So fast - so weekly: why so fundamental? MPLS, certs, and fundamental Linux insecurity patches


[Image: Bild 1.png]

This is a random security picture. :)

German Security Skills - Conficker, MPLS...

It turns out some Germans broke MPLS. That's not much of a surprise, because there have been rumors for years that "yet another fundamental old internet protocol" is insecure. The only problem is that this one isn't patchable yet.
So thanks to all major news outlets for not covering this so far and for going after DNS instead. That one was patchable and therefore needed that kind of awareness.

The MPLS talk will be given at Black Hat Europe in Amsterdam. I won't be there (I think), but anyhow...
Also scheduled: Charlie Miller's and Vincenzo Iozzo's iPhone security talk - just to keep it in the news, I think - and something interesting about WiSh (Windows Shellcode) by Benjamin Caillat.
Keep an eye on those two in particular.

Again: Germans strike! Conficker pwned, MPLS... wonderful.

Call for certs or for responsibility?

If you're after certain IT security positions nowadays - without a cert - you need amazing interview skills. And experience to get invited in the first place. Experience like your own (open source) projects, things you have actually done - a good CV. That's normal, because IT security comes with great responsibility.
Entry positions in the field are kind of strange sometimes. Managing a certain Unix box and making it secure. Stuff that nobody really cares about. But that's how it starts. You don't want to let a beginner set up a dual-inline firewall for a critical infrastructure.
Experienced security people, on the other hand, are really rare. And most often very well known and expensive. So how do you save money? - Right: certification!

You can rely on real experts very well. Or on certified people, who - on paper - have skills. Even if they just paid for that paper. Paper is real - for management and for the majority of people.
Here's the news: knowledge isn't certifiable. But interest is interviewable. Knowledge isn't. Interest creates knowledge.
- Ceaseless research is actually what you need. And not a mind-numbing "SuperSec AllInOne MegaCert Expert" degree. I have some of these papers and all the courses totally sucked! You need a pillow in class. And you never need to listen, because the tests are trivial in the end.
Certs neither solve the scan-monkey problem nor are they deep enough. What's really needed are certs similar to CPTE (which builds on CPTS) or higher. That is almost scientific knowledge, but IT security - as it often turns out - is about exactly that: exploring new ground, reconstructing (sophisticated) attacks, being aware, and explaining complex technology to non-IT people.

Today's certs are much too primitive! Even if - on a basic level - everybody needs some skills that are taught by the better institutes like SANS. The basic level just isn't enough. In a CISSP course they teach automated scanning (Nessus, Nmap...), tools, and that's the depth. Compliance and policy - a little. And afterwards you're held responsible for IT security. Good idea.

And most often basic certified people are "so-called experts". Without even knowing what they're up against. Without interest they're lost. Of course many CISSPs are very good IT security researchers _too_. And that's the point: not because of the certs. The worth of a cert is similar to the worth of a good pen. It doesn't make an author.

Bye bye XP and other news

The immortal Windows... dies

Microsoft ends mainstream support for Windows XP. From now on you just get security fixes - some of them. Nevertheless MS advertised the Windows 7 kernel features as "event driven" and much "better", which in the case of MS doesn't necessarily mean that the code is mature. Bad news.

NO MORE FREE BUGS - is not about selling exploits

There's yet another disclosure debate... In short: a security researcher can get sued by a company like Apple because he or she found a vulnerability. Because a company - like Apple - forbids reversing of some of its software products. They don't want your expertise and never asked for it. Even if millions of people could be affected by the problem. They don't want your help. That's it in short.

So BEFORE you disclose, make the company sign an agreement NOT to sue you. You need a contract. And BEFORE you post to this mailing list, make sure you know what "No more free bugs" is about. It's not about selling exploits. CanSecWest is not about selling exploits. It is a stage for awareness.

John Strand strips...

Video: SSLStrip, from John Strand on Vimeo.

Important: don't forget the iptables rule. On the box doing the interception (with IP forwarding enabled) it redirects the victims' port-80 traffic to the port sslstrip listens on:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Just in case you're a little like me.

FreeBSD in Debian

Sounds awesome. I'll give it some months to mature. pf in Debian with jails. If that happens I'll become a Debian fanboy. Because actually the Linux kernel sucks. Patching CIFS remote buffer overflows secretly. That's bullshit security and therefore the project doesn't deserve my attention any longer.

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
                            BCC(smb_buffer_response)) {
                                kfree(tcon->nativeFileSystem);
                                tcon->nativeFileSystem =
-                                   kzalloc(length + 2, GFP_KERNEL);
+                                   kzalloc(2*(length + 1), GFP_KERNEL);
                                if (tcon->nativeFileSystem)
                                        cifs_strfromUCS_le(
                                                tcon->nativeFileSystem,
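Review bot: 2*(length + 1) only covers two output bytes per character, which is not the worst case for the conversion performed right below it: cifs_strfromUCS_le fills tcon->nativeFileSystem in the local NLS charset, and in UTF-8 a single character can take three bytes (the kernel bounds it by NLS_MAX_CHARSET_SIZE in nls.h), so a long name still runs past the allocation. Either compute the converted length before calling kzalloc, or allocate NLS_MAX_CHARSET_SIZE * (length + 1) and make the conversion respect that bound.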

The developers aren't sure... guess what. I'm too lazy to go through the patches. Normally that's not necessary. But in the case of Linux it is. Even Microsoft tells you about vulnerabilities. But not the Linux people. They're secure by assumption.

Yes we can... illegally spy on US people and that's legal

At least that's what not going after the previous administration means in Obama's case. Only deliberate leaking is illegal. If it leaks... well... that's okay. All your data are belong to US, legally. Fine... but I thought this open information society would be a little different in my mind's utopia.

In Europe our data retention laws make ISPs hold lots of information. If it leaks, it leaks. That's how this will get adopted. I'm very sure of this. You don't need much prophecy - because Great Britain is modernizing Europe that way.

Not highly sophisticated but highly effective - GhostNet/Gh0st RAT and others

The (Gh0st) trojan, which infected numerous government computers and apparently was used for espionage, as the news tells, is open source.
This is not highly sophisticated. So there are questions, okay.

One important question now is: did governments yet understand cyberwarfare, and that stuff like that is used for professional espionage? Did they get that disclosure only happens once the malware isn't usable any longer? All so-called Microsoft Office 0-days are old days. I think somebody has to wake them up. Now ;).
Before there's yet another hacked power grid.

And Turing Award goes to...

Barbara Liskov. Never heard of the stuff she researched. Hmmh... I'm just uneducated, as it seems. Sometimes. ;) Just sometimes. Hopefully.

Have fun,
wishi


You're referring to the potential CIFS (a.k.a. SMB) vulnerability... call it a bug or whatever.

Thing is... it's not pointless. length here is UniStrnlen based. It returns the number of characters.
UTF-8 is the worst case. If you need 3 bytes per character... you simply have to change it to:

kzalloc(3*(length + 1), GFP_KERNEL);

and not two.

Very pointless... for sure :-).


Microsoft doesn't know the difference between UCS2, Unicode, ASCII, and UTF-8/16. Apparently, neither do you, the dummies at Suse, and a few other blogging geniuses. That's why you felt the need to rant pointlessly, right?

grok CIFS, grep nls.h NLS_MAX_CHARSET_SIZE
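The sizing argument in both comments above (three bytes per character in UTF-8, NLS_MAX_CHARSET_SIZE from nls.h), as an added example in C that is not the kernel's code: a bounded UCS-2LE to UTF-8 converter that reports how many bytes the converted nativeFileSystem field really needs, compared against the three allocations discussed here (the old length + 2, the patch's 2*(length + 1), and NLS_MAX_CHARSET_SIZE * (length + 1), the worst case for any NLS charset). The sample field is constructed (eight euro signs, U+20AC); all function names are this example's own, and the value 6 for NLS_MAX_CHARSET_SIZE is the one from the kernel's include/linux/nls.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst-case bytes per character in any NLS charset the kernel supports;
 * same value as the kernel's include/linux/nls.h. */
#define NLS_MAX_CHARSET_SIZE 6

/* Count UCS-2LE code units before a NUL or maxlen, like the kernel's
 * UniStrnlen: the result is characters, not bytes. */
size_t ucs2le_strnlen(const uint8_t *s, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && (s[2 * n] | s[2 * n + 1]) != 0)
        n++;
    return n;
}

/* UTF-8-encode one 16-bit unit (treated as a code point, as UCS-2 does);
 * returns the number of bytes written, 1 to 3. */
static size_t utf8_put(uint16_t cp, uint8_t out[3])
{
    if (cp < 0x80) { out[0] = (uint8_t)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (uint8_t)(0xC0 | (cp >> 6));
        out[1] = (uint8_t)(0x80 | (cp & 0x3F));
        return 2;
    }
    out[0] = (uint8_t)(0xE0 | (cp >> 12));
    out[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (uint8_t)(0x80 | (cp & 0x3F));
    return 3;
}

/* Convert nchars UCS-2LE units to NUL-terminated UTF-8 without ever writing
 * past dstlen (dst may be NULL to only measure).  Returns the byte count the
 * complete conversion needs, NUL included, whether or not it fit, so a
 * caller can compare it with the allocation it made. */
size_t ucs2le_to_utf8(const uint8_t *src, size_t nchars, char *dst, size_t dstlen)
{
    size_t need = 1, used = 0;
    int fits = (dst != NULL && dstlen > 0);
    for (size_t i = 0; i < nchars; i++) {
        uint16_t cp = (uint16_t)(src[2 * i] | (src[2 * i + 1] << 8));
        uint8_t tmp[3];
        size_t k = utf8_put(cp, tmp);
        need += k;
        if (fits && used + k < dstlen) {   /* keep room for the NUL */
            memcpy(dst + used, tmp, k);
            used += k;
        } else {
            fits = 0;                      /* truncate cleanly, never garble */
        }
    }
    if (dst != NULL && dstlen > 0)
        dst[used] = '\0';
    return need;
}

/* The allocation sizes discussed on this page, for a name of `length`
 * characters (what UniStrnlen returns). */
size_t alloc_old(size_t length)       { return length + 2; }
size_t alloc_patched(size_t length)   { return 2 * (length + 1); }
size_t alloc_nls_worst(size_t length) { return NLS_MAX_CHARSET_SIZE * (length + 1); }

/* Constructed sample, not a capture: a nativeFileSystem field of eight
 * euro signs (U+20AC, three UTF-8 bytes each) in UCS-2LE, NUL-terminated. */
static const uint8_t sample_ucs2le[] = {
    0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20,
    0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20,
    0x00, 0x00
};

size_t sample_length(void)
{
    return ucs2le_strnlen(sample_ucs2le, sizeof sample_ucs2le / 2);
}

/* Bytes the UTF-8 form of the sample needs, NUL included. */
size_t sample_needed_bytes(void)
{
    return ucs2le_to_utf8(sample_ucs2le, sample_length(), NULL, 0);
}

/* strlen of what a bounded conversion into dstlen bytes leaves behind. */
size_t sample_bounded_strlen(size_t dstlen)
{
    char buf[64];
    if (dstlen > sizeof buf) dstlen = sizeof buf;
    ucs2le_to_utf8(sample_ucs2le, sample_length(), buf, dstlen);
    return strlen(buf);
}

int main(void)
{
    size_t length = sample_length(), need = sample_needed_bytes();
    size_t sizes[3] = { alloc_old(length), alloc_patched(length), alloc_nls_worst(length) };
    const char *names[3] = { "length + 2", "2*(length + 1)", "NLS_MAX_CHARSET_SIZE*(length + 1)" };
    printf("length = %zu characters, UTF-8 needs %zu bytes\n", length, need);
    for (int i = 0; i < 3; i++)
        printf("kzalloc(%s) = %zu -> %s\n", names[i], sizes[i], sizes[i] >= need ? "fits" : "overflow");
    return 0;
}
```

For the eight-character sample the conversion needs 25 bytes: the old 10-byte and the patched 18-byte allocations both overflow, the NLS worst case (54 bytes) fits. The converter here stops at the bound and keeps the string terminated, which is the property the kernel path lacks when the allocation is computed from a character count.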
