
August 7th, 2008

Thursday, August 7th, 2008 02:56 pm

Bluetooth 2.1 is designed to, among other things, be more secure than Bluetooth 2.0.  And it is ... if you properly implement it using a one-time-password scheme.  But that requirement is buried deep within a 1,400-page protocol document, and most manufacturers aren't even aware it exists.

Fortunately, there are almost no existing Bluetooth 2.1 implementations.

Why "fortunately"?  Well, because if you don't know about and follow that one-time-password requirement, a Bluetooth 2.1 session can be hijacked and the password stolen in less than one second with a man-in-the-middle attack.

"Good protocol should be hard to get wrong and easy to get right," [Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems Ltd.] said Wednesday at the Black Hat briefings.  "Even the best protocols can be badly implemented; in Bluetooth it is the opposite. Unless you really know what you are doing, it's easy to get wrong."

Thursday, August 7th, 2008 05:29 pm

LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

The new attack technique makes use of (yeah, you guessed it) Internet Explorer, and the way it and Vista handle .NET objects and active scripting, in order to load arbitrary code into any desired location on the target machine.  The attack does not exploit any particular vulnerability or pre-existing exploit, but rather is based on the underlying architecture of Vista itself.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author.  "They have attacks that let them load chosen content to a chosen location with chosen permissions.  That's completely game over."

"What this means is that almost any vulnerability in the browser is trivially exploitable," Dai Zovi added.  "A lot of exploit defenses are rendered useless by browsers.  ASLR and hardware DEP are completely useless against these attacks."

[...]

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities.  As a result, he said, there may soon be similar techniques applied to other platforms or environments.

"This is not insanely technical.  These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said.  "I definitely think this will get reused soon, sort of like heap spraying was."

It'll be interesting to see the fallout from this.  And probably not "interesting in a good way."

Interesting thought from xnguard (LiveJournal), elsewhere:  "Can this be exploited via Firefox if the .NET plugins are installed?"