Friday, 19 November 2010

Security Weekly News 19 November 2010 - Full List






Hacking Incidents / Cybercrime


 
A US court has heard that a couple conned at least $6 million from the great-grandson of an oil industry tycoon after he brought his virus-infected computer
in for repair.
Although the victim's name has not been released by the authorities, media reports have named him as jazz pianist and composer Roger Davidson, an heir of
oil tycoon Conrad Schlumberger. According to reports, prosecutors in Westchester (NY), have charged 36-year-old Vickram Bedi and his girlfriend Helga
Invarsdottir.

 
A Russian couple living in the US have been charged with illegally using the personal information of an American citizen living in Ireland, who says he
learned of the alleged scam through Facebook.
A criminal complaint charges the couple, whose true names are not known to police, with identity theft, bank fraud and other crimes.
The man is being held until a bail hearing next week. His wife was released on bail.

 
Web of Victims [www.fbi.gov]
A Chilling Case of 'Sextortion'
The hacker knew every move the unsuspecting victim made. He controlled her computer webcam and microphone. He could see her in her bedroom, hear her
conversations, knew every keystroke she made online. And he threatened to expose her secrets unless she bowed to his demands.
It may sound like the plot for a scary teen movie, but it actually happened, and there wasn't just one victim - there were more than 200, and dozens of them
were adolescent girls.

 
Former Ford employee Xiang Dong Yu, aka Mike Yu, 49, of Beijing, China, pleaded guilty today in federal court to two counts of theft of trade secrets,
announced Barbara L. McQuade, United States Attorney for the Eastern District of Michigan. McQuade was joined in the announcement by Andrew G. Arena,
Special Agent in Charge of the FBI.
According to the plea agreement in this case, Yu was a product engineer for the Ford Motor Company from 1997 to 2007 and had access to Ford trade secrets,
including Ford design documents. In December 2006, Yu accepted a job at the China branch of a U.S. company. On the eve of his departure from Ford and before
he told Ford of his new job, Yu copied some 4,000 Ford documents onto an external hard drive, including sensitive Ford design documents.

 
For 18 minutes in April, China's state-controlled telecommunications company hijacked 15 percent of the world's Internet traffic, including data from U.S.
military, civilian organizations and those of other U.S. allies.
This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the
implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world's largest
dedicated Internet security company.

 
Hacking the hackers - the data was obtained by hacking koobface command and control server ('the mothership').
The countermeasures the botnet is using:
* Koobface maintains a banlist of IP addresses that are forbidden from accessing Koobface servers.
* Koobface operators carefully monitor whether any of their URLs have been flagged as malicious by bit.ly or Facebook and they also monitor their malware
links with the Google Safe Browsing API.

 
Stuxnet: A Breakthrough [www.symantec.com]
Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we've connected a critical piece of the puzzle.
Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of
Stuxnet is and what its target was.
However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific
vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a
CP-342-5 Profibus communications module.

 
Stuxnet has a double payload [www.h-online.com]
According to the latest analysis, Stuxnet is aimed not at disrupting a single system, but at two different systems. According to control systems security
firm Langner Communications, the worm is not just designed to interfere with specific, variable frequency, motor control systems - it also attempts to
disrupt turbine control systems. According to Langner, this would mean that, in addition to Iran's uranium enrichment plant at Natanz, the country's Bushehr
nuclear power plant may have been a further target of the Stuxnet attack.

 
KNOXVILLE, Tenn. - A former University of Tennessee student who hacked into Sarah Palin's e-mail account during the 2008 presidential campaign was sentenced
Friday to a year and a day in custody, with the judge recommending a halfway house instead of prison.

 
Koobface server taken down [www.h-online.com]
A UK internet service provider (ISP) has taken the Koobface social networking botnet Command-and-Control server off-line after security specialists from the
SecDev Group informed the UK investigative authorities about the server. While this will temporarily obstruct the botnet, it doesn't mean that the
individuals behind Koobface have been neutralised. It's probably only a matter of time until the infected computers are redirected to a new server.

 
Scareware cold-callers target 1 in 4 [www.theregister.co.uk]
Bogus software scam riles UK.gov
A quarter of internet users have received a cold call from cyber criminals falsely claiming their computer is infected with a virus, the government said
today.
The con is designed to obtain banking credentials and control of the target machine. Victims are told they need to download software that will remove the
infection, but in fact it monitors their activity and reports personal data back to the criminals.
Despite press reports on the scam going back more than a year, the security minister Baroness Neville-Jones said today that 80 per cent of internet users
are unaware.




Unpatched Vulnerabilities


 
Thanks to our reader Seb for the heads up about a remote denial of service vulnerability within Firefox 3.6.12.
There are a number of sites showing the exploit code which has been developed by Italian members of the BackTrack project.

 
Researchers were able to use these hard-coded and unchangeable passwords, and other vulnerabilities, to access the internal network
Cisco's Unified Videoconferencing product contains hard-coded passwords and other vulnerabilities in the software that could be used to infiltrate an
organization's internal network.
A Cisco advisory issued yesterday said the Unified Videoconferencing 5110 and 5115 Systems' Linux shell contains three hard-coded usernames and passwords
that can't be altered, nor can the accounts themselves be deleted. 'Attackers could leverage these accounts to obtain remote access to a device by using
permitted remote access protocols,' Cisco said in the advisory.




Software Updates


 
View and comment on any PDF document more securely
Open and view any PDF document in Adobe® Reader® X software using new Protected Mode. Take advantage of enhanced review and commenting tools to share your
feedback with others.

 
Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier
9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the
affected system.
In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog ('Potential issue in Adobe
Reader'), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.
http://www.adobe.com/support/security/bulletins/apsb10-28.html

 
OpenSSL updated to kill code-execution bug
Remotely exploitable
The OpenSSL server has been updated to fix a security bug that could be remotely exploited to potentially install malware on vulnerable systems.
The race condition flaw in the OpenSSL TLS server extension code could be exploited in a buffer overrun attack, maintainers of the open-source SSL and TLS
application warned on Tuesday. All versions of OpenSSL that support TLS extensions are vulnerable, including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and
1.0.0a. Apache HTTP server and Stunnel are not affected.

 
The VideoLAN Project developers have announced the release of version 1.1.5 of their VLC Media Player, a free open source cross-platform multimedia player
for various audio and video formats. The latest maintenance and security update includes various translation updates, several bug fixes and addresses a
Windows only security issue.

 
Updated systemtap packages that fix two security issues are now available
for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

 
CVE-ID: CVE-2010-4011
Available for: Mac OS X Server v10.6 through v10.6.5 (10H574)
Impact: A user may receive mail intended for other users
Description: A memory aliasing issue in Dovecot's handling of user names exists in Mac OS X Server v10.6.5 (10H574). On systems configured with Dovecot as a
mail server, a user may receive mail that was intended for other users. This issue is addressed through improved memory management. Dovecot is only provided
with Mac OS X Server systems. This issue only affects systems running Mac OS X Server v10.6.5 (10H574). This issue does not affect the Dovecot open source
project.

 
Vulnerabilities could let bad guys install apps on the smartphone without user's permission
Google has been issuing updates since last week to its Android platform to fix one of two recently revealed vulnerabilities that could allow an attacker to
install applications on a phone without the explicit permission of the smartphone user.
Researchers last week at Black Hat Abu Dhabi and at Intel's annual internal security conference, held in Oregon, separately demonstrated two different
vulnerabilities in Android that each leave the door wide open for an attacker to force a malicious app onto the smartphone, bypassing the user permissions
prompt.




Business Case for Security


 
IT security becoming a higher priority in many organizations, CompTIA reports
Sixty-three percent of U.S. organizations have experienced at least one security incident or breach during the past year, according to a new study released
today.
Almost half of the breached organizations classified the situation as 'serious' -- meaning there was a financial threat, potential damage to the
organization's reputation, or other business-critical problem, according to the Computing Technology Industry Association's (CompTIA's) 8th Annual Global
Security Trends Study.
Human error is the perceived cause for 59 percent of security incidents, according to the study. Forty-one percent are perceived as technology errors. The
element of human error that most contributes to security breaches? Failure of end users to comply with security policies, which was cited by 49 percent of
respondents.

 
Why Counting Flaws is Flawed [krebsonsecurity.com]
Once or twice each year, some security company trots out a "study" that counts the number of vulnerabilities that were found and fixed in widely used
software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the
relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.
The reality is that these types of vulnerability count reports - like the one issued this week by application whitelisting firm Bit9 - seek to measure a
complex, multi-faceted problem from a single dimension. It's a bit like trying to gauge the relative quality of different Swiss Cheese brands by comparing the
number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous
and - even humorous - conclusions.

 
Malware growth reaches record rate [www.infosecurity-magazine.com]
Malware growth has reached its highest levels, with an average of 60 000 new pieces of malware identified every day, according to the latest threat report
from security firm McAfee.
Cyber criminals are becoming more savvy and attacks increasingly more severe, said the threat report for the third quarter of 2010.
The Zeus botnet is identified as one of the most sophisticated pieces of malware to plague users, with US small businesses losing $70m to Ukrainian
cybercriminals.
Most recently, cybercriminals unleashed the Zeus botnet aimed at mobile devices, designed to intercept SMS messages to validate transactions. As a result,
the report said criminals can perform the full bank operation, stealing funds from unsuspecting victims.

 
Heartland Revisited [1raindrop.typepad.com]
Heartland Payment shares have mostly recovered since the breach. On Jan 16, 2009 they traded at $15.44/share, today they are at $14.93 which is a loss of
around 3%. Certainly good news for their investors after they immediately dropped over 50% after announcing the breach. They did not go belly up as many
predicted, but how did they do against the market and their peers?
Here is HPY's performance arrayed against two similar businesses, Global Payment and Western Union. HPY underperforms both by around 20 points. Interestingly,
the payments space has not had robust performance, since the S&P has outperformed GPN and WU by a wide margin and HPY by over 40 points.

 
Penetration tests need to accomplish business goals, not just check for random holes. Here's how to get the most value for your efforts.
Why are you performing penetration tests? Whether you're using an internal team, outside experts or a combination of the two, are you simply satisfying
regulatory or audit requirements, or do you actually expect to improve enterprise security?
We asked penetration testing experts for guidance on how to improve your program to get the most benefit for your time, money and effort. If you turn to
outside expertise, their advice will show you what to expect and demand from consultants. The following 10 tips will help you understand the goal and focus
of your testing; develop effective testing strategies; make effective use of your personnel; and make the most effective use of pen test results to
remediate issues, improve processes and continuously improve enterprise security posture.

 
The email scandal that blew up in recent days when it emerged male workers at leading accountancy firm PricewaterhouseCoopers had shared a top 10 ranking of
female colleagues highlights the importance of unambiguous acceptable usage policies in the workplace, a leading security expert said.
...
Honan said the typical non-technical email risks that organisations are faced with usually begin with the leak of confidential information by email, either
as attachments or copied and pasted into the body of an email.
The next threat - as demonstrated by what happened at PwC this week - is the reputational damage caused by the content of emails, such as inappropriate
jokes or the use of abusive, derogatory or defamatory comments about colleagues, customers or competitors.
Another situation that could arise is the organisation - not the individual - being held responsible for the intentional or unintentional distribution of
copyrighted material, such as software, music or video files, which could lead a company into a breach of copyright case.

 
An email sent in error that contained details of General Motors' upcoming flotation could have cost Swiss bank UBS an estimated $10 million.
A report by The Telegraph claimed that a UBS banker accidentally sent an email that contained details of the planned flotation and GM's listing price, to
more than 100 people. The leak was disclosed in papers filed by GM at America's Securities & Exchange Commission.
This has led to UBS being dropped as an underwriter to the carmaker on one of the biggest deals in the world at the moment. The filing said the email did
'not reflect GM's views' and said that investors who buy GM stock could seek refunds or damages because of the leak if UBS remained an underwriter on the
deal.

 
Gaining access and stealing data from companies is sometimes a joint effort between bad guys and employees, experts say
For 19 months, an employee at Johns Hopkins Hospital allegedly stole patients' identities, feeding the information to four outsiders who used the data to
charge more than $600,000 in goods on store credit. Jasmine Amber Smith, 25, has been charged with using her inside access to fuel the identity theft ring.
Employees working with cybercriminals might not be the norm for security breaches, but it's not a rare crime, either, experts say. It's not unusual for
cybercriminals to gain inside access through bribery and solicitation -- two components of social engineering, according to Verizon Business' Data Breach
Investigations Report. Social engineering accounted for 28 percent of breaches analyzed in the report, with solicitation and bribery leading to nearly a
third of those breaches.

 
The interim findings and recommendations of EU Member States participants of the 1st Pan-European Cyber Security Exercise indicate that Cyber Europe 2010
was a useful cyber stress test for Europe's public bodies. The full report is to be published at the beginning of 2011.
Some of the interim findings and recommendations of Member States (MS) participants include:
* The exercise fully met its objectives. The scenario was well balanced between technical and communication requirements.
* There is a lack of pan-European preparedness measures to test. This reflects the fact that many Member States are still refining their national
approaches.
...

 
There are quite a few extensive vulnerability databases in existence today. While their value in the field of vulnerability management is clear and
uncontroversial, a relatively new usage pattern can also be seen: the data is being incorporated into high-level analyses addressed predominantly to
executive audiences and the media to provide insight into the state of the security industry; threat reports from IBM and Symantec are good examples of
this. Which vendor is the most responsive? Who has the highest number of high-risk vulnerabilities? These and many other questions are just begging to be
objectively answered with a clean-looking pie chart.




Web Technologies


 
SSL Implementation Security FAQ [ferruh.mavituna.com]
Tags: ssl, faq, security, web application security, secure development, english, cat-security, cat-featured, 14.05.2008
SSL Implementation Security FAQ is about implementing SSL in web and desktop applications. This FAQ doesn't cover issues directly related to SSL/TLS itself;
it only covers issues related to implementing SSL in applications.
Most of these are common mistakes during the implementation of SSL in the applications. These recommendations are especially critical for e-banking, e-
commerce and similar websites.

 
Announcing Release of CRS v2.0.9 [blog.modsecurity.org]
I am pleased to announce the release of the OWASP ModSecurity Core Rule Set (CRS) v2.0.9.
The most significant change is that users can now easily toggle between Traditional or Anomaly Scoring Detection modes.

 
In the latest SVN trunk version of the CRS (2.0.9), we have implemented the capability for users to easily toggle between Traditional or Anomaly Scoring
detection modes. This will most likely come as a very welcome enhancement for many users. With the initial CRS v2.0, I feel that we jumped the gun a bit
and in reality forced end users into using an Anomaly Scoring detection mode. In hindsight, this was not the right thing to do. The CRS should not force
users into using any one specific mode of operation. So, we went back to the proverbial drawing-board and implemented a number of updates which now allow a
user to more easily switch between detection modes of operation.
Once you have downloaded and unpacked the CRS archive, you should review/update the new modsecurity_crs_10_config.conf.example file. This is the central
configuration file which will allow you to control how the CRS will work. In this file, you can control the following related CRS items:
* Mode of Detection - Traditional vs. Anomaly Scoring
* Anomaly Scoring Severity Levels
* Anomaly Scoring Threshold Levels (Blocking)
* Enable/Disable Blocking
* Choose where to log events (Apache error_log and/or ModSecurity's audit log)

 
Let's start this conversation by postulating 3 immutable Laws of Application Security Testing (LAST):
1) No static application security testing tool (SAST) can catch 100% of software vulnerabilities during development (though tools like HP's Fortify SCA do
an extremely thorough job);
2) No black box testing/DAST tool can find 100% of the application vulnerabilities in live applications (though HP WebInspect identifies hard-to-find
vulnerabilities, undetectable by traditional scanners, in the world of Web 2.0 and increasingly complex web apps);
3) #1 and #2 are always true even if, as Voltaire's Dr. Pangloss erroneously states in Candide, we live in the 'best of all possible worlds.' In security,
even the most forward-thinking organizations are riddled with strategy shortfalls, cost/benefit sacrifices, staffing holes, faulty implementations, and
plain old human error.

 
Posted by Michael Coates on 11/11/2010
Strict Transport Security is a great solution to protecting against Firesheep
Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let's not wait around for them. Let's fix it on our side and protect
our traffic now.
Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)
Step 2: Install an addon that lets you add specific STS settings - STS-UI
Step 3: Configure STS-UI for the sites you're concerned about
Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you're good in that
department.
...
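To make concrete what the STS policy configured in the steps above actually does, here is an added Python illustration (not STS-UI, Firefox or Chrome code) of the per-host policy store a browser keeps: it parses a Strict-Transport-Security response header, honours it only when received over HTTPS, supports includeSubDomains and expiry, lets a host be pinned by hand the way the addon does, and rewrites http:// URLs for known hosts to https:// so the session cookie never crosses the wire in the clear. All host names in the usage section are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Added illustration of HTTP Strict Transport Security policy handling; not STS-UI or browser code.


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    carries no valid max-age (a browser ignores such a header).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class StsPolicyStore:
    """Known-STS-host store: the state a browser (or the STS-UI addon) keeps per host."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for deterministic tests
        self._hosts = {}               # host -> (expiry_timestamp, include_subdomains)

    def add_manual(self, host: str, max_age: int, include_subdomains: bool = False) -> None:
        """Pin a host by hand, which is what configuring a site in the STS-UI addon amounts to."""
        self._hosts[host.lower()] = (self._clock() + max_age, include_subdomains)

    def learn(self, host: str, header_value: str, over_https: bool = True) -> bool:
        """Record a policy from a response header. Browsers only honour STS received over
        HTTPS; otherwise an active attacker on plain HTTP could plant or clear policies."""
        if not over_https:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:               # max-age=0 means "forget this host"
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// for a known host so the request (and its
        cookies) never leaves the machine in the clear; other URLs pass through unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:   # port 80 maps to 443; explicit other ports are kept
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed usage: pin a host by hand, then watch a plain-HTTP link get upgraded.
    store = StsPolicyStore()
    store.add_manual("example.com", 31536000, include_subdomains=True)
    print(store.rewrite("http://www.example.com/inbox?x=1"))
    store.learn("mail.example.org", "max-age=600; includeSubDomains")
    print(store.is_known("imap.mail.example.org"))
```

The manual pin is the interesting part for the Firesheep case: until the site itself sends the header, the browser has nothing to learn from, so the addon seeds the store locally and the upgrade happens before any plaintext request (and its cookie) is emitted.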

 
This technology agnostic document defines a set of general software security coding practices, in a checklist format, that can be integrated into the
software development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.
Table of Contents
Introduction
Software Security and Risk Principles Overview
Secure Coding Practices Checklist
Input Validation
Output Encoding
...

 
Browserscope Update [hackademix.net]
So, Firefox 4 + NoScript (with "Allow Scripts Globally"!) now leads with 15/17, the highest score, on par with Chrome.
Overtaking waits for a cross-zone CSRF / DNS Rebinding (AKA "Router Hacking Protection") test :)

 
Agnitio [sourceforge.net]
A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the
ad hoc nature of manual security code review documentation, create an audit trail and reporting.




Network Security


 
Network-Based File Carving [blogs.cisco.com]
In this blog post you will first learn what file carving is and, with a simplified example, why it's useful. Next you will learn how this powerful technique
has been applied to the network and how its utility has been expanded beyond just forensics. We will talk about several tools in this article, but specific
attention will be paid to the NFEX network file carving tool.
What is File Carving?
File Carving, sometimes contextually shortened to "carving," is the name given to the technique of extracting files from a data source. It is a specialized
practice where files are located and extracted from a stream of bytes without having to rely on filesystem metadata. Most often, files are located by
searching for a specific "magic number" byte-code called a header and carving out the logically contiguous bytes in between it and a closing code called a
footer. A large list of these headers and footers is actively maintained on the File Signatures website.
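The header/footer technique the post describes, as an added Python example (not code from the Cisco post or from NFEX): a small carver walks an opaque byte stream looking for the real JPEG and PNG magic numbers and their footers, ignoring filesystem metadata entirely, and skips a header whose footer never appears within a size cap, which is the common case on network data where the tail of a transfer is missing. The sample stream is constructed inline.

```python
from typing import Dict, List, Tuple

# Added illustration of header/footer file carving; not NFEX or Cisco code.
# Real magic numbers: JPEG starts FF D8 FF and ends FF D9; PNG starts with the
# 8-byte PNG signature and ends with the IEND chunk type plus its fixed CRC.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

MAX_CARVE = 10 * 1024 * 1024   # do not carve past this many bytes when hunting for a footer


def carve(stream: bytes, signatures=SIGNATURES, max_size: int = MAX_CARVE) -> List[Tuple[str, int, bytes]]:
    """Locate every header/footer pair in a byte stream; no filesystem metadata needed.

    Returns (extension, offset, carved_bytes) tuples ordered by offset. A header
    whose footer never appears within max_size bytes is skipped rather than
    producing a runaway carve.
    """
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = stream.find(header, pos)
            if start == -1:
                break
            window_end = min(len(stream), start + max_size)
            end = stream.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + 1          # orphan header: move on
                continue
            end += len(footer)
            found.append((ext, start, stream[start:end]))
            pos = end                    # resume after the carved file
    found.sort(key=lambda item: item[1])
    return found


def build_sample_stream() -> bytes:
    """Constructed sample stream: filler, a JPEG-shaped blob, a PNG-shaped blob and a
    truncated JPEG with no footer, standing in for reassembled TCP payload."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-bytes" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"no footer here"
    return b"filler-bytes" + jpeg + b"\x00" * 16 + png + b"more-filler" + truncated


if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_stream()):
        print(f"{ext} at offset {offset}: {len(data)} bytes")
```

Against reassembled network payload the same loop applies unchanged; what NFEX and similar tools add on top is the stream reassembly itself and a much larger signature list.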

 
Episode #121: Naughty Characters [blog.commandlinekungfu.com]
Hal has friends in low places:
This week's Episode comes to us courtesy of one of our loyal readers who had a bit of a misadventure with vi. The intended keyboard sequence was ':w^C<Enter>',
aka 'save the file, oh wait nevermind'. Unfortunately, there was a bit of a fumble on the ^C and the command that actually got entered was ':w^X<Enter>',
aka 'save the file as '^X''. Whoops! My friend Jim always says that 'experience is what you get when you don't get what you want.' Our loyal reader was
about to get a whole bunch of experience.
Even listing a file called ^X can be problematic. On Linux and BSD, non-printable characters are represented as a '?' in the output of ls. But on older,
proprietary Unix systems like Solaris these characters will be output as-is, leading to weird output like this:

 
Microsoft's Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This
policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded. [1.]
The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned
driver to load.

 
DNSSEC can help protect your organization from critical Internet threats. But how does it work? This short guide will help you get started
What Is DNSSEC?
DNS Security Extension (DNSSEC) aims to curb these emerging DNS-based attacks. By extending the capabilities of DNS servers and resolvers to look for new
record types -- and understanding what and when to trust -- organizations can eliminate attacks that exploit lack of authenticated responses and provide
authenticated denial-of-existence.
To understand DNSSEC, you need a basic grip of how DNS works. DNS is a mapping of a friendly name to an IP address, such as darkreading.com maps to
66.77.24.10. It was created to allow users to easily connect to IP systems and their services. Because there are different types of services and redundancy
required for some of these services, there are different record types within DNS.

 
When the ARPAnet, the precursor of the Internet, was invented in the seventies, its goal was to interconnect military resources using packet-based networks
and to be robust enough to resist "attacks": losing some devices in the network must not affect communications. Later, the same technology was re-used to
build the public network that you still use today to read this article: the Internet!
But as networks became more and more interconnected and complex, it became mandatory to develop protocols to dynamically route between all of them. There
are many routing protocols like RIP, OSPF and... BGP!

 
URL shorteners are online services which reduce the length of URLs. Web applications are more and more complex and their URLs can have multiple parameters
like pages, session IDs and much more. At the same time, we use services which limit the message size (like Twitter) or devices (like smartphones) which
are not handy for typing long texts. Shortened URLs are based on a limited and randomized set of alphanumeric characters and are handled by the URL shortener
website. When you access it, it redirects you to the real URL (the common way is to use the HTTP code 301). Example: by accessing http://bit.ly/bQNokR,
you'll be redirected to this blog. Simple and powerful. This is great! So simple that such services can also be used by the bad guys to distribute malicious
URLs behind pseudo-safe addresses. Fortunately, some URL shorteners offer a preview of the original URL before redirecting you, but it's not automatic. More
and more applications are able to handle short URLs and resolve them for you. On bit.ly, a good security tip is to append a "+" sign after the short URL.
You'll be redirected to the service homepage first and be able to read some useful information about the URL.

 
A hidden (and hardware password protected, by means of required special values in processor registers) debug mode has been found in AMD processors, and
documented by a reverse engineer called Czernobyl on the RCE Forums community today. It enables powerful hardware debugging features long longed for by
reverse engineers, such as hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints. And the best part is, it's
sitting right there in your processor already, just read the details and off you go with the debugging ninja powers!

 
A TechEd Europe attendee asked Marcus Murray about password auditing. He expressed his worry about the confidentiality of audited passwords. This question
reminded me about an often overlooked feature of Windows: password filters.
A password filter is generally used to implement custom password policies, but can also be used for password auditing and pentesting purposes. It is a DLL
loaded by the LSA (on a stand-alone machine or a domain controller) and called each time a new password is set. The DLL is designed to check the new
password according to custom password policies, and reply back to the LSA if it accepts the new password or rejects it.

 
One of the easiest and most common ways to hack a SAP system is to try to connect with default passwords. Some of them are well known but some are not (for
example TMSADM), but all are very powerful.
So if you think that you are a great GRC expert and are trying to secure your SAP environment by modelling 5-dimensional cross-system SoD conflicts, there
are some things you must do right now: CHANGE THOSE PASSWORDS!

 
As of today, Amazon EC2 is providing what they call 'Cluster GPU Instances': An instance in the Amazon cloud that provides you with the power of two NVIDIA
Tesla "Fermi" M2050 GPUs
...
GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack
SHA1 hashes?
Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 minutes (1 hour costs $2.10, by the way).

 
Episode 77: Dead Botnets [www.youtube.com]
An analysis of the numbers of HTTP based vs IRC based botnet Command and Control Servers for 2010 to date, showing that IRC is practically dead compared to
web based methods of control. The real question is: why do we still even see any IRC based botnets?

 
Data encryption specialist PGP Corporation, which is now part of Symantec, has warned Apple Mac users against updating to Mac OS X version 10.6.5. Apparently,
systems with PGP Whole Disk Encryption (WDE) no longer boot once the update has been installed. Yesterday, users had already complained about problems and
begun to exchange tips for potential workarounds.

 
In early September this year Microsoft released their Enhanced Mitigation Experience Toolkit v2.0 (EMET), which includes a new mitigation called Export
address table Address Filter (EAF). I decided to have a look at how this mitigation attempts to prevent exploits from succeeding and how an attacker might
bypass it.
EAF works by setting a hardware breakpoint on the export address tables of the ntdll.dll and kernel32.dll modules in a process. When the breakpoint is
triggered, EMET tries to determine if the code that is trying to access the export address table is valid code for that process or malicious code injected
into the process through an exploit.
This works because most exploits will at some point inject and run shellcode into the target process and one of the first thing most shellcodes do is
determine where certain functions are loaded in memory by reading the export address table of ntdll.dll and/or kernel32.dll. At that point EAF should detect
the shellcode and terminate the process, preventing the exploit from succeeding.
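The lookup EAF is watching for is the ordinary PE export-table walk: find the name in AddressOfNames, take the matching entry from AddressOfNameOrdinals, and use it to index AddressOfFunctions. The following Python is an added illustration of that walk over a constructed in-memory image (not code from the post and not a real DLL); the layout of the fake image, the export names and their RVAs are invented for the example. In a real process the same reads land inside kernel32.dll's export directory, which is exactly the region EAF's hardware breakpoint covers.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals (all little-endian; the two version fields are WORDs).
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)  # 40 bytes


def u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def u16(image, rva):
    return struct.unpack_from("<H", image, rva)[0]


def cstring(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def resolve_export(image, image_base, export_dir_rva, wanted):
    """Return the virtual address of export `wanted`, or None if absent.

    This is the access pattern EAF guards: every iteration reads the name table,
    and a hit reads the ordinal table and the function table of the export
    directory. Code that belongs to the process reaches these tables through the
    loader or GetProcAddress; injected shellcode reads them directly.
    """
    (_, _, _, _, _, _, n_funcs, n_names,
     functions_rva, names_rva, ordinals_rva) = struct.unpack_from(
        EXPORT_DIR_FMT, image, export_dir_rva)
    for i in range(n_names):
        if cstring(image, u32(image, names_rva + 4 * i)) == wanted:
            # The ordinal table holds indexes into AddressOfFunctions (Base already removed).
            index = u16(image, ordinals_rva + 2 * i)
            if index >= n_funcs:
                raise ValueError("corrupt export table: ordinal out of range")
            return image_base + u32(image, functions_rva + 4 * index)
    return None


def build_fake_image(exports):
    """Construct a minimal image containing only an export directory.

    exports: list of (name, function_rva). The offsets below are invented for this
    example. A real resolver first finds kernel32.dll through the PEB's module
    list and then locates the export directory via DataDirectory[0] of the
    optional header; both steps are omitted here.
    """
    image = bytearray(0x1000)
    export_dir_rva, names_rva, ordinals_rva, functions_rva, strings_rva = (
        0x100, 0x200, 0x300, 0x400, 0x500)
    cursor = strings_rva
    # Real export name tables are sorted so GetProcAddress can binary-search them;
    # shellcode just scans linearly, which works either way.
    for i, (name, func_rva) in enumerate(sorted(exports)):
        struct.pack_into("<I", image, names_rva + 4 * i, cursor)
        image[cursor:cursor + len(name)] = name.encode("ascii")
        cursor += len(name) + 1  # keep the NUL terminator
        struct.pack_into("<H", image, ordinals_rva + 2 * i, i)
        struct.pack_into("<I", image, functions_rva + 4 * i, func_rva)
    struct.pack_into(EXPORT_DIR_FMT, image, export_dir_rva,
                     0, 0, 0, 0, 0, 1, len(exports), len(exports),
                     functions_rva, names_rva, ordinals_rva)
    return bytes(image), export_dir_rva


if __name__ == "__main__":
    # Constructed exports and base address; nothing here comes from a real kernel32.dll.
    image, export_dir_rva = build_fake_image([
        ("LoadLibraryA", 0x12340), ("GetProcAddress", 0x12380), ("VirtualProtect", 0x123C0)])
    print(hex(resolve_export(image, 0x7C800000, export_dir_rva, "GetProcAddress")))
```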




Cloud Security


 
FedRAMP Requirements Aimed to Ease Cloud Computing Adoption
The White House Tuesday issued a draft document detailing requirements to secure cloud computing in the federal government as part of FedRAMP, the Federal
Risk and Authorization Management Program.
The 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing is aimed to ease the process for government agencies to adopt
cloud computing by defining common security and risk assessment requirements that qualified private contractors must meet.

 
AWS Free Usage Tier [aws.amazon.com]
To help new AWS customers get started in the cloud, AWS is introducing a new free usage tier. Beginning November 1, new AWS customers will be able to run a
free Amazon EC2 Micro Instance for a year, while also leveraging a new free usage tier for Amazon S3, Amazon Elastic Block Store, Amazon Elastic Load
Balancing, and AWS data transfer. AWS's free usage tier can be used for anything you want to run in the cloud: launch new applications, test existing
applications in the cloud, or simply gain hands-on experience with AWS.
Below are the highlights of AWS's new free usage tiers. All are available for one year (except Amazon SimpleDB, SQS, and SNS which are free indefinitely)




Privacy


 
We're at a cusp of an era where the reputation of one's on-line social identity is becoming as critical as one's "real world" reputation. Control over
social identity data is the prize for which privacy advocates, individual consumers and business are fighting.
Who Are You?
In a formal setting of the "real world," we typically think of our identity as our name or perhaps a personal identifier such as the driver's license
number. In the on-line world, though, our identity is defined by our social network and how we interact with its participants.
We are whom we know and what we do with them. That's our social identity on-line.

 
At the heart of the controversy over "body scanners" is a promise: The images of our naked bodies will never be public. U.S. Marshals in a Florida Federal
courthouse saved 35,000 images on their scanner. These are those images.

 
Air travelers, mark your calendar. An activist opposed to the new invasive body scanners in use at airports around the country just designated Wednesday,
Nov. 24 as a National Opt-Out Day. He's encouraging airline passengers to decline the TSA's technological strip searches en masse on that day as a protest
against the scanners, as well as the new "enhanced pat-downs" inflicted on refuseniks.

 
Los Angeles - Are you loving your smartphone? Crooks love it more. All they need is your phone number to creep into your private data and mess with your
life. Don't think it can't happen to you either.
You can watch Jeff Michael's video report in the media player.
Weighing in on the topic in the second video:
Don Bailey, a security consultant and expert on smartphone stalking.
Marian Merritt, Symantec's Internet Safety Advocate.




Tools


 
Update: Process Explorer v14 [blogs.technet.com]
Process Explorer v14: This major update to Process Explorer adds a slew of enhancements and new functionality including network and disk monitoring, an
improved multi-tab system information dialog, additional memory statistics, a new column that shows aggregate CPU usage for a tree of processes, improved
DLL scanning performance and accuracy, command-lines in process tree tooltips, support for more than 64 CPU systems, and more.

 
Phreebird Suite 1.0 [security-sh3ll.blogspot.com]
Dan Kaminsky DNSSEC Tool - Zero Configuration DNSSEC Proxy
Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (BIND, Unbound, PowerDNS, Microsoft DNS, QIP) and supplements its records with
DNSSEC responses.

 
HashGenerator [securityxploded.com]
HashGenerator is a free universal hash generator tool which automates the generation of 14 different types of hashes or checksums. It supports most of the
popular hashes including the MD5 family, the SHA family, BASE64, CRC32, ROT13, RIPEMD, ADLER32, HAVAL, WHIRLPOOL etc. It can generate a hash for a file as well
as for text input. Users can directly enter or paste any text from the clipboard and generate a hash. It also supports a drag-and-drop interface which allows you to
quickly drag files onto the tool for hash generation.
Hashes or checksums are mainly used for file integrity verification. Files downloaded from the Internet are often checked against an MD5/SHA256 hash to make sure the file
has not been tampered with. Hashes are also used in encryption and in the storage of passwords and other sensitive data to protect them from prying eyes.
HashGenerator helps in quickly computing or verifying the hash for any such file or password text.
HashGenerator is a fully portable tool which can be run anywhere without installing it locally. It also comes with an installer for those who want to
install it locally and use it on a regular basis.
HashGenerator works on a wide range of platforms, from Windows XP to the latest operating system, Windows 7.
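The integrity-check use case in the blurb above, as an added Python example that is not HashGenerator's code: hash a file in chunks with any of the listed fast algorithms, parse a sha256sum-style checksum listing, and report for each entry whether the file matches, differs, or is missing. The sample files, listing and the tampered copy are constructed inside a temporary directory so the demo runs offline.

```python
import hashlib
import hmac
import os
import tempfile
import zlib

# Quick one-shot digests for short inputs; CRC32 and ADLER32 are checksums, not
# cryptographic hashes, and detect only accidental corruption.
ALGORITHMS = {
    "md5": lambda data: hashlib.md5(data).hexdigest(),
    "sha1": lambda data: hashlib.sha1(data).hexdigest(),
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
    "sha512": lambda data: hashlib.sha512(data).hexdigest(),
    "crc32": lambda data: format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    "adler32": lambda data: format(zlib.adler32(data) & 0xFFFFFFFF, "08x"),
}


def hash_file(path, algorithm, chunk_size=65536):
    """Hex digest of a file, read in chunks so large downloads need not fit in memory."""
    if algorithm in ("crc32", "adler32"):
        fn = zlib.crc32 if algorithm == "crc32" else zlib.adler32
        value = 0 if algorithm == "crc32" else 1  # standard initial values
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                value = fn(chunk, value)
        return format(value & 0xFFFFFFFF, "08x")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse 'hexdigest  filename' lines as written by md5sum/sha256sum."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries.append((digest.lower(), name.lstrip(" *")))  # '*' marks binary mode
    return entries


def verify(directory, checksum_text, algorithm):
    """Return {filename: True (match) / False (mismatch) / None (file missing)}."""
    results = {}
    for expected, name in parse_checksum_list(checksum_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        # compare_digest avoids leaking how many leading characters matched.
        results[name] = hmac.compare_digest(hash_file(path, algorithm), expected)
    return results


def demo():
    """Constructed sample: one good file, one listed file that is absent, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"original release\n")
        listing = f"{hash_file(path, 'sha256')}  tool.bin\n" + "0" * 64 + "  missing.bin\n"
        before = verify(d, listing, "sha256")
        with open(path, "wb") as f:  # simulate a download replaced after the list was published
            f.write(b"original release\n\x00backdoor")
        after = verify(d, listing, "sha256")
    return before, after


if __name__ == "__main__":
    print(demo())
```

A checksum fetched from the same server as the download only catches corruption; an attacker who can replace the file can replace the listing too, so for tamper detection the listing needs to come from a second channel or carry a signature.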

 
following paper: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
This tool runs with an interactive console menu, automatically detecting forms within given URL, and allowing the user to choose which forms and form fields
are desirable to use for the POST attack. In addition, the tool offers unattended execution by providing the necessary parameters within a configuration
file.

 
STUXNET Scanner: A Forensic Tool [blog.trendmicro.com]
TrendLabs has created a STUXNET Scanner Tool to further help administrators identify clues to determine which computers in their networks are still
infected by STUXNET.
A few months ago, STUXNET targeted SCADA systems-critical control systems that run complex infrastructure such as those that run transportation systems,
water systems, and oil refineries, among others. STUXNET searches SCADA-related strings in order to view project databases and information stored in
critical systems.
Given the nature of the attack, administrators naturally want to be doubly sure that none of their systems are infected by this malware. Despite providing
immediate protection for infected systems, we are still receiving reports from customers who need help to ensure that all of their systems are free of this
particular threat.

 
PenTBox 1.4 released [www.pentbox.net]
PenTBox is a security suite that packs security and stability testing oriented tools for networks and systems.
It is programmed in Ruby and oriented to GNU/Linux systems, but compatible with Windows, MacOS and every system where Ruby works.
It is free, licensed under the GNU GPLv3.
If you want to report errors, give feedback, or contribute new code or ideas, get in touch.

 
Agnitio [sourceforge.net]
A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the
ad hoc nature of manual security code review documentation and to create an audit trail and reporting.

 
This weekly update for Metasploit Pro and Metasploit Express brings 11 new modules, including functionality to test SAP, NetWare and the BACnet SCADA
client. This update is a module-only update, in preparation for the 3.5.1 release. In addition to new exploitation capabilities, modules to fuzz HTTP and
crawl websites have been added.

 
Minibis [cert.at]
Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper 'Mass Malware Analysis: A Do-It-
Yourself Kit'.




Mobile Security


 
Omission means many businesses can't support Microsoft's newest mobile OS
Many businesses will not be able to support Microsoft's Windows Phone 7 operating system, which began shipping in the United States today. Like the
competing Google Android, Windows Phone 7 does not support on-device encryption to protect data stored on it. Many businesses require such encryption to be
able to access corporate data through EAS (Exchange ActiveSync) policies and automatically block connections from devices that don't support device-level
encryption.
Users will get the error code 85010013 when trying to sync their email on a Windows Phone 7 device, rather than an English description of the problem.
Microsoft's support forum confirms the lack of on-device encryption support.

 
Vulnerabilities could let bad guys install apps on the smartphone without user's permission
Google has been issuing updates since last week to its Android platform to fix one of two recently revealed vulnerabilities that could allow an attacker to
install applications on a phone without the explicit permission of the smartphone user.
Researchers last week at Black Hat Abu Dhabi and at Intel's annual internal security conference, held in Oregon, separately demonstrated two different
vulnerabilities in Android that each leave the door wide open for an attacker to force a malicious app onto the smartphone, bypassing the user permission
prompt.

 
MiKa and I shared some knowledge about the design flaws and the state of security in 2G/3G networks. The idea was to present an overview. Those networks
have been shrouded in NDAs for too long. It is good to see that this is changing. Given the fact that millions of people use this technology on a daily
basis, there should have been more publications and a deeper analysis many years ago.
GSM features four A5 encryption algorithms. They are called A5/0, A5/1, A5/2 and A5/3. A5/0 is basically plaintext, because no encryption is used. A5/1 is
the original A5 algorithm used in Europe. A5/2 is a weaker encryption algorithm created for export (the weakness is a design feature). A5/3 is a strong
encryption algorithm created as part of the 3rd Generation Partnership Project.




General


 
Researchers demonstrate proof-of-concept for developing malware that attacks specific hardware processors with 'surgical' precision
French researchers say it's possible to write malware that attacks specific hardware processors rather than operating systems or applications.
Anthony Desnos, Robert Erra, and Eric Filiol, of Ecole Supérieure d'Informatique Electronique Automatique (ESIEA) in Paris, have developed a proof-of-concept
for hardware-specific malware, which they consider a step up from Stuxnet and a potentially key weapon in cyberwarfare. The malware can easily
identify and target specific hardware systems based on the on-board processor chip, the researchers say.

 
For Your Eyes Only [www.technologyreview.com]
Everyone has a unique pattern of eye movements. A new biometric security system exploits this for a simple, hard-to-fool approach.
The way you view the world is unique, so why not use it to identify you?
A company in Israel has developed a security system that does just this, exploiting a person's unique pattern of eye movements to identify them. Most
biometric security systems measure physical features that are constant, such as fingerprints or iris patterns. An eye-tracking system has the potential to
be harder to fool and easier to use, its creators say. The new system tracks the way a person's eye moves as he watches an icon roam around a computer screen.
The way the icon moves can be different every time, but the user's eye movements include 'kinetic features', slight variations in trajectory, that are unique,
making it possible to identify him. This is less complicated than using a long pass phrase or a smart card to gain access to a computer system or a
building.

 
Passwords are the weakest link in access control, but there are plenty of other, less-traveled options for authentication
Be it through brute force attacks, dictionary attacks, reading them off of Post-It notes or simply guessing, cracking passwords is hardly a difficult task
for the suitably motivated. In fact, traditional text passwords for logging into accounts have been shown time and time again to be the weakest links in
modern day access control. Combine that with the fact that most users typically reuse passwords on multiple accounts--75 percent, according to a survey
conducted by BitDefender earlier in the summer--and it's clear that something has got to give.
It's not that there aren't alternatives out there. Academics and start-up businesses have worked hard over the years to develop alternatives to the
traditional password log-in.

 
The 12 most dangerous online scams [www.net-security.org]
Consumers would be wise to beware of the most commons scams of the season before heading online to book travel and do holiday shopping. McAfee revealed the
12 most dangerous online scams that computer users should be cautious of this holiday season.
1. iPad offer scams
2. "Help! I've been robbed" scam
3. Fake gift cards
...

 
What is BlackHat SEO?
Simply put, Search Engine Optimization (SEO) is used to boost a domain's ranking. The better the SEO, the higher a site will appear in the search result
listings for select keywords.
Search engines have a set of rules for webmasters to abide by when using SEO techniques on a website. The easiest split between normal SEO and BHSEO is that
the shady webmasters care little for the rules.
SEO and BHSEO have the same goal in mind: website promotion. SEO plays a big role in the advertising and marketing world. Likewise, BHSEO is heavy in the
criminal world for the same reason; both sets of webmasters need their sites to rank high to earn money.

 
Adobe Flash remains a popular attack vector for malware authors. In addition to a seemingly never-ending supply of security flaws, bad guys know that people
who use Flash often ignore the updater's prompts. That leaves users in an even more tenuous position, since they're still vulnerable to attacks Adobe has
already patched.
That's one big advantage to Google Chrome's internal Flash plug-in. Since updates are delivered silently in the background to users, the internal plug-in is
always up-to-date. This keeps everyone as safe as possible, but Chrome offers one more way to protect its users: sandboxing. By running unfamiliar Web code
in its isolated sandbox, Chrome can execute that code in a safe environment -- where it can't harm your operating system.

 
While North America's airports groan under the weight of another sea-change in security protocols, one word keeps popping out of the mouths of experts:
Israelification.
That is, how can we make our airports more like Israel's, which deal with a far greater terror threat with far less inconvenience?
'It is mindboggling for us Israelis to look at what happens in North America, because we went through this 50 years ago,' said Rafi Sela, the president of
AR Challenges, a global transportation security consultancy. He's worked with the RCMP, the U.S. Navy Seals and airports around the world.
'Israelis, unlike Canadians and Americans, don't take s--- from anybody. When the security agency in Israel (the ISA) started to tighten security and we had
to wait in line for - not for hours - but 30 or 40 minutes, all hell broke loose here. We said, 'We're not going to do this. You're going to find a way that
will take care of security without touching the efficiency of the airport.'

 
Fedora's refusal to accept the SQLninja tool into its repositories has met with considerable criticism. The tool attempts to penetrate Microsoft SQL
Server-based systems via SQL injection attacks in order to open a back door on these systems. What is an evil hacker tool for hijacking computers to some,
is a useful tool for testing their own servers to others. The Fedora project leaders chose the former point of view and unanimously voted against adding the
tool in a (virtual) board meeting.

 
Tweet lands woman in China labour camp [www.siliconrepublic.com]
An online activist in China has been sentenced to one year in a labour camp for retweeting a satirical message on microblogging site Twitter.
Cheng Jianping was sentenced on the grounds of "disturbing social order" for retweeting (reposting in her own account) a satirical message.




Funny


 
the 46 stages of Twitter [www.shanenickerson.com]
1. Hear the word Twitter. Scoff.
2. Hear it again from someone else. Scoff again.
3. Hear about famous celebrity who is apparently 'On Twitter.' Scoff, but make mental note to check it out.
4. Log into Facebook to comfort self.
5. Sign up for Twitter.
...

 
The T-Mobile Welcome Back [www.youtube.com]