* Posts by Chet Wisniewski - Sophos

6 publicly visible posts • joined 15 Jul 2009

Hackers scalp Apache

Chet Wisniewski - Sophos

We can all learn from this...

After such a high profile site is compromised it serves as a good point in time to review all your systems to be sure you haven't made the same mistake...

1. Always use SSH password/passphrases on keys...

2. Make them complex and long.

3. Never allow inbound SSH to systems that can publish to the greater world, from the greater world.

4. Always check the checksums, but --not against-- the site you got the file from.... Software companies need to start publishing and signing the checksums separate from the website.

Chester Wisniewski

www.sophos.com

Intel warns over bare-metal BIOS bug

Chet Wisniewski - Sophos

Blackhat, BIOS's, raising security awareness

As happens every year around this time, security gets a lot of attention... Blackhat, Defcon, and some vendors, like Intel, fessing up to coding errors and airing their own laundry. Although very different to the Blackhat presentation in terms of the flaw, this is increasing our awareness of how the growing sophistication of BIOSes and related technologies (Asus ExpressGate, etc) could compromise a system. All OS level software would consider these bits a rootkit merely because of their hidden/lower-level nature. The more concerning one disclosed by Core Security has more information available from our blog (without the hype.) http://www.sophos.com/blogs/sophoslabs/v/post/5716

Chet Wisniewski

@chetwisniewski (twitter)

www.sophos.com

Adobe promises fix for critical Flash hole next week

Chet Wisniewski - Sophos

Can't come soon enough...

Adobe's advice is interesting, however terribly incomplete and to some degree bad advice. Going to the linked article from Adobe it tells users to delete/disable authplay.dll. Of course this is of no use to Maq, Linux, or Solaris users whatsoever. On Linux at least the file in question appears to be /opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so and on Mac it appears to be /Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle. Of course, moving this file only protects you against malicious PDF's and not the Flash exploit.. And Adobe's advice for that? "Flash Player users should exercise caution in browsing untrusted websites." What the heck is a trusted site these days? And how are users to know if a site contains Flash??? I recommend using NoScript in the interim (http://noscript.net) to prevent flash from loading through ANY site until this hole is fixed.

Which leads to my next question.. When is Adobe going to provide tools to network admins to actually roll out these updates in a controlled manner? Without something better than a quarterly patch Tuesday its only a gesture towards really caring about the security of users of their products. These flaws are being actively exploited (http://www.sophos.com/blogs/sophoslabs/post/5524) so protect yourselves immediately!

Chet Wisniewski

Security Analyst

www.sophos.com

Chet Wisniewski - Sophos

Adobe can do better than this

The advice from Adobe is a bit lacking... Linux, Mac, and Solaris users are left to their own.. And I am not sure what an "untrusted website" is considering that many popular websites, ad networks, etc have been compromised the last 18 months.

Linux users should move their libauthplay.so somewhere or delete (usually in /opt/Adobe/Reader9/Reader/intellinux/lib). This does NOT protect against the Flash exploit, only against Flash in PDF files.

Mac users should move /Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle (Just use Spotlight to search for AuthPlayLib in Applications).

Windows, Mac, and Linux users should use something like NoScript (http://noscript.net) rather than follow Adobe's advice of "exercise caution in browsing untrusted websites". We published more info on our blog, as this is being actively exploited in the wild (http://www.sophos.com/blogs/sophoslabs/post/5524).

Chet Wisniewski (@chetwisniewski)

Security Analyst

www.sophos.com

BlackBerry update bursting with spyware

Chet Wisniewski - Sophos

@Goat Jam

I was not suggesting that people simply trust anything that is digitally signed, and clearly that is not the recommendation of Sophos, nor the manner in which our products are designed. The intent of the comment was directed towards users who are taught to look for the padlock in their browsers and consider that as some sort of validation that a website is secured. Clearly readers of El Reg are more sophisticated than most, and you are correct in pointing out that blindly trusting signed content means nothing.

Chet Wisniewski - Sophos

Digital Signatures are only the beginning

It's interesting to me that it has taken this long for a "legitimate" signing certificate to be used for nefarious purposes. This is always a danger when a central authority like RIM or Verisign authorize someone to sign code/sites on their behalf without any oversight. This reminds me of how we used to tell users not to open .scr or .exe attachments, and now the baddies are using PDF and .ppt to infect via email. Now we can't simply inspect a file for an appropriate signature, we need to decide if we trust the publisher, and whether we need the update. We had published a blog article (http://www.sophos.com/blogs/sophoslabs/v/post/428) instructing users on being vigilant regarding signatures, perhaps this calls for an update.

I hope RIM takes some action regarding this abuse of trust...

Chet Wisniewski

www.sophos.com