http://praetorianprefect.com Information security, a little slower...a little deeper Thu, 11 Mar 2010 23:54:29 +0000 http://wordpress.org/?v=2.8.6 en hourly 1 http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/ http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/#comments Wed, 10 Mar 2010 23:01:30 +0000 Prefect http://praetorianprefect.com/?p=3511 Microsoft's recent blog post for new security advisory 981374 referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of "limited targeted attacks" to being widely accessible and available as a new module for the Metasploit framework.]]> http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/feed/ 1 http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/ http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/#comments Tue, 09 Mar 2010 22:00:45 +0000 Simon Price http://praetorianprefect.com/?p=3489 http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/feed/ 1 http://praetorianprefect.com/archives/2010/03/3473/ http://praetorianprefect.com/archives/2010/03/3473/#comments Tue, 09 Mar 2010 20:38:40 +0000 Simon Price http://praetorianprefect.com/?p=3473 Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.]]> http://praetorianprefect.com/archives/2010/03/3473/feed/ 0 http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/ http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments Tue, 02 Mar 2010 17:39:54 +0000 Simon Price http://praetorianprefect.com/?p=3444 http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/ 1 http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/ http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/#comments Fri, 26 Feb 2010 04:18:26 +0000 Prefect http://praetorianprefect.com/?p=3421 George V. Hulme shared the picture below from CNBC, perhaps the most amusing way seen thus far of describing the patch for the 'Aurora bug' that famously affected Google late last year.]]> http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/feed/ 1 http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/ http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/#comments Thu, 25 Feb 2010 04:25:21 +0000 Prefect http://praetorianprefect.com/?p=3395 http://praetorianprefect.com/archives/2010/02/a-brief-reminder-passwords-have-been-around-forever/feed/ 0 http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/ http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/#comments Thu, 18 Feb 2010 19:24:27 +0000 Prefect http://praetorianprefect.com/?p=3346 http://embeddedart.com.]]> http://praetorianprefect.com/archives/2010/02/was-the-austin-plane-crash-domestic-terrorism/feed/ 8 http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/ http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/#comments Tue, 09 Feb 2010 22:56:29 +0000 Simon Price http://praetorianprefect.com/?p=3305 http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/feed/ 3 http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/ http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/#comments Thu, 28 Jan 2010 09:46:14 +0000 Prefect http://praetorianprefect.com/?p=3236 http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/feed/ 29 http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/ http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/#comments Wed, 27 Jan 2010 08:19:56 +0000 Prefect http://praetorianprefect.com/?p=3211 from the last web site defacement, TechCrunch has been defaced again early this morning by the same cracker(s) responsible for yesterday's attack. Whatever preventative measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker's access to modify TechCrunch's content, as this morning the attacker left a profane message on top of the homepage for Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be ensuring that there is no uploaded shell on the server the site is hosted on.]]> http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/feed/ 5 http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/ http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/#comments Tue, 26 Jan 2010 09:36:43 +0000 Prefect http://praetorianprefect.com/?p=3178 TechCrunch, the popular blog founded by Michael Arrington in 2005 that profiles technology start ups with posts about their products and company news was the victim of a website defacement that has effectively taken the site down for a period of three hours at time of writing. The site initially went down a little after 1 AM EST with a message of "Hi" on the homepage, and for a while seesawed between coming back up, being newly defaced, and showing a "We'll be back shortly" message.]]> http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/feed/ 3 http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/ http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/#comments Thu, 21 Jan 2010 00:31:43 +0000 Simon Price http://praetorianprefect.com/?p=3145 http://praetorianprefect.com/archives/2010/01/microsoft-posts-advanced-notification-for-out-of-band-patch/feed/ 0 http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/#comments Sat, 16 Jan 2010 00:42:41 +0000 Prefect http://praetorianprefect.com/?p=3065 big news hit earlier this week, the attack vector that allowed bad actors presumably from China into the networks of Google, Juniper, Adobe, and some 30 other firms was an Internet Explorer zero day, a use after free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used in IE 6 according to Microsoft. Per Microsoft's Advisory 979352: "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.. Earlier today this entry from yesterday at Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit has an exploit of the vulnerability integrated. McAfee has confirmed that the exploit is out and the same one they saw during the investigation. The video below demonstrates how crackers gained access to the corporate networks of Google, et al. using this zero day attack.]]> http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/feed/ 62 http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/ http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/#comments Fri, 15 Jan 2010 00:28:27 +0000 Prefect http://praetorianprefect.com/?p=3024 http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/feed/ 1 http://praetorianprefect.com/archives/2010/01/windows-smb-crash-video/ http://praetorianprefect.com/archives/2010/01/windows-smb-crash-video/#comments Thu, 14 Jan 2010 05:27:07 +0000 Prefect http://praetorianprefect.com/?p=2997 on November 11th, 2009 we confirmed Laurent Gaffié's remote exploit for Windows that causes a kernel crash. The operating system actually freezes creating a denial of service when for example a user is tricked into clicking on a link to a malicious SMB share on a web page. The SMB client goes into an infinite loop when processing this malformed request according to Microsoft. The video below demonstrates this effect, having a user click a web site link and showing the crash.]]> http://praetorianprefect.com/archives/2010/01/windows-smb-crash-video/feed/ 5 http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/ http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/#comments Thu, 14 Jan 2010 03:37:42 +0000 Simon Price http://praetorianprefect.com/?p=2856 posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.]]> http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/feed/ 2 http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/ http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/#comments Tue, 12 Jan 2010 23:08:10 +0000 Simon Price http://praetorianprefect.com/?p=2947 http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/feed/ 2 http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/ http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/#comments Tue, 12 Jan 2010 03:11:23 +0000 Prefect http://praetorianprefect.com/?p=2920 DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that serves up over 740 million web pages along with music and video. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.]]> http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/feed/ 15 http://praetorianprefect.com/archives/2010/01/juniper-kernel-crash-scapy-code/ http://praetorianprefect.com/archives/2010/01/juniper-kernel-crash-scapy-code/#comments Sun, 10 Jan 2010 21:45:30 +0000 JD McCloud http://praetorianprefect.com/?p=2962 exploit code has been published elsewhere, there is little reason not to answer this question.]]> http://praetorianprefect.com/archives/2010/01/juniper-kernel-crash-scapy-code/feed/ 0 http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/ http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/#comments Fri, 08 Jan 2010 18:07:44 +0000 Simon Price http://praetorianprefect.com/?p=2910 http://praetorianprefect.com/archives/2010/01/smb-bug-wont-be-patched-in-january/feed/ 0 http://praetorianprefect.com/archives/2010/01/junos-juniper-kernel-crash-video/ http://praetorianprefect.com/archives/2010/01/junos-juniper-kernel-crash-video/#comments Fri, 08 Jan 2010 01:28:52 +0000 Prefect http://praetorianprefect.com/?p=2863 our post yesterday detailing the information in Juniper bulletin PSN-2010-01-623 and our thoughts on its somewhat understated effect. Since our post yesterday, the bulletin has been updated, becoming more specific about the versions affected (basically excluding JUNOS version 10.x and versions no longer supported by Juniper). We have tested all 256 permutations of the Options field in the TCP header, and reproduced the kernel crash, which is demonstrated in the video below.]]> http://praetorianprefect.com/archives/2010/01/junos-juniper-kernel-crash-video/feed/ 20 http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/ http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/#comments Wed, 06 Jan 2010 22:23:17 +0000 Prefect http://praetorianprefect.com/?p=2812 http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/feed/ 19 http://praetorianprefect.com/archives/2009/12/googles-new-years-eve-tricks/ http://praetorianprefect.com/archives/2009/12/googles-new-years-eve-tricks/#comments Thu, 31 Dec 2009 22:21:00 +0000 Prefect http://praetorianprefect.com/?p=2769 likes to have fun with the holidays, and it appears that New Year's Eve will be no exception. People who have been hitting the "I'm Feeling Lucky" button lately with a blank search have been presented with a timer counting down the seconds to New Year's Eve. The timer is based on the PC clock.]]> http://praetorianprefect.com/archives/2009/12/googles-new-years-eve-tricks/feed/ 0 http://praetorianprefect.com/archives/2009/12/intel-breach-reveals-passport-information/ http://praetorianprefect.com/archives/2009/12/intel-breach-reveals-passport-information/#comments Tue, 22 Dec 2009 16:05:52 +0000 Prefect http://praetorianprefect.com/?p=2641 two Kaspersky international properties and a Wall Street Journal conference site has demonstrated an attack on an Intel web property, http://channeleventsponsors.intel.com/intelwebinar/somepage. This site handles online registrations for channel partner events and that has been demonstrated to have a SQL injection vulnerability that outputs a database table appearing to contain personally identifiable information (PII).]]> http://praetorianprefect.com/archives/2009/12/intel-breach-reveals-passport-information/feed/ 4 http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/ http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/#comments Sat, 19 Dec 2009 02:51:33 +0000 Prefect http://praetorianprefect.com/?p=2574 this update from @slashdot on Twitter: "DECAF Was Just a Stunt, Now Over", along with this: "Anti-COFEE tool taken down & d/l'ed copies disabled.". Ok, fair enough, releasing DECAF was a stunt according to its two creators. But then we saw this train wreck of an article by Nick Eaton, the Microsoft Reporter over at the Seattle PI Blogs. So now we're going to respond, because the incorrect DECAF as a big hoax story, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shut down appears to only be a call back to decafme.org that is now disabled, but is easily spoofed, and we'll demonstrate how.]]> http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/feed/ 13 http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/ http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/#comments Thu, 17 Dec 2009 16:32:07 +0000 Prefect http://praetorianprefect.com/?p=2500 administrative portal of managed DNS service provider Dyn.]]> http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/feed/ 11 http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/ http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/#comments Wed, 16 Dec 2009 21:02:21 +0000 Simon Price http://praetorianprefect.com/?p=2427 released a critical update for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented with Javascript to attempt to inject shell code.]]> http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/feed/ 1 http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/ http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/#comments Wed, 16 Dec 2009 00:57:57 +0000 Simon Price http://praetorianprefect.com/?p=2333 much hype about nothing, as many free tools already out there exceed COFEE in features and functionality.]]> http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/feed/ 2 http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/ http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/#comments Tue, 15 Dec 2009 01:21:34 +0000 Simon Price http://praetorianprefect.com/?p=2250 http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/feed/ 8 http://praetorianprefect.com/archives/2009/12/unu-gets-kaspersky-again/ http://praetorianprefect.com/archives/2009/12/unu-gets-kaspersky-again/#comments Fri, 11 Dec 2009 04:44:34 +0000 Prefect http://praetorianprefect.com/?p=2180 his fifth demonstrated SQL Injection vulnerability on the web site of a well known company in the last 30 days. This time he has again targeted Kaspersky Labs, the anti-virus vendor that he previously demonstrated web site vulnerabilities for back on February 7th of this year.]]> http://praetorianprefect.com/archives/2009/12/unu-gets-kaspersky-again/feed/ 6