Archive for September, 2011

Firefox 7 Released – Includes updates for Security, not SSL (BEAST)


Firefox 7 isn't just about speed; there's also a long list of security patches. Surprisingly, a fix for the SSL BEAST attack is not one of them.

Mozilla is patching its Firefox Web browser for at least 10 vulnerabilities, seven of which are rated as being "critical." Firefox 7 was released on Tuesday, offering users the promise of improved performance and better memory usage.

On the security front, the Firefox 7 release provides a critical fix for what Mozilla describes as, "Miscellaneous memory safety hazards."

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla stated in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

There is also a critical fix for an interesting flaw that could have been triggered by having a user hold down the 'Enter' key. By holding down the key, code could potentially be installed without a user's knowledge.

"Mariusz Mlynski reported that if you could convince a user to hold down the Enter key — as part of a game or test, perhaps — a malicious page could pop up a download dialog where the held key would then activate the default Open action," Mozilla warned.

Other critical flaws that are fixed in Firefox 7 include potentially exploitable crashes in WebGL graphics and the YARR regular expression library. Firefox 7 also provides a fix for a high impact flaw where cross-site scripting (XSS) could have been enabled via plugins.

There is also a fix in Firefox 7 for a flaw rated as "moderate" that is triggered by the motion of a device. Mozilla's advisory noted that a recent research paper detailed how it would be possible to infer keystrokes from device motion data on mobile devices.

"Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk," Mozilla warned. "We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab."

SSL BEAST

While Firefox 7 addresses multiple security issues, it is not taking specific aim at the recent disclosure of potential SSL vulnerabilities. Overall, Mozilla has publicly noted that it does not believe Firefox to currently be at risk from the SSL BEAST attack.


SSL BEAST – Heavy Security Risk for SSL/TLS (aka HTTPS)


SSL is a critically important part of Internet security and it has come under increasing scrutiny in recent months. Last Friday, a pair of security researchers demonstrated a new attack called SSL BEAST at the ekoparty security conference in Buenos Aires, Argentina. Researchers Thai Duong and Juliano Rizzo leveraged weaknesses in cipher block chaining (CBC) in order to exploit SSL.

"The SSL standard mandates the use of the CBC mode encryption with chained initialization vectors (IV)," the researchers wrote in a white paper detailing their research. "Unfortunately, CBC mode encryption with chained IVs is insecure, and this insecurity extends to SSL."

Duong and Rizzo noted the CBC vulnerability can enable man-in-the-middle (MITM) attacks against SSL to decrypt and obtain authentication tokens.

"The novelty of our attacks lie in the fact that they are the first attacks that actually decrypt HTTPS requests by exploiting cryptographic weaknesses of using HTTP over SSL," the researchers stated.

While the SSL BEAST attack is a cause for concern, there are already technologies in place to help mitigate the risk. For one, the BEAST attack only affects the TLS 1.0 version of SSL and not later versions. One vendor that leverages a non-vulnerable version of TLS is the Tor onion router project, which provides a degree of anonymity and privacy to users.

"Tor uses OpenSSL's empty fragment feature, which inserts a single empty TLS record before every record it sends," the Tor project noted in a blog post. "This effectively randomizes the IV of the actual records, like a low-budget TLS 1.1. So the attack is simply stopped."

Google's Chrome Web browser has also taken steps to mitigate the risk.

"Chrome has already addressed the issue and the fix on the browser side is quite simple and elegant," ISC SANS security researcher Mark Hofman blogged. "We'll see the other browsers implement something similar over the next few weeks. That doesn't fix the protocol, but it will help address the immediate issue of clients being attacked in this manner."

Google engineer Adam Langley blogged that Google's own servers are also somewhat protected from the SSL BEAST attack since they use a cipher that doesn't use CBC.
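The chained-IV weakness the researchers describe and the empty-fragment countermeasure quoted from the Tor project can be seen in a small model of the TLS 1.0 CBC record layer. This is an added example, not code from the article, Tor or OpenSSL; the `RecordWriter` class, the truncated-HMAC stand-in for the block cipher and the sample traffic are assumptions constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16

def _toy_encrypt_block(key, block):
    # Stand-in for the block cipher (truncated HMAC-SHA256, encrypt-only):
    # enough to show how IVs are chosen, not a real cipher.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

class RecordWriter:
    """Sender side of a simplified TLS 1.0 CBC record layer (constructed model)."""

    def __init__(self, empty_fragment=False):
        self.enc_key, self.mac_key = os.urandom(16), os.urandom(20)
        self.empty_fragment = empty_fragment
        self.last_block = os.urandom(BLOCK)  # initial IV from the key block
        self.seq = 0

    def _encrypt_record(self, fragment):
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + fragment,
                       hashlib.sha1).digest()
        self.seq += 1
        data = fragment + mac
        pad = BLOCK - len(data) % BLOCK
        data += bytes([pad - 1]) * pad          # TLS-style CBC padding
        iv_used, prev, out = self.last_block, self.last_block, b""
        for i in range(0, len(data), BLOCK):
            xored = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
            prev = _toy_encrypt_block(self.enc_key, xored)
            out += prev
        self.last_block = prev  # chained IV: next record starts from this block
        return iv_used, out

    def write(self, app_data):
        """Return (records put on the wire, IV that protected app_data)."""
        wire = []
        if self.empty_fragment:
            # Empty record first: only MAC + padding get encrypted, and its
            # last ciphertext block becomes the IV for the real data.
            wire.append(self._encrypt_record(b"")[1])
        iv, record = self._encrypt_record(app_data)
        wire.append(record)
        return wire, iv

def iv_known_before_write(writer, app_data):
    """True if the last ciphertext block already on the wire is the IV
    that will protect app_data."""
    earlier, _ = writer.write(b"earlier traffic")   # constructed sample data
    observed = earlier[-1][-BLOCK:]
    _, iv = writer.write(app_data)
    return observed == iv
```

With chained IVs the function returns `True`, because the IV for the next record is already visible on the wire; with the empty record enabled it returns `False`, because the IV only comes into existence at the moment the data is sent.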

While Google has already taken steps to protect its users, Microsoft sees the risk as being low.

"Microsoft is aware of the industry-wide SSL 3.0 / TLSv1.0 issue demonstrated at a recent security conference which we believe presents low risk to our customers and to the Internet," Jerry Bryant, Group Manager, Response Communications, Microsoft Trustworthy Computing said in a statement emailed to InternetNews.com. "Windows 7 and Windows Server 2008 R2 support TLSv1.1 and TLSv1.2 but due to compatibility issues with many web sites, are not enabled by default."

2011 has not been a good year for SSL. SSL has come under fire due to the exploit of a pair of certificate authorities. Both Comodo and DigiNotar were exploited this year, leaving big sites including Google and Mozilla at risk.


Enigma – Return to innocence (Kalami Mix)


A great song to help you find your inner self
Enigma – Return to innocence (Kalami Mix)


Alizée – I’m Fed Up


Alizée – I'm Fed Up (English Version of "Jen ai marre" French)

I'm fed up!

Bubbles and water
Legs up for hours
My goldfish is under me
To bathe for hours
Makes my mouth water
I'm "foamely" ecstatic
It's not a problem
I lazy 'round
Bubbly and stubborn

I lazy 'round
Melon and water
Is just a dream
It makes me wonder
Is it a "sin" ?
Bubbles and water
Legs up for hours
"Bombs", you keep away from me!
Today lying low
Twisting up my toes
I swim in such harmony
So what bothers me:

Chorus :
I'm fed up with loneliness
With my uncle overstressed
Fumbling, crawling for something
That never shows, just a dream.
I'm fed up with creeps crying
Over the past, such a sin
Not to be cool, but a fool
If I could mess up their rules.
I'm fed up with your complaints
Baby, well I'm not a saint!
Fed up with the rain, the plane…
That makes me throw up again.
I'm fed up with all cynics
Bathing caps and all critics
I'm fed up with being fed up! Poor me !

Bubbles and water
Legs up for hours
My goldfish still under me!
Delight of pleasures
Aquatic treasures
A place out of misery, my fantasy

 


uTorrent web servers compromised



If you are a torrent lover like me then you need to read this.

Unfortunately, the day before yesterday (13th September, 2011) the web servers of uTorrent (a tiny and very stable torrent client) were compromised by a hacker. This happened at 4:20am PST, and uTorrent's web server team didn't take the hacked server offline until 6am PST. The problem is, the hacker replaced the uTorrent Windows client with a fake antivirus executable. So anyone who downloaded the client during that 1 hour 40 minute period was actually downloading malware unknowingly.

The malware in question is called Security Shield, and is a well-known rogue anti-spyware program. It will pop up a professional-looking app screen on your desktop that lists fake infections after doing a fake scan. It then offers to remove them if you pay for the full version of the "security suite."

If you were unlucky enough to visit utorrent.com and download the Windows client during the last couple of days, then you've probably already seen the Security Shield software pop up and run on your machine. You need to remove it ASAP: check your PC with a good antivirus, or otherwise read this page [bleepingcomputers].

uTorrent has now apologized and managed to get their servers back online after removing the rogue files. If nothing else this should act as a reminder to everyone to ensure any files you download from the Internet are scanned with a reputable security scanner before being run, as clearly you can’t trust legitimate sites all of the time.


Hacker’s Interview – behind Comodo and DigiNotar hacking


Comodo is one of the largest SSL and code signing certificate providers. Some Comodo certificates were hacked earlier this year, and now ComodoHacker has claimed responsibility for hacking DigiNotar, a Dutch code signing/SSL provider.

Meanwhile, the fallout from the hack continues. DigiNotar has, in effect, lost its status as a trusted root certificate authority. Its certificates have been blacklisted by Microsoft, Google, Mozilla, and Apple.

With this hack the hacker can intercept all encrypted communications of Windows Update and other Microsoft services, Gmail, Mozilla-based and Apple services without the user's knowledge.

Microsoft and Firefox have also just released security updates to block all DigiNotar-based certificates. (Kindly update your systems now.)

ComodoHacker also justified his attack on the Dutch certificate authority by blaming the Dutch for the murder of 8,000 Muslims at Serbian hands in Srebrenica; "It's enough for Dutch government for now, to understand that 1 Muslim soldier worth 10000 Dutch government."

Here is the Interview of the Iranian Hacker who was behind Comodo and DigiNotar hacking.

 

Hi

I have received around 25 interview requests, I'll give response to all requests, I'll give interviews to all.

Just to make some points which I see around in internet about me and in some interview questions:

a) I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain.

b) This attack was really more sophisticated than simple Stuxnet worm. 0-days? I already have discovered similar bugs, trojan? I already wrote most sophisticated undetectable ring0 and ring3 rootkit (works together), signing certificates? huh, man! I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet, I have so much to explain, but later… You have to wait!

c) I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification.

d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and… Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?

I'll talk about more stuff later. May I also start a web hacking course for Anonymous and Lulzsec and friends of them, Rootkit development for Stuxnet developers, 0-day vuln. assessment in Windows and Linux environment for Stuxnet developers and other hackers too. huh? What do you think?

Dutch government is paying what they did 16 years ago about Srebrenica, you don't have any more e-Government huh? You turned to age of papers and photocopy machines and hand signatures and seals? Oh, sorry! But have you ever thought about Srebrenica? 8000 for 30? Unforgivable… Never!

I heard also that Dutch government tries to gather documents and make a compliment against Iran, really? Shame on you man! Have you been in court for Srebrenica? Who should file compliment for Srebrenica? You should pay, these are consequences of Srebrenica, just know it! This is consequence of fighting with Islam and Muslims in your parliament.

WOOOOORLLLLDDD! Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!