
Posts

Palo Alto Networks Firewalls Leaking Usernames and Password Hashes

A significant number of Palo Alto Networks (PAN) firewalls are leaking critical information onto the open internet. It's vital to immediately qualify that statement. The leaks result from firewall administrators enabling Client Probing and Host Probing within the User-ID settings without explicitly limiting such probes to a trusted "zone" or subnet. Username, domain name and password hash are provided to those initiating a properly formatted SMB connection to impacted firewalls. HD Moore, Chief Research Officer of Rapid7 and founder of Metasploit, is responsible for the initial publication of the vulnerability. Enabling such a configuration on a production firewall appliance, with its resulting leaks, results in a somewhat unusual situation where responsibility for the resulting vulnerability ought to be shared between security administrators and PAN developers. SMB probing should be filtered to trusted subnets; this is obvious. That said, such a setting should not be

Congress to Comey: Leave Encryption Alone

Congress appears to have abandoned FBI Director James Comey's bungled attacks on consumer adoption of encryption. It's a rare glimmer of sanity from Capitol Hill; press reports quoting congressional officials using language not ripped from the pages of an Orwell novel. Readers may remember that in a recent post we mentioned some danger signs indicating that the executive wanted to take some more aggressive action to ensure that the commoners and foreign-folk don't have access to encryption tools that would help keep their data free from snooping. Top brass from the FBI and the Attorney General's Office were telling anyone who would listen that unless tech companies stopped trying to protect their customers' data, law enforcement would be powerless in the face of modern "cyber" criminals. Congress has refused to jump on this alarmist bandwagon. Darrell Issa, a member of that rarest of species - California Republicans - had this to say about federal law enforcem

What You Need to Know About the "Sandworm" Exploit

You may have heard about last month's hack of computers belonging to NATO, Ukrainian and European Union representatives. The attack vector was a classic - a loaded email; classic enough that at first I wondered why the attacks were so successful, post-Stuxnet. Every target opened an email with an infected Microsoft PowerPoint document. The PowerPoint was executable. Under ordinary circumstances, users are provided with a security warning that they must override when running and saving executable PowerPoints. I haven't been able to find confirmation in the news as to whether users read and confirmed these security warnings before running the loaded files; I haven't been able to get my hands on a copy of Sandworm to see for myself, either (please leave a message or email me if you have such a copy). In some sense, the incompetence entailed in triggering the infection is a bit more forgivable as apparently this infection has been running unabated since its first succe

Is Encryption Becoming Illegal Again?

Way back in 1993, the Internet was a very different place. SSL would not be released for another two years; it would take some time after that until it was used commonly. The Clipper Chip project had just been announced, threatening to offer an explicit, physical back door to all electronic communications devices for the US Justice Department and anyone with a basic understanding of computer science. In 1993, encryption was a weapon. Washington viewed encryption's only function as a wartime tool to protect military and intelligence communications. The notion that encryption could or should be used as a foundation of protecting online commerce and banking simply did not occur to Big Brother. Into this situation came Phil Zimmermann. Phil had designed and programmed an encryption application called Pretty Good Privacy in 1991. Before that time, cryptography tools were almost entirely the purview of those with the biggest of Smarty Pants: mathematicians, logicians, researchers,

Search Tool Removed

UPDATE (7/27/2015): I created a Google CSE instead of using the miserable and useless utility described below. Unlike the Blogger tool, the CSE works. Huzzah! I actually got around to using Google's little search tool for Blogger. And you know what? It sucks. I searched for articles using the name of the article, nothing found. I searched for articles using keywords that I had used repeatedly as Blogger "Labels" - nothing found. With actual production projects I have been vehement about removing search tools from Google. Sometimes I've lost, and I've worked with companies that have bought those outrageously priced yellow servers running Google's cute, branded version of BSD. A $30,000 back door to your intranet for regulators and competitors. Brilliant. Better to do the responsible thing and buy yourself a Lexus with petty cash. Anyway, this was different, I thought. The site is hosted on Blogspot, so my users have already been sucked into the freakishly-plas

What?

LinkedIn is always good for a laugh. Here was their recent job recommendation for me: Lol, what? I admit, I find it exceedingly difficult to "Picture Myself" at the National Security Agency. LinkedIn, maybe you need to work a little bit more on your creepy career stalking software. Still needs some work.

The Guardian Calls Bullsh*t on Whisper; Whisper Calls Bullsh*t on Guardian

Big drama today re: the popular messaging app Whisper. Whisper markets itself as anonymous, calling itself "the safest place on the internet". But The Guardian disagrees. This morning the influential British newspaper published a story alleging that Whisper tracks the geographic location of users who have requested that such tracking be disabled - even more alarming, the Guardian claims that Whisper provides location data to the US Department of Defense about Whisper messages sent from military bases, ostensibly to identify whistleblowers. The Guardian also stated that Whisper sends user data to the FBI and MI5. Whisper's terms of service changed after they found out that the Guardian was moving to publish. Now their TOS explicitly allows user tracking regardless of settings. Neetzan Zimmerman, speaking for the Whisper corporate office, has responded with a series of online pronouncements that were full of sound and fury; calling the story a "pack of lies" that w