Oct
14
Don’t Panic – WiFi is not Broken!
Filed Under Computers, Security on October 14, 2008 | Leave a Comment
A worrying-looking article declaring the end of WiFi security as we know it made it onto Slashdot yesterday. The article reads as alarming, but it doesn’t seem to stand up to the test of reality. The smack-downs are impressive:
- George Ou – Debunking the latest fear mongering news on WPA security
- Robert Graham – WPA is NOT obsolete
- Rich Mogull – Your WPA-PSK Wireless Network Is At Risk… If You Are An Idiot
Oct
12
Protecting Yourself from Click Jacking
Filed Under Computers, Security, The Internet on October 12, 2008 | 17 Comments
‘Click Jacking’ is the latest browser-based security problem to crawl out of the woodwork. Since it’s entirely browser-based it affects everyone, regardless of their OS; not even Linux users are safe from this one! This is a cross-browser problem and also affects Flash. The technical details have not been released yet, but there is a proof-of-concept exploit doing the rounds. The basic idea is very simple: trick people into clicking on something you want them to click on but they don’t want to click on. From what I’ve been able to piece together from reading various blog postings and reports, the attack uses CSS and iFrames to place invisible content over visible buttons or links. When the user clicks the button or link they see, the click gets diverted to whatever is in the invisible layer above it instead. If you can do it by clicking the mouse, then you can be tricked into doing it with Click Jacking.
Sep
16
Apple Finally Fix DNS Flaw
Filed Under Computers, Mac, Security on September 16, 2008 | 1 Comment
It's taken them months, but Apple have finally caught up with the rest of the world and patched the critical DNS flaw disclosed in early June. This is Apple's second attempt at patching it; they did a very poor job on their first attempt, but thankfully they seem to have gotten it right this time. It's taken Apple over three months to patch OS X, which is totally ridiculous considering Apple uses the standard ISC implementation for both their DNS server and DNS resolver in OS X. ISC released patches on the 8th of June; it took Apple till the 15th of September to get their update out!
For a more detailed look at the two major security updates Apple released in the last few days (one for iPhone/iPod Touch, and one for OS X 10.5 and 10.4) check out my analysis on the IMP blog.
Technorati Tags: IMP, DNS, Apple, OS X, security, vulnerability
Aug
27
Mobile Me – A Polished Turd?
Filed Under Computers, Mac, Security on August 27, 2008 | 3 Comments
The problem with .Mac (the previous name for Mobile Me) was never the concept, nor was it what was promised; the problem was always the implementation. I expressed my views on .Mac back in January 2007 in a post entitled ".Mac - The Devil is in the Implementation", and nothing has really changed since. I had high hopes that Mobile Me would finally give us the .Mac we'd always wanted. If all Mobile Me had been was a working version of .Mac without any new functionality it would have been great! However, since its launch Mobile Me has just been one disappointment after another. Things started badly when it took them days to get the system even remotely stable, got worse when they permanently lost thousands of people's email, and didn't improve at all when we found out Apple had lied to us about push.
Technorati Tags: Apple, Mobile Me, .Mac, iDisk, security
Aug
7
DNS Flaw Update
Filed Under Computers, Mac, Security on August 7, 2008 | 1 Comment
I listened to Dan Kaminsky's Black Hat talk on the DNS flaw he discovered this afternoon (it's on the web). I was disappointed by the lack of technical details, particularly about the client attacks, but it did answer some of my questions. For me the biggest deal was that yes, clients are vulnerable, and yes, clients do need to use port randomisation. This is what Apple failed to do in their latest update, and what Apple now need to do ASAP. Dan described the server flaw as being like a nuke, and the client flaw as being like a sniper: both will kill you if they hit you, but you defend against the nukes first, hence the focus on servers.
Another key point is that this is a temporary fix, not a permanent fix. By adding in source port randomisation we've bought ourselves some more time, probably a few years, but as networks continue to get faster, even this boost of entropy will cease to be enough. There are two permanent fixes, but neither is easy to deploy, and since DNS is a global system it will take time, and probably the patience of a saint, to get either implemented. At the core of the problem is the fact that DNS uses UDP, which is a connectionless protocol, making it easy to spoof packets. One way around this is so-called DNSSEC, which extends the current DNS architecture to use certificates to authenticate responses. Another solution would be to switch DNS from UDP to TCP. Both sound simple, but no change to DNS is simple, and if you get it wrong you literally kill the internet!
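To make the "boost of entropy" concrete, here is an added example (not part of the original post) that classifies a resolver's observed UDP source ports and estimates how many bits a spoofed response would have to match. The function names, the sample port lists and the step threshold of 16 are assumptions made for illustration, and the span-based estimate is only a rough approximation.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

# Constructed samples: UDP source ports seen on successive queries.
FIXED = [53] * 8
INCREMENTING = [32768, 32769, 32770, 32771, 32772, 32773, 32774, 32775]
RANDOMISED = [1024, 40211, 17333, 65535, 2048, 33000, 51234, 9000]


def classify_ports(ports):
    """Label a resolver's source-port behaviour from an ordered sample."""
    if len(set(ports)) == 1:
        return "fixed"
    # Step between consecutive ports, wrapping at 16 bits.
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if max(steps) <= 16:  # assumed threshold for "small, predictable steps"
        return "incrementing"
    return "randomised"


def port_bits(ports):
    """Rough bits of unpredictability the source port adds."""
    if classify_ports(ports) != "randomised":
        return 0.0  # a predictable port adds nothing to guess
    span = max(ports) - min(ports) + 1
    return math.log2(span)


def guess_space_bits(ports):
    """Transaction ID bits plus whatever the source port contributes."""
    return TXID_BITS + port_bits(ports)


def report(name, ports):
    return f"{name}: {classify_ports(ports)}, ~{guess_space_bits(ports):.1f} bits"


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("incrementing", INCREMENTING),
                         ("randomised", RANDOMISED)]:
        print(report(name, sample))
```

A resolver that reports "fixed" or "incrementing" is relying on the 16-bit transaction ID alone, which is the situation the patches were meant to end.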
Bottom line, we haven't heard the last of this yet, not nearly!
Technorati Tags: security, DNS, Blackhat, Kaminsky
Aug
2
The Apple DNS Saga Continues
Filed Under Computers, Mac, Security on August 2, 2008 | 1 Comment
Yesterday Apple released security update 2008-005, which was supposed to fix the DNS flaw I recently complained about Apple not having fixed yet. Well, it appears that Apple only half-fixed the problem. Yes, they have fixed the BIND DNS server in OS X, but in reality that only protects Xserves running a DNS server. Sure, regular OS X ships with the BIND DNS server installed, but it's not on by default, and almost no one turns it on. What we all use all the time is the stub resolver that's part of OS X, and that's what Apple didn't fix. This means that regular Mac users are still not protected from this DNS flaw while just about everyone else is.
Technorati Tags: Apple, OS X, DNS, vulnerability, security
Jul
30
OS X Users Vulnerable – Apple Still Don’t Get Security
Filed Under Computers, Mac, Security on July 30, 2008 | 26 Comments
One of the things I really love about OS X is its Unix underpinnings. Under the hood we get all the *nix tools and utilities I've come to know and love. Printing with CUPS, remote shell with OpenSSH, Windows sharing with SAMBA, web publishing with Apache, and so on and so forth. This gives OS X great power, but it also places a great responsibility on Apple. Just like with any other software, vulnerabilities surface in open source programs. In general the open source community is very responsive to security issues, and patches are released quickly. Those patches protect those who update, but they leave those who don't even more vulnerable. The reason for this is that the patches can generally be reverse engineered, making it easy for the bad guys to attack un-patched machines. In order to keep OS X secure Apple need to push out patches for the open source components in OS X to users as quickly as possible. This is where Apple fall down: they are notoriously slow at getting patches out.
Technorati Tags: Security, OS X, Apple, DNS, open source, BIND
Jul
22
Time’s Up – DNS Flaw Leaked
Filed Under Computers, Security on July 22, 2008 | Leave a Comment
A few weeks back I posted about how there was a major flaw in DNS and how the details were being kept secret to give everyone time to patch. I did say that it would be a matter of when this got out, and not if. When turns out to be today. Details of the flaw were accidentally published on a blog and then un-published, but once information gets out onto the net it's out. There's no way to put that genie back into the bottle. I was able to find the details of the flaw, so if I can, the bad guys certainly can!
If you haven't done so already, go to www.doxpara.com and click the button to check your DNS server.

Jul
13
Major DNS Flaw – Do You Trust Your ISP?
Filed Under Computers, Linux, GNU & FOSS, Mac, Security, The Internet, Windows on July 13, 2008 | 4 Comments
This week it was announced that one of the core protocols that holds the internet together is fundamentally flawed. The problem is not with someone's implementation of the protocol, but with the actual protocol itself. It's hard to overstate just how big a deal this is. At the moment the details of the vulnerability are being kept secret to give the world time to patch, but you can get some technical information from the advisory issued by US-CERT. On Tuesday all the major DNS server vendors released patches at the same time. This is unheard of; nothing like this has ever happened before in the history of the internet. That alone should bring home just how big this is.
Although the good-guys have successfully kept the details of the flaw secret to date, despite the large numbers of organisations involved, the reality is that the bad guys are frantically trying to figure this out as I type. It's not a matter of if they'll figure it out, but when. The security community have bought us time. That time should not be squandered, but used to protect the internet as a whole, and to protect ourselves.
Jul
1
The Uncomfortable Truth About Trojans
Filed Under Computers, Mac, Security on July 1, 2008 | 5 Comments
Although it is true that some Trojans use vulnerabilities like the current ARDAgent vulnerability to gain root access, they do not need to. The core message about Trojans is getting lost amidst all the talk about plugging this vulnerability. Even if there was not a single vulnerability in OS X we would be at the mercy of Trojans. That's the whole point of Trojans. Any program you run can do anything you can do. Let's think about that for a moment: what can you do on your system without needing a password? Here's a short list for starters:
- You can run programs.
- You can read, edit, and delete files.
- You can use the network.
- You can set programs to auto-start each time you log in.
Remember, a Trojan is just an ordinary program that pretends to do something you want, but actually does something else. It could delete all your files. It could run a key logger and phone home with your credit card number, user names and passwords, bank details etc. It could use your machine to send spam. It can set itself to automatically run each time you log in and continue with its nefarious actions. It can do all this WITHOUT the need to exploit a single vulnerability in your OS or your software. If you can do it, a Trojan can. Think about that for a second: it's not a comforting thought!
Technorati Tags: security, OS X, Mac, Trojan
