It Must Be Tuesday Again

Because Microsoft comes bearing gifts.

Patch Tuesday: Critical security holes in Microsoft Office

Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.

The update also patches the DLL load hijacking attack vector that haunted multiple Windows applications, including Microsoft’s own Office software.

Microsoft urges Office users to consider this a “top priority bulletin” and warned that reliable exploit code is likely within the next 30 days.

As part of the November Patch Tuesday release, the company also patched a pair of security flaws in Microsoft PowerPoint and four documented flaws in Unified Access Gateway (UAG), which is a component of Microsoft Forefront.

See also:
Microsoft Security Bulletin MS10-087 – Critical
Microsoft Office Takes Center Stage for Patch Tuesday
Small, But Serious Patch Tuesday
Microsoft Patch Tuesday: Updates for Office and Forefront
Microsoft patches critical Outlook drive-by bug
Microsoft plugs hole related to Word-launched e-mails
Microsoft Patch Tuesday Update Will Not Fix IE Flaw
IE zero-day vulnerability not part of light Patch Tuesday
Microsoft tiny Patch Tuesday has no IE fix
Microsoft’s Patch Tuesday for November does not include a fix for a zero-day flaw in Internet Explorer
Windows Update

Well, apparently Microsoft didn’t quite get to fixing everything that’s wrong with their software this time around, but you had better install the patch anyway.

/so, until next time, and you know there will be a next time . . .

Typical Government Efficiency

And remember, this is the FBI, they’re on our first line of defense against terrorism.

Audit Cites FBI Technology Problems

The Federal Bureau of Investigation’s struggles with technology are expected to continue to eat up millions of dollars and still leave agents and analysts wanting for a seamless electronic system to manage investigations, according to a federal audit released Wednesday.

Justice Department Inspector General Glenn Fine said the FBI has already spent $405 million of the $451 million budgeted for its new Sentinel case-management system, but the system, as of September, was two years behind schedule and $100 million over budget.

Thomas Harrington, FBI associate deputy director, said the audit uses an outdated and “inflated cost estimate” that is “based on a worst-case scenario for a plan that we are no longer using.”

The FBI’s technology problems aren’t new, but they have potential consequences for the bureau’s efforts to prevent terrorist attacks, particularly at a time when the domestic terrorist threat is growing.

The Sept. 11, 2001, attacks exposed the FBI’s troubles with information sharing, and the bureau accelerated plans to replace its unwieldy case-management system with new software.

That technology project was called Trilogy and was supposed to deliver software called Virtual Case File that was to help FBI agents share investigative documents electronically. The inspector general called the project a fiasco and said the FBI and its contractors wasted $170 million and three years.

FBI Director Robert Mueller canceled Virtual Case File in 2005 and started a new project called Sentinel to be completed in 2009.

The system is supposed to provide agents and analysts with a secure Web-based system to search and manage evidence and get approvals for documents.

According to Mr. Fine’s audit, the system is still far from completion.

In July 2010, the FBI issued a stop-work order to contractor Lockheed Martin Corp. and decided to take over management of the completion of Sentinel.

FBI officials now say they can complete the system by September 2011, with additional spending of $20 million, according to the audit.

Mr. Fine found cause to doubt those estimates. He cited a review conducted by Mitre, a research group that is funded by the federal government, that estimates it will cost another $351 million to complete the system.

Read the report:

Status of the Federal Bureau of Investigation’s Implementation of the Sentinel Project,
Audit Report 11-01, October 2010

See also:
FBI Sentinel project is over budget and behind schedule, say IG auditors
FBI behind schedule, over budget on computer system
Report sharply critical of delays, costs of FBI case management system
IG report hits FBI Sentinel program
FBI Computer System Behind Schedule, Over Budget After $405 Million Spent
FBI computer system years late and way over budget
More Computer Woes at FBI, New System Late Over Budget
IG: FBI’s Sentinel program still off-track, over budget
FBI’s computer woes continue, auditors say
Report: FBI case management system still falls short
FBI’s Sentinel project $100 million over budget, 2 years behind schedule
Report Finds FBI Computer System Over Budget, Behind Schedule

Are you telling me that it takes more than five years and over a half billion dollars to design a case management system and it’s still not finished? And why is Lockheed Martin designing the software? When did they become known as software designers? Even Microsoft, as crappy as they are, could have probably put out a product that works in less time and for less money.

/if this FBI computer system disaster is an example of how the U.S. government operates in this arena, I can only shudder to think what will happen and how much it’ll cost when they decide to upgrade the homeland security and military computer networks

Let’s Play ATM Or Slot Machine?

Barnaby Jack is at it again.

Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.

The demonstration was greeted with hoots and applause.

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn’t yet examined them.

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways — either through a touch-sequence entered on the ATM’s keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.

To demonstrate, Jack punched the keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

To hack the Triton, he used a key to open the machine’s front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems — the kind used on filing cabinets — that can be opened with a $10 key available on the web. The same key opens every Triton ATM.

Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it — the upgraded lock is a Medeco pick-resistant, high-security lock.

. . .

Jack said that so far he’s examined ATMs made by four manufacturers and all of them have vulnerabilities. “Every ATM I’ve looked at allows that ‘game over.’ I’m four for four,” he said at the press conference. He wouldn’t discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.

Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.

See also:
Bunker-busting ATM attacks show security holes
Hacker breaks into ATMs, dispenses cash remotely
Security researcher demonstrates ATM hacking
Black Hat: Hacker Tricks ATMs Into Raining Cash
Researcher shows how to hack ATMs with “Dillinger” tool
Armed with exploits, ATM hacker hits the jackpot
Powered By Microsoft Windows
IOActive Labs
Tranax Technologies
Triton Systems

All your ATMs are belong to Barnaby Jack!

/I’ll bet Barnaby is really well paid and gets plenty of job offers from the Black Hats as well as the White Hats

If It’s Thursday, It Must Be Time To Patch Flash

If you watch YouTube videos or read PDF files, you’re gonna want to pay attention.

After attacks, Adobe fixes Flash bug

Less than a week after fielding reports that hackers were targeting a bug in its Flash Player software, Adobe Systems has rushed out a fix for the problem.

Adobe’s new 10.1 Flash update, released Thursday, fixed a bug that was first spotted via a small number of targeted attacks late last week.

According to Symantec, these Flash attacks are still not widespread, but users should update their Flash software as soon as possible. “We have been seeing a small but steady rise in detections of related malicious PDFs and we expect to continue to see these numbers increase over the coming hours and days,” the security vendor said in a statement.

Criminals have been exploiting the flaw using malicious Flash swf files, which are typically opened by the Web browser’s Flash Player plugin, or via PDFs that have maliciously encoded Flash components embedded inside them, Adobe said Thursday. Those malicious PDFs are typically opened by Reader or Acrobat, which include their own versions of Flash Player that have not yet been patched. That fix is due June 29.

Thursday’s update includes an unusually large number of security bug-fixes, 32 in all. “It’s a huge number of bugs fixed, something along the lines of what we’d expect of Apple,” said Andrew Storms, director of security operations with nCircle Network Security.

Adobe’s Flash and Reader software have emerged as prime hacking targets in the past year, and the company is toying with the idea of releasing more frequent security updates to keep pace.

See also:
Adobe Flash Player version 10.1
Exploit for new Flash vulnerability spreading fast
Adobe releases Flash 10.1 and patch bundle
Adobe Issues Massive Flash Security Update
Adobe plugs 32 security holes in ‘critical’ Flash Player patch
Adobe Issues Security Patch
Adobe Flash Player 10.1 released for Windows, Mac, Linux
Adobe debuts What Jobs Hates™ v10.1
Adobe Releases Flash Player 10.1, AIR 2
Adobe releases Flash Player 10.1 for Mac
Adobe Reader 9.3
Adobe Systems

Be careful, the Flash update tries to install Google Toolbar by default. So, unless you want Google Toolbar, make sure you uncheck the box for Google Toolbar before you hit the install button. If Google Toolbar gets mistakenly installed, you can always uninstall it using Control Panel/Add or Remove Programs.

/damn, I hate it when software vendors try and tack on unrelated, third party software by default to the software download you actually want to install

The Afghanistan War Explained, A PowerPoint Too Far

“When we understand that slide, we’ll have won the war.”
General Stanley McChrystal, the US and NATO force commander

“PowerPoint makes us stupid.”
Gen. James N. Mattis of the Marine Corps, the Joint Forces commander

Afghanistan Stability/COIN Dynamics

Wow, what a way to fight a war, whatever happened to just going out and killing the enemy?

See also:
Afghanistan PowerPoint slide: Generals left baffled by PowerPoint slide
Afghanistan: the PowerPoint solution
We Have Met the Enemy and He Is PowerPoint
American army declares war on Microsoft PowerPoint
The U.S. Military’s War On PowerPoint
Why the Military Declared War on Powerpoint
Can DOD really defeat PowerPoint?
PowerPoint backlash grinds onward
The Biggest Enemy In The War On Terror? PowerPoint
The PowerPoint Problem in the Military — and Science?
So what is the actual surge strategy?

/gee, imagine that, another insidious Microsoft software product spreading human misery across the planet

Patchapalooza Tuesday

It’s a triple witching day for computer patches.

Microsoft, Adobe, and Oracle Patch Nearly 100 Vulnerabilities

It’s a busy day for IT administrators and information security professionals. Not only is today Microsoft’s Patch Tuesday for the month of April, it is also the day of Adobe’s quarterly security updates. In total, there are 40 vulnerabilities being addressed today–many of them rated as critical and exposing systems to potential remote exploits.

Microsoft Patch Tuesday

A Microsoft spokesperson e-mailed the following: “Today, as part of its routine monthly security update cycle, Microsoft is releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.”

Qualys CTO Wolfgang Kandek noted in his blog post: “Microsoft’s patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages; IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.”

“The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts,” said Joshua Talbot, security intelligence manager, Symantec Security Response in an e-mailed statement. “Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability.”

Talbot continued: “It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor. If a user begins to download an application and they see the Windows notification telling them who created it, they might think twice before proceeding if it’s from an unfamiliar source. This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate.”

Andrew Storms, director of security operations for nCircle, offered this analysis: “More movies and more malware: that’s what we’ve got to look forward to on the Internet. Microsoft is patching critical bugs in Windows Media Player and Direct Show this month–both of these bugs lend themselves to online video malware. If you put these fixes together with Apple’s recent patch of Quicktime, it’s pretty obvious that attackers are finding a lot of victims through video.”

nCircle’s Tyler Reguly points out that there is also a greater message to be learned from the patches. “As an avid Windows XP user, I’m leaning more and more towards making the jump to Windows 7; with the added security it just makes sense. Looking at the top two vulnerabilities (MS10-027 and MS10-026), my Windows XP systems are vulnerable to both, yet my Windows 7 laptop isn’t affected by either of them. The newer operating system just makes sense.”

Adobe Quarterly Update

As if eleven security bulletins fixing 25 different vulnerabilities weren’t enough, IT administrators must also address the critical updates released today from Adobe. nCircle’s Storms points out that “Every one of the 15 bugs can be used for remote code execution. Given the increase in the number of attacks that use Adobe PDF files, all users are strongly urged to upgrade immediately.”

Storms added: “In stark contrast to Microsoft’s patch process, Adobe’s security bulletin information lacks details, especially critical information about potential workarounds. For enterprises that have a long test cycle, it can take weeks or even months to roll out updates. With no workaround information, Adobe leaves their enterprise customers vulnerable and security teams everywhere frustrated and annoyed.”

Andrew Brandt, lead threat research analyst with Webroot, warns “What’s more, they should be aware that Foxit Reader–which also reads PDFs–is actually more vulnerable.”

It is also worth noting that Adobe has rolled out its new update system which it has been beta testing over the past couple of months. Users can now configure Adobe software to automatically install updates, enabling security patches to be applied without requiring any user intervention.

Don’t Forget Oracle

Wait, there’s more! Not wanting to be left out of the patch day festivities, Oracle has also unleashed its own deluge of updates–more than Microsoft and Adobe combined.

There is a little bit of good news, though. Very few organizations will actually be impacted by every single one of the disclosed vulnerabilities. Qualys’ Kandek points out “This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.”

The same logic holds true for Oracle and, to a lesser extent, Adobe–although Adobe Reader is fairly ubiquitous. Have fun!

See also:
Microsoft, Adobe, Oracle offer fixes in big Patch Tuesday
Patch Tuesday: Microsoft safeguards video, Adobe secures PDFs
Microsoft Patch Tuesday Fixes 5 Critical Flaws
Microsoft Targets Media Flaws In April Patches
Microsoft blocks ‘movies-to-malware’ attacks
Microsoft Releases Multiple Updates; Vista SP0 Support Ends
Microsoft Security Bulletin Summary for April 2010
New Adobe Auto-Updater Debuts On Super (Patch) Tuesday
Adobe Patches Acrobat/Reader Vulnerabilities, Updates on Updating
Security update available for Adobe Reader and Acrobat

/so, you know the drill people, get busy downloading those patches, hope you’re not on dial up!

All Your Jihad Are Belong To Geeks

How Team of Geeks Cracked Spy Trade

From a Silicon Valley office strewn with bean-bag chairs, a group of twenty-something software engineers is building an unlikely following of terrorist hunters at U.S. spy agencies.

One of the latest entrants into the government spy-services marketplace, Palantir Technologies has designed what many intelligence analysts say is the most effective tool to date to investigate terrorist networks. The software’s main advance is a user-friendly search tool that can scan multiple data sources at once, something previous search tools couldn’t do. That means an analyst who is following a tip about a planned terror attack, for example, can more quickly and easily unearth connections among suspects, money transfers, phone calls and previous attacks around the globe.

Palantir’s software has helped root out terrorist financing networks, revealed new trends in roadside bomb attacks, and uncovered details of Syrian suicide bombing networks in Iraq, according to current and former U.S. officials familiar with the events. It has also foiled a Pakistani suicide bombing plot on Western targets and discovered a spy infiltration of an allied government. It is now being used by the Central Intelligence Agency, the Pentagon and the Federal Bureau of Investigation.

Yet Palantir — which takes its name from the “seeing stones” in the “Lord of the Rings” series — remains an outlier among government security contractors. It rejected advice to hire retired generals to curry favor with the agencies and hired young government analysts frustrated by working with slow-footed technology. The company’s founders knew little about intelligence gathering when they started out. Instead, they went on a fact-finding mission, working with analysts to build the product from scratch.

“We were very naive. We just thought this was a cool idea,” says Palantir’s 41-year-old chief executive Alexander Karp, whose usual dress is a track-suit jacket, blue jeans, and red leather sneakers. “I underestimated how difficult it would be.”

Technology like Palantir’s is increasingly important to spies confronting an information explosion, where terrorists can hide communications in vast data streams on the Internet. Intelligence agencies are struggling to identify and monitor such information — and quickly send relevant data to the analysts who need it. U.S. officials say the software is also crucial as the country steps up its offensive in difficult theaters like Afghanistan. There, Palantir’s software is now being used to analyze constantly shifting tribal dynamics and distinguish potential allies from enemies, according to current and former counterterrorism officials familiar with the work.

“It’s a new way of war fighting,” says former Assistant Secretary of Defense Mary Beth Long. While there are many good systems, Ms. Long says, with Palantir’s software “you can actually point to examples where it was pretty clear that lives were saved.”

See also:
Spooks Heart Software for Rooting out Terrorists
Palantir Technologies
A conversation with Alexander Karp, CEO of Palantir Technologies
Alexander Karp

/just another example of the creative, nimble private sector entrepreneur running rings around the myopic, sloth-like government bureaucracy