A great new opportunity for IT security companies that sell products to detect bugs in software automatically (static analysis): report some vulnerabilities after running your program on a bunch of software applications and feature your own product in the “Provided and/or discovered by” field without ever giving details of the error! The last point is important: never give details! That’s sleek, that’s modern, and that’s seemingly a new initiative by Secunia to support third-party security companies. One of the first to take advantage of this new initiative is GLEG Ltd. from Russia.
Continue reading ‘Marketing for security companies now via Secunia!’
Archive for the 'Security' Category
Although I had posted this already at the malware research forum and received little feedback, I decided to prepare a brief research paper about this topic and post it here.
The topic is that the Redpill approach by Joanna Rutkowska does not seem to work reliably: the values retrieved in kernel mode inside a virtual machine (VMware) differ substantially from those retrieved in user mode. While calling SIDT in user mode was the rationale of the whole approach, one would not usually expect the results in user mode and kernel mode to differ. The difference also means that the approach is not generally applicable. Last but not least, the Redpill approach failed for me on Virtual PC (see the paper).
Continue reading ‘Redpill getting colorless?’
IE7 is coming. But who cares? This company has given a sh*t about standards for the last 10 years, and now all of us are supposed to fix our websites again just because they finally found out that there is some sense in standards compliance? I don’t think so. On my website there is one single piece of special treatment for the old IE because it had a screwed box model, and frankly, I am excited to see how screwed it will look now that IE is going to be standards-compliant.
Continue reading ‘So IE7 is coming. Who cares anyway?’
… many people are blaming the judge in the US for Spamhaus’s problems. However, here is a different view on the case.
If you are not familiar with it: a US-based company has sued UK-based Spamhaus, the well-known anti-spam fighters, because Spamhaus blacklisted the company’s domain as a spam source.
// Oliver
Obviously spammers try to get the biggest effect without caring about success. This is why greylisting works so great, I think.
I still get daily requests to the sendmail CGI script, which is no longer vulnerable and turns down all exploit requests at the first check. I rarely see a message that gets to the second check and is illegitimate. Funny, huh? Looks like the spammers are not smart enough to see that there is no success anymore. If I were a spammer, I’d always include one mail address as recipient to check my success rate and “assess” the different paths of spitting out my garbage to the world.
It has been over a week now that I patched the security hole …
// Oliver
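The greylisting mentioned above works because a legitimate MTA retries a temporarily rejected delivery while a fire-and-forget spam run does not. The following added Python illustration (not Oliver’s mail setup and not any particular MTA plug-in) implements that decision for the (client network, sender, recipient) triplet and runs it over constructed traffic; the delay, retry-window and whitelist lifetimes are assumptions picked for the demo.

```python
"""Greylisting decision logic (added illustration). Timing values and the
sample traffic are assumptions constructed for the demo."""
import datetime as dt
import ipaddress

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

MIN_DELAY = dt.timedelta(minutes=5)     # earliest retry that is accepted
RETRY_WINDOW = dt.timedelta(hours=4)    # a pending triplet is forgotten after this
WHITELIST_TTL = dt.timedelta(days=36)   # how long a passed triplet stays known


def triplet(ip: str, sender: str, rcpt: str):
    """Key on the client's /24 (or /64) so that a retry from a sibling MX in
    the same range still counts as the same sender; case-fold addresses."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), sender.lower(), rcpt.lower())


class Greylist:
    def __init__(self):
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time of last accepted delivery

    def check(self, ip: str, sender: str, rcpt: str, now: dt.datetime) -> str:
        key = triplet(ip, sender, rcpt)
        seen = self.passed.get(key)
        if seen is not None and now - seen < WHITELIST_TTL:
            self.passed[key] = now           # known-good triplet: accept at once
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now          # new (or stale) triplet: defer
            return TEMPFAIL
        if now - first < MIN_DELAY:
            return TEMPFAIL                  # retried too eagerly: keep deferring
        del self.pending[key]
        self.passed[key] = now               # patient sender: let it through
        return ACCEPT


def run_demo():
    """Constructed traffic: a patient MTA, a fire-and-forget bot, and a bot
    that hammers the same triplet every 30 seconds."""
    gl = Greylist()
    t0 = dt.datetime(2006, 10, 1, 12, 0, 0)
    me = "oliver@example.net"
    log = [("mta-first", gl.check("203.0.113.10", "alice@example.org", me, t0))]
    # retry after 15 minutes from a sibling MX in the same /24: accepted
    log.append(("mta-retry", gl.check("203.0.113.11", "alice@example.org", me,
                                      t0 + dt.timedelta(minutes=15))))
    # a later message for the same triplet passes straight through
    log.append(("mta-later", gl.check("203.0.113.10", "Alice@Example.org", me,
                                      t0 + dt.timedelta(days=1))))
    log.append(("bot-oneshot", gl.check("198.51.100.7", "x@spam.example", me, t0)))
    for s in range(0, 120, 30):
        log.append(("bot-hammer", gl.check("198.51.100.8", "y@spam.example", me,
                                           t0 + dt.timedelta(seconds=s))))
    return log


if __name__ == "__main__":
    for label, response in run_demo():
        print(f"{label:12s} {response}")
```

The one-shot bot never comes back, and the hammering bot never waits out the minimum delay, so neither message is ever accepted; the only cost is a delay on the first contact with each legitimate sender.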
Today the Software Engineering Institute of Carnegie Mellon University (CMU) announced a new tool named LiveView on the forensics mailing list at SecurityFocus.
This tool looks really promising in that it claims to provide a way to create a VMware image from a physical disk or a raw disk image (e.g. created with dd). Such a tool will allow security researchers to inspect an infected machine without having to be at the site of the incident. Although CMU introduced the tool to forensics specialists, it can be used in various ways apart from its main objective. Such a tool should have been published long ago by the VM vendors. Thanks to CERT and CMU, we now have this tool to aid in different ways during an investigation of malware targets.
Check it out!
// Oliver
Today my logs showed exactly how the spammers exploited the old script. I do not log the mail body, only sender, recipient and subject, but that’s enough to show the pattern used. In fact the subject variable was used, but differently from what I expected. Continue reading ‘Spammers not welcome (2nd part)’
Recently I wrote an article covering one use of MACkerer2. The described scenario is basically this:
- You have a subnet or an otherwise limited number of IP addresses for one scope
- A virtually unlimited number of machines are supposed to share the limited number of IP addresses (of course never simultaneously)
- The MS DHCP server has no solution for this, neither on Windows 2000 nor on Windows Server 2003. However, I heard this will somehow be handled by Longhorn
This is obviously a problem, but MACkerer2 comes in handy and solves it. Continue reading ‘More about MACkerer2’
Inspecting my logs recently, I found that there were some strange requests to my Postfix mail server from the user www-data. Now any sysadmin could tell you what www-data means, but this does not really explain where exactly the requests came from. So I just copied the log files for my mail server and all the websites I run and grep’ed the relevant log entries to match the requests to Postfix with requests to Apache. Although I had first assumed it might be one of the scripts included in the blog, forum and CMS software on my server, it turned out to be the script which is (i.e. was!) used as the backend of my contact form. Continue reading ‘Spammers not welcome!’
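The log matching described above (Postfix pickups from www-data lined up against the Apache access logs of every vhost) can be done in a few lines of Python rather than by hand with grep. The following is an added illustration, not Oliver’s script: all log lines are constructed for the demo, the script name `/cgi-bin/contact.cgi` and the uid 33 for www-data are assumptions, and the syslog lines are assumed to share the year and time zone of the Apache lines, since syslog records neither.

```python
"""Correlate Postfix pickups from the web server user with Apache requests
(added illustration). Log lines, uid, year and script name are constructed
assumptions for the demo."""
import re
from collections import Counter
from datetime import datetime, timedelta

WWW_DATA_UID = 33   # assumption: Debian's www-data uid
YEAR = 2006         # assumption: syslog lines carry no year

PICKUP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# constructed mail.log excerpt: two submissions by www-data, one by a real user
MAIL_LOG = """\
Oct  3 14:02:11 host postfix/pickup[2211]: 7A1B2C3D4E: uid=33 from=<www-data>
Oct  3 14:02:11 host postfix/cleanup[2212]: 7A1B2C3D4E: message-id=<20061003120211.7A1B2C3D4E@host.example.net>
Oct  3 14:02:11 host postfix/qmgr[1999]: 7A1B2C3D4E: from=<www-data@host.example.net>, size=612, nrcpt=1 (queue active)
Oct  3 14:09:40 host postfix/pickup[2211]: 1F2E3D4C5B: uid=33 from=<www-data>
Oct  3 14:30:05 host postfix/pickup[2211]: 9E8D7C6B5A: uid=1000 from=<oliver>
""".splitlines()

# constructed Apache combined-format lines, one list per vhost
ACCESS_LOGS = {
    "blog": ['203.0.113.5 - - [03/Oct/2006:14:01:30 +0200] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"'],
    "forum": ['203.0.113.7 - - [03/Oct/2006:14:02:30 +0200] "POST /posting.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'],
    "www": [
        '198.51.100.9 - - [03/Oct/2006:14:02:10 +0200] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312 "-" "-"',
        '203.0.113.9 - - [03/Oct/2006:14:05:00 +0200] "GET /cgi-bin/contact.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [03/Oct/2006:14:09:39 +0200] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312 "-" "-"',
    ],
}


def www_data_pickups(mail_lines):
    """(timestamp, queue id) of every message Postfix picked up from www-data."""
    out = []
    for line in mail_lines:
        m = PICKUP_RE.match(line)
        if m and int(m["uid"]) == WWW_DATA_UID:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
            out.append((ts, m["qid"]))
    return out


def access_requests(vhost_lines):
    """(timestamp, vhost, method, path, client ip) for every parsable request."""
    out = []
    for vhost, lines in vhost_lines.items():
        for line in lines:
            m = ACCESS_RE.match(line)
            if m:
                out.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
                            vhost, m["method"], m["path"], m["ip"]))
    return out


def correlate(mail_lines, vhost_lines,
              before=timedelta(seconds=5), after=timedelta(seconds=1)):
    """For each www-data pickup, find requests that started shortly before it.
    Apache stamps the request start time and writes the line at completion,
    so the script's sendmail call lands just after the request timestamp."""
    hits, matches = Counter(), []
    requests = access_requests(vhost_lines)
    for ts, qid in www_data_pickups(mail_lines):
        for rts, vhost, method, path, ip in requests:
            if ts - before <= rts <= ts + after:
                hits[(vhost, method, path)] += 1
                matches.append((qid, vhost, method, path, ip))
    return hits, matches


if __name__ == "__main__":
    hits, matches = correlate(MAIL_LOG, ACCESS_LOGS)
    for key, n in hits.most_common():
        print(n, *key)
    for row in matches:
        print("  ", *row)
```

The hit counter names the script that was responsible (here the constructed `POST /cgi-bin/contact.cgi` on the `www` vhost, twice, from the same client), while the blog and forum requests drop out because nothing was handed to Postfix within a few seconds of them.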
According to heise UK, AOL has changed the EULA for the Kaspersky AV rebrand and removed the questionable parts.
This is just meant as an update to the last article about Active Virus Shield.
// Oliver
It seems there exists a freely - and legally freely - available version of Kaspersky Antivirus, rebranded as AOL Active Virus Shield.
Here, in response to the first comment (see below), is a quote from their terms of service: Continue reading ‘Kaspersky AV rebrand freely available - pitfalls included …’
Recently I wrote an article about Agnitum, a security software vendor known for its firewall, because of their accusations towards Microsoft. Today I noticed a comment from someone at Agnitum on the Sunbelt Blog, so I decided to comment on it. Here is the original comment from Agnitum:
Agnitum’s technical brief about Microsoft’s approach to Kernel Patch Protection has sparked intense discussion at Alex Eckelberry’s blog.
May we participate in the debate?
The new approach to kernel patch protection is designed to block rootkits. That’s progress. However, ironically, it also prevents the installation of third-party security software from Agnitum, and Zone Labs, and McAfee, and Symantec, and other companies. This is not progress. History proves we should not rely on Microsoft and only Microsoft for operating-system security. Continue reading ‘Agnitum still panicked?! …’
StopBadware.org and Google joined forces to warn users of websites that spread malware - or “badware” as they say. This does not include the full spectrum of malware, but one of the nastiest subsets. Good initiative!
This will hopefully be one piece in the puzzle of trying to decrease the vast number of zombie-PCs worldwide.
// Oliver
In the Sunbelt Blog I read today that Agnitum, a vendor known mainly for its firewall, is panicked because of Microsoft’s Kernel Patch Protection. Sorry, but that made me laugh. No idea how new this news is, but to those following the driver developer mailing lists and fora it is certainly no news. Let’s look at some of Agnitum’s claims. Continue reading ‘Agnitum panicked because of Microsoft’s security measures’