GANSECBLOGGER Blog is moving!

This blog is moving to my business website location. The new location for this blog will be http://www.gansec.com/blog/.

See you there!

Zero-Day vulnerability in Adobe products enables takeover of system

Looks like there is a new vulnerability out that affects Adobe Flash, Player and Acrobat reader. Exploit is out on the Internet. Attackers are able to take over your system if you open up infected files (flash, PDF etc).

From this Adobe advisory:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

There is no fix yet. Stay tuned.

iPhone Vulnerability even worse than assumed – everything exposed when connected to Windows

This is getting worse and worse – the good people over at H Security (here is the article) found out that the iPhone issue first reported by security expert Bernd Marienfeldt is even more significant: You can connect an iPhone to a Windows Vista machine and lo and behold, EVERYTHING is accessible, EVEN passwords.

[…] managed to connect an iPhone with iTunes under Windows and created a full backup, including such sensitive data as passwords in clear text.

However, they state, this does not work if the iPhone was in a locked state before it was shutdown. The article says.

[…] has come to the conclusion that the problem only occurs if the iPhone was shut down from an unlocked state. During the wake up this state is restored and the device is “open” for a short period of time before the Springboard application wakes up and locks it down. This short period is sufficient for a pairing to occur that ensures permanent access. An iPhone that was shut down in a locked state does not accept the pairing – which corresponds to heise Security’s observations. This reduces the risk somewhat, because a lost iPhone in a locked state cannot be tricked into pairing.

Either way, crazy stuff.

Vulnerability in iPhone data encryption Or: Do not lose your iPhone because everyone will be able to access it

Bernd Marienfeldt, security officer at LINX, uncovered a pretty bad vulnerability of the latest iPhone that is out there: even with encryption, set passphrases etc, anyone using Ubuntu LINUX can access certain data you have stored on it. There is no fix for this yet.

More detail on Heise-Online, here is the article.

Excerpt:

.. found that he was able to gain unfettered access to his iPhone 3GS from Ubuntu 10.04. If he connected the device whilst it was turned off and then turned it on, Ubuntu auto-mounted the file system and was able to access several folders despite never having previously been connected to the iPhone. The H’s associates at heise Security have successfully reproduced the problem. An Ubuntu system which had never before communicated with the iPhone immediately displayed a range of folders. Their contents included the unencrypted images, MP3s and audio recordings stored on the device.

UPDATE: Rumors have it that this may also affect the iPad.

Child Safety on the Internet – Some Tips

Excellent article on Microsoft.com:

Age-based guidelines for kids’ Internet use

If your children use the Internet at home, you already know how important it is to help protect them from inappropriate content and contact.

Windows Live Family Safety and the parental controls included in Windows 7 and Windows Vista can help you create a safer online environment for your children.

The American Academy of Pediatricians (AAP) helped Microsoft develop age-based guidance for Internet use with the family safety settings in both of these products. It’s important to remember that these are guidelines only. You know your child best.

Up to age 10

Supervise your children until they are age 10. You can use Internet safety tools to limit access to content, Web sites, and activities, and be actively involved in your child’s Internet use, but Microsoft recommends that you sit with your child when they use the Internet, until the age of 10.

Here are some safety tips to consider when you go online with your 2-10 year old:

  1. It’s never too early to foster open and positive communication with children. It’s a good idea to talk with them about computers and to stay open to their questions and curiosity.
  2. Always sit with your kids at this age when they’re online.
  3. Set clear rules for Internet use.
  4. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  5. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that don’t give away personal information.
  6. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
    Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  7. All family members should act as role models for young children who are just starting to use the Internet.

Ages 11 to 14

Children this age are savvier about their Internet experience, but it’s still a good idea to supervise and monitor their Internet use to help ensure they are not exposed to inappropriate materials. You can use Internet safety tools to limit access to content and Web sites and provide a report of Internet activities. Make sure children this age understand what personal information they should not give over the Internet.

When your kids are this age it might not be practical to physically supervise their Internet use at all times. You can use tools such as Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.

Here are some safety tips to consider when you go online with your 11-14 year old:

  1. It’s a good idea to foster open and positive communication with your children. Talk with them about computers and stay open to their questions and curiosity.
  2. Set clear rules for Internet use.
  3. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  4. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that give away no personal information.
  5. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
  6. Set family safety tools on the medium security setting, which should have some limitations on content, Web sites, and activities.
  7. Keep Internet-connected computers in an open area where you can easily supervise your kids’ activities.
  8. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  9. Encourage your children to tell you if something or someone online makes them feel uncomfortable or threatened. Stay calm and remind your kids they are not in trouble for bringing something to your attention. Praise their behavior and encourage them to come to you again if the same thing happens.

Ages 15 to 18

Teens should have almost limitless access to content, Web sites, or activities. They are savvy about the Internet but they still need parents to remind them of appropriate safety guidelines. Parents should be available to help their teens understand inappropriate messages and avoid unsafe situations. It’s a good idea for parents to remind teens what personal information should not be given over the Internet.

Here are some safety tips to consider as you guide your teens online:

  1. Continue to keep family communication as open and positive about computers as you can. Keep talking about online lives, friends, and activities, just as you would about other friends and activities.
    Encourage your teens to tell you if something or someone online makes them feel uncomfortable or threatened. If you’re a teen and something or someone online doesn’t seem quite right, then speak up.
  2. Create a list of Internet house rules as a family. Include the kinds of sites that are off limits, Internet hours, what information should not be shared online, and guidelines for communicating with others online, including social networking.
  3. Keep Internet-connected computers in an open area and not in a teen’s bedroom.
  4. Investigate Internet-filtering tools (such as Windows Vista Parental Controls, Windows 7 Parental Controls, or Windows Live Family Safety ) as a complement to parental supervision.
  5. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  6. Know which Web sites your teens visit, and whom they talk to. Encourage them to use monitored chat rooms, and insist they stay in public chat room areas.
  7. Insist that they never agree to meet an online friend.
  8. Teach your kids not to download programs, music, or files without your permission. File-sharing and taking text, images, or artwork from the Web may infringe on copyright laws and can be illegal.
  9. Talk to your teenagers about online adult content and pornography, and direct them to positive sites about health and sexuality.
  10. Help protect them from spam. Tell your teens not to give out their e-mail address online, not to respond to junk mail, and to use e-mail filters.
  11. Be aware of the Web sites that your teens frequent. Make sure your kids are not visiting sites with offensive content, or posting personal information. Be aware of the photos that teens post of themselves and their friends.
  12. Teach your kids responsible, ethical, online behavior. They should not be using the Internet to spread gossip, bully, or threaten others.
  13. Make sure your teens check with you before making financial transactions online, including ordering, buying, or selling items.
  • Discuss online gambling and its potential risks with your teens. Remind them that it is illegal for them to gamble online.
  • I would like to add that the most safety is offered through you, the parents. Make sure you communicate with your children. Educate yourself about the Internet.

    Adobe fixes critical holes in Shockwave

    Adobe quietly released a HIGHLY CRITICAL update to Shockwave on Tuesday. Exploiting these vulnerabilities enables an attacked to inject code and – shock – take over your system. Yes, you need to update your Shockwave installation ASAP. And yeah, you even have to uninstall your old version first!

    Adobe advisory is here:

    Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.

    […]

    Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606.

    Download Patches from here: http://get.adobe.com/shockwave/.

    Patch your Adobe Reader ASAP or get hacked like Google did!

    Go to http://www.adobe.com/support/security/bulletins/apsb10-02.html and get your latest patch.

    The hackers who tried to steal source code from dozens of companies used an exploit in Adobe Reader to get it done..

    From Wired:

    A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

    The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to the companies and were in many cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to an attack that targeted other companies last July, the company said.

    A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.

    Adobe acknowledged on Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

    The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the victim of a “highly sophisticated” hack attack originating in China in December.

    Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it and had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

    But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

    The hackers gained access to the company networks by sending targeted e-mails to employees, which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.

    Don’t get hacked! Patch now.