Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks

US-CERT is aware of reports stating that multiple programming language implementations, including web platforms, are vulnerable to hash table collision attacks. This vulnerability could be used by an attacker to launch a denial-of-service attack against websites using affected products. 

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

Microsoft has released an update for the .NET Framework to address this vulnerability and three others. Additional information can be found in Microsoft Security Bulletin MS11-100 and Microsoft Security Advisory 2659883.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.

US-CERT will provide additional information as it becomes available.

Fighting Mobile Phone Impersonation and Surveillance

Yesterday at the 28th Chaos Communications Congress (28C3), in Berlin, security researchers along with Karsten Nohl and Luca Melette showcased a number of flaws and solutions in GSM mobile phone networks.

Karsten Nohl presenting “Defending Mobile Phones” at the 28th Chaos Communications Congress.

Day 1
Defeating GSM encryption is not new. Nohl and Melette detailed how attackers can use known network control messages to help decrypt SMS traffic and recover the TMSI, a temporary ID assigned to every device on the network. Acquiring a TMSI lets an attacker pretend to be the victim’s mobile phone. This is useful for signing up somebody’s phone for SMS subscription services or other premium-rate SMS fraud.

Impersonating mobile phones makes SMS fraud easier for attackers.

Mitigating the attack requires mobile networks to implement certain techniques that prevent the encrypting of known messages, avoiding known plain-text attacks. Making the changes can require new GSM network hardware, which carriers may have to delay due to expense.

The duo also mentioned how the use of IMSI catchers–monitoring devices used by law enforcement–by criminals is leaving mobile users at risk. Crooks can now attain relatively cheaply the same hardware tools that police use to emulate cell towers.

An additional technique used to locate mobile phones is the so-called Silent SMS. These messages are silently ignored by the majority of mobile phones and give no indication to the user. But the messages leave trails in customer service records, the logs kept by mobile carriers, and allow monitors to correlate a mobile phone’s location with that of cell towers.

Our presenters have developed free software, CatcherCatcher, which detects features used by IMSI catchers that regular cell towers don’t use. The GSM security map, a site that uses data from the CatcherCatcher tool, helps to track unauthorized mobile phone monitoring.

Day 2
Today promises additional talks on mobile security, “Apple vs. Google Client Platform,” and “Reversing a Qualcomm baseband.”

US Subway Stores POS Hacked For $3Million Dollars

Honestly there hasn’t been much news over the holiday period, well maybe there was but no one bothered reporting it. There was the Stratfor case of course, which Anonymous is saying wasn’t anything to do with them. The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back. [...]

Read the full post at