On July 28, 2009, Microsoft published two out-of-band security bulletins, MS09-034 and MS09-035, for Internet Explorer and Visual Studio's Active Template Library (ATL). These bulletins are related to MS09-032, which, among other things, disabled a vulnerable version of Microsoft's MPEG2TuneRequest ActiveX control. Cisco has released a Security Advisory that details which products are affected by this issue and which are not. The team that discovered this vulnerability (Ryan Smith, Mark Dowd, and David Dewey) shared their research at Black Hat USA this week. In this post, we share some insight into these vulnerabilities and offer advice that can help you minimize the risk of criminals exploiting them to compromise your network.
Border Gateway Protocol (BGP) is an Internet Engineering Task Force (IETF) standard and the most scalable of all routing protocols. BGP is the routing protocol of the global Internet, as well as of service provider private networks. BGP has expanded beyond its original purpose of carrying Internet reachability information and can now carry routes for multicast, IPv6, VPNs, and a variety of other data. For more information on BGP, see RFC 1163 and RFC 1267 (the original BGP-2 and BGP-3 specifications); the BGP-4 protocol in use today is specified in RFC 4271. The use of BGP as a routing protocol is ubiquitous on the Internet (it is used by both Internet Service Providers (ISPs) and non-ISPs). Because of its prevalence, there is a great deal of concern in the Internet community whenever there is public knowledge of a BGP or TCP-based vulnerability that is being, or could be, exploited. It is this concern that prompted me to provide you with some helpful techniques to secure BGP.
This week’s Cyber Risk Report (CRR) discussed the newly available Vanish software, which allows users to exchange messages whose contents are readable for a limited period of time and are rendered unreadable afterward. Researchers from the University of Washington developed Vanish to protect against recovery of the message data at a later time. The software leverages a distributed hash table (DHT), part of the infrastructure of BitTorrent networks, to store the key to an encrypted message known as a Vanish data object (VDO); the key is split into shares, and a threshold number of those shares must be retrieved from the DHT to reconstruct it. The shares are publicly available for a period of time, allowing anyone in possession of the VDO to read it by retrieving them from the DHT. Once the time expires, the DHT nodes discard the shares, and the key is no longer available to decrypt the data. As a result, users can be reasonably sure that messages can no longer be decrypted after a certain period of time. No matter where the data ends up (stored in the cloud, on e-mail server backups, or in ISP logs), it is unrecoverable, aside from attacks against the encryption itself, such as brute-force attacks. Even under threat of physical or legal compulsion, a user could not recover the key and decrypt the VDO after the specified time period passes, which makes the scheme best suited to a certain set of circumstances.
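The mechanism described above, as an added illustration that is not the Vanish project's code: a message is encrypted under a fresh random key, the key is split with Shamir (k-of-n) secret sharing, and the shares are pushed into a DHT that forgets them after a time-to-live. Everything here is a stand-in chosen for the demo: a SHA-256 counter-mode keystream replaces Vanish's real symmetric cipher, the DHT is an in-memory dictionary, and the clock is an integer the caller passes in. The names `create_vdo`, `open_vdo` and `SimulatedDHT` are this example's own.

```python
import hashlib
import secrets

# 2**521 - 1 is a Mersenne prime, so every 256-bit key is a valid field element.
PRIME = (1 << 521) - 1
KEY_BYTES = 32


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks, concatenated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n: int, k: int):
    """Shamir k-of-n sharing: n points on a random polynomial of degree k-1."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over any k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class SimulatedDHT:
    """In-memory stand-in for the DHT: each stored value carries an expiry time."""

    def __init__(self):
        self.store = {}

    def put(self, index: str, value, now: int, ttl: int) -> None:
        self.store[index] = (value, now + ttl)

    def get(self, index: str, now: int):
        item = self.store.get(index)
        if item is None or now >= item[1]:
            return None  # never stored, lost to churn, or timed out
        return item[0]


def create_vdo(plaintext: bytes, dht: SimulatedDHT, now: int, ttl: int,
               n: int = 5, k: int = 3) -> dict:
    """Encrypt, scatter the key k-of-n into the DHT, return a VDO holding no key."""
    key = secrets.token_bytes(KEY_BYTES)
    ciphertext = _xor(plaintext, key)
    shares = split_secret(int.from_bytes(key, "big"), n, k)
    access_key = secrets.token_bytes(16)  # seeds the DHT indices; travels with the VDO
    locations = []
    for idx, share in enumerate(shares):
        location = hashlib.sha256(access_key + idx.to_bytes(2, "big")).hexdigest()
        dht.put(location, share, now, ttl)
        locations.append(location)
    return {"ciphertext": ciphertext, "locations": locations, "threshold": k}


def open_vdo(vdo: dict, dht: SimulatedDHT, now: int):
    """Fetch whatever shares still exist; decrypt only if the threshold is met."""
    shares = [s for s in (dht.get(loc, now) for loc in vdo["locations"]) if s]
    if len(shares) < vdo["threshold"]:
        return None
    key = recover_secret(shares[: vdo["threshold"]]).to_bytes(KEY_BYTES, "big")
    return _xor(vdo["ciphertext"], key)


if __name__ == "__main__":
    dht = SimulatedDHT()
    vdo = create_vdo(b"meet at the usual place at noon", dht, now=0, ttl=8 * 3600)
    print(open_vdo(vdo, dht, now=60))        # readable while the shares live
    print(open_vdo(vdo, dht, now=8 * 3600))  # None once the DHT has forgotten them
```

The k-of-n split is what lets the scheme tolerate ordinary DHT churn (a couple of nodes leaving does not destroy the key) while still losing the key once most nodes have expired it. The caveat the model makes visible is the threat model: expiry only defends against retrieval after the fact. Anyone who fetched the shares from the DHT while they were live, or who simply harvests the DHT continuously, keeps the key forever, so the guarantee is only as strong as the assumption that nobody did that.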
As mentioned in this week’s Cyber Risk Report (CRR), a hacker known by the handle Croll gained access to private accounts owned by employees of the Twitter micro-blogging website. The hacker guessed the answers to the “secret question” password-recovery prompts by gathering information from the employees’ public profiles, and intercepted password-reset messages after gaining access to an employee’s public e-mail account. From that foothold, the hacker gathered further account information, including users’ passwords, and used the stolen details to access other accounts, including online financial, e-mail, and e-commerce sites. The attacker stole confidential business documents from these accounts and published them on the Internet, including Twitter employee lists, credit card numbers, food preferences, and confidential customer data.

The emergence of social networking means that more information about us is available online than ever before, much of it volunteered as part of our own online profiles. Yet site password-recovery tools treat these very same details as private, so there is a dangerous disconnect between what users believe to be private and the mechanisms meant to distinguish legitimate users from pretenders who are gaming the password-recovery system. Relying on secret-question password recovery opens an easy avenue of exploitation for attackers who know a few personal details, as Croll demonstrated. The hack follows other high-profile intrusions that also leveraged password-recovery mechanisms.
On July 14, 2009, Microsoft released Microsoft Security Bulletin MS09-032 to address a remote code execution vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll). Microsoft initially announced this vulnerability in Microsoft Security Advisory 972890. Cisco Security Intelligence Operations (SIO) released IPS Signature Updates S411 and S414, which contain signatures that detect attempts to exploit this vulnerability. Additional information about this and the other vulnerabilities in Microsoft’s Security Bulletins for July 2009 is available in the corresponding Cisco Event Response.
Analysis of IPS Network Participation data in the Cisco SensorBase Network confirms that this vulnerability is being exploited.
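The fix Microsoft shipped for this control is a kill bit, and the check a practitioner wants after patching (or after applying the advisory's manual workaround) is whether that bit is actually present on each host. The script below is an added example, not from the Cisco post or from Microsoft: it reads the documented registry location (`HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, value `Compatibility Flags`, kill bit `0x400`) in both the 64-bit and 32-bit registry views and reports CLSIDs that are still loadable. It takes the CLSIDs on the command line rather than hard-coding them; use the list from Advisory 972890. The `audit` and `missing_kill_bits` names are this example's own, and the CLSIDs used in its self-test are constructed placeholders.

```python
import sys

KILL_BIT = 0x00000400
COMPAT_PATH = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def kill_bit_set(flags):
    """True when a Compatibility Flags value carries the kill bit (None = no key)."""
    return flags is not None and (flags & KILL_BIT) == KILL_BIT


def read_compat_flags(clsid, wow64_32=False):
    """Read Compatibility Flags for one CLSID from the live registry (Windows only).

    wow64_32=True reads the 32-bit view (Wow6432Node) on 64-bit Windows, which is
    the view a 32-bit Internet Explorer consults. Returns None when the key or the
    value is absent, i.e. the control is not kill-bitted at all.
    """
    import winreg  # imported lazily so the audit logic is importable off-Windows

    view = winreg.KEY_WOW64_32KEY if wow64_32 else winreg.KEY_WOW64_64KEY
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_PATH + "\\" + clsid,
                            0, winreg.KEY_READ | view) as key:
            value, _value_type = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return None


def audit(clsids, reader=read_compat_flags):
    """Map each CLSID to True (kill bit present) or False (control still loadable)."""
    return {clsid: kill_bit_set(reader(clsid)) for clsid in clsids}


def missing_kill_bits(clsids, reader=read_compat_flags):
    """The CLSIDs that Internet Explorer would still instantiate."""
    return sorted(clsid for clsid, blocked in audit(clsids, reader).items() if not blocked)


if __name__ == "__main__":
    clsids = sys.argv[1:]  # pass the CLSIDs from the advisory, braces included
    if not clsids:
        sys.exit("usage: killbit_audit.py {CLSID} [{CLSID} ...]")
    for wow64_32 in (False, True):
        label = "32-bit view" if wow64_32 else "64-bit view"
        for clsid in missing_kill_bits(clsids, lambda c: read_compat_flags(c, wow64_32)):
            print(f"NOT KILL-BITTED ({label}): {clsid}")
```

Both registry views matter: on 64-bit Windows a kill bit written only under the native key leaves the 32-bit browser, which is what most users ran in 2009, free to load the control. A CLSID with no key at all is reported the same way as one whose flags lack `0x400`, since either state means the control can be instantiated.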