the world’s first hacker movie?

I just watched Hot Millions, a 1968 film which just might be the world’s first hacker film… with Peter Ustinov as the hacker.  As a computer security professional, I can state that this is a completely factual and realistic portrayal of the challenges we face every day – including blowing the lid off of the critical blue lights which protect computers from embezzlers and other evil doers (other than the cleaning lady).  A must view for all security pros and those that love them.

http://i.cdn.turner.com/v5cache/TCM/cvp/container/mediaroom_embed.swf?context=embed&videoId=16682

the world’s first hacker movie?

this hash can give your servers indigestion

Doesn't that look tasty...

When Microsoft comes out with an out of cycle security advisory (and during a holiday week, no less), you know something big is up.  This week’s bulletin highlights a denial of service attack and two privilege escalation vulnerabilities that affect web sites built on top of ASP.NET.   The most serious privilege escalation vulnerability could allow an attacker to execute commands on a system by sending specially crafted web requests.

The denial of service issue is related to a flaw in the way that ASP.NET (as well as PHP, Ruby and Java) handle the hash tables which are used to pass information from user web inputs to the web server.  By sending specially crafted requests to vulnerable web servers, it is possible to tie up all of their CPU resources and make them unavailable to legitimate users.  This attack was revealed at this past week’s Chaos Communications Congress in Berlin – you can watch the presentation here.

There is a very good technical description of the DoS problem and attack here.

The DoS flaw is also present in PHP, Python, some Java web frameworks, and Ruby.   Apache Tomcat 7.0.23 contains a workaround fix which limits the number of parameters accepted in a POST request.  PHP version 5.4.0 will include a workaround fix for this problem, but is not yet ready for production use.   Ruby version 1.9 and higher has a fix which solves the problem by randomizing the hash tables.

Given the recent ‘hacktivist’ activity we have been seeing, it would not surprise me if this attack was used against sites in the financial industry as well as in the public sector.  In any case, the Microsoft patch is a must for your web facing ASP.NET systems now.  The US-CERT’s vulnerability page for this issue is a good place to keep track of vendors’ responses as more platforms are found to be vulnerable.

 

this hash can give your servers indigestion

authentication via butt-prints?

Tasty snack... or identity theft tool??

From the “you can’t make this stuff up” file…

Cars of the future may use the driver’s rear end as identity protection, through a system developed at Japan’s Advanced Institute of Industrial Technology. A report surfaced earlier this month that researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person’s posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to recognize people with 98 percent accuracy.  

To get to the bottom of this story, read more here.

authentication via butt-prints?

stale java

oops - wrong Java!

I hate Java.  Not the country or the beverage, but the programming language.  Actually, not so much the language, but the way that it is used and distributed to PC and Mac users.  A recent report from Microsoft stated that between one third and one half of the malware that they saw between 3Q 2010 and 2Q 2011 was written in Java.  Java is a natural target for malware writers – it is cross platform and is installed on just about every computer used to connect to the Internet.  Java is a force multiplier for the bad guys.   Like any other software, the Java Runtime Environment (JRE), which allows Java applets to run on your computer, has its share of security flaws which are then exploited by attackers.  Recently, one “pernicious” Java exploit which had only been available for purchase in the “computer underground” was made available in the Metasploit toolkit, which allows less skilled attackers to use it to craft their attacks.

If you are reading this on a computer that you own personally, stop right now and make sure that you are running the latest version of Java and other browser plugins on your system – Qualys has a nice site which does this for you automatically.  Go ahead, I’ll wait…

In enterprises, upgrading Java is not as easy as it would seem.  Many applications used by business were written with a particular version of Java in mind and they will stop working if you do the “right thing” and upgrade the JRE.  As a result, many organizations are stuck with old and vulnerable versions of Java running on their systems.

There are solutions to this problem, involving installation of the new Java Runtime Engine along side the old one and then playing with the PATH or JAVA_HOME environment variables to tell Java which version of the JRE to invoke.  I’m going to be doing some research on this and will post the results.

In the mean time, a plea to applet developers… please make your software compatible with the newer, safer versions of Java.  Let’s close down malware writers’ access via this particular hole.

 

 

stale java