FireWire hack

May 15th, 2008

USB ports are something most of us use every day, and they are now near-mandatory interfaces on computers. They are commonplace on servers, where just a few years ago they weren’t even an option. Many computers now have FireWire ports as well. Sony calls this interface iLink, and the official name is 1394. FireWire is not used nearly as much as USB, even though it is better architecturally and even the slowest 1394 ports can push sustained data faster than the latest USB standards. The port is used mainly for working with digital video cameras, and some people use it instead of USB for external drives because it is a bit faster.

There is a new exploit that can take advantage of FireWire ports. Actually, it isn’t that new. The discoverers of the vulnerability notified Microsoft years ago, but the world’s largest software maker didn’t consider it that much of a risk. Unfortunately, a hacker has made this a much greater risk by publishing the tools to take advantage of this weakness. An attacker can connect his/her computer to your computer with a 1394 cable and pull your password out of memory, and it only takes a few seconds. Having a password-protected screensaver does not help.

The method used can, and actually will, be modified to extract more than just a user’s password. New programs will try to gather disk encryption keys (if any) and even try to get data out of RAM, such as information in an open spreadsheet. In short, until OS makers come out with a patch, the current defense is to disable the FireWire port when not in use, or to log off all accounts when the computer is not in use. If a computer is suspended (sleep mode), even hibernating, then it could still be attacked just by waking it up. As much as I prefer using external FW drives, it is wiser to use USB-attached drives instead. If you would like steps on how to disable FW ports in Device Manager, post a comment or send an e-mail to ccalvert (at) umw (dot) edu.
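The "disable the FireWire port when not in use" defense can also be scripted instead of clicked through in Device Manager. The following is an added example, not part of the original post: it assumes a Windows version that ships the PnpDevice cmdlets (`Get-PnpDevice`, `Disable-PnpDevice`), and the function names are hypothetical.

```powershell
# Added example, not from the original post. Assumes the PnpDevice module
# (Get-PnpDevice / Disable-PnpDevice) is available. Function names are hypothetical.

# Device setup class GUID for IEEE 1394 host bus controllers.
$FireWireClassGuid = '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'

function Get-FireWireController {
    # Return every 1394 host controller currently present on the machine.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.ClassGuid -eq $FireWireClassGuid }
}

function Disable-FireWireController {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $controllers = @(Get-FireWireController)
    if ($controllers.Count -eq 0) {
        Write-Output 'No FireWire (1394) host controller present.'
        return
    }

    foreach ($dev in $controllers) {
        # A running device reports Status 'OK'; anything else is already off or faulted.
        if ($dev.Status -ne 'OK') {
            Write-Output "Not running: $($dev.FriendlyName) [$($dev.Status)]"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable device')) {
            # Changing device state needs an elevated session; check only when applying.
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = New-Object Security.Principal.WindowsPrincipal($id)
            if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
                throw 'Disabling devices requires an elevated (administrator) session.'
            }
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            Write-Output "Disabled: $($dev.FriendlyName)"
        }
    }
}

# Report what is present, then preview the change without applying it.
Get-FireWireController | Format-Table FriendlyName, Status, InstanceId -AutoSize
Disable-FireWireController -WhatIf
```

Run `Disable-FireWireController` without `-WhatIf` from an elevated prompt to apply the change, and use `Enable-PnpDevice` with the same instance ID when a FireWire device actually needs to be attached.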

Windows users, there’s a new exploit in town!

April 3rd, 2007

There is a newly found vulnerability that affects Internet Explorer, Outlook, Outlook Express and even the Windows OS itself. Actually, the discovery isn’t that new; the flaw was reported to Microsoft on 20 Dec. 2006.

The short answer is to make sure antivirus definitions are up to date. All major AV vendors had an update over the weekend for this new attack vector. Avoid using Outlook Express if at all possible because the exploit will fire even if viewing in text mode. Use Outlook in text mode, and only use IE for going to known safe sites.

Microsoft says there will be a patch today. This must be a big threat for MS to release a patch out of cycle; patches normally come out on the 2nd Tuesday of each month.