Zeroday Emergency Response Team (ZERT)

The ZERT team came to light recently due to their public, unofficial patch for the IE Buffer Overflow in VML (vgx.dll) vulnerability (CVE-2006-4868).

They also received coverage today by eWEEK. That article can be found here: http://www.eweek.com/article2/0,1895,2019162,00.asp

From the ZERT Manifesto:

ZERT is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor.

ZERT members work together as a team to release a non-vendor patch when a so-called “0day” (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to “crack” products, but rather to “uncrack” them by averting security vulnerabilities in them before they can be widely exploited.

It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution.

I look forward to seeing more releases and possibly whitepapers on their findings, but only time will tell if ZERT can go the distance as an organized incident response team.

Blackberry “pickpocket notification”

There is an article in today’s Toronto Star detailing Research In Motion’s (RIM) plan to release “a wireless device that aims to thwart thieves and ease the minds of those who are prone to misplacing their handheld units.”

From the article:

Details of the new device, which has not been announced by the company, are included in a recent patent application. The new device would be carried in a holster armed with a wireless transceiver. The handheld unit could be switched to a pickpocket mode so that once it’s removed from the holster, a wireless alert message would be sent to the user.

Unless a user authentication code is input in a predetermined length of time, the device’s data would be rendered unusable, according to the application, which was filed with the Canadian Intellectual Property Office.

I think this is a good step towards wireless security and has been needed for quite some time. My only concern is careless users who set off false alarms due to not properly seating the phone in the holster. Only time will tell.

The full article can be read here.
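To make the mechanism in the patent application concrete, here is a small state machine for the pickpocket mode. This is example code written for this post, not RIM’s firmware and not anything from the patent text: it assumes a holster-removal event, an alert to the user, an authentication window and a terminal “data unusable” state, as the article describes, and additionally assumes (not stated in the article) that re-seating the device before the window expires cancels the alert, which is the false-alarm case above. The 60-second window, the code “1234” and the FakeClock are constructed sample values.

```python
import hmac
import time
from enum import Enum


class State(Enum):
    IN_HOLSTER = "in_holster"        # seated in the transceiver-equipped holster
    ALERT_PENDING = "alert_pending"  # removed; alert sent, waiting for the auth code
    UNLOCKED = "unlocked"            # removed and authenticated inside the window
    DATA_DISABLED = "data_disabled"  # window expired; data rendered unusable


class PickpocketMode:
    """Assumed model of the pickpocket mode described in the patent application.

    auth_code and window_seconds are constructed sample parameters; the real
    device's code format and timeout are not given in the article.
    """

    def __init__(self, auth_code: str, window_seconds: float, clock=time.monotonic):
        self._auth_code = auth_code.encode()
        self.window = window_seconds
        self._clock = clock          # injectable so the timeout can be tested
        self.state = State.IN_HOLSTER
        self._removed_at = None
        self.alerts = []             # alert messages "sent" to the user

    def removed_from_holster(self):
        """Holster transceiver reports the handheld was pulled out."""
        if self.state is State.IN_HOLSTER:
            self._removed_at = self._clock()
            self.state = State.ALERT_PENDING
            self.alerts.append(f"removed from holster at t={self._removed_at:.0f}s")

    def returned_to_holster(self):
        """Assumption: re-seating before the window expires cancels the alert."""
        self.tick()
        if self.state in (State.ALERT_PENDING, State.UNLOCKED):
            self.state = State.IN_HOLSTER
            self._removed_at = None

    def tick(self):
        """Advance the timer; once the window has passed, the data is disabled."""
        if self.state is State.ALERT_PENDING and self._clock() - self._removed_at > self.window:
            self.state = State.DATA_DISABLED
            self._removed_at = None

    def enter_code(self, code: str) -> bool:
        """Return True only if the correct code arrives while the alert is pending."""
        self.tick()
        if self.state is not State.ALERT_PENDING:
            return False             # nothing to unlock, or already disabled
        # Constant-time comparison so the check does not leak how much of the code matched.
        if hmac.compare_digest(code.encode(), self._auth_code):
            self.state = State.UNLOCKED
            return True
        return False                 # wrong code: stay pending, the clock keeps running


class FakeClock:
    """Constructed clock so the scenarios run instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenarios(window=60):
    """Walk the model through the cases the article and the post raise."""
    results = {}

    # Owner draws the device and types the code well inside the window.
    clk = FakeClock()
    dev = PickpocketMode("1234", window, clk)
    dev.removed_from_holster()
    clk.advance(window / 2)
    results["owner_in_time"] = (dev.enter_code("1234"), dev.state)

    # A wrong code keeps the alert pending; the right code after the window is too late.
    clk = FakeClock()
    dev = PickpocketMode("1234", window, clk)
    dev.removed_from_holster()
    clk.advance(10)
    results["wrong_code"] = (dev.enter_code("0000"), dev.state)
    clk.advance(window)
    results["late_code"] = (dev.enter_code("1234"), dev.state)

    # False alarm: a badly seated handheld slips out and is re-seated seconds later.
    clk = FakeClock()
    dev = PickpocketMode("1234", window, clk)
    dev.removed_from_holster()
    clk.advance(5)
    dev.returned_to_holster()
    results["false_alarm"] = (dev.state, len(dev.alerts))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the model is the ordering of checks: the timer is evaluated before any code is accepted, so a code entered after the window is rejected even if it is correct, and a wrong code never resets the clock. The false-alarm scenario shows why the holster fit matters: every slip still generates an alert message, and only the cancel-on-reseat assumption keeps it from ending in a disabled device.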

Product Review: Dell PowerConnect 2708

When I was looking to purchase a new switch I needed it to meet the following requirements:

  1. Needs to replace my old, low-end Netgear switches
  2. Needs to allow port mirroring on the switch without having to use an external hub so I can plug my IDS and sniffers in to monitor the traffic
  3. Be as inexpensive as possible

This device did the trick.

When I purchased the 2708 it was on sale for $69CDN. It provides the following features:

  • 8 10/100/1000 BASE-T ports
  • Auto-negotiation for speed, duplex mode and flow control
  • Individual port controls
  • Switching Capacity 16.0 Gbps
  • Forwarding Rate 11.9 Mpps
  • Web-based management interface
  • BootP/DHCP IP address management or Static IP address assignment
  • RMON statistics
  • IEEE 802.1Q port-based tagging up to 64 VLANs
  • Link Aggregation, up to six groups and up to four aggregated links per group (IEEE 802.3ad)
  • Port mirroring (up to four source ports)

I was able to get the switch unpacked, installed into the network, change the default password, configure VLANs, and mirror the ports for my IDS in under 20 minutes. I couldn’t be happier with this device.

Currently it’s listed at $133CDN but it is well worth the price if you’re in the market for an inexpensive and powerful switch.
