Secure USB Flaw Exposed

Published: 2010-01-06
Last Updated: 2010-01-11 15:34:41 UTC
by Guy Bruneau (Version: 1)
1 comment(s)


Our Handler Arrigo Triulzi pointed out that the "fixed memory content" that was mentioned in the paper is actually the encryption key used internally in these devices. Due to ease of manufacturing, this key is the same for all devices manufactured.


Several ISC readers have written in regarding a security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim.

Vendor Information

SanDisk Update Information:
Verbatim Update Information:
Kingston Recall Information:


UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives. Thanks Tony.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

1 comment(s)

Possible new MySQL 0day

Published: 2010-01-06
Last Updated: 2010-01-06 23:02:33 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

Intevydis published a flash video on Monday showing what appears to be a new 0day exploit against MySQL 5.x. The demo ( ) is for a recent exploit included in their VulnDisco exploit pack for CANVAS as of Aug 2009. The demo shows as running against 5.0.51a-24+lenny2 but the description appears to be "MySQL 5.x Exploit" which suggests it may work against other versions as well. Current versions for MySQL are 5.1 (recommended) with a 5.5 release available.

If anyone has any additional details on this vulnerability we'd love to hear about it.

0 comment(s)

Firefox update available

Published: 2010-01-06
Last Updated: 2010-01-06 21:35:21 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

Just a quick note - Mozilla released Firefox 3.5.7 and 3.0.17 yesterday. Having looked through the patch list, it doesn't appear that there are any security issues though there are some stability fixes added.

Details can be found here:

Firefox 3.5.7:
Firefox 3.0.17:

0 comment(s)
New Tool: IPv6 conversions

Denial of Service Attack Aftermath (and what did Iran have to do with it?)

Published: 2010-01-06
Last Updated: 2010-01-06 04:16:58 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

I finally finished the report summarizing what we learned from yesterday's denial of service attack. Luckily it was small and easily defeated. The interesting part with attacks like this is to try to attribute them to a group or individual. In this case, my best guess is that this is an individual living in England. The individual appears to have some ties to Iran. Probably a student going to school in England.

The attack itself was rather simple, and required little skill. We got some great help from some of the administrators of the system attacking us. Most likely, the root cause was unprotected FTP accounts. These unprotected FTP accounts got used to upload a malicious ASP script, which was then used to attack our site. The script was very simple and had no "command and control" channel. Instead, it required a GET request hitting the specific URL to activate the attack.

The full report got a bit long for a diary, so I wrote it up as a PDF for download. I know... yet another PDF ;-).

Link to the PDF:

To make you feel better, here the checksums:

md5: 8eb9d6ef20c05875688d97fd3192a7e9
sha1: c097c740669869349bb5f8a3d3447ffa0376f928
ripemd160: 227feacd529de68c0634e1b5ca574d55cacf31ef

GPG signature:

Version: GnuPG v1.4.10 (Darwin)



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: ddos ipv6
6 comment(s)
Firefox security and stability update for version 3.5.7 and 3.0.17 available for download


Diary Archives