Irregular Expressions


September 28, 2012  10:30 PM

Adobe Hack



Posted by: Dan O'Connor

It appears that an Adobe server involved with code signing has been compromised.

http://helpx.adobe.com/x-productkb/global/certificate-updates.html

All of the information I can find is pretty vague; most of the Adobe posts repeat the same information over and over again.

This post has a little more information.

http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

September 28, 2012  10:20 PM

My Favorite Story This Month



Posted by: Dan O'Connor

One of the most interesting stories I have read this month.

http://privacy-pc.com/articles/from-white-hat-to-black-the-curious-case-of-cybercrime-kingpin-max-vision.html

It’s not completed yet but a really good read. A good insight into the carder community, although it has been some time since I have seen a domestic operation near this size.

Many that I have seen recently are operating over a large geographic area, with the cards and money going half a world away.


September 27, 2012  9:48 PM

Mr. Assange, Enemy of the State



Posted by: Dan O'Connor

I know it’s a cheesy title, but it appears that WikiLeaks, along with Mr. Assange, have been declared enemies of the US.

http://www.theage.com.au/opinion/political-news/us-calls-assange-enemy-of-state-20120927-26m7s.html

If you read a bit in, it does not look like this is directed at WikiLeaks or Mr. Assange. I am thinking that it is to give a stronger legal stance if they have another Mr. Manning.

‘military personnel who contact WikiLeaks or WikiLeaks supporters may be at risk of being charged with “communicating with the enemy”, a military crime that carries a maximum sentence of death.’

Although I don’t think this is a good thing if Mr. Assange ever sets foot on US soil or near an unmarked van.


September 27, 2012  1:27 PM

Computer Time Keeping – Part 3



Posted by: Dan O'Connor

During its operation, NTP evaluates all of the servers you have listed and picks a preferred one as your main source.


     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+65.55.21.13     207.200.81.113   2 u   54   64  377   63.472   -1.087   7.784
*208.73.56.29    72.105.198.74    2 u   57   64  377   33.998   -0.322   1.510
-209.17.190.116  199.212.17.34    3 u   51   64  377   42.232    0.634   1.241

This server is marked with a *; the other servers are listed relative to this main server with either a + or - depending on how they sync up to the main clock. If for some reason one of the time servers gets too far out of sync with your computer and the rest of the clocks, NTP stops using it as a reference: the *, - or + is removed and it remains on the list with a blank space in front of it.

When setting up your own time servers it’s good practice to have only a couple on your own network; these two systems can then be synced to multiple external systems so your entire network is not trying to synchronize time with the internet. You definitely want at least two servers on your network, three is even better. An Active Directory domain that does not know what time it is is in real trouble.


September 27, 2012  11:04 AM

Computer Time Keeping – Part 2



Posted by: Dan O'Connor

Once you have selected a time server to sync to, it’s a great idea to pick at least another two. You could use two or one if you really wanted to, but most documentation recommends two to three. The reason for this is the way the NTP protocol works. Not only does NTP ask the server for its current time, it also calculates the travel time there and back and works that into the current system time. The time it takes to get to and from the remote NTP server is referred to as delay. Here is my example again below.

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+65.55.21.13     207.200.81.113   2 u   54   64  377   63.472   -1.087   7.784

The next column is offset, which is the measure of how far our clock is off from the remote clock. Small offsets will be gradually fixed (seconds); a larger offset will be stepped (the clock will jump). If the offset is too large, as an example several minutes, NTP will shut down and assume something really bad has happened. If this happens the only way to restart NTP will be to use a command like ntpdate or manually fix the clock. Jitter is more complex, but it is used in NTP's formula to figure out a preferred server or to mark one bad.
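The delay and offset columns above come from the four timestamps of a single request/response. The following is an added example (not code from the post) that carries the arithmetic through with constructed timestamps, named as in RFC 5905 (t1 = client transmit, t2 = server receive, t3 = server transmit, t4 = client receive), and classifies the result against ntpd's default step and panic thresholds (128 ms and 1000 s), which are tighter than the "several minutes" rule of thumb in the post:

```python
"""Offset and delay from a single NTP request/response.

Added example (not from the post): the arithmetic ntpd performs on the four
timestamps of one exchange, using RFC 5905 names: t1 = client transmit,
t2 = server receive, t3 = server transmit, t4 = client receive. All values
are seconds. The sample timestamps at the bottom are constructed.
"""
from __future__ import annotations

# ntpd defaults: offsets below the step threshold are slewed, above it the
# clock is stepped, and above the panic threshold ntpd exits (unless -g).
STEP_THRESHOLD_S = 0.128
PANIC_THRESHOLD_S = 1000.0


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple[float, float]:
    """Return (offset, delay) in seconds.

    offset: estimated difference server - local clock, assuming the outbound
            and return paths take equal time (negative = local clock is ahead).
    delay:  round-trip time with the server's own processing time removed.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def correction_action(offset_s: float) -> str:
    """What ntpd does with an offset of this size: 'slew', 'step' or 'panic'."""
    magnitude = abs(offset_s)
    if magnitude > PANIC_THRESHOLD_S:
        return "panic"
    if magnitude > STEP_THRESHOLD_S:
        return "step"
    return "slew"


def to_ms(seconds: float) -> float:
    """ntpq -p prints delay/offset/jitter in milliseconds with 3 decimals."""
    return round(seconds * 1000.0, 3)


# Constructed exchange: 63.472 ms round trip, local clock 1.087 ms ahead of
# the server, 10 us of server processing. These reproduce the first row of
# the post's table (delay 63.472, offset -1.087).
RTT_S = 0.063472
LOCAL_AHEAD_S = 0.001087
SERVER_PROC_S = 0.000010

T1 = 1000.000000
T2 = T1 + RTT_S / 2 - LOCAL_AHEAD_S      # server receives (its clock runs behind ours)
T3 = T2 + SERVER_PROC_S                  # server transmits after processing
T4 = T1 + RTT_S + SERVER_PROC_S          # client receives the reply

if __name__ == "__main__":
    off, dly = offset_and_delay(T1, T2, T3, T4)
    print(f"offset {to_ms(off):+.3f} ms, delay {to_ms(dly):.3f} ms -> {correction_action(off)}")
```

Because the offset formula assumes a symmetric path, any asymmetry between the outbound and return legs shows up directly as an offset error, which is why a source with a consistently large or variable delay (high jitter) is a poorer candidate even when its clock is good.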


September 22, 2012  9:59 PM

Computer Time Keeping – Part 1



Posted by: Dan O'Connor

Time keeping on computers is a fascinating subject to me. It’s extremely complex and simple at the same time.

NTP (the Network Time Protocol) itself is worth an entire book. First off, there are several layers of time server you can sync to; these levels are referred to as strata. A top-level time server, or stratum 1, is a time server directly connected to a reference clock. Directly connected really means that it’s not crossing a network to get there; basically it’s a direct serial connection (in most cases).

When it comes to good and bad things to do, it’s generally frowned upon to sync directly to a stratum 1 time server as an end user. The only time you should be syncing to a stratum 1 server is when you are operating a stratum 2 server. Stratum 2 servers sync to multiple stratum 1 servers and do so over a network connection. As an end user, if you look at what your machines are syncing to, you will be connecting to stratum 2 servers.

Now you can get the idea here: the next level down is going to be stratum 3, 4, 5, etc. Really though, 2 or 3 is as many levels as can normally be expected.

Here is what my connection to time.windows.com looks like, just as a reference:


     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 65.55.21.13     207.200.81.113   2 u   47   64    1   64.999   -7.486   0.002

The third column (st) is the stratum; time.windows.com is at 2.
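The three time-keeping posts above describe how to read `ntpq -p` output: the stratum column, the reach/delay/offset/jitter figures, and the tally character (*, +, - or blank) that shows which source NTP is following. Here is an added example (not code from the posts) of a small parser that turns that output into records and raises the findings a monitoring check would want: no system peer selected, a source that has missed polls (reach not 377), a stratum 16 (unsynchronised) source, or an offset beyond ntpd's 128 ms step threshold. The sample output is constructed from the figures in the posts plus one unreachable peer; the tally meanings follow the ntpq documentation.

```python
"""Parse `ntpq -p` output and evaluate peer health.

Added example (not from the posts). The first character of each peer row is
ntpq's tally code; the meanings below are from the ntpq documentation.
The sample output is constructed (values mirror the posts' tables, plus one
unreachable peer still in its initial state).
"""
from __future__ import annotations
from dataclasses import dataclass

TALLY_MEANING = {
    "*": "system peer",   # the source ntpd is actually following
    "+": "candidate",     # survived selection; combined with the system peer
    "-": "outlier",       # discarded by the clustering algorithm
    " ": "rejected",      # unreachable, discarded, or not yet evaluated
    "x": "falseticker",   # failed the intersection algorithm
    "#": "excess",        # good but more candidates than needed
    "o": "pps peer",      # pulse-per-second source in use
}

STEP_THRESHOLD_MS = 128.0   # ntpd default: larger offsets are stepped, not slewed

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+65.55.21.13     207.200.81.113   2 u   54   64  377   63.472   -1.087   7.784
*208.73.56.29    72.105.198.74    2 u   57   64  377   33.998   -0.322   1.510
-209.17.190.116  199.212.17.34    3 u   51   64  377   42.232    0.634   1.241
 10.0.0.5        .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int          # 8-bit shift register of the last 8 polls (ntpq prints it in octal)
    delay_ms: float
    offset_ms: float
    jitter_ms: float


def parse_ntpq(text: str) -> list[Peer]:
    """Return one Peer per data row, skipping the header and separator lines."""
    peers: list[Peer] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, rest = line[0], line[1:]          # tally code occupies column 0
        fields = rest.split()
        if len(fields) < 10:
            continue                              # not a peer row
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields[:10]
        peers.append(Peer(tally, remote, refid, int(st), int(reach, 8),
                          float(delay), float(offset), float(jitter)))
    return peers


def system_peer(peers: list[Peer]) -> Peer | None:
    """The peer marked with '*', or None if ntpd has not selected one."""
    return next((p for p in peers if p.tally == "*"), None)


def health_report(peers: list[Peer], max_offset_ms: float = STEP_THRESHOLD_MS) -> list[str]:
    """Findings a monitoring check would raise for this peer table."""
    findings: list[str] = []
    if system_peer(peers) is None:
        findings.append("no system peer: ntpd is not synchronised to any source")
    for p in peers:
        if p.reach != 0o377:
            findings.append(f"{p.remote}: reach {p.reach:o} (missed polls in the last 8)")
        if p.stratum >= 16:
            findings.append(f"{p.remote}: stratum 16 (source is itself unsynchronised)")
        if abs(p.offset_ms) > max_offset_ms:
            findings.append(f"{p.remote}: offset {p.offset_ms} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    table = parse_ntpq(SAMPLE_NTPQ)
    for p in table:
        print(f"{p.remote:16} st {p.stratum:2} {TALLY_MEANING[p.tally]}")
    for finding in health_report(table):
        print("WARNING:", finding)
```

The reach register is the quickest indicator of a flapping source: 377 (octal) means all of the last eight polls were answered, and any other value means recent polls were missed, which is usually visible before NTP drops the tally code as described in Part 3.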


September 21, 2012  9:11 PM

CVE-2012-4969 Patch – Part 2



Posted by: Dan O'Connor

Here is the notification, now MS12-063.

It’s nice to see them get it out before the regular Tuesday patching cycle. I have not seen or heard any first-hand accounts of it being exploited, but there is a Metasploit module now so it won’t be too long.

It’s not the severity of this or its use as a zero-day attack; to me what is surprising is that it goes all of the way back to IE 6. For something to be there that long and no one to know about it is amazing. It makes me think that some organization out there knew about this and was sitting on it in case they needed it for a project.


September 20, 2012  9:11 PM

Sophos oops



Posted by: Dan O'Connor

Someone had a bad day this week.

http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

A flawed update was sent to, from what I can tell, most if not all of their customers in North America. Any application that did any update checks seemed to be flagged as malware (Shh/Updater-B), even Sophos itself.

They are promising an explanation after an investigation; I would suspect it was fat fingers. From the information that I have, it does not appear that it did any damage besides the vast amounts of alerts I am sure it caused.


September 19, 2012  8:56 PM

CVE-2012-4969 Patch



Posted by: Dan O'Connor

There appears to be a release set for Friday, Sept 21st for CVE-2012-4969.

If you haven’t seen this, it is a pretty bad one. Here is some additional info:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969

http://technet.microsoft.com/en-us/security/advisory/2757760

The short version of what is going on is that there is a vulnerability inside of all current versions of IE that is being exploited to install a trojan. From what I have been seeing so far, all of the attacks use a swf file for delivery. Microsoft did a quick release of some mitigation techniques and it looks like we have a full patch set for Friday.


September 18, 2012  11:51 PM

A little flame malware info



Posted by: Dan O'Connor

They don’t list the source study, but I found one line of this worth pointing out.

http://www.bbc.co.uk/news/technology-19637182

“The study also suggests Flame dates back to 2006, much earlier than previously thought.”

That right there is pretty amazing to me, having this level of sophistication in 2006. If this is 6 years old, what are the new renditions doing?

