Archive | January, 2013

Internet Explorer Still Vulnerable

Regarding the IE 2012 year-end vulnerability, there is a ‘Fix it’ available; however, there is no patch in Microsoft’s January Security Updates. This could lead to an out-of-cycle patch, and the current guidance is:


Breaking Full-Disk Encryption with FireWire


Oh yes, Inception is a tool for breaking into computers with full-disk encryption, assuming you have physical access to a machine that is screen-locked or suspended. There is a reason you’re told to shut down your computer when it’s not in your possession!

One needs an on-board FireWire interface or, simply, a FireWire card plugged into an open slot. As the name alludes, this attack breaks into the dreams of sleeping computers – directly accessing their memory and conning secrets.


This cannot be easily remedied with a simple driver update because FireWire requires direct memory access for high-speed transfers.


Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.

An analogy for this operation is planting an idea in the memory of the machine: the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.

After running the tool you should be able to log into the victim machine using any password.
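The defensive counterpart to the attack described above is making sure the SBP-2 DMA path is never opened in the first place. The following Python audit is an added example (not code from this post or from the Inception project): it checks whether the Linux FireWire and SBP-2 kernel modules are blocked from loading, whether they are currently loaded, and whether the IOMMU is enabled so that device DMA is confined. It reads text snapshots of /etc/modprobe.d/*.conf, /proc/cmdline and /proc/modules; the sample inputs and module names at the bottom are constructed assumptions, not values from the page.

```python
"""Audit Linux mitigations against FireWire/SBP-2 DMA attacks such as Inception.
Added example, not code from the original post or the Inception project. It reads
text snapshots of /etc/modprobe.d/*.conf, /proc/cmdline and /proc/modules; the
samples at the bottom are constructed, not captured from a real host."""

# Modules exposing the FireWire controller and the SBP-2 protocol. modprobe treats
# '-' and '_' in module names as equivalent, so names are normalised to '_'.
FIREWIRE_MODULES = ("firewire_ohci", "firewire_sbp2")

def blocked_modules(modprobe_conf):
    """Return (hard, soft): 'install <mod> /bin/false' blocks every load
    attempt; 'blacklist <mod>' only stops autoloading on device detection."""
    hard, soft = set(), set()
    for raw in modprobe_conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenise
        if len(parts) == 3 and parts[0] == "install" and parts[2] in ("/bin/false", "/bin/true"):
            hard.add(parts[1].replace("-", "_"))
        elif len(parts) == 2 and parts[0] == "blacklist":
            soft.add(parts[1].replace("-", "_"))
    return hard, soft

def loaded_modules(proc_modules):
    """First column of each /proc/modules line is the module name."""
    return {l.split()[0].replace("-", "_") for l in proc_modules.splitlines() if l.strip()}

def iommu_enabled(cmdline):
    """The IOMMU confines a device's DMA to the pages its driver mapped for it."""
    return bool(set(cmdline.split()) & {"intel_iommu=on", "iommu=force"})

def audit(modprobe_conf, cmdline, proc_modules):
    """Return a list of findings; an empty list means every check passed."""
    hard, soft = blocked_modules(modprobe_conf)
    loaded = loaded_modules(proc_modules)
    findings = []
    for mod in FIREWIRE_MODULES:
        if mod in loaded:
            findings.append(f"{mod} is loaded: the DMA path is live")
        elif mod in soft and mod not in hard:
            findings.append(f"{mod} only blacklisted: an explicit modprobe still loads it")
        elif mod not in hard:
            findings.append(f"{mod} not blocked: it autoloads when a device appears")
    if not iommu_enabled(cmdline):
        findings.append("IOMMU not enabled: bus DMA can reach any physical page")
    return findings

# Constructed samples: sbp2 only blacklisted, ohci hard-blocked, IOMMU off.
SAMPLE_MODPROBE = "blacklist firewire-sbp2\ninstall firewire-ohci /bin/false\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_MODULES = "ext4 589824 1 - Live 0x0000000000000000\n"
```

Running `audit(SAMPLE_MODPROBE, SAMPLE_CMDLINE, SAMPLE_MODULES)` on the constructed samples reports that firewire_sbp2 is only blacklisted and that the IOMMU is off; a host with both modules hard-blocked and intel_iommu=on returns no findings.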



Hacking Cisco Phones

Ang Cui and Michael Costello gave a talk at the 29th Chaos Communication Congress in Hamburg titled Hacking Cisco Phones.

Just because you are paranoid doesn’t mean your phone isn’t listening to everything you say

The two speakers “demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels.” Beyond the technical work, there are social issues around convincing people that phones matter.

make security important



Print Me If You Dare

Weaknesses within the firmware update process allow the attacker to make arbitrary modifications to the NVRAM contents of the device. The attacks we present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability. These attacks cannot be prevented by any authentication mechanism on the printer, and can be delivered over the network, either directly or through a print server (active attack) and as hidden payloads within documents (reflexive attack).

IE – Year End 0-day

Zero-day attack on Internet Explorer (CVE-2012-4792)! How quickly did you respond to the interruption this holiday vacation? IE 8, 7, and 6 make up one-third of the desktop browser market. For consumers on Windows XP, IE 9 and 10 are not supported; it is best to start using an additional browser such as Mozilla Firefox or Google Chrome.

Microsoft Security Advisory (2794220) explains:

The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

For corporations needing IE on XP and who are unable to upgrade, Microsoft has a Fix It tool available (KB2794220). Remember that a ‘Fix It’ is not a patch, but rather an easy way to apply workaround configuration changes. Also note that you should remove the ‘Fix It’ once the final patch is applied.

It seems that one of the reasons for launching the attacks during the holiday period was the belief that IT/Security Administrators would be slower to respond. Were you or your team?
