Archive for June, 2008
Friday, June 27th, 2008
I’m setting up a new Linux machine, and while compiling nmap, I noticed the following fly by:
[ASCII-art dragon printed by the nmap build; the drawing's spacing did not survive extraction]
NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND REPONSIBLY
Somehow, I’ve never noticed this before, but I love it. (Well, except for the misspelling of the word responsibly).
Posted in software | 2 Comments »
Thursday, June 26th, 2008
In the “duh” reporting of the moment, SecurityFocus reports that:
The number of signatures required to detect malicious code skyrocketed in the first half of 2008.
While I may mock them (gently of course) for reporting something which is obvious, the growth curve is impressive:
The data — part of the F-Secure’s IT Security Threat Summary — showed that the company currently requires nearly 900,000 different signatures, also referred to as “definitions” or “detections,” in its product to catch current threats, up from 500,000 signatures at the end of 2007.
The solution, of course, is to stop writing signatures. There is a virtually infinite number of pieces of malware that can be written, and trying to write a signature for each and every one is an exercise in futility. We’ve seen it time and again – blacklisting does not work in the long run, it is not scalable, and it is inherently reactive rather than proactive.
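To make the blacklisting-versus-whitelisting argument concrete, here is an added example (not code from the post or from F-Secure) that pits the two models against each other on constructed samples. The byte strings, the single "signature" and the approved-hash list are all made up for the illustration; the point is that a blacklist only ever catches what it has already seen, while an allowlist rejects anything unknown, at the price of having to be kept current as approved software changes.

```python
import hashlib
import re

# Constructed stand-ins for executables. None of this is real malware; the byte
# strings and the "signature" exist only to illustrate the two detection models.
APPROVED_BINARIES = [
    b"MZ\x90\x00 editor v1.2 (constructed sample)",
    b"MZ\x90\x00 calculator v3 (constructed sample)",
]
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 dropper (constructed sample) MARKER-STRING-A"

# Blacklist model: one signature per sample that has already been analysed.
SIGNATURES = [re.compile(re.escape(b"MARKER-STRING-A"))]

def blacklist_verdict(blob: bytes) -> str:
    """Block only what matches a signature written for a previously seen sample."""
    return "block" if any(sig.search(blob) for sig in SIGNATURES) else "allow"

# Allowlist model: a file may run only if its hash is on the approved list.
ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in APPROVED_BINARIES}

def allowlist_verdict(blob: bytes) -> str:
    """Block everything whose hash is not on the approved list, known or not."""
    return "allow" if hashlib.sha256(blob).hexdigest() in ALLOWLIST else "block"

def compare_models() -> dict:
    # A "new variant": the same constructed sample with its marker altered, which is
    # enough to slip past a signature that was written for the original.
    variant = KNOWN_BAD_SAMPLE.replace(b"MARKER-STRING-A", b"MARKER-STRING-B")
    return {
        "blacklist_known": blacklist_verdict(KNOWN_BAD_SAMPLE),
        "blacklist_variant": blacklist_verdict(variant),
        "allowlist_variant": allowlist_verdict(variant),
        "allowlist_approved": allowlist_verdict(APPROVED_BINARIES[0]),
        # The allowlist's maintenance cost: an updated build of an approved program
        # has a new hash and is blocked until the list is refreshed.
        "allowlist_updated_binary": allowlist_verdict(APPROVED_BINARIES[0] + b" patch 1"),
    }

if __name__ == "__main__":
    for name, verdict in compare_models().items():
        print(f"{name}: {verdict}")
```

The last entry is the caveat that goes with the post's argument: an allowlist does not need to grow with the malware population, but it does need to track every legitimate update, so the operational work moves from the vendor's signature team to whoever maintains the approved set.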
Tags: proactive security, virus, whitelisting Posted in software | Comments Off
Thursday, June 26th, 2008
This is nothing more than a blatant advertisement for OWASP, but they have an upcoming conference in NYC in late September that might be of interest to people here.
Tags: conference, OWASP Posted in news | Comments Off
Wednesday, June 25th, 2008
I really pity the people who have to design RFID security systems. I don’t mean that condescendingly at all, I really do. They have a system which has no native power source, has to cost about a dime, and somehow has to have strong authentication built into it. They have to design complex circuitry for minimal cost that runs on almost no power. With that in mind, it’s no wonder there are so many examples of people cracking RFID systems. This is just the newest case.
Researchers at Radboud University in Nijmegen in the Netherlands managed to crack and clone London’s Oyster travel card. They were able to take free rides on the Underground and even perpetrated a DDoS attack on a Tube gate.
Tags: rfid Posted in Access Control Systems & Methodology | Comments Off
Tuesday, June 24th, 2008
According to the statistics from Microsoft’s malicious software removal tool, trojan horses designed to steal online game credentials are now more prevalent than more traditional trojans which simply turn a PC into part of a DDoS zombie network. Frankly, this doesn’t surprise me too much. After all, the main driver behind botnets these days is purely monetary. Since multiplayer games are now also an economic engine, it makes sense for virus writers to start going after them.
Tags: bots, games, malware, money Posted in telecommunications/network security | Comments Off
Wednesday, June 18th, 2008
The gpcode virus has been making news of late. It’s ransom-ware that encrypts the infected machine’s files with a 1024-bit RSA key, demanding a monetary payment in exchange for the decryption key. Kaspersky Labs announced that they would try to brute-force the key if people would just loan them some spare CPU cycles. They took some flak for even trying this, including a rebuke from the master cryptographer himself, Bruce Schneier.
Now it appears they’ve found a solution. No, they haven’t cracked a 1024-bit RSA key this quickly; they’ve discovered that the files can be undeleted, and have released a utility to assist in the endeavor. This is another example of Shamir’s third law of security. For those of you who don’t know, Adi Shamir, recipient of the Turing Award and the S in RSA, once delivered his three laws of security:
- Absolutely secure systems do not exist
- To halve your vulnerability you need to double your expenditure
- Cryptography is typically bypassed, not penetrated
This is about as good an example of law number three as I can think of. Kaspersky would have found it nearly impossible to break the key in a meaningful amount of time; circumventing the cryptography, however, proved to be much easier.
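To show why "bypassed, not penetrated" applies here, the following is an added example (not Kaspersky's utility and not code from the post) that models what the post describes on a toy block device: a file is encrypted into a new copy and the original deleted, then a header-based carve recovers the plaintext from blocks that were freed but never overwritten. The ToyDisk, its geometry, the XOR stand-in for the malware's RSA scheme and the sample document are all constructed for the illustration.

```python
BLOCK_SIZE = 64      # constructed toy geometry
BLOCK_COUNT = 32

class ToyDisk:
    """Minimal block device: a byte array, a directory and a free-block list.
    Deleting a file drops its directory entry and frees its blocks; the bytes in
    those blocks are left untouched, which is what undelete tools rely on."""

    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.free = list(range(BLOCK_COUNT))
        self.directory = {}          # name -> (size, [block numbers])

    def block(self, n: int) -> bytes:
        return bytes(self.data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE])

    def write(self, name: str, content: bytes) -> None:
        blocks = []
        for off in range(0, len(content), BLOCK_SIZE):
            n = self.free.pop(0)
            chunk = content[off:off + BLOCK_SIZE]
            self.data[n * BLOCK_SIZE:n * BLOCK_SIZE + len(chunk)] = chunk
            blocks.append(n)
        self.directory[name] = (len(content), blocks)

    def read(self, name: str) -> bytes:
        size, blocks = self.directory[name]
        return b"".join(self.block(n) for n in blocks)[:size]

    def delete(self, name: str) -> None:
        _, blocks = self.directory.pop(name)
        self.free.extend(blocks)     # reusable again, but not wiped

def xor_stream(data: bytes, key: bytes) -> bytes:
    # Stand-in for the malware's RSA-based scheme; the cipher is irrelevant to the
    # point, which is that the ciphertext lands in *new* blocks.
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

def encrypt_and_delete(disk: ToyDisk, name: str, key: bytes) -> None:
    """Model of the behaviour the post describes: an encrypted copy replaces the original."""
    disk.write(name + ".enc", xor_stream(disk.read(name), key))
    disk.delete(name)

def carve(disk: ToyDisk, header: bytes) -> list:
    """Forensic recovery: scan unallocated blocks for a known file header, then follow
    the contiguous unallocated, non-empty blocks after it (files were written sequentially)."""
    allocated = {n for _, blocks in disk.directory.values() for n in blocks}
    found, n = [], 0
    while n < BLOCK_COUNT:
        if n in allocated or not disk.block(n).startswith(header):
            n += 1
            continue
        recovered = bytearray()
        while n < BLOCK_COUNT and n not in allocated and any(disk.block(n)):
            recovered += disk.block(n)
            n += 1
        found.append(bytes(recovered).rstrip(b"\x00"))
    return found

def demo() -> dict:
    disk = ToyDisk()
    document = b"%PDF-1.4 quarterly report (constructed sample text) " + b"x" * 70
    disk.write("report.pdf", document)
    encrypt_and_delete(disk, "report.pdf", key=b"\x5a\xa5\x3c")
    recovered = carve(disk, b"%PDF-")
    return {
        "original_in_directory": "report.pdf" in disk.directory,
        "encrypted_copy_equals_document": disk.read("report.pdf.enc") == document,
        "recovered_count": len(recovered),
        "recovered_matches": recovered[0] == document if recovered else False,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key was never touched; the plaintext simply still existed. The recovery only works while the freed blocks have not been reused, so on a real machine the first step is to stop writing to the volume and image it before running any undelete tool, and the header-carving shortcut assumes contiguous allocation, which real filesystems do not guarantee.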
Tags: brute force, cryptography, kaspersky, schneier, shamir, virus Posted in cryptography | Comments Off
Friday, June 13th, 2008
There’s a new paper out on SQL injection DoS attacks. Given the severity of the claims, I don’t see why this isn’t getting more coverage. The authors claim that almost any server with a SQL back-end and a search form is vulnerable. Essentially, they craft SQL queries that take an exorbitantly long time to execute; launching a small handful of them can make a database completely unresponsive. Although perhaps not as damaging as traditional SQL injection (most people would rather have their data unavailable than in the hands of an attacker), it appears to be much easier to execute, so it probably won’t be long before people start seeing this show up everywhere.
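As an added example (not the paper's code; the catalogue table and search terms are constructed), here is a search handler on Python's sqlite3 module showing the pattern the paper targets beside a hardened one. The unsafe version splices the term into the statement text, so the user controls the SQL and the LIKE wildcards; the safe version binds the term as a parameter, escapes the wildcards, and puts a work budget on each statement through sqlite3's progress handler so a runaway query is aborted instead of tying up the database. The budget is exercised with a deliberately expensive statement run straight against the connection.

```python
import sqlite3

class QueryBudgetExceeded(Exception):
    """Raised when a statement is cut off for using more than its work budget."""

def build_db() -> sqlite3.Connection:
    # Constructed catalogue table standing in for whatever sits behind a search form.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products(name) VALUES (?)",
                     [("red widget",), ("blue widget",), ("50% off gadget",), ("500 gadget",)])
    return conn

def search_unsafe(conn, term: str):
    """The pattern the paper targets: the term is spliced into the statement text, so the
    user controls the SQL as well as the data, and LIKE wildcards go through unescaped."""
    return conn.execute(f"SELECT name FROM products WHERE name LIKE '%{term}%'").fetchall()

def install_budget(conn, max_ticks: int, tick_every: int = 1000) -> dict:
    """Abort any statement on this connection that runs past max_ticks * tick_every VM steps.
    sqlite3 calls the handler every tick_every virtual-machine instructions; a non-zero
    return value interrupts the running statement."""
    state = {"ticks": 0}
    def handler():
        state["ticks"] += 1
        return 1 if state["ticks"] > max_ticks else 0
    conn.set_progress_handler(handler, tick_every)
    return state

def search_safe(conn, term: str, max_ticks: int = 50):
    """Bound parameter, LIKE metacharacters escaped, and a per-statement work budget."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    state = install_budget(conn, max_ticks)
    try:
        return conn.execute(
            "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
            (f"%{escaped}%",),
        ).fetchall()
    except sqlite3.OperationalError as exc:
        if state["ticks"] > max_ticks:
            raise QueryBudgetExceeded(f"statement aborted after {state['ticks']} ticks") from exc
        raise
    finally:
        conn.set_progress_handler(None, 1000)

def compare() -> dict:
    conn = build_db()
    out = {
        "unsafe_percent": search_unsafe(conn, "50%"),   # '%' acts as a wildcard
        "safe_percent": search_safe(conn, "50%"),       # '%' is matched literally
        "safe_quote": search_safe(conn, "'"),           # just a term with no match
    }
    try:
        search_unsafe(conn, "'")                        # breaks the statement: the injection point
        out["unsafe_quote"] = "executed"
    except sqlite3.OperationalError:
        out["unsafe_quote"] = "syntax error"
    # Exercise the budget with a deliberately expensive statement run straight against the
    # connection (constructed for this check, not something built from a search form).
    state = install_budget(conn, max_ticks=20)
    try:
        conn.execute("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c WHERE x < 1000000)"
                     " SELECT count(*) FROM c").fetchall()
        out["budget"] = "completed"
    except sqlite3.OperationalError:
        out["budget"] = "interrupted" if state["ticks"] > 20 else "other error"
    finally:
        conn.set_progress_handler(None, 1000)
    return out

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Parameter binding removes the injection point, but on its own it does nothing about an expensive-but-legitimate search, which is why the per-statement budget (on a production database, a statement timeout or resource governor) is the part that actually addresses the availability problem the paper describes.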
Tags: databases, DoS, news, SQL injection Posted in application security | Comments Off