Tuesday, May 24, 2005

Send $200 in unmarked e-cash...

This story is a little light on technical details, but interesting nonetheless. Short form: an attacker encrypts important business documents, then leaves a $200 ransom note for the encryption keys. I'm sure this sort of thing happens all the time, but it rarely makes the mainstream media (especially not for a measly $200 ransom).

Have you backed up your files lately?

Saturday, May 21, 2005

Inside Operation Firewall

Business Week has an article with some interesting details on last October's Shadow Crew bust. Pretty interesting, especially for a non-tech publication.

Friday, May 13, 2005

A big shout-out to all my Croatian fans!

In a rather unlooked-for but extremely welcome turn of events, I've been scheduled to speak at next month's InfoSeCon in Dubrovnik, Croatia (June 6 - 9). I will be presenting a talk on Network Security Monitoring (NSM) with the open source Sguil software. I'll also be teaching a more advanced master class on NSM based on Richard Bejtlich's The Tao of Network Security Monitoring.

And let me just say that the location looks to be a stunning seaside resort on the shores of the crystal blue Adriatic. Even if you don't care to hear me talk, come for the junket value!

Tuesday, May 10, 2005

Symantec releases worm outbreak simulator

This is just too cool. You can download and run this on your own Windows system, but although the documentation says you can tinker with the security policies, worm characteristics and other simulation variables, the software doesn't seem to allow you to do this. I guess Symantec doesn't want to give undue advantage to its competitors (or the worm creators), which I suppose is understandable. Still, if we could at least edit the network security policies and such, this would be a great tool to show your users & management the importance of good security controls!

IPSec information disclosure vulnerabilities

The UK's National Infrastructure Security Coordination Centre has published an advisory about vulnerabilities in certain IPSec configurations (ESP used for encryption without integrity protection) that could allow an active attacker to recover the plaintext of the encrypted communication.

If you're using IPSec, you need to read the advisory, but I can tell you briefly that the attack involves flipping bits in the encrypted payload so that, after decryption, the IP header of the tunneled inner packet is modified in various ways (in CBC mode a bit flipped in the ciphertext or IV flips a predictable bit of the plaintext). A header modified that way should provoke an ICMP error message from the receiving side of the tunnel. ICMP error messages quote the header and the leading bytes of the payload of the packet which generated the error condition, and in this case that packet is the decrypted inner IP packet, so the "diagnostic" carries plaintext back out to the attacker.

The advisory claims that this attack can be fully automated and can potentially recover entire encrypted sessions. The best workaround seems to be to configure ESP with integrity protection as well as encryption (or to run AH alongside ESP), so that a tampered packet is rejected before it is ever decrypted; blocking ICMP error messages would also be effective in some circumstances, but it only removes one of the feedback channels.
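To make the mechanism concrete, here is an added example (my own Go sketch, not code from the advisory or from any IPSec implementation) that models one packet through an encryption-only ESP tunnel and through the same tunnel with integrity protection. It assumes the attacker already knows the original inner IP header (an assumption; in tunnel mode the inner addresses are often predictable), it simplifies ESP to IV plus AES-CBC ciphertext with no SPI, sequence number or trailer, and it uses protocol number 253 (reserved for experimentation) as the value no stack will have bound. The addresses and the payload are constructed. The attacker XORs the transmitted IV so the decrypted inner header carries a different protocol number and a recomputed checksum; the receiving "IP stack" then answers with a Protocol Unreachable that quotes the decrypted datagram.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// ipv4Checksum: RFC 791 header checksum with the checksum field (bytes 10-11) as zero.
func ipv4Checksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		if i != 10 {
			sum += uint32(binary.BigEndian.Uint16(h[i:]))
		}
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16) // fold carries (ones' complement add)
	}
	return ^uint16(sum)
}

// buildInnerPacket: minimal inner IPv4 header + payload; addresses are constructed.
func buildInnerPacket(proto byte, src, dst [4]byte, payload []byte) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	h[8], h[9] = 64, proto // TTL, protocol
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	binary.BigEndian.PutUint16(h[10:], ipv4Checksum(h))
	return append(h, payload...)
}

// espEncrypt models ESP's CBC encryption: IV in the clear, then ciphertext (trailer omitted).
func espEncrypt(key, plaintext []byte) (iv, ct []byte) {
	block, _ := aes.NewCipher(key)
	iv, ct = make([]byte, aes.BlockSize), make([]byte, len(plaintext))
	rand.Read(iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plaintext)
	return iv, ct
}

// icv models ESP integrity protection (real ESP also covers SPI and sequence number).
func icv(authKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// rewriteProtocol is the attacker's move. In CBC, P0 = D(C0) XOR IV, so flipping an IV
// bit flips the same bit of the decrypted inner header with no garbling. Assuming the
// original header is known, set a new protocol number and fix the checksum to match.
func rewriteProtocol(iv, knownHeader []byte, newProto byte) []byte {
	want := append([]byte(nil), knownHeader[:20]...)
	want[9] = newProto
	binary.BigEndian.PutUint16(want[10:], ipv4Checksum(want))
	evil := make([]byte, aes.BlockSize) // dst address (bytes 16-19) sits in block 1, untouched
	for i := range evil {
		evil[i] = iv[i] ^ knownHeader[i] ^ want[i]
	}
	return evil
}

// receive is the tunnel endpoint. With authKey set it verifies the ICV before decrypting.
// Otherwise it decrypts and acts like an IP stack: a valid inner header for a protocol it
// lacks earns ICMP Protocol Unreachable (type 3, code 2), which quotes the offending
// datagram (RFC 792: header + 8 bytes; Linux quotes up to 576). That quotation is returned.
func receive(key, authKey, iv, ct, tag []byte) ([]byte, error) {
	if authKey != nil && !hmac.Equal(icv(authKey, iv, ct), tag) {
		return nil, errors.New("ICV mismatch: dropped before decryption")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt[0] != 0x45 || binary.BigEndian.Uint16(pt[10:]) != ipv4Checksum(pt[:20]) {
		return nil, errors.New("inner IPv4 header rejected")
	}
	if pt[9] == 6 || pt[9] == 17 { // TCP/UDP: delivered normally, nothing echoed back
		return nil, nil
	}
	return pt, nil
}

// demo sends one tampered packet through both configurations: the leaked ICMP quotation
// from encryption-only ESP, and the rejection error from ESP with integrity protection.
func demo() (leaked []byte, withICV error) {
	encKey, authKey := make([]byte, 16), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(authKey)
	inner := buildInnerPacket(6, [4]byte{10, 1, 1, 10}, [4]byte{10, 2, 2, 20}, []byte("CONFIDENTIAL"))
	iv, ct := espEncrypt(encKey, inner) // 32 bytes: exactly two AES blocks
	evilIV := rewriteProtocol(iv, inner[:20], 253) // 253: reserved for experimentation, never bound
	leaked, _ = receive(encKey, nil, evilIV, ct, nil)
	_, withICV = receive(encKey, authKey, evilIV, ct, icv(authKey, iv, ct))
	return leaked, withICV
}
```

The point to notice is where the check happens: without an ICV the receiver has no way to tell a forged IV from a legitimate one, decrypts happily, and the IP layer's own error handling becomes the decryption oracle; with an ICV the forgery dies before decryption and no ICMP is ever generated, so filtering ICMP is only a backstop.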

Monday, May 09, 2005

F-Secure tries to infect the Prius

This is pretty creative. I admit to having wondered myself how secure some of these Bluetooth-enabled car computers were. When a friend of mine got a new 2004 Prius last year, we actually went out and tried to see if we could somehow access it with my PDA, but we didn't go to nearly the trouble these guys did!