WPA Wi-Fi encryption, the security that prevents unautorised users from accessing your wireless networks, has been cracked. Researchers report that the TKIP keystream may be decrypted in as little as 12-15 minutes:

More information here

So with both older WEP and now WPA security compromised, the only way to currently secure a wireless network is with the newer WPA2 encryption protocol. However, much older hardware doesn't support this newer protocol so check your hardware for support, switch to WPA2 if available or upgrade/replace your hardware.

For those that don't take the potential threat seriously, allow me to put it in context by reminding you of T.K.Maxx who were in the process of upgrading the WEP encryption to WPA on their wireless cash registers used to transmit customer credit card transactions when they were hacked and subsequently lost hundreds of millions of customers credit card details in an incident that still remains one of the most widely publicised security breeches ever. I'm sure T.K.Maxx have learnt their lesson so let's make sure we learn from their mistake too rather than repeating it.

Mozilla have released a critical security update for version 3 (3.0.2) of their popular Firefox web browser.

Users are advised to update immediately.

Mozilla have just released a new version of their Thunderbird email client that fixes a number of security issues:

• MFSA 2008-34 Remote code execution by overflowing CSS reference counter
• MFSA 2008-33 Crash and remote code execution in block reflow
• MFSA 2008-31 Peer-trusted certs can use alt names to spoof
• MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
• MFSA 2008-26 Buffer length checks in MIME processing
• MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
• MFSA 2008-24 Chrome script loading from fastload file
• MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

Users are advised to upgrade immediately.

In a major collaborative effort over 80 vendors simultaneously released patches to their DNS software to address a critical vulnerability. DNS, the Domain Name System, forms the basis of how today's Internet works by translating domain names into IP addresses and vice versa. Without DNS you wouldn't be able to type a domain name (such as bbc.co.uk for example) into a web browser and reach that site.

The current flaw in DNS potentially allows hackers to poison the DNS system and redirect users to malicious sites rather than the site they intended to visit. The researcher that discovered the flaw, Dan Kaminsky, had attempted to keep technical details of the vulnerability secret until next month in order to give system administrators time to patch their servers against the flaw. However, details of the vulnerability were revealed yesterday before many systems have been patched.

In a worst case scenario a major ISPs DNS servers could be subverted redirecting a major site such as Google to a malicious site designed to infect visitors PCs with malware. Such a scenario could result in hudreds of thousands of computers being infected in a very short period of time. With such rewards on offer you can bet the bad guys will be all over this in a flash.

What should you do?

Users are strongly advised to test their DNS servers now to see if they're vulnerable. Dan Kaminsky has a "Check My DNS" applet available on his site here.

If your DNS servers are vulnerable you should contact your ISP (or whoever provides your DNS) and inform them, plus ask them when they intend to patch their servers.

If your DNS servers are vulnerable then you can use the freely available DNS servers provided by OpenDNS until your normal servers can be patched. Windows users should go to Control Panel > Network Connections and right click on the connection and select "Properties". Then select Internet Protocol (TCP/IP) and click Properties. Select "Use the following DNS server addresses" and enter the following two IP addresses for the Preferred and Alternate DNS servers, respectively: 208.67.222.222 and 208.67.220.220. Linux users should edit the nameserver values in /etc/resolv.conf

Additionally, if you use a home router to automatically assign network settings then you should also update the DNS server settings in your router.

Users are then advised to retest to ensure their DNS servers are no longer vulnerable.

Mozilla have released security updates to both version 2 (2.0.0.16) and version 3 (3.0.1) of their popular Firefox web browser.

Firefox version 2 will be supported until December 2008 so users are encouraged to upgrade to version 3 if they have not already done so.

Adobe have recently released a security bulletin for Acrobat (and Acrobat Reader) affecting the latest versions of both 7 and 8.

Nothing new there, so why the rant?

Well, firstly the security update is not picked up through the application's builtin update feature (Help menu > Check for Updates) so unless you happen to regularly follow security blogs, how are end users supposed to know it's been released. Secondly, the download is in the form of a Microsoft .msi file and how many end users would know what to do with one of these? Finally, after successfully updating a system there doesn't appear to be any easily visible record that the patch has been applied making it difficult for system administrators to track which systems have been updated and which haven't.

With the current trend of exploiting vulnerabilities in 3rd party applications (Adobe Acrobat) and browser plugins (Adobe Flash), software vendors need to do more to ensure they deliver software updates in a timely and coherent fashion. In short, they need to do more to ensure end user systems stay fully patched.

End users, and home users in particular, don't always have system administrators to look after their machines, ensuring that all the relevent security patches have been applied and the Bad Guys know this and take advantage by targeting these applications and browser plugins. All it takes is for one email with a link to a malicious PDF file hosted on some website, click on it and you're infected.

Delivering updates

One way to address the paradigm of delivering software updates might be for Microsft to open up their Microsoft Updates site to 3rd party software vendors and allow them to automatically deliver their updates through that system thus ensuring that all users receive them. A "one-stop-shop" for updates really is what's needed as it's no longer reasonable to expect users to go trawling the web in search of the security updates they need. Software with an automatic update feature built in was a step in the right direction, but as Adobe have just shown it's not infallible and only works when they deliver all updates through that mechanism.

In the meantime, services such as Secunia's Online Software Inspector provide a valuable service to end users for ensuring that their systems are kept up to date.

A critical bug has been found in the Pseudo Random Number Generator (PRNG) used in OpenSSL in debian Linux and it's derivative (e.g, Ubuntu etc) that renders random numbers predictable. The bug was introduced into debin unstable on September 17th, 2006 and has since propogated into the stable branch. All keys generated on affected systems should be considered compromised.

http://www.debian.org/security/2008/dsa-1571

http://www.ubuntu.com/usn/USN-612-1

I don't use debian (or Ubuntu), so how does this affect me?

The impact of this vulnerability is far reaching and goes way beyond debian-based systems. The vulnerability directly affects all debian-based systems using OpenSSL generated keys (OpenSSH, OpenVPN, website and mail server authentication by SSL/TLS, etc) and potentially affects anyone using SSL-based security or encryption.

OpenSSH

If you have a Linux server, then you almost certainly have SSH configured by default for remote access. If you use public/private key authentication and users have generated keys on affected systems, then brute-forcing those keys to gain remote access is trivial and there are already scripts available in the wild. The same applies to OpenVPN. The important facor here is the system the keys were generated on, not whether your server is running debian or other affected Linux distribution.

Additionally, all DSA keys that were ever used on a vulnerable debian-based system for signing or authentication should also be considered compromized due to a known attack on DSA keys.

System administrators are advised to conduct a full audit of all key pairs and regenerate new keys where appropriate.

SSL-encrypted websites and mail servers

Users of debian-based systems running SSL encrypted websites or mail servers using SSL/TLS certificates generated on affected systems should generate new certificates immediately. Additionally, if you have had your certificates signed by Root Certificate Authorities (eg, Twarte, VeriSign etc), then you will need to generate new certificates and get these resigned.

By definition, the public key is publicly known, and therefore it is trivial to generate a matching private key. It then becomes trivial to launch man-in-the-middle style attacks against encrypted or secured transactions such as credit card or other banking transactions or to obtain users login credentials. The potential for exploitation is huge and has the potential to affected all users of the Internet.

If you are at all unsure about how to generate new keys or certificates, please do not hesitate to contact us and we will be happy to assist in generating new OpenSSL keys or certificates for you.

Mozilla have just released a new version of their Thunderbird email client that contains a number of security fixes

• MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
• MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

Users are advised to upgrade immediately.

Last week Grisoft, the makers of the popular AVG Anti-Virus program, released version 8 of their free product.

Users are recommended to upgrade, and the new version can be downloaded here

As Grisoft state, "AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use."

Sometimes those of us working in the Information Security (InfoSec) business feel like it's nothing but doom and gloom, and for the most part, that's probably not an unrealistic synopsis. So here's a little lighthearted weekend reading:

The six dumbest ideas in computer security

"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

For your convenience, I've listed the dumb ideas in descending order from the most-frequently-seen. If you can avoid falling into the the trap of the first three, you're among the few true computer security elite."

Hot on the heels of last month's security release, Mozilla have just released another stability-related update to their Firefox web browser, this time fixing a JavaScript bug

Mozilla have just released a new version of their Firefox web browser that contains a number of security fixes

• MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
• MFSA 2008-18 Java socket connection to any local port via LiveConnect
• MFSA 2008-17 Privacy issue with SSL Client Authentication
• MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
• MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
• MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

Users are advised to upgrade immediately.

Today we saw yet another major spam run of the storm worm. Messages typically referred to a funny postcard (or ecard) and provided a link of the form http://ip_address contained within the message body. Clicking on the link would take a user to a website that will infect their computer with the storm worm virus. Users are reminded never to click on links in emails.

Our email servers at Pendre successfully filtered these spam messages based on body checks for raw dotted quad ip addresses, a technique regularly used by storm worm and other such spam. As such, users of Pendre email servers were not at risk. Anti-Virus detection of these new storm worm variants is now reasonably good.

Mozilla have just released a new version of their Thunderbird email client that contains a number of security fixes

• MFSA 2008-12 Heap buffer overflow in external MIME bodies
• MFSA 2008-05 Directory traversal via chrome: URI
• MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
• MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)

Users are advised to upgrade immediately.

There is currently a local privilege escalation flaw in the current Linux Kernel, affecting all kernels from 2.6.17 to 2.6.24.1 inclusive.

Exploit code for this vulnerability is available in the wild:

This vulnerability is not remotely exploitable so an attacker would first have to gain local access, however this could present significant risks for system administrators in shared environments with multiple system accounts.

Patches should be available shortly from distribution vendors and system administrators are advised to upgrade their kernel as soon as these become available.