<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Running Tally &#187; Security</title>
	<atom:link href="http://www.TheRunningTally.com/category/technology/software/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.TheRunningTally.com</link>
	<description>My daily finds on technology, gadgets, and random crap!</description>
	<lastBuildDate>Mon, 22 Mar 2010 15:35:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>SQL Injecting Car</title>
		<link>http://www.TheRunningTally.com/2010/03/sql-injecting-car/</link>
		<comments>http://www.TheRunningTally.com/2010/03/sql-injecting-car/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 15:35:14 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Humor]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Car]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[SQL]]></category>
		<category><![CDATA[Street Camera]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=683</guid>
		<description><![CDATA[I saw this on Gizmodo today and just had to repost it. The humor of it, even if it doesn&#8217;t work, is just too great. I mean what a great idea! In theory the car is using an SQL injection to drop the picture of the car. You have to give it to some people, [...]]]></description>
			<content:encoded><![CDATA[<p>I saw this on Gizmodo today and just had to repost it.  The humor of it, even if it doesn&#8217;t work, is just too great.  I mean what a great idea!</p>
<p><img src="http://www.TheRunningTally.com/wp-content/uploads/2010/03/500x_for_traffic_cameras.jpg" alt="500x_for_traffic_cameras.jpg" border="0" width="500" height="375" /></p>
<p>In theory the car is using an SQL injection to drop the picture of the car.  You have to give it to some people, that is human ingenuity at its best! </p>
<p>(Via <a href="http://gizmodo.com/5498412/sql-injection-license-plate-hopes-to-foil-euro-traffic-cameras">Gizmodo</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2010/03/sql-injecting-car/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Snow Leopard Adds Anti-Malware</title>
		<link>http://www.TheRunningTally.com/2009/08/snow-leopard-adds-anti-malware/</link>
		<comments>http://www.TheRunningTally.com/2009/08/snow-leopard-adds-anti-malware/#comments</comments>
		<pubDate>Wed, 26 Aug 2009 15:33:30 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[iWork]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Snow Leopard]]></category>
		<category><![CDATA[Trojan]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=639</guid>
		<description><![CDATA[This is an interesting addition to the new OS X release.  Although no one really knows what it does exactly, it does offer an interesting glimpse of how things are changing for Apple.  Here is a short write-up I found: We’ve gotten reports about an interesting feature in Snow Leopard, the new version of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-638" title="mac-os-x-snow-leopard" src="http://www.TheRunningTally.com/wp-content/uploads/2009/08/mac-os-x-snow-leopard-300x300.jpg" alt="mac-os-x-snow-leopard" width="300" height="300" /></p>
<p>This is an interesting addition to the new OS X release.  Although no one really knows what it does exactly, it does offer an interesting glimpse of how things are changing for Apple.  Here is a short write-up I found:</p>
<blockquote><p>We’ve gotten reports about an interesting feature in Snow Leopard, the new version of Mac OS X due for release this Friday. According to reports we’ve seen – and the screen shot below – Snow Leopard contains an antimalware feature.<br />
<img src="http://blog.intego.com/images/snowav.jpg" alt="" /></p>
<p>We’re not sure yet exactly how this works, but the above screen shot shows this feature working with a download made via Safari, detecting a version of the RSPlug Trojan horse in a downloaded disk image.</p>
<p>We’re naturally curious about this feature, and about how thorough it is. As soon as we can find out more, we’ll post an article here. We wonder just how serious Apple thinks the malware threat is, especially since their latest <a href="http://www.apple.com/getamac/ads/">Get a Mac ads</a> highlight the fact that PCs running Windows suffer from viruses…</p></blockquote>
<p>There are several things that I can see this stemming from.  Probably the most notorious was the <a href="http://gizmodo.com/5137161/torrented-copies-of-iwork-09-come-laced-with-a-nasty-os-x-trojan">iWork 09 that came with a nice trojan.</a> While it is a horrible reality that companies are having to take extra steps to protect their product from illegally downloaded torrents, I applaud them for taking the first step at least.</p>
<p>(Via <a href="http://blog.intego.com/2009/08/25/snow-leopard-contains-an-antivirus/">Mac Security Blog</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/08/snow-leopard-adds-anti-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rootkits in OS X</title>
		<link>http://www.TheRunningTally.com/2009/07/rootkits-in-os-x/</link>
		<comments>http://www.TheRunningTally.com/2009/07/rootkits-in-os-x/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 14:42:09 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[rootkit]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=627</guid>
		<description><![CDATA[Even as a Mac user myself, I find myself thinking there is no need to worry about viruses and malware. Being in the security industry I know it is an absolutely ludicrous thought, but the chances are low enough that I just push the idea to the side. Most people would say that the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-632" title="apple-worm" src="http://www.TheRunningTally.com/wp-content/uploads/2009/07/apple-worm-300x241.jpg" alt="apple-worm" width="300" height="241" /></p>
<p>Even as a Mac user myself, I find myself thinking there is no need to worry about viruses and malware.  Being in the security industry I know it is an absolutely ludicrous thought, but the chances are low enough that I just push the idea to the side.  Most people would say that the lack of exploits is mostly due to the low market share of the Mac, but sales are up, and we are seeing malware and even a talk about it at <a href="http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Daizovi">Black Hat</a> this year.</p>
<blockquote><p>&#8220;Most of the existing research (into) rootkits for OS X essentially take older Unix-based ideas and port them to OS X,&#8221; Dai Zovi told The Register. &#8220;Mine primarily uses the unique features of OS X and this makes it harder to detect the traditional tools and techniques.&#8221;</p>
<p>As just another Mach-based operating system, OS X is chock full of instructions that make sneaky rootkits possible. And yet there&#8217;s been little documentation, so far, of exactly what they are and how they can be used. Dai Zovi&#8217;s talk aims to fill the vacuum by showing how to extend native Mach RPC mechanisms that communicate with the Mac kernel.</p>
<p>&#8220;It&#8217;s not an inherent weakness in the system,&#8221; said Dai Zovi, co-author of the Mac Hacker&#8217;s Handbook. &#8220;It&#8217;s just extending the flexibility of the microkernel-based design in a malicious direction.&#8221;</p></blockquote>
<p>I honestly haven&#8217;t looked at the code yet to see how hard the execution is.  But with inclusion into the Metasploit Project, I am scared script kiddies everywhere will be able to pull it off.</p>
<p>(Via <a href="http://www.theregister.co.uk/2009/07/20/advanced_mac_osx_rootkits/">The Register</a>.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/07/rootkits-in-os-x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Linux Kernel Attacks Using NULL</title>
		<link>http://www.TheRunningTally.com/2009/07/linux-kernel-attacks-using-null/</link>
		<comments>http://www.TheRunningTally.com/2009/07/linux-kernel-attacks-using-null/#comments</comments>
		<pubDate>Sat, 18 Jul 2009 05:51:07 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Kernel]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[NULL]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=615</guid>
		<description><![CDATA[The Register has a pretty good article on an exploit using the NULL pointer. They were even nice enough to include the code. Here is a pretty good summary: The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-614" title="kernel.jpg" src="http://www.TheRunningTally.com/wp-content/uploads/2009/07/kernel-300x225.jpg" alt="kernel.jpg" width="300" height="225" /></p>
<p><a href="http://www.theregister.co.uk">The Register</a> has a pretty good article on an exploit using the NULL pointer.  They were even nice enough to include the <a href="http://grsecurity.net/~spender/cheddar_bay.tgz">code</a>.  Here is a pretty good summary:</p>
<blockquote><p>The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn&#8217;t point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.</p>
<p>The &#8220;NULL pointer dereference&#8221; bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that&#8217;s used in test environments. The exploit works only when a security extension known as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.</p>
<p>An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component &#8211; say, a PHP application. By itself, Spengler&#8217;s exploit does not work remotely.</p>
<p>With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn&#8217;t regard the bug as a security risk.</p></blockquote>
<p>While it does take some effort, it will surely be added into a script run on Metasploit before too much longer, making it twice as dangerous.</p>
<p>(Via <a href="http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/">The Register</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/07/linux-kernel-attacks-using-null/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nmap Upgrades To 5.0</title>
		<link>http://www.TheRunningTally.com/2009/07/nmap-upgrades-to-5-0/</link>
		<comments>http://www.TheRunningTally.com/2009/07/nmap-upgrades-to-5-0/#comments</comments>
		<pubDate>Sat, 18 Jul 2009 04:44:14 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Nmap]]></category>
		<category><![CDATA[Security Focus]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=603</guid>
		<description><![CDATA[I can&#8217;t believe I didn&#8217;t even notice this when it first came out. Credit goes over to SecurityFocus for being the first to alert us on the major upgrade to Nmap. Security researcher Gordon &#8220;Fyodor&#8221; Lyon announced the release of the latest version of the popular network-exploration and security-auditing tool, Nmap, on Thursday, improving performance [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-602" title="nmap.jpg" src="http://www.TheRunningTally.com/wp-content/uploads/2009/07/nmap-300x124.jpg" alt="nmap.jpg" width="300" height="124" /></p>
<p>I can&#8217;t believe I didn&#8217;t even notice this when it first came out.  Credit goes over to <a href="http://www.securityfocus.com/">SecurityFocus</a> for being the first to alert us on the major upgrade to Nmap.</p>
<blockquote><p>Security researcher Gordon &#8220;Fyodor&#8221; Lyon announced the release of the latest version of the popular network-exploration and security-auditing tool, Nmap, on Thursday, improving performance and adding several new features.</p>
<p><a href="http://nmap.org/5/">Nmap 5.0</a> adds two new tools, Ncat and Ndiff, allowing network administrators and security practitioners the ability to transfer and redirect traffic as well as compare differences between periodic Nmap scans. Fyodor and the project&#8217;s developers have also boosted performance of the program by scanning a large part of the internet and available networks to determine the most common ports that should be scanned.</p>
<p>&#8220;Some worry that Nmap is getting too bloated, but I only agree to add things that I&#8217;m confident we can maintain well and keep secure,&#8221; Fyodor said. &#8220;Also, the extra tools Ncat, Ndiff, and Zenmap are optional, and you can even choose to compile Nmap without major features such as the Nmap Scripting Engine if you don&#8217;t need them.&#8221;</p>
<p>Nmap allows security professionals to scan networks for open ports, which typically indicate that a running application is awaiting data from the network. Unsecured ports are frequently probed by hackers looking to attack the system.</p>
<p>Nmap has become an essential part of security practitioners&#8217; toolboxes since it was released in 1997.</p></blockquote>
<p>I couldn&#8217;t agree more with that last sentence.  Nmap has really added simplicity to the quick batch scans of some complex networks.</p>
<p>(Via <a href="http://nmap.org/5/">SecurityFocus</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/07/nmap-upgrades-to-5-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firefox Plagued By Java</title>
		<link>http://www.TheRunningTally.com/2009/07/firefox-plagued-by-java/</link>
		<comments>http://www.TheRunningTally.com/2009/07/firefox-plagued-by-java/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 05:24:19 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Java]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=597</guid>
		<description><![CDATA[Java has always been the problem child in the family of web browsing. Tons of exploits, and let&#8217;s not even get into performance issues. Java continues its nuisance in Firefox. Mozilla now has some egg on their face as their two-week-old Firefox 3.5 has been identified with a remote execution exploit. Mozilla is warning [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-599" title="firefox" src="http://www.TheRunningTally.com/wp-content/uploads/2009/07/firefox-300x225.jpg" alt="firefox" width="300" height="225" /></p>
<p>Java has always been the problem child in the family of web browsing.  Tons of exploits, and let&#8217;s not even get into performance issues.  Java continues its nuisance in Firefox.  Mozilla now has some egg on their face as their two-week-old Firefox 3.5 has been identified with a remote execution exploit.</p>
<blockquote><p>Mozilla is warning users and administrators of a critical JavaScript flaw in its Firefox 3.5 browser.</p>
<p>The company said that the problem exists in the browser&#8217;s JavaScript tool within a component called &#8216;just in time&#8217; (JIT). If exploited, the vulnerability could allow an attacker to remotely execute code on a targeted system.</p>
<p>Mozilla further warned that a working exploit has been publicly released, increasing the risk of attacks occurring in the wild.</p>
<p>A Firefox security alert offers instructions on how to temporarily disable the JIT component through the browser&#8217;s about:config menu. Doing so will slow JavaScript performance, however.</p></blockquote>
<p>(Via <a href="http://www.v3.co.uk/v3/news/2246062/mozilla-warns-firefox">V3</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/07/firefox-plagued-by-java/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Your Power, Smart Meter Problems</title>
		<link>http://www.TheRunningTally.com/2009/06/securing-your-power-smart-meter-problems/</link>
		<comments>http://www.TheRunningTally.com/2009/06/securing-your-power-smart-meter-problems/#comments</comments>
		<pubDate>Sun, 14 Jun 2009 05:26:11 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Power Grid]]></category>
		<category><![CDATA[Smart Meters]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=524</guid>
		<description><![CDATA[The ability to track your power usage via Google is a perk I am looking forward to. Sure I could write down my meter reading every day, but let&#8217;s be honest. Unfortunately, rushing into the smart meter era has some very negative side effects. There&#8217;s just one problem: The newfangled meters needed to make the smart [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.TheRunningTally.com/wp-content/uploads/2009/06/smart-meter.jpg" alt="smart-meter.jpg" title="smart-meter.jpg" width="500" height="366" class="alignnone size-full wp-image-523" /></p>
<p>The ability to track your power usage via <a href="http://www.google.org/powermeter/">Google</a> is a perk I am looking forward to.  Sure I could write down my meter reading every day, but let&#8217;s be honest.  Unfortunately, rushing into the smart meter era has some very negative side effects.  </p>
<blockquote><p>There&#8217;s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that&#8217;s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.</p>
<p>&#8220;We can switch off hundreds of thousands of homes potentially at the same time,&#8221; Davis, who has spent the past few months analyzing a half-dozen smart meters, told The Reg. &#8220;That starts providing problems that the power company may not be able to gracefully deal with.&#8221;</p></blockquote>
<p>While having the ability to flick the power on and off would be entertaining, I want the hack to come out that we all really want.  How can I make it so it only registers 1/4 of my actual power usage?</p>
<p>(Via <a href="http://www.theregister.co.uk/2009/06/12/smart_grid_security_risks/page2.html">The Register</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/06/securing-your-power-smart-meter-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iTunes Exploit for Win/Mac</title>
		<link>http://www.TheRunningTally.com/2009/06/itunes-exploit-for-winmac/</link>
		<comments>http://www.TheRunningTally.com/2009/06/itunes-exploit-for-winmac/#comments</comments>
		<pubDate>Fri, 12 Jun 2009 15:01:35 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[BackTrack]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[iTunes]]></category>
		<category><![CDATA[Offensive Security]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=492</guid>
		<description><![CDATA[Here is a great write up by the guys over at Offensive Security. They managed to work the iTunes OS X exploit around and got it to work in Windows too. And for all of those wanting to use it, they did post the exploit at the bottom. Here is a little about how they [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-491" title="iTunes Logo" src="http://www.TheRunningTally.com/wp-content/uploads/2009/06/mspmentor-and-the-var-guy-podcasts-on-itunes.jpg" alt="iTunes Logo" width="300" height="304" /></p>
<p>Here is a great write-up by the guys over at <a href="http://www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/">Offensive Security</a>.  They managed to work the iTunes OS X exploit around and got it to work in Windows too.  And for all of those wanting to use it, they did post the exploit at the bottom.  Here is a little about how they got there.</p>
<blockquote><p>Our new AWE course is about to go live for the first time, in BlackHat Vegas. We chose the most interesting exploitation cases we’ve encountered, and dove really deep into them. We had many exploits to choose from, some were too easy, and believe it or not, some were just too hard. This blog post is going to be a multipart post, describing our exploitation process of the recent iTunes overflow described here. This is possibly one of our most involved and interesting exploits to date.</p>
<p>An exploit for OSX was released and discussed here. Being naturally inquisitive, we checked to see if this exception would occur in Windows too, and indeed it was!</p>
<p>After attaching a debugger to the iTunes process, we noticed it was getting terminated after around 30 seconds. It looked like iTunes had anti-debugging features implemented. Fortunately, Immunity Debugger offers anti-debugging scripts which are useful for situations just like this. Invoking the !hidedebug command within ID allowed the debugger to continue running in hidden mode, bypassing our first hurdle.</p>
<p>Using the OSX exploit as a template, we attempted to crash iTunes several times, however the process would keep terminating with no opportunity for code redirection. After inspecting the call stack in one of the crash cases, we saw that one function was calling ZwTerminateProcess.</p>
<p>We assumed this was a stack protection mechanism. We placed a breakpoint there. This would halt ID just before the stack cookie check, allowing us to examine the vulnerable function in greater depth, and also to confirm our “stack protection” theory.</p>
<p>We soon realised that trying to approach the stack canary head on would be difficult. We attempted to increase the buffer length we were sending in order to get a SEH overflow, which would effectively bypass the canary protection. The Gods of buffer overflows were in our favour – and an SEH overwrite was achieved!</p>
<p>From here on, we expected things to get easier. Little did we know….</p></blockquote>
<p>(Via <a href="http://www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/">Offensive Security</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/06/itunes-exploit-for-winmac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virus Hits FBI and US Marshals</title>
		<link>http://www.TheRunningTally.com/2009/05/virus-hits-fbi-and-us-marshals/</link>
		<comments>http://www.TheRunningTally.com/2009/05/virus-hits-fbi-and-us-marshals/#comments</comments>
		<pubDate>Fri, 22 May 2009 05:24:04 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[CNET]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[US Marshals]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=437</guid>
		<description><![CDATA[Looks like CNET has a story of the FBI, and US Marshals Service being hit with an unknown virus. Below is their story. The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an Associated Press report. [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.TheRunningTally.com/wp-content/uploads/2009/05/hacking.jpg" alt="hacking.jpg" title="hacking.jpg" width="300" height="301" class="alignnone size-full wp-image-297" /><br />
Looks like <a href="http://news.cnet.com/8301-1009_3-10247388-83.html?tag=mncol;txt#comments">CNET</a> has a story on the FBI and US Marshals Service being hit with an unknown virus.  Below is their story. </p>
<blockquote><p>The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an  Associated Press report.</p>
<p>A spokesperson for the U.S. Marshals Service confirmed that it had disconnected from Justice Department computers as a precaution after being hit with the virus, while an FBI spokesperson would only say that it was experiencing similar issues, according to the report.</p>
<p>&#8220;We too are evaluating a network issue on our external, unclassified network that&#8217;s affecting several government agencies,&#8221; FBI spokesman Mike Kortan told the AP.</p>
<p>The virus&#8217; type and origin are unknown, but spokespeople for both agencies said agencies&#8217; access to the Internet and e-mail was shut down while the issue was evaluated.</p>
<p>Government regulations require agencies to report any security issues to US-Computer Emergency Readiness Team (US-CERT), but a call to CERT late Thursday for comment was not immediately returned. </p></blockquote>
<p>Like I have said, it only takes one outward-facing machine to get in.  I am sure there are tons of viruses and botnets out there going undetected.  You just have to play the waiting game, update them, and make the traffic blend in&#8230;</p>
<p>(Via <a href="http://news.cnet.com/8301-1009_3-10247388-83.html?tag=mncol;txt#comments">CNET</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/05/virus-hits-fbi-and-us-marshals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 RC Has A Botnet</title>
		<link>http://www.TheRunningTally.com/2009/05/windows-7-rc-has-a-botnet/</link>
		<comments>http://www.TheRunningTally.com/2009/05/windows-7-rc-has-a-botnet/#comments</comments>
		<pubDate>Wed, 13 May 2009 15:37:48 +0000</pubDate>
		<dc:creator>Zac</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.TheRunningTally.com/?p=362</guid>
		<description><![CDATA[Did you get all excited about the Windows 7 RC, so instead of waiting till Microsoft released it you downloaded it on torrent? Turns out that prerelease version had a nasty botnet built into it. But don&#8217;t worry, you were not the only one, it is spreading at roughly 500 machines an hour. Damballa reckons [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.TheRunningTally.com/wp-content/uploads/2009/05/computer-virus.jpg" alt="computer-virus.jpg" border="0" width="398" height="298" /></p>
<p>Did you get all excited about the Windows 7 RC, so instead of waiting till Microsoft released it you downloaded it on torrent?  Turns out that prerelease version had a nasty botnet built into it.  But don&#8217;t worry, you were not the only one, it is spreading at roughly 500 machines an hour.</p>
<blockquote><p>Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft&#8217;s next operating system on offer through BitTorrent.</p>
<p>Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.</p>
<p>&#8220;Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs</p></blockquote>
<p>This means if you have not done so already, you need to get the official release from Microsoft.  I will even be nice and give you the link right <a href="http://www.microsoft.com/windows/windows-7/download.aspx">here</a>.</p>
<p>(Via <a href="http://www.theregister.co.uk/2009/05/13/pirate_win_7_botnet/">The Register</a>.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheRunningTally.com/2009/05/windows-7-rc-has-a-botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
