Archive for the ‘Security’ Category

URI Use and Abuse: An Unpatched Vulnerability in Web Browsers and Applications

Monday, July 16th, 2007

Secunia released an advisory on July 10, 2007 about a URI handler registered by Firefox (including the latest version, 2.0.0.4) that can be abused to execute arbitrary commands on the user’s operating system (remote command execution). Secunia rates the vulnerability as highly critical. No patch has been released yet.

A screen shot from the PDF article, URI Use and Abuse

Read more…

Kevin Rose on Wireless Hacking and Social Engineering

Saturday, July 14th, 2007

This is old news, a five-year-old antique. Most of you may already have watched this video podcast (16m 59s). The methods shown may be of little use or overused nowadays, but they are still good demonstrations of security’s greatest weakness: the users. Fast forward to 2007. Methodologies have evolved and smarter tools have been developed, but people seem to have remained the same. Wardriving through a neighborhood would still produce the same results, maybe even better. Some people wonder why they still have an Internet connection even when their cable modem is off; it turns out they are riding on their neighbor’s open wireless connection and bandwidth. On the other hand, the Pizza 4 Life trick could still work: a YouTube user even commented that he has done it hundreds of times. This just goes to show that many are still unaware and could repeatedly fall victim to these kinds of tricks.

Read more…

Fast-Flux Bot Nets: The Future of Botnets

Wednesday, July 11th, 2007


Worrying news from SecurityFocus came out today:

Network security analyst Lawrence Baldwin has helped take down his share of bot nets, but he worries that those days may largely be over.

Why worry? Well, botnets are used to send spam and launch denial-of-service attacks. If you’re still not concerned, think of the amount of spam e-mail about penis enlargement, stock investments and other promotions you get every day. Add to that the odd moment when you can’t reach your Webmail account at Yahoo!, MSN or Google, or your favorite Web sites such as MySpace and Facebook (denial of service). These are a few of the things botnets can do.

The prospect of botnets having a bright future is indeed alarming. To begin with, I encourage you to watch this news video about the arrest of spam king Robert Alan Soloway on May 30, 2007.

Read more…

The eBay of Security - WabiSabiLabi Vulnerability Auction Site Launched

Saturday, July 7th, 2007


I read an interesting report today from SecurityFocus about an online auction site for security bugs. WabiSabiLabi, or simply WSLabi, has just launched. According to SecurityFocus, the portal will allow researchers to sell vulnerabilities they have discovered to software companies and other interested parties through an open market.

From the WSLabi Web site:

WabiSabiLabi is aiming at a single moving target: to bring the world closer to zero risk.

If the world must become a safer place, the first part of the recipe is simple: to provide better rewards for security researchers, organising an efficient and transparent marketplace here to maximise the results of their efforts.

This is good news for security researchers. Prices should be attractive too: judging by the offers of security companies like TippingPoint and iDefense, they could range from $1,000 to $15,000.

Will this help lessen the risks online? We’ll have to wait and see.

Possible iPhone Vulnerabilities Identified

Wednesday, July 4th, 2007


Despite its premium price, Apple’s iPhone sold like hot cakes last weekend, and sales are still going strong. No wonder security researchers are very interested in the smart gadget. Errata Security, a consulting and product testing company specializing in cybersecurity, spotted a flaw in the iPhone’s Safari browser less than 72 hours after its launch. More are on the way as of this writing. I’ve compiled a list of possible and/or existing iPhone vulnerabilities based on reports from different security blogs and news Web sites.

  1. “By effecting a buffer overflow in the application (Safari), an attacker can take control of the browser and run code on the device.” -Robert Graham, CEO of Errata Security
  2. “The scenario that seems most attractive is to have the phone dial 900 numbers, an age-old attack that allows criminals with ties to fee-based phone services to profit each time an infected computer dials the number.” -Robert Graham
  3. “Our Bluetooth fuzzer [1] locks up the device, so that’s an interesting sign.” -Robert Graham
  4. Currently making progress on unlocking the phone so it can be used on networks other than AT&T’s. -Antivirus Tools
  5. Working on getting the iPhone to run Linux. -Antivirus Tools
  6. Working on the possibility of running third-party applications on the iPhone. -Antivirus Tools
  7. The iPhone root password is alpine and the mobile user account password is dottie, although they’re useless at the moment since the iPhone has no terminal for remote access yet. -Hackint0sh forum
  8. “One underground site has collected information from the iPhone’s Macintosh OS X Disk Copy Disk image file.” -CNET News
  9. Cracking open the service activation codes. -CNET News
  10. Supporting use of the iPhone as a modem. -CNET News
  11. Breaking the iPhone’s digital rights management (DRM) functionality. -Antivirus Tools

[1] Fuzzer - A security fuzzer is a tool used by security professionals (and professional hackers) to test a parameter of an application. Typical fuzzers test an application for buffer overflows, format string vulnerabilities, and error handling. More advanced fuzzers incorporate functionality to test for directory traversal attacks, command execution vulnerabilities, SQL injection and cross-site scripting vulnerabilities. Web vulnerability scanners typically perform all of this functionality, and can be considered an advanced fuzzer. -CGI Security
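The footnote describes what a fuzzer does in the abstract. As an added example (not code from the original post, from Errata Security or from CGI Security), the block below is a small mutation fuzzer in Python run against two parsers of a made-up type/length/value message format. Everything here is an assumption for illustration: the message layout, the function names (build_message, parse_unchecked, parse_checked, mutate, fuzz) and the seed input are all constructed for the example. The unchecked parser trusts the length and count fields it reads from the input, which is the same class of mistake the error-handling and buffer-overflow bugs in the footnote come from; the fuzzer finds the resulting crashes. The checked parser rejects the same mutated inputs with a clean ValueError, which the fuzzer treats as expected behaviour rather than a finding.

```python
"""Added example: a tiny mutation fuzzer driving an unchecked and a checked
parser of a constructed type/length/value format (not the original post's code)."""
import random
import struct

# Message layout (an assumption for this example):
#   count (1 byte) followed by `count` records of
#   type (1 byte) | length (2 bytes, big-endian) | value (length bytes)

def build_message(records):
    """Serialize [(type, value), ...] into the layout above."""
    out = bytearray([len(records)])
    for rtype, value in records:
        out += struct.pack(">BH", rtype, len(value)) + value
    return bytes(out)

def parse_unchecked(data):
    """Deliberately fragile: every count and length comes from the input and is trusted."""
    count = data[0]
    off, records = 1, []
    for _ in range(count):
        rtype = data[off]
        (length,) = struct.unpack(">H", data[off + 1:off + 3])
        records.append((rtype, data[off + 3:off + 3 + length]))
        off += 3 + length
    return records

def parse_checked(data):
    """Same format, but every read is bounds-checked; bad input raises ValueError."""
    if not data:
        raise ValueError("empty message")
    count = data[0]
    off, records = 1, []
    for _ in range(count):
        if off + 3 > len(data):
            raise ValueError("truncated record header")
        rtype = data[off]
        (length,) = struct.unpack(">H", data[off + 1:off + 3])
        if off + 3 + length > len(data):
            raise ValueError("declared length exceeds message")
        records.append((rtype, data[off + 3:off + 3 + length]))
        off += 3 + length
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return records

def mutate(rng, data):
    """Apply one random mutation: bit flip, byte overwrite, truncation or insertion."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(buf)

def fuzz(parser, seed, iterations, rng_seed=1):
    """Mutate `seed` repeatedly and feed each sample to `parser`.

    ValueError is the parser's documented rejection and is not a finding;
    any other exception is a crash.  Returns {exception name: first crashing input}.
    """
    rng = random.Random(rng_seed)      # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        sample = seed
        for _ in range(rng.randrange(1, 4)):
            sample = mutate(rng, sample)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:       # IndexError, struct.error, ...
            crashes.setdefault(type(exc).__name__, sample)
    return crashes

# Constructed seed input: two well-formed records.
SEED = build_message([(1, b"iPhone"), (2, b"\x00\x01")])

if __name__ == "__main__":
    for name, parser in (("unchecked", parse_unchecked), ("checked", parse_checked)):
        found = fuzz(parser, SEED, 2000)
        print(f"{name}: {len(found)} distinct crash types {sorted(found)}")
```

Run stand-alone, the unchecked parser reports IndexError and struct.error crashes within the first few hundred iterations, while the checked parser reports none. The point a practitioner should take from it is the triage rule in fuzz(): decide up front which exception is the parser's clean rejection, so that only genuine loss of control counts as a crash.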

Read more…

Top 5 Free Single File Online Virus Scan Services

Monday, July 2nd, 2007


I scoured the Web to find the best single-file antivirus scanners and found 5 services worth checking out. To choose the top 5 I needed a basis, so I created one: convenience, file size limit, browser compatibility, update frequency and service load. Without further ado, here they are, the top 5 free single-file online virus scan services:

  1. VirusTotal
  2. Virus.org Rogue File Scanning Service
  3. Jotti’s Malware Scan 2.99
  4. Dr. Web AntiVirus
  5. Kaspersky File Scanner

Read more…

Caught in the Line of Fire: DDoS Attacks Against My Webhost

Friday, June 29th, 2007


For whatever reason, my Web host has been experiencing Distributed Denial of Service (DDoS) attacks. What’s DDoS, you might ask. First, let me explain in layman’s terms what denial of service means. The Internet offers several services: WWW, e-mail, FTP, newsgroups, telnet and p2p, among others. These services have corresponding numbers, or ports, assigned to them. For example, the WWW uses port 80, e-mail uses port 25 (SMTP, for sending) and port 110 (POP3, for retrieving), FTP uses port 21, telnet uses port 23, and so on. There are 65,536 possible ports (0 to 65535). The most used service is probably the World Wide Web, which uses the HTTP protocol and is assigned to port 80. A denial of service occurs when access to a certain service, such as the WWW, is (well, what do you know?) denied. In other words, when we get “The connection has timed out” messages in our Web browsers while visiting our favorite Web sites, a denial of service might have taken place. Of course there are other possible causes, but DoS is certainly one of them.

This is what I experienced yesterday. For more than 4 hours my blog was inaccessible. It didn’t take long to find out that all of the other blogs and Web sites on the same host were also down.

My Web host isn’t just experiencing an ongoing DoS attack. Unfortunately, it’s on a larger scale: a DDoS attack. DDoS differs from DoS in that the former makes use of multiple compromised (or infected) computers, collectively termed a botnet. Moreover, my Web host may be the victim of a special type of DoS attack termed a pulsing zombie. Wikipedia describes this scenario:

A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network’s resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to their surreptitious nature.

Denial-of-service attacks are also difficult to recognize because some overloads are unintentional, such as the Slashdot or Digg effects. A Web site may be mentioned on television, causing a sudden increase in traffic and thus a heavy load on the Web server.
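The two paragraphs above make a point that is easy to miss: a single-source flood, a botnet and a Slashdot crowd all show up as “the server is slow”, and only the distribution of the traffic across sources separates the first from the other two. As an added example (not from the original post or from the Web host in question), the Python below buckets Apache common-log-format lines into one-minute windows and classifies each window by volume and by how dominant the busiest client is. The log lines are constructed inside the block, the thresholds (a spike is 10× a baseline request rate, a single source is “dominant” at 50% of the window) are illustrative assumptions, and the function names are mine.

```python
"""Added example: classify traffic spikes in web-server access logs.
The log lines are constructed here, not taken from any real host; the
thresholds are assumptions for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format; only the client address and timestamp are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def window_stats(lines, window=60):
    """Per window: (total requests, distinct sources, share of the busiest source)."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines rather than crash mid-incident
        ip, ts = rec
        buckets[int(ts.timestamp()) // window * window][ip] += 1
    stats = {}
    for start, sources in sorted(buckets.items()):
        total = sum(sources.values())
        stats[start] = (total, len(sources), max(sources.values()) / total)
    return stats

def classify(total, unique, top_share, baseline_rps, window=60, spike=10, dominance=0.5):
    """Volume says whether there is a spike; source distribution says what kind."""
    if total / window < spike * baseline_rps:
        return "normal"
    if top_share >= dominance:
        return "single-source flood"  # classic DoS: one client can be rate-limited or blocked
    # Many sources, each modest: a botnet or a Slashdot/Digg crowd. Volume alone cannot tell.
    return "distributed spike"

def verdicts(lines, baseline_rps, window=60):
    """Classify every window of the log; verdicts come back in time order."""
    return [classify(*s, baseline_rps, window) for s in window_stats(lines, window).values()]

def make_log(start, sources, per_source, span=60):
    """Construct synthetic CLF lines: each source spreads `per_source` GETs over `span` seconds."""
    lines = []
    for ip in sources:
        for n in range(per_source):
            t = start + timedelta(seconds=n * span / per_source)
            lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    return lines

# Constructed scenarios, each inside one 60-second window starting at 14:00:00 UTC.
START = datetime(2007, 6, 28, 14, 0, 0, tzinfo=timezone.utc)
QUIET_LOG = make_log(START, [f"198.51.100.{i}" for i in range(1, 6)], 2)       # 5 sources, 10 requests
SINGLE_FLOOD_LOG = make_log(START, ["203.0.113.7"], 600)                        # 1 source, 600 requests
DISTRIBUTED_LOG = make_log(START, [f"192.0.2.{i}" for i in range(1, 201)], 3)   # 200 sources, 3 each

if __name__ == "__main__":
    for name, log in (("quiet", QUIET_LOG), ("single", SINGLE_FLOOD_LOG), ("distributed", DISTRIBUTED_LOG)):
        print(name, verdicts(log, baseline_rps=0.2))
```

The single-source window is the one you can act on from the log alone (block or rate-limit 203.0.113.7). The distributed window is deliberately left ambiguous by classify(): 200 clients making three requests each looks the same whether they are zombies or Digg readers, which is exactly why the post calls these attacks hard to detect; telling the two apart needs evidence the access log does not carry, such as referrers, session behaviour or upstream flow data.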

Below is a video that demonstrates how a DDoS attack is carried out. In the video, the attacker uses a master program that tells the zombies (compromised computers) which target to attack. Notice how the target domain becomes slow and/or inaccessible.

Thousands of sites were affected yesterday. The issue here isn’t really the service the Web host provides, but the motive behind these attacks. I believe most of us have been content with the level of service this Web host has provided for FREE. What could have enraged the attackers? When motives aren’t clear, I guess conscience should take over.