Archive for September, 2007

Sep 30 2007

Malicious code insertion in WordPress

Published by Kim Haverblad under Security

I finally got around to upgrading to the latest WordPress (version 2.3), and I think it was highly needed, since I’ve been receiving unwanted comments posted to the blog from unregistered users.

The vulnerabilities reported in WordPress let malicious users conduct script insertion attacks and SQL injection attacks. The advisory states that they affect WordPress prior to 2.2.3 and WordPress MU prior to 1.2.5a.

Either there is a new vulnerability in WordPress, or a similar vulnerability also works against version 2.2.3. So if you haven’t upgraded yet, the recommendation is to download the latest version as soon as possible.

Kim Haverblad


Sep 08 2007

Could Russian hackers take down Denmark?

Published by Kim Haverblad under Security

The Danish security firm CSIS was taken down last week by a massive attack by Russian hackers, who used a zombie network to perform a denial of service attack against them. The best guess as to why they were attacked is that they accidentally scanned botnet servers and were probably attacked as a counter-measure.

Several other Danish security organisations are now afraid that similar attacks will be aimed at more sensitive targets such as large Danish ISPs or governmental institutions. Shehzad Ahmad from DK Cert even suggests that the entire Danish internet could be taken down by an attack like the one aimed at CSIS, but on a larger scale.

The reason Shehzad Ahmad claims that Denmark could easily be taken down is that the Russian zombie network has been estimated to consist of 1.7 million zombie computers, and that it only took around 20,000 zombie computers to take down the central part of the Estonian internet.

But on what grounds does DK Cert base the assumption that there would actually be any interest in taking down the entire Danish internet? And would the attackers really waste all 1.7 million bots on one attack? No, I don’t think so. It’s all about making money. Quite a few of the bots are being used for sending spam, and once in a while one can find ads at sites such as bulkerforum.biz where 1000 bots sell for as little as 20-30 USD. So for 200-300 USD you could finance your own little cyber attack with 20,000 bots and take down a small country! Or?

Kim Haverblad

Note: For more reading, see Jyllands-Posten.dk. Update: IDG.se and PC World also have some reading about trojans for sale.


Sep 07 2007

Disturbed & deranged security

Published by Kim Haverblad under Security

By now I guess that no one has missed the embassy password hack that was pulled off by a Swedish individual. I’m saying individual since I don’t believe in the way the entire affair was handled, or should I say mishandled? Based on what the Swedish IT tabloid press has written about this case, there were several attempts to contact a few embassies, but they had no interest in taking up a dialogue… D’oh! Come on! Why wasn’t there a more formal attempt to contact the embassies via the Swedish Ministry for Foreign Affairs? Why was there no attempt to document and publish the vulnerability via any of the major vulnerability lists available? Also, reading other comments about this story, the majority, at least in Sweden, is quite negative about how the information gained was handled. They should be! Next time it could be information from any of the major Swedish companies (or those of any other country, for that matter) that gets leaked out this way to prove a point about a security flaw.

Deranged security? Yes, it sure is! But who has the most deranged mind when it comes to the ethics and morals of handling sensitive information?

Kim Haverblad

Note: For more reading, check the following stories at Security Focus, Computer Sweden and Computer World.


Sep 05 2007

Risk Management isn’t prioritised enough

Published by Kim Haverblad under Security

One thing that I’m quite often astonished about is how low awareness is when it comes to risk management and where it can and should be applied. So when I read an interview in Computer Sweden with Thomas Djurling of FRA (the National Defence Radio Establishment), where he says that Swedish companies are naive when it comes to industrial espionage, I couldn’t agree more. But I clearly don’t agree that Swedish governmental organisations such as FRA, SÄPO (the Swedish Security Service) and SITIC (part of the National Post and Telecom Agency, PTS) should offer these services to the public, since there are quite a few other security vendors on the Swedish market that have the proper knowledge.

The problem is rather that knowledge and awareness of how to handle risk management is quite low, and if FRA, SÄPO or SITIC should offer their services at all, my suggestion would be to focus on their own domain, i.e. governmental institutions. FRA’s own home page, for example, clearly describes their mission:

FRA is also engaged in information assurance. On demand, we support government authorities and state owned companies regarding current IT threats as well as general advice to improve security.

The problem is that it says on demand; what about a mandatory security audit every year or every second year? Today it’s up to the local authorities whether they want to perform a security audit or not, and the audit material I’ve seen is often focused on technical aspects. To be fair, I’ve also seen great efforts at implementing security standards, but the difference between governmental organisations is way too big.

I’ve seen many government authorities and state-owned companies that lack a properly implemented awareness program. Risk can’t be eliminated, but it can be minimized to a level the organisation can accept. It’s all about how much resource you’re willing to put in. When speaking about risk most people think security, and when speaking about IT security most people think firewalls, anti-virus and so on. Also, when speaking about changes within an organisation, for example changing a procedure or implementing a new process, it’s quite common that no kind of risk analysis is done to see how a failure to implement the change would affect the organisation. The failure itself can be that the procedure is badly documented, so that the users or employees don’t know how to act in a certain situation. This in turn can lead to employees being unable to fulfil their duties, and thereby to a monetary loss. Of course it’s not always about monetary losses, since risk also includes for example negative publicity in the media or employees losing faith in the company – try defining the monetary value of that!

It’s all about identifying, minimizing and accepting the risk that can be found in all activities and assets in an organisation; if this can’t be accepted, there is a serious problem.

Kim Haverblad

Note: For more reading about this topic, please check the article at Computer Sweden (Swedish).


Sep 05 2007

Volvo key encryption cracked

Published by Kim Haverblad under Security

Quite recently there have been a number of articles about how the KeeLoq cipher has been cracked, using a new method that speeds up the key-cracking process 500 times. Basically, what Eli Biham, Orr Dunkelman, Sebastiaan Indesteege, Nathan Keller and Bart Preneel have shown is that by sniffing the communication between the remote key and the car they can collect the data needed to crack the cipher. In their case all they need is access to the key token for one hour to send challenge/response queries to it, and with the collected data it took them around one day to crack the key.

KeeLoq is a cipher distributed by Microchip Technology Inc. and used in several car manufacturers’ anti-theft mechanisms. It may still be protecting your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen or Jaguar. The cipher itself is included in the car’s remote key fob, and similar solutions can also be found in garage doors, security gates, etc. It has been used quite widely because the hardware needed to produce this kind of key token is really cheap.

The biggest issue is that recovering one KeeLoq key also leaks the master key, and by that this cipher is now severely damaged, since sooner or later there will be public code to perform this kind of trick yourself. Microchip Technology has so far chosen not to comment, and the team behind the discovery will not release the full report before they’ve talked to Microchip.
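To make concrete what the challenge/response exchange above involves, here is an added example (not code from the paper, from Microchip or from this blog) of the publicly documented KeeLoq block cipher, together with a simplified model of a token answering a car’s 32-bit challenge. The device key and challenge are constructed sample values, and the exchange is a simplified model rather than any particular chip’s protocol.

```c
#include <stdint.h>
#include <stdio.h>
/* KeeLoq: 32-bit block, 64-bit key, 528 rounds of a non-linear feedback shift register.
 * KEELOQ_NLF is the 5-input non-linear function stored as a 32-bit lookup table and
 * G5 picks the five state bits that index into it. */
#define KEELOQ_NLF 0x3A5C742Eu
#define BIT(x, n) (((x) >> (n)) & 1u)
#define G5(x, a, b, c, d, e) (BIT(x, a) | (BIT(x, b) << 1) | (BIT(x, c) << 2) | (BIT(x, d) << 3) | (BIT(x, e) << 4))

uint32_t keeloq_encrypt(uint32_t data, uint64_t key)
{
    uint32_t x = data;
    for (int r = 0; r < 528; r++) {
        /* Feedback bit: two state bits, one key bit (cycling through all 64), one NLF bit. */
        uint32_t fb = BIT(x, 0) ^ BIT(x, 16) ^ (uint32_t)BIT(key, r & 63) ^ BIT(KEELOQ_NLF, G5(x, 1, 9, 20, 26, 31));
        x = (x >> 1) | (fb << 31);
    }
    return x;
}

uint32_t keeloq_decrypt(uint32_t data, uint64_t key)
{
    uint32_t x = data;
    for (int r = 0; r < 528; r++) {
        /* Undo encryption round 527 - r, so key bits are consumed in reverse order. */
        uint32_t fb = BIT(x, 31) ^ BIT(x, 15) ^ (uint32_t)BIT(key, (527 - r) & 63) ^ BIT(KEELOQ_NLF, G5(x, 0, 8, 19, 25, 30));
        x = (x << 1) | fb;
    }
    return x;
}

/* Simplified model of the challenge/response (IFF) exchange the post refers to:
 * the car sends a 32-bit challenge, the token returns it encrypted under the
 * shared device key, and the car accepts if it decrypts back to the challenge. */
uint32_t token_respond(uint32_t challenge, uint64_t device_key)
{
    return keeloq_encrypt(challenge, device_key);
}
int car_verify(uint32_t challenge, uint32_t response, uint64_t device_key)
{
    return keeloq_decrypt(response, device_key) == challenge;
}
int main(void)
{
    const uint64_t key = 0x5CEC6701B79FD949ull; /* constructed sample device key */
    const uint32_t chal = 0xF741E2DBu;          /* constructed sample challenge */
    uint32_t resp = token_respond(chal, key);
    printf("challenge %08X -> response %08X accepted=%d\n", (unsigned)chal, (unsigned)resp, car_verify(chal, resp, key));
    return 0;
}
```

Each challenge/response pair observed on the air is one plaintext/ciphertext pair under the device key, which is the kind of data the post says the researchers collect during their hour of access to the token.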

I wonder what the car insurance companies have to say about this if a car gets stolen without any trace (I’m already smelling car fraud attempts).

Kim Haverblad

Note: For more reading there are several sources to download papers from, so here are a few suggestions: www.cosic.esat.kuleuven.be/keeloq/ and the cryptanalysis by Andrey Bogdanov and Nicolas Courtois.
