Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning.

hehehe.... The problem with a lot of automated tools that try to respond to attacks is that an attack can trigger them intentionally. Dropping in a firewall rule to block anyone who port scans you? Why don't I spoof a port scan from your favorite website? Even worse is the idea of automatically retaliating. Retaliating security software is Texan for distributed denial of service zombie.

Leveraging automated attack response

The latest (February 6) issue of Newsweek has a picture on page 39 of
George Bush visiting the NSA headquarters in Fort Meade. A wall-sized
screen in the background displays the latest versions of our favorite
open source security tools, including Nmap, Metasploit, Snort
Ethereal, Cain & Abel, and Kismet. Nifty.

Fyodor's nmap scanner makes another cameo appearance, this time its not with Trinity in the Matrix, but with George Bush in a press conference at the NSA.

Nmap Development: NSA tracking open source security tools

Here's where the reality meter goes into overdrive. VeriSign is also the company that sells about half of the net's SSL certificates for "secure ecommerce [4]." These SSL certificates are what presumptively protect connections between consumers and merchants. It is claimed that a certificate that is signed by a certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing.

A further irony is that VeriSign also runs the domain name system for the .com and the .net domains. So, indeed, they do have a hand in the business of domain name spoofing;

The point here is that, on the one hand, VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping.

It's not just SSL certs and the .net/.com domains VeriSign is being trusting with anymore. The ability to tap mobile phone calls is on the slate now too. VeriSign is a wolf in wolf's clothing. I can't think of any reason to trust them, and they are positioned in a way where there is no choice or recourse other than to deal with them. They are a perfect example of a(n even more) major problem waiting to happen.

Financial Cryptography: VeriSign's conflict of interest creates new threat

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity.

In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.

John Markoff has a story on this today.

Ha... They were using old school dtmf techniques to detect call status! Thats a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them. U: I just read the paper. Apparently there IS no good reason they are using inband signals. Its a good paper. Read it.

Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't... U: The paper seems to allude to this suspicion as well...

Blue Boxing Wiretapping Systems

JS/UIX is an UN*X-like OS for standard web-browsers, written entirely in JavaScript (no plug-ins used). It comprises a virtual machine, shell, virtual file-system, process-management, and brings its own terminal with screen- and keyboard-mapping.

File under "stupid web tricks". This is neat, but I can't think of a single useful application.

A more advanced security model for Javascript in web browsers is necessary. I have no idea what this adds to the argument.. Aside from the fact that it's a good example of how you can do much more with Javascript then is widely understood. Acidus has been doing some interesting research in this space. I look forward to the point when he can quit being tight-lipped and share some of the stuff he has come up with. It's the kind of stuff that will send a shockwave through the security and web development community.

JS/UIX - Unix implemented in Javascript

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

Sony has gone very far over the line here. I will happily join in the chorus of people screaming lawsuit. Letting this one go would establish the premise that it's acceptable for the media industry to violate your property in order to protect theirs. That approach can only lead to worse problems.

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

MySpace has gotten hit with the first XSS worm to target social networking sites. Here is some analysis from Acidus:

Basically the worm was XSS embedded in someone’s profile on MySpace. When someone would view the profile, they would execute the Javascript in their own browser. The payload of the XSS was Ajax which would make GET and POST requests to MySpace, adding the XSS Payload to that user’s profile. This spreads the worm!

As with most worms using a new attack vector, this was harmless, adding the message “samy is my hero” to each infected profile along with the XSS payload.

Acidus has also posted the source code of the XSS Payload, and says he plans to post a more detailed analysis later.

BetaNews | Cross-Site Scripting Worm Hits MySpace

Aug. 16 - Last year a Chinese mathematician, Xiaoyun Wang, shook up the insular world of code breakers by exposing a new vulnerability in a crucial American standard for data encryption. On Monday, she was scheduled to explain her discovery in a keynote address to an international group of researchers meeting in California.

But a stand-in had to take her place, because she was not able to enter the country. Indeed, only one of nine Chinese researchers who sought to enter the country for the conference received a visa in time to attend.

"It's not a question of them stealing our jobs," said Stuart Haber, a Hewlett-Packard computer security expert who is program chairman for the meeting, Crypto 2005, being held this week in Santa Barbara. "We need to learn from them, but we are shooting ourselves in the foot."

A policy designed to protect national security by preventing technology transfer from the US to China has actually hurt national security by preventing technology transfer from China to the US. If you know someone at State tell them to read this article. This matter is very serious and they should have made an exception in this case and gotten the visas in time.

Chinese Cryptologists Get Invitations to a US Conference, but No Visas

] I'm Stratton, the CEO. This is a picture of me on the
] left. Nice tie eh?

IDN spoofing Verisign parody example

Essentially the issue is that you can register domain names using international character sets that look exactly like English, and obtain SSL certificates for them, and it is extremely difficult for the end user to be able to tell that he/she isn’t dealing with the English website. Working example of https://www.paypal.com/ demonstrated.

Shmoo DNS attack