InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘vulnerability’ Category

Global InfoSec Surveys and Adobe Reader Vulnerabilities

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

Ernst & Young’s 2008 Information Security Survey

EY released their Global Information Security Survey 2008 a few weeks ago. The survey was conducted from June 6 – August 1, 2008, in more than 50 countries and with nearly 1,400 participating organizations.

Some of the key findings were:

  • Protecting reputation and brand has become a significant driver for InfoSec
  • People remain the weakest link
  • International InfoSec standards are gaining greater acceptance
  • Growing third-party risks are not being addressed
  • Business continuity still bound to IT

Another notable finding is that despite the current period of economic pressure and slowed growth, only 5% of respondents indicated a planned reduction in InfoSec expenditures, while 50% were planning to increase their investment in InfoSec. This is supported by similar numbers from CIO Magazine, CSO Magazine and PWC’s Global State of Information Security Survey 2008 (pdf, 2.79 MB). Key highlights are stated here, and another summary can be found in a NetworkWorld.com article.

For more information about the survey, click here. If you want a pdf copy of Ernst & Young’s 2008 Global Information Security Survey (1.42 MB) click here. For other informative pdfs from Ernst & Young regarding InfoSec, check out their Technology and Security Risk Services page.


Adobe Reader vulns remind us why updating ASAP matters

What I mean by ASAP here is after the correct patch management or change management procedures have been done. Patching/updating with no concern for proper procedures can easily lead to downtime and possibly even more vulnerabilities.

I’m saying this after the SANS Internet Storm Center came across PDF files that exploited the recently found JavaScript buffer overflow vulnerability. They also noted that at the time of writing (Nov 7, 2008) NO ANTI VIRUS could detect the malicious PDF.

However, had you updated your Adobe Reader to version 9 (Windows systems) a few weeks back, you wouldn’t even need to think of the problem.

Posted in ISMS, News, vulnerability

Wireless Hacking part 2

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

Yesterday, I had a post on Using Nmap to detect Rogue Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages of wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

For the history buffs, there is A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

News from SC Magazine US, SecurityFocus.com and Heise Security just came out that WPA can now be cracked in around 15 minutes.

The SecurityFocus.com news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng tool suite.

I remember a few months ago the Risky Business podcast interviewed the maker of the Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework, which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and it’s automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.
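A defensive sketch of the behaviour described above, added here as an example (not code from the original post or from the KARMA or Metasploit projects): because such an AP answers probe requests for any requested network, a wireless sensor can flag a BSSID that sends probe responses for many unrelated SSIDs, or for a canary SSID that exists nowhere. The frame tuples, the function name `find_promiscuous_aps`, the canary SSID and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (frame_type, bssid, ssid) records as a wireless sensor
# might log them. Every MAC address and SSID here is made up.
FRAMES = [
    ("beacon",     "00:11:22:33:44:55", "CorpWLAN"),
    ("probe_resp", "00:11:22:33:44:55", "CorpWLAN"),
    ("beacon",     "66:77:88:99:AA:BB", "CoffeeShop"),
    ("probe_resp", "66:77:88:99:aa:bb", "CoffeeShop"),
    ("probe_resp", "02:de:ad:be:ef:01", "CorpWLAN"),
    ("probe_resp", "02:de:ad:be:ef:01", "HomeNet-4821"),
    ("probe_resp", "02:de:ad:be:ef:01", "AirportFreeWiFi"),
    ("probe_resp", "02:de:ad:be:ef:01", "canary-7f3a9c"),
]

def find_promiscuous_aps(frames, canaries=(), max_ssids=2):
    """Return {bssid: [reasons]} for APs that answer for too many networks.

    canaries:  SSIDs the sensor itself probes for and that exist nowhere;
               a genuine AP never answers for them.
    max_ssids: most distinct SSIDs one BSSID may legitimately answer for
               (assumed threshold; raise it for multi-SSID enterprise APs).
    """
    answered = defaultdict(set)   # bssid -> SSIDs seen in probe responses
    beaconed = defaultdict(set)   # bssid -> SSIDs the AP advertises itself
    for frame_type, bssid, ssid in frames:
        bucket = answered if frame_type == "probe_resp" else beaconed
        bucket[bssid.lower()].add(ssid)

    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        hits = sorted(ssids & set(canaries))
        if hits:
            reasons.append("answered canary SSID: " + ", ".join(hits))
        if len(ssids) > max_ssids:
            hidden = len(ssids - beaconed[bssid])
            reasons.append(f"answered for {len(ssids)} SSIDs, "
                           f"{hidden} never beaconed")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for ap, why in find_promiscuous_aps(FRAMES, {"canary-7f3a9c"}).items():
        print(ap, "->", "; ".join(why))
```
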

If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on Wireless security foiled by new exploits just might do the trick. They interviewed Joshua Wright, who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at Black Hat this year. In case you’ve never heard of the “Wall of Sheep”, it’s a wall with a projection of usernames and part of the passwords of users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using https by default, but just for log-on) through the use of replay attacks. Apple iPhones and Windows Mobile phones have also shown up.

Since you’ll want to save some of the information from the KARMA+Metasploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One, which retails for around $350, and the Lenovo Ideapad S10, which retails for around $400, would both be great for this.

Since it’s related, there’s an On Demand Webcast sponsored by Nokia on Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward to (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.

Posted in ISMS, News, Philippines, vulnerability, Wireless

Obama and McCain Campaign Computers Hacked

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

Newsweek reports that both the Obama and McCain camps had computers that were hacked. This is apparently also around the time Gov. Palin’s Yahoo account got hacked (details of how the hacker got into Palin’s account are here). SecurityFocus reports on the hack here.

On a related topic, SCMagazineUS reports that hackers began spreading malware soon after Obama got elected. In the typical bait-and-switch method of social engineering, spam e-mails that were supposed to contain a link to Obama’s “amazing speech” were actually links to trojans.

New critical vulnerabilities were found for the popular VLC media player. However, the Windows version has not been updated to close the said vulnerabilities. Workarounds can be found in a Heise Security report.

Heise Security also reports that the BotHunter tool has been updated with the new features listed here. The tool helps network administrators find out if their network has zombie computers.

There are now more worms that exploit the MS08-067 Critical vulnerability that was reported last month. So if your Windows system uses the “Server” service, you’ll hopefully have it patched soon. Home users who do not need this dis-service can easily disable it by going to services.msc while using their Admin account.

Posted in News, vulnerability