New Google Desktop Flaw Discovered

Posted in Internet Security, Operating Systems and Application Security by Dragan Pleskonjic @ Feb 25, 2007

Can we trust desktop search engines such as Google's, Microsoft's and similar ones? I'm afraid I still don't want to use them. I tried them and know that they help a lot to organize and search data, and they have more and more cool features. But a new report, one of a series on SecurityFocus, tells me to remain careful. Read "Google Desktop flaw allows data theft" by Robert Lemos, SecurityFocus (here).


Security Hole in Snort Intrusion Detection / Prevention System

Posted in Intrusion Detection / Prevention Systems by Dragan Pleskonjic @ Feb 25, 2007

A week ago Neel Mehta of IBM Internet Security Systems X-Force reported a vulnerability in Snort that can be exploited by remote attackers to compromise a vulnerable system.

The vulnerability is caused by a boundary error in the DCE/RPC preprocessor when reassembling SMB Write AndX requests. It can be exploited to cause a stack-based buffer overflow with a specially crafted packet sent over a network that Snort monitors; the attacker does not have to address the sensor itself, only a segment it inspects.

Successful exploitation allows execution of arbitrary code in the context of the Snort process.
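To make the class of bug concrete, here is an added illustration (not Snort's code, which this post does not reproduce): a hypothetical fragment reassembler that appends SMB data chunks into a fixed-size stack buffer, shown in its vulnerable form beside the hardened one. The buffer size REASM_MAX, the struct frag type, the function names and the sample fragments are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the on-stack reassembly buffer. Kept small so the constructed
 * input below is readable; an assumed value for this example, not Snort's. */
#define REASM_MAX 64

/* One chunk of SMB Write AndX data as a preprocessor sees it (hypothetical
 * type): a length field copied from the packet and the payload it describes. */
struct frag {
    uint16_t len;          /* attacker-controlled: taken from the wire */
    const uint8_t *data;
};

/* Vulnerable shape. Each fragment is appended at the running offset and the
 * wire length alone decides how much memcpy writes. Nothing compares
 * off + len against sizeof buf, so fragments that add up to more than
 * REASM_MAX overwrite the rest of the stack frame. */
int reassemble_unsafe(const struct frag *frags, size_t nfrags,
                      uint8_t *out, size_t *out_len)
{
    uint8_t buf[REASM_MAX];
    size_t off = 0;

    for (size_t i = 0; i < nfrags; i++) {
        memcpy(buf + off, frags[i].data, frags[i].len);  /* unchecked */
        off += frags[i].len;
    }
    memcpy(out, buf, off);
    *out_len = off;
    return 0;
}

/* Hardened shape. A fragment is copied only if it fits in the space left.
 * The test is len > REASM_MAX - off rather than off + len > REASM_MAX so it
 * cannot be defeated by integer wrap-around if len is ever widened. */
int reassemble_safe(const struct frag *frags, size_t nfrags,
                    uint8_t *out, size_t *out_len)
{
    uint8_t buf[REASM_MAX];
    size_t off = 0;

    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > REASM_MAX - off)
            return -1;                      /* would overflow: drop the stream */
        memcpy(buf + off, frags[i].data, frags[i].len);
        off += frags[i].len;
    }
    memcpy(out, buf, off);
    *out_len = off;
    return 0;
}

/* Constructed benign stream (not captured traffic): 16 + 8 bytes. Returns the
 * reassembled length when both paths agree, a negative value otherwise. On
 * well-formed input the two functions behave identically, which is why the
 * missing check goes unnoticed in normal operation. */
int demo_benign(void)
{
    uint8_t a[16], b[8], out_safe[REASM_MAX], out_unsafe[REASM_MAX];
    size_t n_safe = 0, n_unsafe = 0;

    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct frag frags[] = { { (uint16_t)sizeof a, a }, { (uint16_t)sizeof b, b } };

    if (reassemble_safe(frags, 2, out_safe, &n_safe) != 0)
        return -1;
    reassemble_unsafe(frags, 2, out_unsafe, &n_unsafe);
    if (n_safe != n_unsafe || memcmp(out_safe, out_unsafe, n_safe) != 0)
        return -2;
    if (out_safe[15] != 'A' || out_safe[16] != 'B')   /* boundary intact */
        return -3;
    return (int)n_safe;
}

/* Constructed crafted stream: two 40-byte fragments. Each fits the buffer on
 * its own, so a per-fragment check would pass, yet together they exceed
 * REASM_MAX by 16 bytes. Returns reassemble_safe's status (-1 = rejected).
 * reassemble_unsafe is deliberately not run on it: that is a real stack smash. */
int demo_crafted(void)
{
    uint8_t a[40], b[40], out[REASM_MAX];
    size_t n = 0;

    memset(a, 'A', sizeof a);
    memset(b, 0x90, sizeof b);
    struct frag frags[] = { { (uint16_t)sizeof a, a }, { (uint16_t)sizeof b, b } };
    return reassemble_safe(frags, 2, out, &n);
}

int main(void)
{
    printf("benign stream: %d bytes reassembled\n", demo_benign());
    printf("crafted stream: safe path returned %d\n", demo_crafted());
    return 0;
}
```

The point of the crafted input is that the check has to be on the accumulated offset, not on each fragment in isolation; any reassembly code that copies variable-length pieces into a fixed buffer needs the same comparison before every copy.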

The vulnerability reportedly affects the following versions:

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1

The solution is to update to version 2.6.1.3. The vendor recommends that users of the 2.7.0 beta disable the DCE/RPC preprocessor (the preprocessor dcerpc line in snort.conf) until a fixed beta is available.

This problem has been reported on the Snort web site (here) and on Slashdot (here). Sourcefire has not received any reports that this vulnerability has been exploited.


IDC IT Security Roadshow 2007 in Belgrade

Posted in Security by Dragan Pleskonjic @ Feb 11, 2007

The IDC IT Security Roadshow 2007 conference, "Securing Your Business: Technology Meets People", will be held on February 13, 2007 in Belgrade, Serbia (venue: Hyatt Regency Belgrade). The schedule, general information and other details are here. See you there.


Silica - A Wireless Hacking Tool

Posted in Wireless Security by Dragan Pleskonjic @ Feb 10, 2007

Ryan Naraine writes on his ZDNet blog about Wi-Fi hacking with a handheld PDA.

The palm-sized PDA tucked away in Justine Aitel’s pocketbook just might be the most scary device on display at this year’s RSA security conference.
Aitel is roaming the hallways here with Silica, a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform.

Read more here.


NIST Competition for New Cryptographic Hash Function

Posted in Cryptography by Dragan Pleskonjic @ Feb 8, 2007

The National Institute of Standards and Technology (NIST) is holding a competition for a new cryptographic hash function. NIST did a good job managing the AES process (the competition for the Advanced Encryption Standard), and it is clearly going to handle hash functions the same way. You'll find the Announcement for the Development of New Hash Algorithm(s) for the Revision of Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard here. Last year and the year before, NIST sponsored two workshops (2005 and 2006) to discuss the requirements for a new hash function, and last month it announced a competition to choose a replacement for SHA-1.

Submissions will be due in fall 2008, and a single standard is scheduled to be chosen by the end of 2011. This is a reasonable schedule. Designing a secure hash function seems harder than designing a secure encryption algorithm, although we don’t know whether this is inherently true of the mathematics or simply a result of our imperfect knowledge. Producing a new secure hash standard is going to take a while. Luckily, we have an interim solution in SHA-256.

This is a big chance to create something really important in the security area. Bruce Schneier said that his Twofish team is going to reconstitute and get to work on an Advanced Hash Standard submission.

Read Announcement, and more here and here.


Webcasts - RSA Conference 2007

Posted in Conferences, Events by Dragan Pleskonjic @ Feb 8, 2007

One of the most important security conferences this year, the RSA Conference, is in progress at the Moscone Center, San Francisco (February 5-9). The keynote speaker list includes Bill Gates (Microsoft), Larry Ellison (Oracle), and many other well-known and influential speakers.

Keynote webcasts are available online. You do not need to be a registered attendee of RSA® Conference 2007 to view the keynotes; however, you will need to answer a few brief registration questions before you can start downloading the webcast replays.

Register for Webcasts here.


The Ten Commandments of Computer Ethics

Posted in General by Dragan Pleskonjic @ Feb 7, 2007

It might be a little bit outdated, but it is still interesting: the Computer Ethics Institute is a nonprofit research and policy study organization made up of the Brookings Institution, IBM, The Washington Consulting Group, and the Washington Theological Consortium. It has published the Ten Commandments of Computer Ethics, which are as follows:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with the computer work of other people.
  3. Thou shalt not snoop around in the computer files of other people.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use the computer resources of other people without authorization or proper compensation.
  8. Thou shalt not appropriate the intellectual output of other people.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Bill Gates Sent New Memo About Security

Posted in Security by Dragan Pleskonjic @ Feb 7, 2007

A few times each year, Bill Gates or Steve Ballmer, Microsoft's top executives, publish an executive memo. The first was Bill's essay on trustworthy computing, in July 2002. Yesterday Bill published a new memo, one that is very important for all of us who strive to achieve a balance between being secure and, well, getting work done.

Read full memo here.


Sell and Buy Information about Code Flaws

Posted in Secure Programming, Security by Dragan Pleskonjic @ Feb 5, 2007

There are a growing number of companies and cases where individuals sell information about code flaws to vendors, or companies buy it from hackers. So do criminals...

Read article here.


Why You Should Protect Your Wireless Network With WPA?

Posted in Wireless Security by Dragan Pleskonjic @ Feb 5, 2007

Interesting video at YouTube (here).
