Monday, 29 November 2010

Security Weekly News 29 November 2010 - Summary

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

"Real security is built, not bought." - Richard Bejtlich

"Can't believe in 2010 many web devs still tell prospective clients that security is additional cost, add-on or on request only." - Drazen Drazic

"If you try to limit access to complex services by running another complex service, you're only changing, not reducing, your exposure." - Moxie Marlinspike

"McAfee: 60% of the Top Google search terms return malicious sites in the top 100 results" - McAfee at DeepSec

"I haven't slept, showered, or seen sunlight for 48 hours. Just took the OSCE exam from Offensive-Security, best certification out there." - Dave Kennedy

"Heartbreaking decision to make. subject my children to the naked body scan or patdown. just want to be together on thanksgiving" - Jeremiah Grossman


To view the full security news for this week please click here (divided into categories, with a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case For Security, Web Technologies, Network Security, Cloud Security, Mobile Security, Privacy, Cryptography / Encryption, Social Engineering, Tools, General, Funny

Highlighted news items of the week (No categories):

Not patched: Exploit code for still unpatched 0-day used by Stuxnet released, Elevation of privileges under Windows Vista/7 (UAC Bypass) - Proof of Concept, Privilege escalation 0-day in almost all Windows versions, Android vulnerability permits data theft

Patched: Adobe Reader X released with Windows sandbox, Apple closes 23 critical holes in Safari, NetBSD 5.1 feature update arrives, Wine 1.3.8 released


 
A few weeks ago at OWASP AppSec DC we made progress on an idea that several of us (@RafalLos, @secureideas, @securityninja, @TheCustOS) have been talking
about on twitter for a while. The idea is based on trying to determine a good solution to what we see as the general brokenness of the Internet's web
applications. Not only do we see current applications as badly broken but the velocity at which developers are building new insecure web applications is
increasing. The panel that we hosted at OWASP AppSec DC discussed one method by which we can contribute to reducing the rate at which new, insecure web
applications are being developed.
Our idea is based on improving the security of existing web application development frameworks; adding security components into their core, thus making
security more transparent to the developer and potentially having the effect of producing more secure web applications.

 
No matter what solutions you look at to help secure your network you need to ensure that whatever ones you select do not undermine your
existing security or introduce new vulnerabilities or problems. This is true no matter if that solution is proprietary software, open source based, an
appliance or indeed a service.
The problem many face when selecting solutions is that vendors will tell you all about the strengths of their product, how many awards it has won and show
you the glowing reviews it has received in various magazines. Not to mention the FUD (Fear, Uncertainty and Doubt) factor that they rely heavily on and will
push anytime they think you may be wavering.
If you want to get beyond the hype and ensure that the company you are dealing with does indeed understand security and has a secure product then the
following are some questions that I have found to work:

 

 
Vulnerability Assessment
Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
Focus: Breadth over depth.
Penetration Test
Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker.
Focus: Depth over breadth.

 
Protecting your business against the latest Web threats has become an incredibly complicated task. The consequences of external attacks, internal security
breaches, and internet abuse have placed security high on the small business agenda, so what do you need to know about security and what are the key elements
to address? Trend Micro sheds some light on this tricky subject.
This paper addresses the top 10 ways to protect your small business against web threats including:
1. Close your doors to malware
2. Write your policy
3. Tackle social media before it trips you up
4. Protect with passwords
5. Get critical about Internet security
6. Ask employees for help
7. Make reseller/consultant relationship work for you
8. Lead by example
9. Be current
10. Choose a security partner, not just a vendor
Read this white paper to learn more about protecting your small business against web threats.

Cloud Security highlights of the week

 
Cloud providers' terms and conditions shock study
Cloud computing contracts often contain significant business risks for end user organisations, according to independent research by UK academics. Some
contracts even have clauses disclaiming responsibility for keeping the user's data secure or intact.
Others reserve the right to terminate accounts for apparent lack of use, which is potentially important if they are used for occasional backup or disaster
recovery purposes, according to the Cloud Legal Project at Queen Mary, University of London.
Other contracts can be revoked for violation of the provider's Acceptable Use Policy, or indeed for any or no reason at all, the academics found.

 
Let's Enable Cloud Computing [blog.cloppert.org]
I've been thinking a lot about 'cloud computing' over the past few months, and I keep coming back to the same conclusion every time: the InfoSec community
is inhibiting IT innovation by throwing up weak, largely unsubstantiated concerns over the security risks of 'cloud computing.' Overall, our industry's
reaction smacks of 'fear of the unknown.' [1]
After some research[2][3][4][others], I've found that most security-related arguments against cloud computing qualitatively fall into one of the following
risks, in no particular order



Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):

 
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that
their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate
eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and
supports all SSH protocol versions.
SSH is an awesomely powerful tool; there are unlimited possibilities when it comes to SSH. Here are the top voted SSH commands.
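The description above lists what OpenSSH can give you (encrypted traffic, several authentication methods, every protocol version); whether a given host actually delivers it depends on its sshd_config, and "supports all SSH protocol versions" includes protocol 1, which you do not want enabled. Alongside the command collection, here is an added example written for this summary, not code from the linked post: a small Python auditor that applies a few baseline checks to an sshd_config. The directive defaults it assumes are upstream OpenSSH 5.x values, and both configurations it audits are constructed for the demonstration.

```python
"""Audit an sshd_config for settings that undercut what OpenSSH is meant to give you.

Added example, not code from the linked post. The directive defaults assumed
below are upstream OpenSSH 5.x values, and both configurations audited are
constructed for the demonstration.
"""
import re

# directive -> (values that pass, why it matters). sshd reads directive names
# case-insensitively, so everything is compared in lower case.
CHECKS = {
    "protocol": ({"2"}, "SSH protocol 1 is cryptographically weak; allow 2 only"),
    "permitrootlogin": ({"no"}, "direct root logins lose attribution and invite brute force"),
    "passwordauthentication": ({"no"}, "use key-based authentication instead of passwords"),
    "permitemptypasswords": ({"no"}, "accounts without a password must not log in"),
    "x11forwarding": ({"no"}, "X11 forwarding exposes the client's display to the server"),
}

# What sshd applies when the directive is absent (assumed upstream defaults).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    In sshd the first occurrence of a directive wins, and directives after a
    'Match' line are conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(directive, effective value, reason)] for every failed check."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (allowed, reason) in CHECKS.items():
        value = settings.get(key, DEFAULTS[key])
        # 'Protocol 2,1' lists several versions; any disallowed one fails.
        present = {v.strip().lower() for v in value.split(",")}
        if not present <= allowed:
            findings.append((key, value, reason))
    return findings


SAMPLE_CONFIG = """\
# constructed sample, not a real host
Port 22
Protocol 2,1
PermitRootLogin yes
# PasswordAuthentication not set: sshd's default (yes) applies
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for directive, value, reason in audit_sshd_config(cfg) or [("-", "-", "no findings")]:
            print("  %-24s %-6s %s" % (directive, value, reason))
```

Two details matter when you run this against real hosts: sshd honours the first occurrence of a directive, so a hardened line appended at the end of the file changes nothing, and anything under a Match block is conditional, which is why the parser stops there rather than mis-reporting a per-group exception as the global setting.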

 
AWK is a data driven programming language designed for processing text-based data, either in files or data streams. It is an example of a programming
language that extensively uses the string datatype, associative arrays (that is, arrays indexed by key strings), and regular expressions. WIKI
Here are the most kick-ass voted AWK commands.

 
Windows Server 2008 Security Checklist

 
OpenSSL CheatSheet [wiki.samat.org]

 
I recently got involved in a project where I defined the Baseline Security settings for windows and Linux. I used the settings provided by the Center for
Internet Security (CIS).
We decided on the following approach:
* Based on the CIS templates we created a baseline document specific to our company
* I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
* The windows administrator created GPOs to apply the settings.
When creating the GPOs we made a strange discovery. In Windows, the settings that are normally marked as MSS: in the category Computer Configuration
\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.
This made us wonder: have these settings become irrelevant? If this is not the case, how can we still set them, preferably via group policy?
The settings are not irrelevant, as e.g. Peter van Eeckhoutte's blog points out. Windows 2008 does not forward IPv4 packets that have source routing on
them, but it does accept them if the machine is the final destination. However for IPv6 Windows 2008 will forward these packets by default.

 
The enemy in the network card [www.h-online.com]
Security expert Guillaume Delugré, who works for the Sogeti European Security Expertise Center (ESEC), has demonstrated that a rootkit doesn't necessarily
have to infest a computer. The expert used freely available tools and documentation to develop custom firmware for Broadcom's NetExtreme network controller.
He was then able to conceal a rootkit within the firmware, making it untraceable by the virus scanners usually installed on a PC.




Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):

 
For a long time I've said that security is a quality issue. It sounded good, it resonated with me, but by and large I am coming to the conclusion it's an
insufficient understanding. While I still believe the two issues are similar enough for discussion, the nuanced efforts required to fix a security bug vs.
a quality bug is night and day. Patching, as we'd fix a quality issue, has permeated the collective InfoSec mindset as a defensive solution in protecting
our infrastructures. Virtually or locally, however, relying on that patching mindset is a death sentence and will always lose to a skillful opponent.
...
I'd like to be careful to note here that striking back here doesn't necessarily imply "hacking back" as some others are proposing**. It simply means that
if, in the course of an interaction, we can make our opponent deal with our threats (read: countermeasures) we can regain initiative, and perhaps equally
important, time and space. There are unlimited opportunities for doing so. In fact, this is perhaps the most important bit of all of this: attack and
defense are the same. We always have the same opportunities to be creative and solve problems; it usually comes down to being bold enough to leverage them.

 
With the recent OWASP AppSec DC presentation on Slow HTTP POST DoS attacks, the issue of web server platform DoS concerns has reached a new high. Notice
that I said web server platform and not web application code. The attack scenario raised by the slow HTTP POST attack is related to web server software
(Apache, IIS, SunONE, etc...) and cannot be directly mitigated by the application code. In this blog post, we will highlight the two main varieties of slow
HTTP attacks - slow request headers and slow request bodies. We will then provide some new mitigation options for the Apache web server platform with
ModSecurity.
Network DoS vs. Layer-7 DoS
Whereas network level DoS attacks aim to flood your pipe with lower-level OSI traffic (SYN packets, etc...), web application layer DoS attacks can often be
achieved with much less traffic. The point here is that the amount of traffic needed to cause an HTTP DoS condition is often much less than what a
network level device would identify as anomalous, so it would not be reported the way a traditional network level botnet DDoS attack would be.

 
One of the most common vulnerabilities in web applications is known as HTML injection or cross-site scripting, and one of the simplest ways of showing such
a problem exists involves loading a JavaScript alert dialog. Those who understand the ramifications of such an issue know that it creates the potential for
far more malicious activity, but the alert box is an easy demonstration that the application can be automatically manipulated.
Other vulnerabilities, though, may be more subtle and not as readily visualized. Take cross-site request forgery, for example. It's easy to understand that
there's a problem when an application lets you manipulate the data of other users - the site should validate the account making requests before executing
them. What may not be so obvious is that problems can still arise even when the application checks the account first. If no system exists for verifying that
the account owner actually intended to perform a given action, it may be possible to have the user's own browser make requests in their authenticated session
without them knowing. The technical term for this behavior is cross-site request forgery.
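To make the distinction concrete, here is an added example in Python (not code from the article above): a transfer handler that validates only the session cookie, beside one that also requires a token bound to that session, so a form auto-submitted from another site is rejected even though the cookie rides along with it. The Bank class, its session table, the server secret and the forged form are all assumptions constructed for the demonstration.

```python
"""Cross-site request forgery: checking *who* sent a request is not enough;
the application must also check that the account owner *intended* it.

Added example, not code from the article above. The Bank class, its session
table, the server secret and the forged form are constructed for the demo.
"""
import hashlib
import hmac
import secrets


class Bank:
    def __init__(self):
        # Constructed state: session cookie value -> user, and balances.
        self.sessions = {"sid-alice": "alice", "sid-mallory": "mallory"}
        self.accounts = {"alice": 100, "mallory": 5, "eve": 0}
        # Per-deployment key (assumed); rotating it invalidates every token.
        self.secret = secrets.token_bytes(32)

    def csrf_token_for(self, session_id):
        """Token bound to one session. The page carrying the form embeds it;
        another origin cannot read it (same-origin policy) and the browser
        does not attach it automatically the way it attaches the cookie."""
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def transfer_vulnerable(self, session_id, form):
        """'Before': the account behind the cookie is validated, intent is not.
        A form auto-submitted by another site in the victim's browser passes."""
        user = self.sessions.get(session_id)
        if user is None:
            return "unauthenticated"
        return self._do_transfer(user, form["to"], int(form["amount"]))

    def transfer_protected(self, session_id, form):
        """'After': the same account check plus a session-bound token in the body."""
        user = self.sessions.get(session_id)
        if user is None:
            return "unauthenticated"
        expected = self.csrf_token_for(session_id)
        supplied = form.get("csrf_token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, expected):
            return "forged request rejected"
        return self._do_transfer(user, form["to"], int(form["amount"]))

    def _do_transfer(self, src, dst, amount):
        if amount <= 0 or dst not in self.accounts or self.accounts[src] < amount:
            return "transfer refused"
        self.accounts[src] -= amount
        self.accounts[dst] += amount
        return "transfer ok"


def forged_form():
    """What an attacker's page can auto-submit from the victim's browser:
    the attacker picks every field but cannot read the victim's token."""
    return {"to": "eve", "amount": "50"}


if __name__ == "__main__":
    bank = Bank()
    print("vulnerable:", bank.transfer_vulnerable("sid-alice", forged_form()))
    bank = Bank()
    print("protected :", bank.transfer_protected("sid-alice", forged_form()))
    legit = dict(forged_form(), csrf_token=bank.csrf_token_for("sid-alice"))
    print("legit     :", bank.transfer_protected("sid-alice", legit))
```

The token only defends against forgery from another origin. The HTML injection bug described at the start of the same passage runs script inside the application's own origin, where it can read the token from the page, so the two fixes are not substitutes for each other.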

 
Do you have a logstash? [www.loggly.com]
I'm a dev ops guy, and I've been talking about logging problems for a long while now. Talking about storing logs. Talking about parsing logs. Talking about
searching logs. Talking about reacting to logs. Now I'm at Loggly, I'm talking about it more than ever.
Today I'm releasing logstash, an Open Source tool to accomplish all that and more. You can read about the release on my blog and then go download the source
and get started with it.
If you want to see it in action, I've uploaded a demo video on YouTube. Also, Kord and I sat down today and chatted about logstash and its future. That
video is below.

 
In order to improve the security of applications running on distributed systems, six researchers at Cornell University have developed Fabric. It extends
Jif, also developed at Cornell, to add transactions, calls to functions on remote computers and the persistent storage of objects.
Different types of nodes are involved in the execution of Fabric programs.
The central idea behind Fabric and Jif is 'principals', which formulate and implement security requirements. Relationships and operators
allow users, processes, groups and application-specific units to be modelled, each with their own security requirements.

 
Robert Abela is a Technical Manager at Acunetix and in this interview he discusses the process of choosing a web vulnerability scanner and underlines
several factors that should be taken into consideration in the decision-making process.
Which is the best web vulnerability scanner out there?
This question has been haunting the web application security field for quite some time and rest assured that no one will ever give you a definite answer.
What works for Mr A does not work for Mr B. This is because every website, or web application - as we call them today - is different. There are some
scanners that perform better than others on websites developed in PHP and others that might perform better on websites developed in .NET, and so on. Also,
people have different needs. Some just need a scanner to generate a PCI DSS compliance report. Others use it for consulting services, to assist them during
a penetration test, and therefore need a scanner that gives them as much information as possible about the target and one that includes a good set of tools
for easing the lengthy process of manual penetration testing.




Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Training Your Developers On Your Enterprise Security API

Introduce the API HOW TO

Start with the ASVS and Top Ten. Show how the custom API for your enterprise takes them into consideration. Show how much easier it is to write a more secure application when security is designed in at the beginning. Explain how objects are designed and what features can be tested with each. Allow for questions and discussion.


Using the API for Audit

The API has audit functions and your developers should use them. Show them how.


Next Steps

Create a feedback mechanism for developers to drive the next iteration of the API. Security is a process that should always be developing.







Have a great week.

Security Weekly News 29 November 2010 - Full List


Category Index




Hacking Incidents / Cybercrime


 
Details about the U.S. State Department cables obtained by WikiLeaks are starting to come out. Although WikiLeaks itself may be under a denial of service
attack, it provided several newspapers around the world access to the raw documents it is preparing to release later today. The New York Times just posted
its first article summarizing the contents of the cables and highlighting the most newsworthy ones.

 
Security services provider BitDefender says that 'around 20%' of users' news feeds and wall posts on the Facebook social-networking site contain infections.
The data comes from the company's latest safego beta, a Facebook application that uses BitDefender's scanning technology to check a user's privacy levels,
while identifying personal information that may be visible to strangers. The application also scans each user's wall, inbox messages and comments for
malicious links, and shared content that may be compromised, such as images and videos

 
A ten year veteran of US automaker Ford pleaded guilty in federal court on November 17 to charges that he stole company secrets, including design documents,
valued at between $50 million and $100 million, and shared them with his new employer: the Chinese division of a US rival of Ford's. Xiang Dong ('Mike') Yu
admitted to copying some 4,000 Ford Documents to an external hard drive, including design specifications for key components of Ford automobiles, after
surreptitiously taking a job with a China-based competitor in 2006.

 
Cleveland Federal Reserve Hacked [www.bankinfosecurity.com]
Malaysian Caught with 400K Stolen Cards
A 32-year-old Malaysian man was arrested shortly after his arrival last month at John F. Kennedy airport in New York City. His crime? Authorities say he
hacked into the Cleveland Federal Reserve Bank and several other computer systems, including a defense contractor.
Lin Mun Poo, a Malaysian national, faces a four-count indictment that charges him with hacking into computer systems and the possession of more than 400,000
stolen credit and debit card numbers.

 
They bought 1.5 million tickets for Bruce Springsteen concerts, baseball playoff games, and more, using the network
Three California men have pleaded guilty to charges they built a network of CAPTCHA-solving computers that flooded online ticket vendors and snatched up the
very best seats for Bruce Springsteen concerts, Broadway productions and even TV tapings of Dancing with the Stars.
The men ran a company called Wiseguy Tickets, and for years they had an inside track on some of the best seats in the house at many events. They scored
about 1.5 million tickets after hiring Bulgarian programmers to build 'a nationwide network of computers that impersonated individual visitors' on websites
such as Ticketmaster, MLB.com and LiveNation, the U.S. Department of Justice (DoJ) said Thursday in a press release.

 
Four teenage Saudis have been arrested over a technically implausible ATM scam said to have netted US$533,000 (two million Saudi Riyals) over two years.
The unnamed youngsters from the Taif area of Western Saudi Arabia apparently discovered game cards from the local mall allowed them to withdraw the same
amount of money as the previous legitimate ATM customer. The Terminator 2-style trick only worked at the machines run by one particular bank which
'used an old system', according to authorities.

 
A computer hacker who accessed personal data and photos from his mother's front room in a major e-mail scam has been jailed.
Father-of-five Matthew Anderson, 33, of Drummuir, Moray, who was part of an international gang, was caught after a Scotland Yard investigation.
He sent millions of worldwide e-mails which released a virus when opened, allowing remote control of computers.
Anderson was jailed for 18 months at Southwark Crown Court.
He admitted the Computer Misuse Act crime.

 
Stuxnet continues to be a hot topic. Here's an updated set of Questions and Answers on it.
Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak
passwords.
Q: Can it spread via other USB devices?
A: Sure, it can spread via anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.
Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

 
Spear phishing foiled
Foreign spies targeted a senior British defence official in a sophisticated spear phishing operation that aimed to steal military secrets.
The plan was foiled last year when the official became suspicious of an email she received from a contact she had met at a conference.
The official showed the highly personalised message to Ministry of Defence IT experts, who then found the attachment contained malware designed to leak
classified material to a foreign intelligence agency.

 
China inside
A Florida woman has admitted she helped sell millions of dollars worth of counterfeit computer chips for use by the US military.
Stephanie A. McCloskey, 38, of Clearwater, Florida, pleaded guilty in federal court to one count of conspiracy for her role in the scheme, which netted
$15.9 million over three years. The chips, which came from China and Hong Kong, bore counterfeit marks falsely claiming they were industrial-grade and
military-grade goods made by companies such as Texas Instruments, according to court documents. VisionTech Components, the Clearwater company she worked
for, claimed 95 percent of its chips were made in Europe.

 
We received quite a bit of reports of people saying that Secunia's web site has been defaced. And indeed, when I visit Secunia's web site from my machine
(located in Europe), I see a defaced web site as below




Unpatched Vulnerabilities


 
After Stuxnet hit, it was discovered that it took advantage of four previously unknown Windows zero-day vulnerabilities to spread and compromise targeted
systems.
Three of those have already been patched by Microsoft - the LNK vulnerability, the vulnerability located in the Print Spooler service, and a Windows XP
local privilege escalation flaw - but the fourth one still remains unpatched.
That wouldn't be such a major problem, if it weren't for the fact that someone whose Internet handle is webDEViL has released Proof-of-Concept exploit
code for it.

 
A Design Flaw in Windows Kernel API can Lead to privilege escalation.

 
Today proof of concept code (source code, with a compiled binary) of a 0-day privilege escalation vulnerability in almost all Windows operating system
versions (Windows XP, Vista, 7, Server 2008 ...) has been posted on a popular programming web site.
The vulnerability is a buffer overflow in the kernel (win32k.sys) and, due to its nature, allows an attacker to bypass User Account Control (UAC) on Windows Vista
and 7 operating systems.
What's interesting is that the vulnerability exists in a function that queries the registry, so in order to exploit this the attacker has to be able to create
a special (malicious) registry key. The author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user
that does not even have any administrative privileges).
The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable
code in win32k.sys.
Since this is a critical area of the operating system (the kernel allows no mistakes), the published PoC only works on certain kernel versions while on
others it can cause a nice BSOD. That being said, the code can probably be modified relatively easily to work on other kernel versions.

 
Security expert Thomas Cannon has discovered a security vulnerability in the Android browser which can be exploited by attackers to read local files when a
smartphone user visits a crafted web site. The vulnerability appears to affect all versions of Android, including the current version 2.2 (Froyo). Our
colleagues at heise Security have been able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2. Cannon
reports that he has verified the vulnerability on an HTC Desire (2.2) and on the Android emulator (1.5, 1.6 and 2.2) in the SDK.




Software Updates


 
Adobe Reader X (10.0) (link to FTP-server) is now available for Windows, Mac OS X and Android - a Linux version has yet to be released. The most exciting
change is the sandbox (included only in the Windows version), which should improve the PDF reader's overall security. It aims to prevent vulnerabilities in
Reader from being used to infect PCs. The function, dubbed 'Protected Mode' by Adobe, blocks attempts by infected PDFs to write and execute code. It should
also prevent infected files from making registry changes. Future versions will reportedly control read access to prevent attackers from reading confidential
data from the file system.

 
Apple has released versions 5.0.3 and 4.1.3 of Safari, updates that address several security vulnerabilities in the WebKit-based browser. In total, the
Safari updates fix 27 security holes in the browser's open source WebKit rendering engine, most of them rated as critical.

 
The NetBSD development team has announced the arrival of the first feature update to the 5.0 release branch, NetBSD 5.1. According to the developers, the
major release includes a variety of critical security and bug fixes, as well as better hardware support and new features.

 
Wine 1.3.8 released [www.omgubuntu.co.uk]
The weekly development release of Wine landed on Friday with the usual smattering of minor additions, bug fixes and improvements.
The official announcement paints the most notable changes as being:
* Icons in "open with" menus
* Support for schemas in MSXML
* Installer fixes
* Many bug fixes - including for Civilization 4, Guild Wars & Unreal Tournament 3
* Translation updates




Business Case For Security


 
A few weeks ago at OWASP AppSec DC we made progress on an idea that several of us (@RafalLos, @secureideas, @securityninja, @TheCustOS) have been talking
about on twitter for a while. The idea is based on trying to determine a good solution to what we see as the general brokenness of the Internet's web
applications. Not only do we see current applications as badly broken but the velocity at which developers are building new insecure web applications is
increasing. The panel that we hosted at OWASP AppSec DC discussed one method by which we can contribute to reducing the rate at which new, insecure web
applications are being developed.
Our idea is based on improving the security of existing web application development frameworks; adding security components into their core, thus making
security more transparent to the developer and potentially having the effect of producing more secure web applications.

 
Vulnerability Assessment
Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
Focus: Breadth over depth.
Penetration Test
Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker.
Focus: Depth over breadth.

 
No matter what solutions you look at to help secure your network you need to ensure that whatever ones you select do not undermine your
existing security or introduce new vulnerabilities or problems. This is true no matter if that solution is proprietary software, open source based, an
appliance or indeed a service.
The problem many face when selecting solutions is that vendors will tell you all about the strengths of their product, how many awards it has won and show
you the glowing reviews it has received in various magazines. Not to mention the FUD (Fear, Uncertainty and Doubt) factor that they rely heavily on and will
push anytime they think you may be wavering.
If you want to get beyond the hype and ensure that the company you are dealing with does indeed understand security and has a secure product then the
following are some questions that I have found to work:

 

 
VERIS Project Update, One Week In [securityblog.verizonbusiness.com]
A *lot* of people have asked us how the Verizon Enterprise Risk and Incident Sharing (VERIS) community project is going one week later, and so we thought a
small update was in order.
In order for this to really work, we need as much of your participation, enthusiasm and encouragement as possible. And so far, we're overwhelmed with
support. All your mentions on twitter, invitations to speak and do podcasts and so forth, it's just been more than we could ask for. So we earnestly thank
you.

 
2010 Trends Report (Q1-Q2) [www.cenzic.com]
Read the latest Cenzic Trends Report
Fill out the web registration form to get the latest 2010 Trends Report (Q1 - Q2) findings - a 22 page, PDF report. The data was analyzed between January
2010 through June 2010.
Some key findings in the report include:
* 66% of reported vulnerabilities affected Web technologies, such as Web servers, applications, and browsers.
* The most popular Web attacks were Cross Site Scripting (28%) and SQL Injection (20%).

 
Protecting your business against the latest Web threats has become an incredibly complicated task. The consequences of external attacks, internal security
breaches, and internet abuse have placed security high on the small business agenda, so what do you need to know about security and what are the key elements
to address? Trend Micro sheds some light on this tricky subject.
This paper addresses the top 10 ways to protect your small business against web threats including:
1. Close your doors to malware
2. Write your policy
3. Tackle social media before it trips you up
4. Protect with passwords
5. Get critical about Internet security
6. Ask employees for help
7. Make reseller/consultant relationship work for you
8. Lead by example
9. Be current
10. Choose a security partner, not just a vendor
Read this white paper to learn more about protecting your small business against web threats.

 
This post is the first in a series of what I consider the top ten topics for any security awareness program. This series is not designed to tell you what
your awareness program must have, instead these posts are designed to give you recommendations, a place to start. To kick off any awareness program, I
always recommend that a program start with the topic YOU ARE THE TARGET. The purpose of this topic (or module) is to explain to end users that they are
the target. Far too often people have the misconception that they are not a target, that their information or their computers have no value to attackers. Of
course we know this to be false. Anyone with an identity, computer or private information is a target; cyber criminals have made an entire industry of
hacking the end user. This module explains this to people, specifically who is targeting them and why. There are several lesson objectives here.




Web Technologies


 
A few weeks ago at OWASP AppSec DC we made progress on an idea that several of us (@RafalLos, @secureideas, @securityninja, @TheCustOS) have been talking
about on twitter for a while. The idea is based on trying to determine a good solution to what we see as the general brokenness of the Internet's web
applications. Not only do we see current applications as badly broken, but the velocity at which developers are building new insecure web applications is
increasing. The panel that we hosted at OWASP AppSec DC discussed one method by which we can contribute to reducing the rate at which new, insecure web
applications are being developed.
Our idea is based on improving the security of existing web application development frameworks; adding security components into their core, thus making
security more transparent to the developer and potentially having the effect of producing more secure web applications.

 
For a long time I've said that security is a quality issue. It sounded good, it resonated with me, but by and large I am coming to the conclusion it's an
insufficient understanding. While I still believe the two issues are similar enough for discussion, the nuanced efforts required to fix a security bug vs.
a quality bug are night and day. Patching, as we'd fix a quality issue, has permeated the collective InfoSec mindset as a defensive solution in protecting
our infrastructures. Virtually or locally, however, relying on that patching mindset is a death sentence and will always lose to a skillful opponent.
...
I'd like to be careful to note here that striking back here doesn't necessarily imply "hacking back" as some others are proposing**. It simply means that
if, in the course of an interaction, we can make our opponent deal with our threats (read: countermeasures) we can regain initiative-and perhaps equally
important, time and space. There are unlimited opportunities for doing so. In fact, this is perhaps the most important bit to all of this- attack and
defense are the same. We always have the same opportunities to be creative and solve problems; it usually comes down to being bold enough to leverage them.

 
Wong Onn Chee and Tom Brennan from OWASP recently published a paper* presenting a new denial of service attack against web servers.
What's special about this denial of service attack is that it's very hard to fix because it relies on a generic problem in the way the HTTP protocol works.
Therefore, to properly fix it would mean to break the protocol, and that's certainly not desirable. The authors are listing some possible workarounds but in
my opinion none of them really fixes the problem.

 
The awful truth
There is no magical patch that will make everything secure
Vendors don't tell the full story
Security is rarely considered in the development process
Tools are useful, but only in the right hands
Security tools rarely prevent developers from making security mistakes
Often the term security refers to the use of security features

 
We all either love or hate compliance!
Provide guidance and best practices for software development from a regulatory standpoint.
Target: Top 20 things a developer can do to stay on the right side of compliance.

 
With the recent OWASP AppSec DC presentation on Slow HTTP POST DoS attacks, the issue of web server platform DoS concerns have reached a new high. Notice
that I said, web server platform and not web application code. The attack scenario raised by slow HTTP POST attack is related to web server software
(Apache, IIS, SunONE, etc...) and cannot be directly mitigated by the application code. In this blog post, we will highlight the two main varieties of slow
HTTP attacks - slow request headers and slow request bodies. We will then provide some new mitigation options for the Apache web server platform with
ModSecurity.
Network DoS vs. Layer-7 DoS
Whereas network level DoS attacks aim to flood your pipe with lower-level OSI traffic (SYN packets, etc...), web application layer DoS attacks can often be
achieved with much less traffic. The point here is that the amount of traffic which can often cause an HTTP DoS condition is often much less than what a
network level device would identify as anomalous and therefore would not report on it as they would with traditional network level botnet DDoS attacks.
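As an added illustration of the two varieties named above (slow request headers and slow request bodies), not code from the quoted post or from ModSecurity: a per-connection timing check of the kind a web server front-end can apply, run over constructed connection traces. The thresholds, peer addresses and request bytes are all assumptions for the demo; the summary also shows how few bytes the flagged connections actually sent, which is the layer-7 point the passage makes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions chosen for illustration, not values from the post.
HEADER_DEADLINE_S = 20.0   # full request headers must arrive within this many seconds
BODY_MIN_RATE_BPS = 500.0  # a declared body must sustain at least this many bytes/second
BODY_GRACE_S = 5.0         # body rate is judged only after this much time has passed


@dataclass
class Connection:
    """One client connection: (seconds since accept, bytes received) events, plus the
    evaluation time, also in seconds since accept."""
    peer: str
    events: List[Tuple[float, bytes]]
    now: float


def _header_end(conn: Connection) -> Optional[Tuple[float, bytes]]:
    """Return (time the header block completed, raw header block) or None if still open."""
    buf = b""
    for t, chunk in conn.events:
        buf += chunk
        idx = buf.find(b"\r\n\r\n")
        if idx != -1:
            return t, buf[:idx]
    return None


def _declared_length(headers: bytes) -> int:
    """Content-Length announced by the client, 0 if absent."""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", headers)
    return int(m.group(1)) if m else 0


def classify(conn: Connection) -> str:
    """'slow-headers' if the header block is still open past the deadline, 'slow-body' if a
    declared body is trickling in below the minimum rate, otherwise 'ok'."""
    done = _header_end(conn)
    if done is None:
        return "slow-headers" if conn.now > HEADER_DEADLINE_S else "ok"
    hdr_t, headers = done
    expected = _declared_length(headers)
    total = sum(len(c) for _, c in conn.events)
    body_received = total - (len(headers) + 4)  # bytes after the blank line
    if expected == 0 or body_received >= expected:
        return "ok"  # no body expected, or body already complete: idle keep-alive is fine
    elapsed = conn.now - hdr_t
    if elapsed > BODY_GRACE_S and body_received / elapsed < BODY_MIN_RATE_BPS:
        return "slow-body"
    return "ok"


def audit(conns: List[Connection]) -> Dict[str, List[Tuple[str, int]]]:
    """Classify every connection; map verdict -> [(peer, total bytes received), ...]."""
    out: Dict[str, List[Tuple[str, int]]] = {"ok": [], "slow-headers": [], "slow-body": []}
    for c in conns:
        out[classify(c)].append((c.peer, sum(len(b) for _, b in c.events)))
    return out


# Constructed sample traces (not captured traffic).
NORMAL = Connection("10.0.0.5", [
    (0.00, b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 27\r\n\r\n"),
    (0.05, b"user=alice&password=secret1"),
], now=1.0)

SLOW_HEADERS = Connection("198.51.100.7", [
    (0.0, b"GET / HTTP/1.1\r\nHost: app.example\r\n"),
    (15.0, b"X-a: 1\r\n"),   # one short header line every ~15 s keeps the request open
    (30.0, b"X-b: 2\r\n"),
], now=40.0)

SLOW_BODY = Connection("203.0.113.9", [
    (0.0, b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 100000\r\n\r\n"),
    (10.0, b"a"),            # declared 100 kB, delivering one byte every 10 s
    (20.0, b"b"),
    (30.0, b"c"),
], now=35.0)

if __name__ == "__main__":
    for verdict, peers in audit([NORMAL, SLOW_HEADERS, SLOW_BODY]).items():
        print(verdict, peers)
```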

 
One of the most common vulnerabilities in web applications is known as HTML injection or cross-site scripting, and one of the simplest ways of showing such
a problem exists involves loading a JavaScript alert dialog. Those who understand the ramifications of such an issue know that it creates the potential for
far more malicious activity, but the alert box is an easy demonstration that the application can be automatically manipulated.
Other vulnerabilities, though, may be more subtle and not as readily visualized. Take cross-site request forgery, for example. It's easy to understand that
there's a problem when an application lets you manipulate the data of other users - the site should validate the account making requests before executing
them. What may not be so obvious is that problems can still arise even when the application checks the account first. If no system exists for verifying that
the account owner actually intended to perform a given action, it may be possible to hijack that user's session and make requests without them knowing. The
technical term for this behavior is cross-site request forgery.
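As an added example, not code from the article quoted above: a minimal intent check of the kind the passage says is missing. The session cookie authenticates the account (the check sites already do), and a per-session, per-action HMAC token proves the user actually submitted the server's own form (the check that stops a forged cross-site request). Session ids, key handling and amounts are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side signing key. In a real deployment it comes from the application's secret
# store; generating it at import time is an assumption made for this demo.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Derive an intent token bound to one session and one action. The server embeds it
    in the form it renders for that user; a page on another origin can make the browser
    send the session cookie, but it can neither read this value nor compute it."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token this session/action should carry."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, action), presented)


def handle_transfer(request: Dict, sessions: Dict[str, str]) -> Tuple[int, str]:
    """Simulated state-changing endpoint. Step 1 is the account check the passage says
    sites already perform; step 2 is the missing check: did this user intend the action?"""
    sid = request.get("cookie", {}).get("session")
    user = sessions.get(sid)
    if user is None:
        return 401, "not logged in"
    form = request.get("form", {})
    if not verify_token(sid, "transfer", form.get("csrf_token")):
        return 403, "valid session but no proof the user intended this request"
    return 200, f"{user} transferred {form.get('amount')} to {form.get('to')}"


# Constructed demo data (not from any real application).
SESSIONS = {"sess-alice-7f3a": "alice", "sess-mallory-91c0": "mallory"}


def demo() -> Tuple[int, int, int, int]:
    alice = {"session": "sess-alice-7f3a"}
    # Submitted from the server's own form: cookie plus the token rendered into that form.
    legit = {"cookie": alice,
             "form": {"amount": "10", "to": "bob",
                      "csrf_token": issue_token("sess-alice-7f3a", "transfer")}}
    # Auto-submitted from another site: the browser attaches alice's cookie, nothing else.
    forged = {"cookie": alice, "form": {"amount": "10000", "to": "mallory"}}
    # Token for a different action replayed here: binding to the action matters.
    wrong_action = {"cookie": alice,
                    "form": {"amount": "10000", "to": "mallory",
                             "csrf_token": issue_token("sess-alice-7f3a", "change_email")}}
    # Mallory's own valid token sent with alice's cookie: binding to the session matters.
    wrong_session = {"cookie": alice,
                     "form": {"amount": "10000", "to": "mallory",
                              "csrf_token": issue_token("sess-mallory-91c0", "transfer")}}
    return tuple(handle_transfer(r, SESSIONS)[0]
                 for r in (legit, forged, wrong_action, wrong_session))


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 403)
```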

 
Do you have a logstash? [www.loggly.com]
I'm a dev ops guy, and I've been talking about logging problems for a long while now. Talking about storing logs. Talking about parsing logs. Talking about
searching logs. Talking about reacting to logs. Now I'm at Loggly, I'm talking about it more than ever.
Today I'm releasing logstash, an Open Source tool to accomplish all that and more. You can read about the release on my blog and then go download the source
and get started with it.
If you want to see it in action, I've uploaded a demo video on YouTube. Also, Kord and I sat down today and chatted about logstash and its future. That
video is below.

 
In order to improve the security of applications running on distributed systems, six researchers at Cornell University have developed Fabric. It extends
Jif, also developed at Cornell, to add transactions, calls to functions on remote computers and the persistent storage of objects.
Different types of nodes are involved in the performance of Fabric programs. (Figure, source: cornell.edu)
The central idea behind Fabric and Jif is 'principals', which formulate and implement security requirements. Relationships and operators
allow users, processes, groups and application-specific units to be modelled, each with their own security requirements.

 
Breaking HTML parsers for fun [www.thespanner.co.uk]
I was experimenting with some HTML vectors to break the various HTML parsers in the browsers, I wanted to continue till I found a cool one for Firefox
because I like to bully the memory hogging browser as I use it a lot. I found some weird rendering in Firefox, Chrome and Opera. It started off with cdata
nodes and different behaviour in IE and Firefox. Firefox didn't execute my vector but IE did. This was interesting because FF was rendering the cdata inside
the attribute.

 
Understanding and using skipfish [lcamtuf.blogspot.com]
Skipfish, my open source web application security scanner, is now about eight months old - and, over the course of over 70 releases, has undergone a number
of substantial changes. From the very beginning, the project flirted with a number of radical ideas that are not commonly seen in this class of software -
but because of this, it also proved to be deceptively easy to misuse, due to the preconceived ideas of what it could possibly offer.
So, while I maintain detailed documentation and a short troubleshooting guide, it seems appropriate to share some additional hints on how to get the most
out of this tool.

 
Robert Abela is a Technical Manager at Acunetix and in this interview he discusses the process of choosing a web vulnerability scanner and underlines
several factors that should be taken into consideration in the decision-making process.
Which is the best web vulnerability scanner out there?
This question has been haunting the web application security field for quite some time and rest assured that no one will ever give you a definite answer.
What works for Mr A does not work for Mr B. This is because every website, or web application - as we call them today - is different. There are some
scanners that perform better than others on websites developed in PHP and others that might perform better on websites developed in .NET, and so on. Also,
people have different needs. Some just need a scanner to generate a PCI DSS compliance report. Others use it for consulting services, to assist them during
a penetration test, and therefore need a scanner that gives them as much information as possible about the target and one that includes a good set of tools
for easing the lengthy process of manual penetration testing.




Network Security


 
I recently got involved in a project where I defined the Baseline Security settings for windows and Linux. I used the settings provided by the Center for
Internet Security (CIS).
We decided on the following approach:
* Based on the CIS templates we created a baseline document specific to our company
* I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
* The windows administrator created GPOs to apply the settings.
When creating the GPOs we made a strange discovery. In Windows, the settings that are normally marked as MSS: in the category Computer Configuration
\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.
This made us wonder, have these settings become irrelevant? If this is not the case, how can we still set them, preferably via group policy?
The settings are not irrelevant, as e.g. Peter van Eeckhoutte's blog points out. Windows 2008 does not forward IPv4 packets that have source routing on
them, but it does accept them if the machine is the final destination. However for IPv6 Windows 2008 will forward these packets by default.

 
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that
their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate
eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and
supports all SSH protocol versions.
SSH is an awesome, powerful tool; there are unlimited possibilities when it comes to SSH. Here are the top voted SSH commands.

 
AWK is a data driven programming language designed for processing text-based data, either in files or data streams. It is an example of a programming
language that extensively uses the string datatype, associative arrays (that is, arrays indexed by key strings), and regular expressions. WIKI
Here are the most kick-ass voted AWK commands.

 
Windows Server 2008 Security Checklist

 
OpenSSL CheatSheet [wiki.samat.org]

 
The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many
cases the first and last line of defence. It is quite important to get it right.
Most of us know that when we turn on password complexity in Windows it is no guarantee that the user will select a decent password. After all Passw0rd is an
8 character password that will pass complexity checking in Windows and not many of us would argue that it is a decent password. Another element needs to be
in place to get decent passwords, user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used and hence
determine whether user awareness training has worked, a refresher is needed or all is good. When cracking passwords you will also be able to determine
patterns used by users, admin staff, service accounts, resource accounts, helpdesk etc. All useful information in determining the security posture.
I'll take you through the process that I've been using over the last year or so to examine passwords and get an idea of the security posture or issues
within an organisation. Following that I'll take you through some sample outputs and what they show.

 
The enemy in the network card [www.h-online.com]
Security expert Guillaume Delugré, who works for the Sogeti European Security Expertise Center (ESEC), has demonstrated that a rootkit doesn't necessarily
have to infest a computer. The expert used freely available tools and documentation to develop custom firmware for Broadcom's NetExtreme network controller.
He was then able to conceal a rootkit within the firmware, making it untraceable by the virus scanners usually installed on a PC.

 
Recent advances in IPv6 insecurity Marc "van Hauser" Heuse
In a distant future... IPv6 will come. Maybe, hopefully never!!!
If you haven't already realised it, IPv6 is already in your systems. The future is already here!
Providers are now finding issues getting IPv4 addresses. IPv6 addresses are coming, slowly.
The biggest provider in Germany (Deutsche Telekom) is working on an IPv6 rollout in 2011

 
A honeypot is a decoy IT infrastructure component that is designed and deployed to be attacked. While the development of commercial honeypots seems to have
lost steam, there is a plethora of innovative and freely available honeypot tools. Let's take a look at the pros and cons of using honeypots as part of a
modern IT infrastructure.
The Value of Honeypots
As I discussed in the Stopping Malware on its Tracks article, they can strengthen an enterprise's defensive posture in several ways

 
network enumeration [oldschooltrickbag.blogspot.com]
OK, just wanted to go over some Windows Active Directory tools found in the Windows 2003 Admin Pack. These are basic tools that often get overlooked in
favor of massive VB scripts. I use them daily to pull reports on users, groups, or computers. The Active Directory tool in Windows is very limited, and
with these commands you can pipe, output, parse, and loop to your heart's content. So let's just start off with some one-liners.
Need a list of all the PCs in the Domain?
dsquery computer -limit 0 | dsget computer -name
Working in the registry and need a SID?
dsquery user -name "*NAME*" | dsget user -sid -display

 
So why are these facebook transforms useful:
* Tracking spam: you can use a phrase that you know is used in spam, take this to facebookObjects, then take each of these to a phrase ('toPhrase'
transform), and then search facebook for these phrases, rinse and repeat until you have identified all the spammers.
* Tracking what is said about a specific term and who says it the most as well as how often they are talking about and who they are. You can also identify
locations/companies/other useful information by taking these terms and performing Named Entity Recognition on them.
* If it was possible to identify friends of an individual (think the typeahead bug) you could identify the spheres of influence around people on facebook
that you have found via your graphAPI queries.

 
Spoofing Geolocations on Facebook Places [marcoramilli.blogspot.com]
BlackBerry simulator allows you to tweak the GPS to any location on the planet, and the applications on the device respond as such. Of course this is just
to test out applications, but why nobody has used it on Facebook Places before is beyond me. But then again, Facebook Places has only been out for the
BlackBerry this past week, so it's not much time to really click on to this sort of thing. By editing the GPS location through Simulate > Add > then editing
the Name, Latitude and Longitude, which you can get by enabling the LatLong tool on Google Maps Labs, you can spoof your Facebook Places into thinking
you're in one place when you're not. Always add more than 7 satellites though as this makes the device think you are in a more accurate location than it is.

 
Trying Ubuntu 10.10 in AWS Free Usage Tier [taosecurity.blogspot.com]
After trying 60 Free Minutes with Ubuntu 10.10 in Amazon EC2 yesterday, I decided to take the next step and try the AWS Free Usage Tier. This blog post by
Jay Andrew Allen titled Getting Started (for Free!) with Amazon Elastic Cloud Computing (EC2) helped me.
One important caveat applies: this activity will not be completely free. The AMI I chose uses a 15 GB filesystem, and the terms of the free usage stipulate no
more than a 10 GB filesystem. I'll pay $0.50 per month for the privilege of using a prebuilt Ubuntu AMI. Since I'm an AMI n00b, I decided to pay the $0.50.
At some point when I am comfortable creating or trusting 10 GB AMIs, maybe I'll switch.

 
A 'very unfortunate coincidence' when updating virus signatures and scanner software caused the free ClamWin (ClamAV for Windows) virus scanner to run amok
and move large numbers of files into quarantine on Windows systems. On the ClamWin forum, various users reported that 25,000 files, including system files,
were moved into quarantine as a result - more or less the entire system




Cloud Security


 
Cloud providers' terms and conditions shock study
Cloud computing contracts often contain significant business risks for end user organisations, according to independent research by UK academics. Some
contracts even have clauses disclaiming responsibility for keeping the user's data secure or intact.
Others reserve the right to terminate accounts for apparent lack of use, which is potentially important if they are used for occasional backup or disaster
recovery purposes, according to the Cloud Legal Project at Queen Mary, University of London.
Other contracts can be revoked for violation of the provider's Acceptable Use Policy, or indeed for any or no reason at all, the academics found.

 
Let's Enable Cloud Computing [blog.cloppert.org]
I've been thinking a lot about 'cloud computing' over the past few months, and I keep coming back to the same conclusion every time: the InfoSec community
is inhibiting IT innovation by throwing up weak, largely unsubstantiated concerns over the security risks of 'cloud computing.' Overall, our industry's
reaction smacks of 'fear of the unknown.' [1]
After some research[2][3][4][others], I've found that most security-related arguments against cloud computing qualitatively fall into one of the following
risks, in no particular order




Mobile Security


 
iPhone Security Guide [blog.itsecurityexpert.co.uk]
Last week a reporter asked for my opinion on iPhone Security, I said I thought it was a good idea.
But seriously, Apple are actually taking steps to better secure the iPhone, this is driven by Apple's desire to impact the business smart phone market more,
and better compete with the likes of Blackberry, who are the dominant force when it comes to business smart phone usage. Blackberry has been widely adopted
by larger enterprises not only because their devices are easy to centrally manage, but because it comes with a whole raft of essential business security
features, such as device level encryption and remote wipe functionality.

 
While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents
of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this
vulnerability.
The vulnerability is present because of a combination of factors. I've been asked nicely to remove some details from the following section, and as my
intention is to inform people about the risk, not about how to exploit users, I've agreed

 
The Chronic Dev team have released one of the major components of greenpois0n, the software for jailbreaking Apple's iPhones, iPads and iPods with the iOS
operating system. Once jailbroken users can bypass Apple and install arbitrary software on their devices. The component in question is the 'syringe'
injector module. The module sends the exploit to the device and then boots the device out of recovery mode and into a jailbroken state.

 
Security experts find serious flaws present in versions up through the webOS 2.0
Palm, Inc. -- new subsidiary of Hewlett-Packard -- hasn't given up on the smartphone market, despite the fact that its Pre smartphones were a relative flop
compared to the iPhone and Android platforms. It has revealed the Palm Pre 2, which will soon go on sale in the U.S. And it reportedly has a host of other
form factors in the works.
But Palm's latest version of webOS reportedly retains some serious security flaws, much like iOS (which powers the iDevices) and Android. Orlando Barrera
and Daniel Herrera of SecTheory uncovered three serious flaws unique to the platform that could be exploited for malicious purposes, plus a flaw in file
system permissions.

 
In its latest iOS version 4.2.1, Apple has introduced a new mechanism to further complicate the removal of the SIM lock, also known as a network or subsidy
lock. The operating system will check which baseband version (in simple terms, 'modem firmware') is installed on the iOS device and refuse to start if an
unauthorised version is found. With the earlier versions of iOS the TinyUmbrella tool can be used to persuade locked devices to co-operate; this tool won't
work in iOS 4.2.1.




Privacy


 
According to the TSA, there are currently 385 full body scanners in 68 different US airports. Check to see if your local airport is using these scanners to
sneak a peek at your goodies.

 
Whoa, Google, That's A Pretty Big Security Hole
Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of
guntada.blogspot.com (don't visit that site just yet) emailed us this morning to explain.


 
A fake wi-fi hotspot run by criminals could allow them to steal passwords and log into his social networking sites.
Tom Beale from security firm Vigilante Bespoke shows the BBC's Rory Cellan-Jones how easily data can be stolen from a smartphone.
Facebook has responded by saying it advises people to be careful with what data they give out to unknown networks, 'in the same way we look to draw out cash
from legitimate ATM (cashpoint) machines'.
It also pointed out that it asks members whether they want to give Facebook access to contacts stored by email providers before downloading such information
from other organisations.

 
A security researcher who specializes in online privacy had his laptop and cell phones temporarily seized after returning to the U.S. on an international
flight last night.
Moxie Marlinspike told CNET in an interview today that he had been detained and questioned after an international flight last week and appears to be on a
federal 'watch list' for domestic flights too but doesn't know why.

 
DENVER - USA - A full body scanner operator was caught masturbating during a scanning session by airport staff late Tuesday.
Airport officials at Denver International airport were on high alert yesterday when a full body scanner operator was caught masturbating in his booth as a
team of High School netball players went through the scanner.
'The young ladies were going through the scanner one by one, and every time one went through, this guy's face was getting redder and redder. His hand was
moving and then he started sweating. He was then seen doing his 'O' face. That's when the security dragged him out of his booth and cuffed him. He had his
pants round his ankles and everybody was really disgusted,' Jeb Rather, a passenger on a flight to New York told CBS news.

 
There was a post recently on Hacker News about how a startup that used the Google App Engine had to switch because of various limitations. You can find
the article here. Really good read. I know the points mentioned in the article all too well. Top Hat Monocle was built on the App Engine for the first ~10
months of its life until we snapped out of our Stockholm syndrome and finally switched over to EC2 (best decision we've ever made.)
I don't want to re-tread the same territory, so I'll just talk about the details of our personal experience rather than cover the same particular
technical limitations.




Cryptography / Encryption


 
Cache Games - Bringing Access Based Cache Attacks on AES to Practice
Endre Bangerter and David Gullasch and Stephan Krenn
Abstract: Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing
theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache-attacks. The
source of information leakage for such attacks is the locations of memory accesses performed by a victim process.
In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring
only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any
information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without
having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations
using compressed tables, where it is not possible to find out the beginning of AES rounds any more -- a corner stone for all efficient previous attacks. All
results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations.

 
"Berlin" is the highly anticipated clue from artist Jim Sanborn that's meant to help crypto sleuths unlock the cipher to his enigmatic Kryptos sculpture.
The clue was revealed Saturday in a New York Times article.
Sanborn gave the newspaper six letters from the remaining 97 letters that have yet to be solved in the sculpture's final passage. The six letters - NYPVTT -
are the 64th through 69th letters of the final 97 characters. When deciphered, they read "BERLIN."
It's the first clue Sanborn has revealed in four years, after he corrected a typo in his sculpture in 2006 to keep crypto detectives from being derailed in
their search for solutions.




Social Engineering


 
Being this short is really helpful for social engineering. When a security guard comes I can hide anywhere... I've spent hours hiding under desks!
Origins of social engineering
The term sociale ingenieurs was introduced by the Dutch industrialist J.C. Van Marken in 1894
A hundred years ago was the age of the con artists.




Tools


 
BackTrack 4 R2 Download! [www.backtrack-linux.org]
Yes, the time has come again - for a new kernel, and a new release of BackTrack. Codenamed "Nemesis". This release is our finest release as of yet with
faster Desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment.

 
root@bt:~# apt-get update
root@bt:~# apt-get dist-upgrade
root@bt:~# apt-get install linux-image-2.6.35.8

 
Agnitio v1.0.0 released today [www.securityninja.co.uk]
It has been around six months since I posted any information about the security code review tool I was developing so I thought it was time for an update. To
be honest, if you have read the title of this blog post you will know today's blog is a bit more than just a progress update post!
In April I showed you two images of a security code review tool which was about 25% complete. It allowed you to perform a security code review and that
was about it but I didn't like it, it was ugly and that's not what I had in mind. I know that sounds a bit shallow but I wanted this tool to be easy to use,
make the lives of security code reviewers easier but also be easy on the eye!

 
Long URL [longurl.org]
Browse with Confidence and Increased Security!
Avoid phishing, malware, and viruses by examining short URLs before visiting them. Find out where links really take you.

 
Graylog2 [www.graylog2.org]
Graylog2 is an open source syslog implementation that stores your logs in MongoDB. It consists of a server written in Java that accepts your syslog messages
via TCP or UDP and stores them in the database. The second part is a Ruby on Rails web interface that allows you to view the log messages.
Why
Point the syslog clients of all your servers to your Graylog2 installation and have all your logs aggregated in one database. Use the web interface to see
all recent log messages, get an overview, see if something goes wrong, order your messages in streams, filter messages by blacklists and see only the logs
of the host you want with one click. Another use case is to use the Graylog Extended Log Format from within your logging class instead of old plain syslog.
Attach tons of payload like backtraces and environment variables, define the file and line that caused this error and use Graylog as your self-hosted
exception tracker.

 
RIPS [sourceforge.net]
RIPS is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security (www.php-security.org).

 

 
An updated build of Acunetix WVS Version 7 was released.
Improvement:
* More updates to the Client Script Analyser (CSA) engine for better Web 2.0 support
Bug Fixes:
* Fix: Added port in host header for https in manual browsing
* Fixed: Crawler not serving pages to Client Script Analyzer engine on request if pages were already queued
* Fixed: Compare results frame crashed if nodes are expanding while still comparing
* Fixed: CanonicalizeLink incorrectly interpreted ".." style links

 
I have just released the new version of Megiddo (0.4.0) on the relevant code.google page. This release includes many new things:
* A new detection program for a single encrypted file. Relatively often, encryption is performed by using a short cyclic sequence (from a few bytes to a few
kilobytes) and combining it with the plaintext (file, binaries...). This is for instance the case with encrypted malware. The detect_singlefile.c
program enables you to detect the length of that cyclic sequence. You then just have to split your encrypted file into chunks of that length and perform the
cryptanalysis as explained in the library.
* New and very detailed slides explaining how to use the open source library and especially giving interesting examples (drawn from real cases) of how
trapdoors can be hidden in encryption systems. The case of dynamic cryptographic trapdoors is also presented.
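The detection step described above, as an added example in Python that is not Megiddo's own detect_singlefile.c: it assumes the cyclic sequence is combined with the plaintext by XOR, finds the sequence length from how often bytes coincide at a given shift, splits the file into per-key-position chunks, and recovers each key byte from the plaintext's dominant byte value. The PE-like sample blob and the 7-byte key are constructed for the demonstration.

```python
"""Added example (not Megiddo's own detect_singlefile.c): find the period of a
short cyclic key XORed over a file, split the file into per-key-position chunks
and recover each key byte from the plaintext's dominant byte value."""
from collections import Counter
from itertools import cycle

def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """Combine data with a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions i where data[i] == data[i + shift]."""
    pairs = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(pairs)) / pairs

def detect_period(data: bytes, max_len: int = 64) -> int:
    """Smallest shift whose coincidence rate is near the best one.
    When shift is a multiple of the key length, both bytes were XORed with
    the same key byte, so the plaintext's bias (zero padding in binaries,
    spaces in text) shows through; other shifts look close to random."""
    rates = {s: coincidence_rate(data, s) for s in range(1, max_len + 1)}
    best = max(rates.values())
    return min(s for s, r in rates.items() if r >= 0.5 * best)

def split_columns(data: bytes, period: int) -> list:
    """Chunk by key position: column j holds every byte XORed with key[j]."""
    return [data[j::period] for j in range(period)]

def recover_key(data: bytes, period: int, likely_byte: int = 0x00) -> bytes:
    """Assume the most frequent ciphertext byte of each column hides
    likely_byte (0x00 for zero-padded binaries, 0x20 for English text)."""
    return bytes(Counter(col).most_common(1)[0][0] ^ likely_byte
                 for col in split_columns(data, period))

# Constructed sample: a PE-like blob with long zero runs and a 7-byte key.
SAMPLE_PLAINTEXT = (b"MZ\x90\x00" + bytes(120)
                    + b"This program cannot be run in DOS mode.\r\n"
                    + bytes(200) + b".text" + bytes(64) + b".data" + bytes(300))
SAMPLE_KEY = b"\x8a\x13\xc7\x2e\x55\xf0\x69"
SAMPLE_CIPHERTEXT = xor_cyclic(SAMPLE_PLAINTEXT, SAMPLE_KEY)

def analyse(ciphertext: bytes) -> tuple:
    """Return (detected period, recovered key, decrypted bytes)."""
    period = detect_period(ciphertext)
    key = recover_key(ciphertext, period)
    return period, key, xor_cyclic(ciphertext, key)

if __name__ == "__main__":
    period, key, plain = analyse(SAMPLE_CIPHERTEXT)
    print(period, key.hex(), plain == SAMPLE_PLAINTEXT)
```

For a text plaintext, pass likely_byte=0x20 to recover_key; the period detection itself is unchanged.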

 
Ravan [www.andlabs.org]
JavaScript Distributed Computing System (BETA)

 
Posted on November 23, 2010 by ChrisJohnRiley
Well it's been a while since I wrote about man in the middling printers (original post here), but I've not been totally ignoring the subject. After
releasing the UA-Tester tool and writing a few small scripts for things like scr.im, I went back and had a look at the printer MITM topic with a mind to
writing up a tool (in python obviously) to automate some of it. The result is a workable PoC tool called prn-2-me.

 
NessusDB v1.0 Release [www.hammackj.com]
NessusDB is a full featured Nessus XML parser and report generator. The report templates are very extendable and generate as PDFs. Each template is a small
ruby script, so the report generation possibilities are endless; accessing the database is as simple as using ActiveRecord. Some simple
graphing functionality using the Gruff library has also been added. The graphs are generated on the fly from the database and can be in-lined into the reports very easily.

 
The EFF launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against Firesheep and other
exploits of webpage security flaws.
HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online
reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking.
Unfortunately, while many sites on the web offer some limited support for HTTPS, it is often difficult to use. Websites may default to using the
unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. EFF's HTTPS Everywhere tool uses carefully
crafted rules to switch sites from HTTP to HTTPS.

 
Facebook Password
All good pentesters have their own "survival kit" with a lot of tools and scripts grabbed here and there. Here is a new one released a few
days ago: FacebookPasswordDecryptor.

 
Process Explorer v14.01: This update fixes a bug related to the DLL view and adds a tab to the new system information dialog, Summary, that displays all the
performance graphs together.
Autoruns v10.05: This Autoruns update adds ActiveSync autostart locations, fixes a bug that prevented offline scanning from working in some cases, and
fixes a formatting bug in the scheduled tasks display.

 
BlackSheep 1.5: more options [research.zscaler.com]
The latest version of BlackSheep brings new options and fixes a few bugs. I encourage all users of BlackSheep to upgrade by downloading the latest version.

 
Hydra update to v5.9 [security-sh3ll.blogspot.com]
A very fast network logon cracker which supports many different services.
Hydra 5.9 is now available, with updates for mysql, subversion, smtp, ftp and http-form.
CHANGELOG for 5.9
* Update for the subversion module for newer SVN versions
* Mysql module now has two implementations and uses a library when found
* new logo
* Another patch to add the LOGIN auth mechanism to the smtpauth module
* Better FTP 530 error code detection
* Bugfix for the SVN module for non-standard ports

 
OWASP HTTP Post Tool Released [security-sh3ll.blogspot.com]
HTTP Denial of Service using GET or POST techniques
This QA tool was created to allow you to test your web applications to ensure their stability against HTTP GET and HTTP POST attacks - it will also make your
laptop a sniper rifle.

 
Armitage v11.25.10 Released [security-sh3ll.blogspot.com]
Armitage - Cyber Attack Management for Metasploit
Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities
of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want
to learn Metasploit and grow into the advanced features, Armitage can help you.

 
Largest NTLM rainbow tables ever [project-rainbowcrack.com]
We recently completed the generation and verification of two new NTLM rainbow tables:
ntlm_ascii-32-95#1-8 rainbow table
* Plaintext charset: space and !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
* Plaintext length: 1 to 8
* Success rate: 96.8%
* Table size: 576 GB
* Keyspace: 6,704,780,954,517,120 (2^52.5)
ntlm_loweralpha-numeric#1-10 rainbow table
* Plaintext charset: abcdefghijklmnopqrstuvwxyz0123456789
* Plaintext length: 1 to 10
* Success rate: 96.8%
* Table size: 396 GB
* Keyspace: 3,760,620,109,779,060 (2^51.7)

 
Recently some pretty major advances have come around in the world of GPU based hash cracking. Up until now there was not much for Linux which would utilize
multiple GPUs to crack password hashes. This has changed with the release of oclHashcat. The release of oclHashcat signifies a significant jump in the
speed of Linux based GPU systems. There is also a CPU based version called hashcat, but for this article I will be reviewing oclHashcat.
One of the nice things about OpenCL is that it works on Nvidia and ATI based systems. As I do not have any ATI cards I will be focusing on Nvidia based
systems. The steps for ATI would be the same; you would just have to install the Stream drivers rather than the Nvidia drivers. In order for OpenCL to work
you are going to need the newest Nvidia drivers.




General


 
If you've browsed your local stores recently, you've probably seen all the Christmas decorations, expanding toy selection and scented pine cones. Christmas
is coming, which means most of us will be gearing up to shop. The days of suffering through retail congestion are becoming a thing of the past, however:
Forrester Research predicts U.S. online sales will increase 16% this holiday season. So, how do you join this online shopping movement and avoid the
December crowds without compromising your security? Here are seven tips for shopping online safely this holiday season. (To learn more, check out the Top
Holiday Spending Mistakes.)

 
Q) What products are in scope?
A) The following security products by Barracuda Networks:
* Barracuda Spam & Virus Firewall
* Barracuda Web Filter
* Barracuda Web Application Firewall
* Barracuda NG Firewall
Other Barracuda Networks products are not currently in scope. The scope for now is limited to the Appliance form factor of each product listed above, and
not any related service or SaaS version. Only the most recent generally available version of each product qualifies.

 
What Not To Post On Twitter [www.forbes.com]
Insurance companies are seeing an increase in social-media-informed theft. Follow these tips so you don't become a victim as well.
It's generally not a good idea to blurt out everything that pops into your head. Yet millions of people do almost exactly that on a daily basis--via
Twitter.
The popular social networking tool, which now boasts 190 million users, allows anyone to broadcast the events of their day to any and all subscribers to
their feed. But the explosion of personal information can put you at risk of facing fraud, bullying, and even losing your job.

 
Microsoft has updated its security protection tools following a glitch that prevented third-party applications - including Google Chrome and Adobe Reader -
from updating properly.
The Enhanced Mitigation Experience Toolkit (EMET) is designed to thwart a range of tricks used by malware writers to infect systems. However a recent update
of the tool went awry, which meant users had to restart their systems after applying recent Adobe software patches - a potential nuisance in corporate
environments in particular.
Worse still, the misfiring Microsoft tool prevented updates of Google Chrome from installing, at least in cases where multiple users on the same machine
have installed the browser and the administrator account is yet to apply a security patch.

 
There's been a lot of discussion in the media recently about the threat that malware poses on the Mac OS X platform. It's clearly an emotive subject, with
strongly held views on both sides.
To inform the discussion, here's a brief overview of some of the malware we have seen infecting Apple computers. From the early 1980s, right up until
the present day, here are some of the highlights in the history of Apple Mac malware.

 
A DAP skimmer for Diebold ATMs. (Source: krebsonsecurity.com)
According to the European ATM Security Team (EAST), ATM skimming attacks are on the rise in Europe. The news is based on country
crime updates provided by representatives of 17 European countries at the 22nd EAST meeting, which was held in Lisbon on the 6th of October, 2010.

 
ATM Skimming Redux [www.liquidmatrix.org]
Interesting. First there were skimmers. Then there was anti-skimming technology. Now, the bad guys are just reprogramming the anti-skimmers.




Funny


 

 
Nailing the new TSA process [www.mckeay.net]

 
This is SportsCenter - Georges St-Pierre in the Octagon - UFC 124 Preview?

 
OMG so true [www.flickr.com]

 
Watch Adam Savage showing proof of the ineptitude/inefficacy/idiocy of the TSA's practices at airport security checkpoints. He's not the first. Plenty of
people have similar stories, even going through body scanners with knives. Clearly, we need other security policies.

 
Here's an anonymous account of a US Army soldier returning from Afghanistan who watched as his buddies -- who were all carrying high-powered rifles,
pistols, etc -- were forced to surrender their nail-clippers and multi-tools:

 
Beer and brain speed [175proof.com]

 

 
Hilarious animal fight of the day [www.blameitonthevoices.com]
A cat is being harassed by a couple of annoying crows. The situation incites another cat, who, after a while, decides to step in. An epic fight ensues.
Drama is added by the background music, which, as I understood, was cut and added by Youtube user ignoramusky.

 
Thanksgiving 2010 vs 2007 [blogs.securiteam.com]
Nothing much has changed since 2007, in regard to turkeys at least: they are still getting eaten and they still haven't found a way to escape that.

 
Virus found in C: drive on Backtrack [img839.imageshack.us]