Thursday, October 30, 2008

SSL is not everything

Secure Sockets Layer (SSL) and its IETF-standardised successor Transport Layer Security (TLS) are cryptographic protocols that protect data in transit by encrypting the communication stream between two endpoints (the client and the server). This provides confidentiality for the session and is typically used by web services such as online banking. The term HTTPS commonly refers to HTTP carried over SSL/TLS (either protocol version may be underneath).

Besides confidentiality (through encryption) and authentication (of the server, and optionally the client, through X.509 certificates), it also provides integrity: any alteration of the data in transit is detected and the connection is rejected.

I wrote this post to share some misconceptions about SSL/TLS held by many people, including IT professionals. Below are some of the common misconceptions:

- "Web servers and their data are secure as long as they use SSL"

- "With SSL, applications and web servers are not susceptible to known exploits or vulnerabilities"

The fact is that using SSL does not protect you against system and application vulnerabilities. It only protects the data while it is in transit: a SQL injection or cross-site scripting payload travels through the encrypted tunnel untouched and reaches the application exactly as the attacker sent it. In fact, SSL itself has had vulnerabilities and exploits found in its earlier versions. Don't blindly deploy SSL and assume that everything is secured.
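As an added illustration (example code written for this post, not code from the original page or from any product), the following Python simulates what an HTTPS handler receives once TLS has been stripped off: the plaintext form body, byte for byte what the client sent. A SQL injection in the login query works identically whether the request arrived over HTTP or HTTPS; only the parameterised query stops it. The user table, credentials and attack payload are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode


def make_db():
    """Constructed sample data for the example; no real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting: user input becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, name, password):
    """Same check with bound parameters: user input stays data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def handle_request(conn, body, login):
    """What an HTTPS request handler sees after TLS decryption: the plaintext
    form body. TLS guarantees it was not altered in transit, which is exactly
    why the attacker's payload arrives intact."""
    fields = parse_qs(body.decode(), keep_blank_values=True)
    name = fields.get("name", [""])[0]
    password = fields.get("password", [""])[0]
    return login(conn, name, password)


# Attacker's form body (constructed): the trailing "--" comments out the
# password check in the string-built query.
INJECTION_BODY = urlencode({"name": "alice' --", "password": "anything"}).encode()
# Legitimate login for comparison.
HONEST_BODY = urlencode({"name": "alice", "password": "correct-horse"}).encode()


def demo():
    conn = make_db()
    return {
        "vulnerable_injection": handle_request(conn, INJECTION_BODY, login_vulnerable),
        "hardened_injection": handle_request(conn, INJECTION_BODY, login_hardened),
        "hardened_honest": handle_request(conn, HONEST_BODY, login_hardened),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in `handle_request` depends on whether the bytes came over TLS; the fix lives entirely in the query construction, which is the point of the post.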

Related Links:
- RFC2246 on TLS protocol

- Wikipedia on TLS/SSL

Tuesday, October 28, 2008

Electromagnetic Waves Sniffing?!?

As the title suggests, the link shows an interesting way of sniffing wirelessly and potentially finding out whatever was typed on the target machine. Old school hacking?!? I find it timeless. Check the video out - EM Radiation

Microsoft Out-Of-Band Security Patch

Microsoft released an out-of-band security bulletin on 24 Oct (23 Oct, US time) while I was away on holiday. The patch resolves a vulnerability in the Server service of Microsoft Windows. It affects Windows systems across the board, from Windows 2000 to Windows Server 2008 (including XP, Server 2003 and Vista).

Microsoft has detected limited, targeted attacks exploiting this vulnerability in the wild, and has also noted that it could be used to craft a wormable exploit on Windows XP and older operating systems.

An unauthenticated attacker can trigger this vulnerability remotely by sending a specially crafted RPC request and execute arbitrary code on Windows 2000, Windows XP and Windows Server 2003. On Windows Vista and Windows Server 2008 the vulnerable code path requires authentication by default, which limits exploitation to attackers who already hold valid credentials.

However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box configuration the interface is not reachable, because the firewall is enabled on Windows XP SP2, Windows Vista and Windows Server 2008. Unfortunately, the RPC interface can be exposed under either of the following two conditions:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

When File and Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall exposes the RPC interface only on the network profile for which sharing was enabled. For example, if a printer is shared while the computer is on a 'Private' network, the firewall will still block incoming RPC connections once the computer switches to a 'Public' network. If you then choose to share the printer on a 'Public' network, Vista and Windows Server 2008 will prompt to ask whether you really want to enable "File and Printer Sharing" for ALL public networks.
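A quick exposure check, added here as an example (written for this post; it is not Microsoft's tooling and not part of the original bulletin): the Server service's RPC interface is reached over SMB, so a host that does not answer on TCP 139 or 445 from a given vantage point cannot be hit by this bug from there. The scanner below probes a list of hosts for those ports in parallel. The target addresses and the one-second timeout are assumptions for illustration; run it only against hosts you are authorised to scan.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports over which the Server service's RPC interface is reached:
# NetBIOS session service (139) and direct-hosted SMB (445).
SMB_PORTS = (139, 445)


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, host unreachable or name lookup failed:
        # all mean the interface is not reachable from here.
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=1.0, workers=32):
    """Map each host that answers on any of the given ports to the list of
    open ports. Hosts with nothing open are omitted, so an empty dict means
    no exposure was observed from this vantage point."""
    def probe(host):
        return host, [p for p in ports if port_open(host, p, timeout)]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    return {host: open_ports for host, open_ports in results if open_ports}


if __name__ == "__main__":
    # Assumed host list for illustration (TEST-NET addresses); replace with
    # your own inventory.
    TARGETS = ["192.0.2.10", "192.0.2.11"]
    exposed = smb_exposure(TARGETS)
    if not exposed:
        print("no host answered on SMB ports from this vantage point")
    for host, open_ports in exposed.items():
        print("%s exposes SMB on TCP %s" % (host, ", ".join(map(str, open_ports))))
```

A host that shows up in the result is reachable on the interface the bulletin describes and should be patched first; a host that does not show up is still vulnerable if unpatched, it is just not reachable from where you ran the scan (for example from the 'Public' profile in the scenario above), so the check is a prioritisation aid, not a substitute for applying MS08-067.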

Details and patches are available in Microsoft Security Bulletin MS08-067

For more technical information and advice on Microsoft vulnerabilities, you can visit the Microsoft Security Vulnerability Research & Defense Blog

Wednesday, October 22, 2008

Wireshark 1.0.4 is out

Wireshark (formerly known as Ethereal) has released a new version, 1.0.4. This release of the free and, among IT professionals, most popular network protocol analyzer fixes several security vulnerabilities and program bugs. There are no new features, but there are some improvements to the supported protocols.

The details on the updates and patches can be found in this URL - http://www.wireshark.org/docs/relnotes/wireshark-1.0.4.html

This release can be downloaded from their official Website - http://www.wireshark.org/download.html

Tuesday, October 14, 2008

When Microsoft meets Oracle

Today is Microsoft's scheduled monthly patch release (Patch Tuesday, or "Black Tuesday"). Coincidentally, it collides with Oracle's quarterly patch release. When the patch cycles of two software giants meet, it only means more work and headaches for administrators.

Microsoft Patches
Microsoft released 11 bulletins: 4 rated Critical, 6 Important and 1 Moderate. The patches cover products from the Windows OS and Internet Explorer to Office.

For more information, visit the Microsoft Security Bulletin Summary for October 2008 website.

Oracle Patches
Oracle released 36 patches, covering products ranging from Database, Application Server, E-Business Suite and PeopleSoft to BEA. DBAs and system administrators are advised to review the patches and their CVSS* scores before patching.

For more information, visit the Oracle Critical Patch Update Advisory - October 2008 website

We are likely to see this patch collision recur on their next scheduled releases, both due on January 13th, 2009.

Note:
*CVSS - Common Vulnerability Scoring System, an open framework for communicating the characteristics and impact of IT vulnerabilities.