October 23, 2006
You Thought Your Password Requirements Were Tough
I ran across this on the Microsoft support site:
If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message:
Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords.
Bookmark this at: Del.icio.us, Digg, Reddit, Yahoo, or Newsvine.
Read More: D' Oh!, Windows
September 20, 2006
Sprint Sells Security Service for SmartPhones
With all the concern about data being lost on laptops, and “vulnerabilities” in BlackBerrys, Sprint is jumping into the action. They are offering a managed security service for SmartPhones (you know, like that Treo 700 your boss carries).
Sprint Mobile Security enforces password policies using personal identification numbers and other user-specific credentials for authentication. Customers also have the option of encrypting specific files, a device or memory card. This same encryption can be used by mobile customers to securely access their corporate VPN, the service provider says.
The service also scans, identifies and removes malware, viruses, worms and the like from mobile devices using a firewall that resides on the handheld or laptop. This firewall is also used to block denial-of-service attacks.
That’s good, because we’re all worried about phones getting DOS’d. What!?
This is the first of its kind to my knowledge, and may help them win some traction in the highly valued big business space. Now, they’re mostly deploying and managing some Mobile Armor software for you, and charging you $9/month, although they have added some custom features like:
[The] ability to remotely lock a wireless device if reported lost or stolen and the ability to remotely erase all data from that device in an effort to protect corporate information.
Seems a little pricey to me, but I can imagine some companies going for it on some especially high-ranking sensitive employees.
Sprint beefs up wireless security services [Network World]
Press Release [Sprint]
Read More: Anti-Virus, Policy, Wireless
Tracking Bots using Google Analytics
Google Analytics is the best free web statistics software out there. They recently opened registration to anyone, and even the bad guys seem to have noticed:
Every day we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned over not having an organized way to check the bots, like geographic distribution, for example. But how can he or she accomplish this in an easy way? Yes, Google Analytics!
Google Analytics and Bots [McAfee Avert Labs Blog]
Read More: Threats, Anti-Virus, Bots
September 19, 2006
Hezbollah Cracked Israel’s Crypto
Newsday has a story that, if true, is fascinating. They are reporting that, using technology supplied by Iran, Hezbollah fighters were able to listen in on Israeli radio communications. They of course used this intel to evade the advancing units and counterattack.
“We were able to monitor Israeli communications, and we used this information to adjust our planning,” said a Hezbollah commander involved in the battles, speaking on the condition of anonymity. The official refused to detail how Hezbollah was able to intercept and decipher Israeli transmissions. He acknowledged that guerrillas were not able to hack into Israeli communications around the clock.
…a former Israeli general, who spoke on the condition of anonymity, said Hezbollah’s ability to secretly hack into military transmissions had “disastrous” consequences for the Israeli offensive.
For some interesting reading on this, try Ross Anderson’s Security Engineering on Electronic and Information Warfare [PDF]. This attack also reminds me of the man in the middle attack he talks about in Chapter 2 [PDF].
Hezbollah cracked the code [Newsday]
Read More: Threats, Crypto, Government
August 14, 2006
MS06-040 Monday Roundup
After a weekend of monitoring here’s what we seem to know about the MS06-040 Worm(s) in the wild:
- There are at least two variants in the wild so far (ref)
- It appears to be primarily targeting Windows 2000 machines (ref)
- After infecting a machine it connects out over IRC on port 18067 and scans for additional machines to infect on port 445 (ref)
- One variant is also spreading via AOL IM. (ref)
- Most AV vendors have released updates to detect at least some of these known exploits.
- The purpose of the worm seems to be to build a botnet for sending spam.
A couple of stats to ponder:
- Time from patch release to public POC code: ~40 hours
- Time from patch release to self propagating worm: ~96 hours
- Average time it takes an enterprise to patch a critical vulnerability: A lot more than 96 hours.
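The traffic pattern in the roundup above (an outbound IRC connection on port 18067 plus scanning of many hosts on port 445) is something you can look for in your own firewall logs. The following detector is an added example, not code from the original post or any referenced vendor; the log format, the sample lines and the fan-out threshold are constructed assumptions for illustration.

```python
# Added example: flag hosts whose traffic matches the MS06-040 worm pattern
# described in the roundup: outbound TCP/18067 (IRC C&C) plus fan-out to many
# distinct hosts on TCP/445 (scanning for new victims).
from collections import defaultdict

IRC_PORT = 18067
SMB_PORT = 445
SCAN_THRESHOLD = 5  # distinct 445 targets before we call it a scan (tuning assumption)

# Constructed sample log, one "src dst dport" per line; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.10 18067
10.0.0.5 10.0.0.11 445
10.0.0.5 10.0.0.12 445
10.0.0.5 10.0.0.13 445
10.0.0.5 10.0.0.14 445
10.0.0.5 10.0.0.15 445
10.0.0.7 10.0.0.2 445
10.0.0.7 10.0.0.2 445
10.0.0.9 192.0.2.10 18067
"""

def parse(log_text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def find_suspects(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspicious source host to the indicator(s) it triggered."""
    irc_hosts = set()
    smb_targets = defaultdict(set)  # src -> distinct hosts contacted on 445
    for src, dst, dport in parse(log_text):
        if dport == IRC_PORT:
            irc_hosts.add(src)
        elif dport == SMB_PORT:
            smb_targets[src].add(dst)
    verdicts = {}
    for src in irc_hosts | set(smb_targets):
        fanout = len(smb_targets.get(src, ()))
        if src in irc_hosts and fanout >= threshold:
            verdicts[src] = "irc+smb-fanout"   # both indicators: likely infected
        elif src in irc_hosts:
            verdicts[src] = "irc-18067-only"   # C&C channel, no scanning seen yet
        elif fanout >= threshold:
            verdicts[src] = "smb-fanout-only"  # scanning, possibly a different worm
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{host:12} {verdict}")
```

A host talking to a single file server on 445 (10.0.0.7 in the sample) is normal SMB use and is not flagged; only the combination of the C&C port and scan-like fan-out earns the strongest verdict.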
References:
Read More: Threats
August 11, 2006
Symantec Won’t, Will Whine About Microsoft
News.com brings us two stories about Symantec and Microsoft. The first declares that “Symantec won’t ‘whine’ about Microsoft” and includes statements from Symantec CEO John Thompson like:
We’re not looking to go whining to the EU or the DOJ for anything
Essentially the message is, “we’re not scared of Microsoft entering the security market.” Just making the statement means they are, but that’s another point. What’s even funnier is that in another story on News.com today, they go on to whine about a new Microsoft technology that protects the kernel on 64-bit systems, called PatchGuard:
“PatchGuard is hurting security vendors more than it is hurting malware writers,” Bruce McCorkendale, a chief engineer at Symantec
The story goes on to say:
Indeed, Symantec is playing the anticompetitive card for the first time. The Cupertino, Calif.-based company had said it would beat Microsoft by using its security wits as long as the competition is fair. Now the fairness seems to be gone, McCorkendale said.
So, in summary, Symantec will not whine to the DoJ or EU about Microsoft, just to the press. I for one am ready for Symantec to stop trying to grab headlines about technology that hasn’t hit the street yet and start fixing the problems we have today.
Read More: Anti-Virus, D' Oh!, Windows, Rants
August 10, 2006
POC Code for MS06-040
Metasploit has proof of concept code for exploiting MS06-040. The countdown to the worm begins.
Read More: Threats, Patching, Vulnerabilities
August 9, 2006
Hacktivism at Work, Joe Lieberman’s Site Attacked
The day of the primary is a bad day to have your website attacked. It had happened before, but this time it looks like a DDoS attack:
But the earlier two attacks involved defacements — the hacker altered content on Lieberman’s home page. This time, attackers toppled the Lieberman site with requests, probably by directing an army of hacked computers at the site.
Lieberman lost the primary and now goes on to run as an independent. Might it be time to find a new host?
Read More: Threats, Web, Bots, Government
SecurityWonk Podcasted
SecurityWonk was featured on Martin McKeay’s Network Security Podcast. Listen to it here.
Read More: VoIP, Rants
August 7, 2006
Blackberry Backchannel Blindsides Businesses
Wired has a story out of DefCon picturing BlackBerrys as the perfect backdoor into your corporate network. Since many corporations inherently trust the BlackBerry straight in through their firewalls, it might be worth a read.
The program, called proxy, has to be placed on a Blackberry either physically or as a Trojan horse delivered by e-mail. Once installed, it causes the Blackberry to call back to the attacker’s system in the background, opening a communications channel between the attacker and the company’s internal network.
Details are sketchy, and I can’t find the mentioned “documents on its website” or get to their website at all, but the fact that he says he’ll release the app in the next week or so doesn’t make me feel all warm and fuzzy.
Blackberry a Juicy Hacker Target [Wired]
Read More: Threats, Vulnerabilities, Firewall, Wireless
Physical Security Threat: Bump Keys

Our normal scope here is information-based security, but this you gotta see. A new lock-picking technique called “bumping” renders almost all traditional tumbler locks useless with very little skill or tools.
A bump key is a key in which all the cuts are at maximum depth. The picture below shows bump keys for various locks. Bump keys are sometimes called ‘999′ keys because all cuts are at maximum (9) depth.
Once you get a properly cut key ($10 on eBay) they are easy to copy, and it takes about 1 minute to train someone how to do it. Most importantly, this technique works on most very expensive locks as well. Also, it seems to be virtually undetectable:
Given that the insertion of a bump key isn’t much different from inserting a regular key, we’d suspect no special scratch marks would be found other than maybe some miniature dents and deformations caused by the impacts. Until more is known, we think it is diligent to assume that any lock that can be bumped can also, with some care, be bumped without leaving any telltale traces.
This YouTube video shows bumping in action, because we had to see it to believe it:
Bumping locks (pdf) [Netherlands Open Organization of Lockpickers]
Read More: Threats, Theft
August 2, 2006
New Trend: Attacks Against Device Drivers
The guys at Black Hat are demonstrating some interesting attacks against the device drivers for the wireless card in a MacBook Pro:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This highlights an emerging trend of attacks against device drivers. Should attacks like this become a trend I suspect we’ll see the following:
- Wireless Cards Hit First: Many attacks will focus on wireless cards, and not just because they are remotely accessible. The fact that there are only a couple of chipset manufacturers will make attacks easier. Especially considering this:
After the demo, Ellch … will talk about a new tool he’s developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.
“I’m getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that ‘x’ number are running them on a Windows box with a specific version of the driver,” Ellch said. “The useful thing for that information is that if you have a device driver exploit and it’s version-specific, you could tweak [the exploit] before you launch it.”
- Homogeneous Environments Hit Hardest: As demonstrated, Macs will be easier targets, but think about other homogeneous environments: corporate networks that all use the same PCs (or maybe just all the same NICs), ISPs that use all the same kind of DSL/cable modems, etc.
- Mitigations Slow to Come: There won’t be patches coming out of Windows Update for many of these. Expect longer windows of vulnerability, and expect traditional mitigations like firewalls to prove ineffective.
So what do we do? Assuming the attack involves overrunning a buffer, some sort of kernel-level buffer overflow protection in a Host Intrusion Prevention-type product seems to be in order. The whole article is worth a read. Share your thoughts by leaving a comment below.
Hijacking a Macbook in 60 Seconds or Less [Security Fix]
Read More: Threats, Patching, Vulnerabilities, Firewall, Wireless, Macs
August 1, 2006
Windows Password Security
SecurityFocus has a great article on Windows password security. Among other things, it addresses the real implications of the weaknesses of LanMan and NTLMv2, and a way you can use that to your advantage:
if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.
And I remember creating my first Alt+255 password years ago. It was a pain to enter, and the author makes a good point:
It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character’s ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>…. creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Might it be time to take a glance at your policy to see if your standards still make sense?
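One concrete way to act on the LM hash point above is to audit a password-hash dump for it: the constant quoted from the article is two copies of AAD3B435B51404EE, the LM hash of an empty 7-character half, so the full constant means LM storage is off, the password is empty, or it is 15 characters or longer, while the constant appearing only in the second half means the password is at most 7 characters. The script below is an added example, not code from the SecurityFocus article or this post; the pwdump-style input lines are constructed, and 31D6CFE0D16AE931B73C59D7E0C089C0 is the well-known NT hash of an empty password, used here to separate empty passwords from long ones.

```python
# Added example: audit a pwdump-style dump (user:rid:lmhash:nthash:::) for
# LM-hash exposure, using the constant quoted in the post above.
NULL_LM_HALF = "AAD3B435B51404EE"      # LM hash of an empty 7-char half
NULL_LM_HASH = NULL_LM_HALF * 2        # the constant quoted above
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of ""

# Constructed sample dump; every hash here is made up except the constants.
SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:0123456789ABCDEF0123456789ABCDEF:0011223344556677889900AABBCCDDEE:::
dave:1004:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""

def classify(lm_hash, nt_hash):
    """Return a verdict for one account's LM/NT hash pair."""
    lm, nt = lm_hash.upper(), nt_hash.upper()
    if lm == NULL_LM_HASH:
        if nt == EMPTY_NT_HASH:
            return "empty-password"   # both hashes are of "": no password at all
        return "lm-null"              # LM disabled or password is 15+ chars: good
    if lm[16:] == NULL_LM_HALF:
        return "lm-short"             # second half empty: password is <= 7 chars
    return "lm-present"               # full LM hash stored: crackable per 7-char half

def audit(dump_text):
    """Parse pwdump lines and map each user to its verdict."""
    results = {}
    for line in dump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or len(fields[2]) != 32:
            continue                  # skip malformed lines
        results[fields[0]] = classify(fields[2], fields[3])
    return results

if __name__ == "__main__":
    for user, verdict in sorted(audit(SAMPLE_DUMP).items()):
        print(f"{user:8} {verdict}")
```

Accounts reported as lm-short or lm-present are the ones where the LanMan weakness the article describes actually applies; lm-null is the state a 15-character-plus policy produces.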
Ten Windows Password Myths [SecurityFocus]
Read More: Passwords, Authentication, Windows
July 31, 2006
Hack Your Southwest Boarding Pass
A how-to on boarding early on Southwest…
…Use any HTML editor to change the “B” or “C” graphic on your saved boarding pass to the “A” graphic that you saved.
Not rocket science, but points out the inherent insecurity of boarding passes you print out yourself. I suspect it’s similarly easy with other airlines. Recently, Southwest filed suit against APassOnly.com which acted as a proxy to get you first in line boarding, so I don’t expect this site to stay up long.
How To Change A Southwest Airlines Boarding Pass From a “C” or “B” to and “A”! [boardfast.blogspot.com]
Read More: Web, Authentication, Vulnerabilities
July 28, 2006
Why Study When You Can Hack?
Counter to what the movies might say, hacking grades is not just cheating, it’s a crime:
An investigation showed the professor’s network account had been accessed without her permission and grades were assigned to nearly 300 students, prosecutor Robert Fratianne said.
I bet they just guessed her password, but still, there are more legal ways to cheat.
Students face 1 year in jail for hacking [Yahoo News / AP]