From Wired…

SAN DIEGO — Christopher Tarnovsky feels vindicated. The software engineer and former satellite-TV pirate has been on the hot seat for five years, accused of helping his former employer, a Rupert Murdoch company, sabotage a rival to gain the top spot in the global pay-TV wars.

But two weeks ago a jury in the civil lawsuit against that employer, NDS Group, largely cleared the company — and by extension Tarnovsky — of piracy, finding NDS guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages.

“I knew this was going to come,” Tarnovsky says. “They didn’t have any proof or evidence.”

The trial was years in the making, yet raised more questions than it answered. It came down to testimony between admitted pirates on both sides who accused each other of lying. Now that it’s over Tarnovsky, who was fired by NDS last year, is eager to tell his side of the story.


Tip of the hat to Adam for this one


In case there are any readers who might recognize me, you’ll be able to find me at the Gartner IT Security Summit next week (June 2-3).

I’m hoping to learn something quadranty.

The Next Ten Years in Information Security
Despite rapidly advancing threats and new technology solutions, it’s relatively easy to plan for the next year or two. But peering out 5-10 years is far more challenging. The Gartner IT Security Summit will provide insight and a vision of how things will evolve over the long term and provide road maps on how enterprises and solutions providers will get there.

Check my Twitter for updates on where I am and what’s good or bad.



What a week – it’s like I’m swimming uphill both ways and it’s snowing. An extra large helping of news to make up for being late this morning. And hey – thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

  1. The Attack that made Kevin Rose Cry – Revision3
  2. BBC NEWS | Science/Nature | Monkey’s brain controls robot arm Always mount a scratch monkey – seriously.
  3. Will your mobile squeal to the police? | The Register Will your mobile find a horse head in its bed?
  4. Download al Qaeda manuals from the DoJ, go to prison? | The Register Another pair of articles analyzing the somewhat chilling effect of doing research and finding yourself in jail… do we accept this as a society or not?
  5. The New Order: When reading is a crime | The Register
  6. Facebook mob trashes £4.4m Spanish villa | The Register Anyone else surprised that the girl didn’t claim it was hackers — and faintly reminiscent of the Craigslist “The contents of this house must go” issue.
  7. Bletchley Park and the decay of the museum buildings Plcurecuernxf – fcraq n craal ba gur ravtzn naq fnir gur jbeyq sebz Uvgyre ntnva – be gur npnqrzvp trgf vg.
  8. 22 French Hackers Arrested 22 SkriptKiddies singing the Jean Valjean lines from Les Miserables… the horror.
  9. USA 2008 : Briefings Schedule All your briefs belong to Jeff Moss
  10. Rands In Repose: We Travel in Tribes I’m sneaking this one in to see if you are paying attention – which Diamond Age phyle do you belong to?
  11. State of the Internet It’s all about the metrics baby.
  12. Red Curtain: An Unsung, Free Security Application Anyone willing to sing in the comments?
  13. Computer trained to read minds Neo sez – BLUE PILL, take the frakkin blue one!
  14. National Journal Magazine – China’s Cyber-Militia Good catch Matt Franz – is this responsible journalism or just journalistic asshattery?
  15. Did Hackers Cause the 2003 Northeast Blackout? Umm, No | Threat Level from Wired.com And 27/b6 weighs in on the issue… with maybe a little more journalistic integrity.


Just a heads up — Liquidmatrix Security Digest will be at The Last Hope. There may even be some shwag available.

For Immediate Release

The very first of the speaker slots for The Last HOPE have been announced with many more to come next week. We have had more submissions than ever and will need to add an additional track in order to accommodate the best of them. What follows are some of the highlights to date.

- Steven Levy, author of Hackers: Heroes of the American Revolution and chief technology writer and a senior editor for Newsweek.

- Adam Savage, co-host of the popular TV show Mythbusters and “a maker of things.”

- Kevin Mitnick, “the world’s most dangerous hacker” in the eyes of the government and mass media, imprisoned for over five years, and now a successful computer security consultant.

- Jello Biafra, a tradition at the HOPE conferences, former lead singer of The Dead Kennedys and one of America’s most interesting social activists.

- Steven Rambam, private eye extraordinaire, who can find out anything about anybody and has always been willing to share his knowledge of privacy with the hacker community. (The FBI prevented his 2006 talk from being given by swooping in and arresting him moments earlier. The case against him was later found to have no merit.)

These five speakers are only the tip of the iceberg. By the time the dust settles, we expect to have over 100 presentations in four tracks. While time is now quite short, if you feel you have an amazing talk idea or panel suggestion, you can still email us at speakers@hope.net. We will try and schedule as many good talks as we can cram into the weekend.

The Last HOPE will take place from July 18-20, 2008 at the Hotel Pennsylvania in New York City.

To preregister, visit http://store.2600.com/lasthope.html
To submit a speaker proposal, email speakers@hope.net
To become a vendor, email vendors@hope.net
To volunteer to help us run the conference, email volunteers@hope.net
To visit the official Last HOPE website, go to http://www.hope.net

Contact: HOPE Staff +1 631 751 2600
hope@hope.net

… and since I’m temporarily in charge — shwag is only available to those who recognize me.


A couple of interesting stories over the course of the day…

Comcast Defaced (for a short while)

I can’t say that I’m all that saddened… it is Comcast after all.

Banks don’t disclose all breaches

I’d love to argue this one, but I’ve known too many bankers.

Back with more Liquidmatrix Love in the morning folks, the night is young and I’ve got work-related documentation to produce.



Wheeeeee… I’d like to take this moment to again bitch and moan about how much work this is — I don’t know how Dave finds the time and I’m not a morning person and I feel really bad and I’ve been busy and I don’t have enough coffee and… yeah. I got nothin. Have a Rockin’ Thursday! Thanks to all of our new subscribers that joined us yesterday. Welcome!


And now, the news…

  1. MacOS X 10.5.3 – Big Updates, Update Now! or else the bad guys will pwn your iCal.
  2. Defacement or Failure in Containment? Play some Russian Roulette with me! don’t believe what you see… sometimes.
  3. Securiosis tells us when Whole Disk Encryption isn’t enough
  4. Canadian government ACTAs to shoot itself in the foot… again. How do you say “Chilling Effect” when you’re up to your ass in melting ice-caps and pissed off polar bears?
  5. Let a million Hackerchildren bloom – OLPC style baby
  6. Ask /. all about security theatre HA… I didn’t get Frist Psot!!!!11!!!!
  7. Totally wicked xkcd all about security holes xkcd is the userfriendly for the post-dot-bomb world


Summary

Name: CiscoWorks Arbitrary Code Execution Vulnerability
Release Date: 28 May 2008
Reference: LSD003-2008
Discovered by: Dave Lewis
CVE Number: CVE-2008-2054
Vendor: Cisco Systems
Systems Affected: CiscoWorks Common Services (various versions): Cisco Unified Operations Manager (CUOM), Cisco Unified Service Monitor (CUSM), CiscoWorks QoS Policy Manager (QPM), CiscoWorks LAN Management Solution (LMS), Cisco Security Manager (CSM), Cisco TelePresence Readiness Assessment Manager (CTRAM)

Risk: High
Status: Published (Vendor Confirmed, Patch Available)

Description

CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to an unspecified error in CiscoWorks Common Services. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code resulting in complete system compromise.

Impact: Arbitrary code execution with elevated privileges. Fire bad.

Timeline

Discovered: 14 February 2008
Reported: 14 February 2008
Fixed: 22 April 2008
Patch Release: 28 May 2008
Published: 28 May 2008

Technical Details

The vulnerability exists due to an unspecified error in CiscoWorks Common Services when it processes attacker-supplied URLs. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with elevated privileges.

Fix Information

This issue has now been resolved.

The patch may be obtained from:

http://www.cisco.com

Cisco Advisory
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a1f14.shtml

I would like to thank Cisco for their professional response to this issue.

Liquidmatrix Security Digest

http://www.liquidmatrix.org/blog/

2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3

CC from http://flickr.com/photos/marcelgermain/2074203703/

Primarily because Brooks asked, but also because there are a whole lot of days where I face the “Magic Bunny” problem.

Simply put, in any complex system – say, an application stack which has a backend database, some application servers, some presentation servers and the connecting security stuff and network stuff – there are a number of Subject Matter Experts who need to be at the table when troubleshooting. The issue is that as far as each is concerned, the other areas of expertise are the domain of Magic Bunnies. The Application folks don’t really grok the network glue stuff and so they talk about how one machine “can’t see” the other. The database guys don’t grok the need for a firewall between them and the world because it makes things difficult to administer, and that is where you’ll find more Magic Bunnies.

Too often when I get called in on a troubleshooting swat team, it’s because as the security dude I’m always more aware of the entire picture (grok the whole) than the SMEs, and I can walk them through the problem from foundational Layer 0 stuff (is the data centre still there?) through to the Layer 9 stuff (is there a god who cares?). And damn if every time I sit in on one of these sessions, we don’t discover that there isn’t a nice overlap between areas of expertise and there’s a huge number of Magic Bunnies infesting our applications.

Do you have Magic Bunnies?

Is there a spray or ointment?

Chat amongst yourselves.

Or the bunny gets it.



Insert pithy note about how much fun I’m having and how I enjoy the struggle of reading/collating/loving the links at 0-early-thirty in the frakkin morning. Thanks to all of our new subscribers that joined us yesterday. Welcome! And bunnies. Magic Bunnies!


And now, the news…

  1. Man Allegedly takes a penny from the cup belonging to E-Trade and Schwab then gives the money back to Lumberg just before Milton burns the place to the ground.
  2. Get Kraken on your botnet You want the original title or the funny title?
  3. Haberdashery! Or, how to tell an Aitel fanboi from a mile away
  4. HP SPIs SaaS appsec glory hey – if you think you’re so much smarter than me – comment! (not you CJ, you’re scary)
  5. Singapore firm claims to own patent on clicking an image to go to a different site does prior art from 1993 count against a patent issued in 2004?
  6. And the Gold goes to RFID – Olympic Tickets to contain details on legitimate holder What is the relevance of the Olympics these days anyways?
  7. Flash Pants! – Flash 0day vuln pwns you
  8. Consumer Alert – you’re keeping too much data in your phone Your drinking phone should look like you’re at a retro party
  9. Prepare for Jesus-Net Family-friendly broadband – Nanny-state sez free-Wifi is walled garden


Ashlee Vance put together a well researched piece for El Reg on Switch Networks and their new Las Vegas datacentre.

It seems that Switch picked up an ex-Enron property for a song and has 20+ large scale interconnects in a harmless little LVNV location. They’ve kept it quiet for the benefit of their military customers, but are now coming out with a bit of a cotillion in November for their “SuperNAP”.

I think that it could be construed as a civic duty on the part of attendees to this year’s DEFCON to have a bit of a drop by and see how things are going…

Anyone in?
