of money and focus on the job.
I can’t help but think it could all have been done much sooner and much cheaper. Without the fear, without the hysteria and endless theatre of politicians all trying to appear harder on terror than the others.
Running on Empty
APNIC confirm IPv4 address space is now gone, after Chinanet got 500,000 of the last free addresses. Only addresses used for connectivity to the new IPv6 “second internet” will be allocated. Microsoft asked for temporary IPv4 addresses for it’s Sydney TechEd and were told “There is no IPv4 address space available for temporary allocation.”
I predict the number of unexplained and odd problems organisations have with their internet connections is set to rise.
SSL could fail at any time
Whenever you talk about web security it isn’t long before you hit SSL. It’s one of the foundational security pieces we have. After the recent Comodo debacle you might be interested in how completely broken SSL really is. This is a great article from The Register.
It starts like this:
Analysis Every year or so, a crisis or three exposes deep fractures in the system that’s supposed to serve as the internet’s foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.
And ends with this great quote from Jeremiah Grossman, CTO of White Hat Security:
“It is definitely weak. It could fall down at anytime.”
Worth a read.
Detecting Flash
The News - Adobe has a zero day exploit launched from flash embedded in Word or Excel files. Details from ZD Net here.
Wouldn’t it be nice to tell MailMarshal to block office documents with flash embedded in them?
When MailMarshal sees one of these and unpacks the Excel it looks something like this:
938 18:21:12.124 Type=XLS, size=122741, Name=Filename.xls
4938 18:21:12.124 Type=EMF, size=12098940, Name=Extracted0.emf
No SWF file here, instead there is something called an EMF file. EMF’s are not a container for files, rather they contain COMMANDS to execute and any file is hidden in a EMF_COMMENT field as binary. It’s a pretty odd way of doing it that was probably going to be exploited sooner or later - but I am sure there are very good reasons to do things in convoluted ways.
To detect this we have to look for that specific file type (Excel with Flash), so requires modification of the filetype.cfg library file for custom signatures. The signatures that need to be added are:
46 57 53 - SWFE
43 57 53 - CWSE
This is only a work around as the signatures are very specific. If other in the wild examples are found new signatures would need to be added. Bear in mind the manual nature of keeping this up to date.
Follow the money
McAfee released this report about the trends of cybercrime. Much of it seems focused on very large companies spending up to a million dollars a day on security - so nobody we know. And some of the claims of how much dollar value is lost seem over the top. However I thought this was a good quote and a good way to view the coming trends:
“Anything that can be monetized can become a target of the underground economy. These range from banking credentials of individuals to database dumps of Fortune 100 companies.”
Marcel van den Berg, Team Cymru
This seems to me a realistic and pragmatic position to take and a useful rule of thumb for looking at what might be at risk. It also fits that old adage - follow the money.
SSL Certificates attacked
This is an interesting story, Comodo issue SSL certificates and were tricked into issuing fraudulent certificates through a logon of a European reseller. For sites like Google and Microsoft.
On it’s own it’s pretty poor form that any reseller can bang out certificates without any real checks. But when you place it along side RSA theft it becomes even more interesting. Both attack core encryption blocks of the jigsaw. Both look targeted in that by itself the information taken is only useful as part of a larger or wider attack. In both cases you’re left scratching your head about so called security suppliers.
Maybe we’re seeing the tip of the state sponsored iceberg. I hope not.
UPDATE
Here’s an interesting analysis of the same issue from the Blog at the TOR project
The big burn
Here’s a wonderful story from the New Zealand Herald explaining the saga of a printing company and it’s optimistic management.
Salient events:
Used to be called Pacific Print based in NZ, but now called Geon Group based in Australia.
In 2005 half of it was sold for about $155 million dollars to Gresham Private Equity, then Gresham bought up the whole of it. They don’t say how much more for.
Since then it pursued “Aggressive growth, particularly in Australia”.
At the end of June 2010 the company had negative equity of $216 million dollars.
Bankers now control the company after accumulated losses of $271 million dollars.
The company was “in danger of collapse” until it’s bank, BOS International, bailed it out last month by reducing it’s debt from $244 million dollars to $80 million dollars and suspended the interest payments. So it the light of this stupendously large disaster where everybody involved lost millions upon millions of dollars what did the group management have to say?
“The company has welcomed the deal, and claims it is now ready for it’s next significant growth stage.”
Hm. Can’t wait.
