Silicon Valley Sleuth, an insider's view from Silicon Valley
 A blog from vnunet.com

May 2008
Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31


Other blogs
PCW Inter@ctive
Your views, your comments, your say

Security Watchdog
Sniffing out IT security
issues

The test bed
The hottest products, news and gossip from PCW's
Labs.

IT Sneak
IT Sneak Blog rummages in the dustbin of IT events.

Backbytes
An irreverent and offbeat look at the lighter side of technology

InterActive Home
Your complete guide to home entertainment technology

Taking Stock
Gags and Gossip from Accountancy Age.

Gizmodo
The gadgets weblog.



« June 2005 | Main | August 2005 »

The hacker hacked

If any software can contain security vulnerabilities, then hacking tools that are designed to exploit those holes too are at risk of being hacked.

At the Defcon hackers conference in Las Vegas, the Shmoo Group issued a warning to hackers that planned to compete in a wardriving event where hackers attempt to get onto a wireless network.

Kismet, a popular tool for detecting and entering wireless networks, contains several security holes, the group warned.

"Patch management is not just for users anymore," a member of Shmoo said according to a Cnet blog posting.

Now if only the hackers would focus on hacking their peers, that would solve a big problem for the rest of the world.

Hacking

Tags: defcon, black hat, hacking, hack, hacker, Security.

July 30, 2005 at 10:32 PM | Permalink | Comments (0) | TrackBack

And so Cisco's IOS nightmare continues

Cisco and ISS just can't resist to further ruin their damaged relationship with the security community and have expanded their legal campaign against an IOS vulnerability hack to any website that offers the slides from a presentation that they had failed to stop.

But as the spat's latest victim notices, this will only turn more attention towards the flaw and the real problem of Cisco's vulnerability.

First Cisco and ISS sued security expert Michael Lynn over giving details about a vulnerability in the IOS software that runs Cisco's routers on Wednesday at the Black Hat security conference in Las Vegas. As usually happens, the party that brought in the most lawyers won. Lynn didn't have much of a defence given that he had used information that he wasn't supposed to have after he quit his job at ISS, and had obtained it illegally to begin with by reverse engineering IOS.

But as the injunction against Lynn already suggested (see previous post), Cisco and ISS didn't stop at Lynn. They are now sending cease and desist notices to operators of websites that offer detailed information about Lynn's presentation, demanding that they remove the information.

Enter Richard Forno's website at Infowarrior.org. At 4 PM on Friday users could download a PDF document with Lynn's presentation from the website. I too could have done so, but I prefer to spend my days writing about Cisco's legal spats, not being part of them .

Forno received a fax from an ISS attorney at 5:22 PM. Shortly thereafter he took the document offline and replaced it with the fax.

Forno is anything but a coward for taking the document offline. As he points out in an email to vnunet.com, this only focuses more attention to the whole IOS issue. And hopefully it will fuel a serious discussion about the role of the software in the (in)security of the internet.

There must be a few PR managers and senior executives at Cisco scratching their heads this weekend, trying to figure out how the router maker that seemed to could do no wrong suddenly turned into the boogieman of the high tech industry.

The answer is very simple: they went bad the moment they got the lawyers  involved.

You don't improve internet security by sending cease and desist letters. You do that by engaging in the conversation.

Iosvillage2_1
A safer Ios - the Greek island that is.

Tags: cisco, ios, black hat, michael lynn, iss

July 30, 2005 at 06:25 AM | Permalink | Comments (0) | TrackBack

IOS controversy: could blogs and news websites be next?

The story of Michael Lynn standing up to the big and mighty Cisco remains to be intriguing.

Having just read the legal document that Cisco and ISS filed, it becomes clear just how serious Cisco is taking this.

To read the background information on what exactly happened, read this posting, or this news story.

In summary: Lynn showed how he could take a Cisco router offline at the Black Hat security conference. But his employer ISS and Cisco didn't want him to give that presentation. Lynn quit his job, ISS and Cisco filed a lawsuit hoping to make him shut up. Lynn (rightfully) wet his pants and agreeded to the injunction.

Cisco was holding a legal trump card: by reverse engineering the IOS software that runs Cisco's routers, Lynn violated the vendor's copyrights.

The injunction demands that Lynn presents a list of people who have 1) received written or electronic information about the presentation (this excludes people who heard him give the presentation); 2)  received information about Cisco's code during Lynn's research; 3) a list of websites where Lynn directedly or indirectly posted information about the presentation or Cisco code, or websites where he is aware such information is disclosed.

In other words: any blogger that took notes and posted too much detail about how Lynn's attack worked can expect a phone call from the Cisco and ISS lawyers, demanding that they remove the information.

Because Cisco effectively says that all information from the presentation is the result of a copyright violation, the company would have a decent shot at succeeding.

But does that solve the security issue?

327933_8451

Photo credit:  Syam Hassan

Tags: cisco, ios, black hat, michael lynn, iss 

July 29, 2005 at 01:21 AM | Permalink | Comments (0) | TrackBack

San Andreas vice

Florence Cohen, an 85 year old grandmother from New York has filed a lawsuit against Rockstar Games over the hidden sexual content in the game Grand Theft Auto: San Andreas.

Although the game is rated "M" for mature, for audiences aged 17 and older, she decided that the game's extreme violence was no problem for her 14 year old grandson. But now that it turns out that there is sexual content in there, Cohen is running to the courts to claim unspecified damages.

I had hoped that that Hillary Clinton's crusade to protect the children would be the lowest point in the game's saga. She persuaded the FCC to investigate the game maker over false advertising claims: they didn't say that there were porn scenes hidden in the game. Never mind that those were hidden from the general public and that they have to install a patch that game modders have developed.

Honestly, there is nothing to this case. The sexual content is hidden in the game. You have to willingly install the patch to access it. And I bet that by doing so you violate the maker's copyrights.

Is Cohen also going to sue her internet provider once she finds out that her grandson can visit porn websites? Of course internet porn doesn't come on a CD, but it can reach her computer through spyware, without her knowledge or consent. And internet porn is easier to obtain than finding, downloading and installing a game patch.

Gta

tags: grand theft auto, Video Games, Xbox,   Gaming, Games, PS2, playstation.

July 28, 2005 at 11:06 PM | Permalink | Comments (0) | TrackBack

A Cisco security controversy

If 31 pages are ripped from a conference guide at the last moment, surely that must mean something big is going on.

As it turns out, there is. At this week's Black Hat conference, security expert Michael Lynn was scheduled to give a presentation about an attack method against Cisco routers running the Internet Operating System, the software that controls Cisco routers much like Windows XP controls PCs.

In his presentation, Lynn would have shown how to effectively disable the router using a known exploit in IOS. And with disabling I mean that the attack would make it impossible to reboot or use the equipment.

Cisco and ISS had decided to cancel the presentation because further research was required, according to Cisco.

"When [ISS] would present, they would have presented materials that were much more beneficial to the security industry," Cisco security spokesman John Noh told vnunet.com.

Lynn claimed that Cisco had pressured the security company to do so. As his employer crumbled under the pressure, Lynn decided to do what he believed was the right. He quit his job and proceeded to give the presentation.

As it goes with whistle blowers, his presentation made Lynn an instant celebrity while the lawyers are circling around him.

Cisco and ISS have filed a motion in a California court requesting a restraining order against Lynn. He might have found a genuine way to shut down Cisco routers, the legal complaint argues that he illegally reversed engineered IOS to get there (even if it took him 6 months to do so).

So what? A hacker could take the same approach and shut down the internet. A restraining order won't do much good against a terrorist hacker attack.

Of course we have to behave around copyrights, but copyrights should take a back seat when security is at stake.

Blackhat_guide
31 pages lost...

Tags: cisco, ios, black hat, michael lynn, iss

 

July 28, 2005 at 08:14 PM | Permalink | Comments (0) | TrackBack

RSS is for just a happy few

Only one in every fifty Americans households uses the technology, according to research by Forrester's Charlene Li. Don't look any further to find proof that RSS is failing to excite the average consumer.

Rss Unfortunately her research doesn't go on to explain what causes this lack of interest in the technology, or what we can do to increase the appeal. Technology after all doesn’t buy reports. Marketers hoping to clog RSS with their messages however do (hence the report: Using RSS As A Marketing Tool)

Personally I couldn't live without RSS, and I have been repeatedly frustrated by companies including Google and Sun Microsystems who have failed to keep their (corporate PR) RSS feeds up and running.

But last week a friend visited as I was going through my feeds list, and I failed to sell him on the idea why RSS would be good for him. He doesn't need to read dozens of websites, and is fine with just entering the URL of the few sites that he does look at regularly.

It's not just that the name RSS is wrong. For the average consumer it doesn't solve any problems. That's exactly why Microsoft's plans for the technology can be so exciting. For the same friend does struggle to stay up to day about when he needs to play a game with his sports team. Other people would love to have feeds that keep them up to date about transactions in their retirement plans, bank accounts and credit cards.

Stop thinking about RSS as a news and blog publication tool. RSS could do so much more, and for it to become a success it has to.

Tags: RSS

 

July 28, 2005 at 02:22 AM | Permalink | Comments (0) | TrackBack

Go old school on your mobile phone

Sure, your mobile might be the smallest device ever made, but if you want to be really hip, you better get a matching Phobile "head set".

P1044ex1"Phones were far more entertaining in the good old days," the website argues, while pointing the prospective buyer to the device's easy grip, old fashioned curly wurly cable and choice of phone adapters for different makes and models of mobile phones.

You won't exactly take this thing with you on a business trip, but it makes for a great birthday gift for gizmo savvy friends and relatives.

It's yours for just ₤ 34.95.

P1044h
tags: mobile phone, cellphone

July 28, 2005 at 01:20 AM | Permalink | Comments (0) | TrackBack

Microsoft plays timing games

Last week on Friday Microsoft promised that beta 1 for Windows Vista would be available by 3 August. On Wednesday the company started shipping the code a week too early.

Technically the software vendor didn't lie: the code will actually be available on 3 August. But why did Redmond decide to publish it this week?

The first reason that comes to mind is be PR. After missing numerous development deadlines for Windows Vista, it must have felt good to beat a deadline for once. If anything it could give a morale boost to the Microsoft developers who weren’t told about the pending PR stunt.

Another, more mundane reason, would be that the "software is ready when it's ready". It may sound weird, but this is a very common approach in open source projects where you never know what speed bumps you'll hit. Microsoft might have more control over the number of developers that work on the Vista code, it too faces unexpected difficulties. In this scenario the date of 3 August was merely a worst case scenario to have a buffer for any last minute snafus.

Windowvista
Screenshot of Windows Vista with the new Internet Explorer 7.

tags: windows vista, microsoft

July 27, 2005 at 11:07 PM | Permalink | Comments (0) | TrackBack

How to prepare for Defcon

If you plan on going to the annual DefCon and Black Hat hackers conferences in Las Vegas this week, you should know better than to use your wireless connection.

In an effort to underline the sector's image that hackers are immature, childish computer graffiti artists, the game to play is to hack any computer that can get access to.

"Try to recall all of the attacks you have seen in the last year and dismissed because the attacker needed to be local to your network. Then realize that you are about to connect to that network," the SANS Internet Storm Centre summarizes the threat.

For the brave souls who think they can withstand the threats and plan on using WiFi nonetheless, the Centre has put up a list of to do items before and at the conference.

  • apply all available patches, regardless of your OS
  • hard code the MAC address of the default router.
  • set up a SSH on a proxy server inside your office and hard code your proxy box IP address into your host s file on your laptop to prevent DNS hijacking
  • make sure while at the conference that your web browser is using the proxy address of you SSH tunnel
  • don't connect to corporate email
  • "Do you believe strongly in your VPN client? That's great." Just don't show everybody the IP address of your VPN gateway.
  • Turn off Client for Microsoft Networks.
  • Turn off File and Printer Sharing.
  • Turn off NetBIOS over TCP/IP.
  • Consider changing the domain name and machine name of your computer.

If you, like me, wouldn't know how to apply at least half of these settings, you probably shouldn't be at this event anyway. Or at least you should stick to wired internet access.

tags: defcon, black hat, hacking, hack, hacker, Security.

July 27, 2005 at 06:32 PM | Permalink | Comments (1) | TrackBack

Fun things to do with infrared

Scott Pinzon from security website Watchguard has an amusing yet frightening tale about the security issues associated with the use of infrared in garage door openers, remote automobile locks and hotel room television remote controls.

I don't want to spoil the joy of reading his posting, but in one instance a security expert/hacker figured out the reset command for a certain car brand, drove over to a dealer lot at night and tested his theory.

What happened?

"At nighttime, it's actually a scary sound to hear 50 cars unlock at once."

Another fun experiment is to use the television in a hotel room to hack the hotel's network. Not only would it allow a hacker to alter his bill, he could also mess with the hotel's on demand TV system. Free porn for everybody, whether you want it or not.

Remote

Photo credit: Layton Findlater

Tags: hack, hacking, hacker, infra red

July 27, 2005 at 04:26 AM | Permalink | Comments (0) | TrackBack

 

Useful links: About | Privacy policy | Terms & conditions | Top of the page
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503