Security Weekly News 13 January 2011 – Full list

Category Index

Hacking Incidents / Cybercrime

Statement from Fine Gael regarding the hacking of the party’s website.
During the past week Fine Gael received thousands of comments from supporters all over the country. In fact, we experienced an unprecedented amount of site traffic over the previous week.
Last night, we regret to report, the Fine Gael website was professionally hacked. The group that participated in this attack called themselves the Anonymous Group. This group has been associated with the Wikileaks investigation and attacks on companies such as Visa, MasterCard and Amazon. The attack occurred from 8.00pm to 12.00am last night.
We were alerted this morning that the Anonymous Group was able to secure the database of the information submitted by members of the public during the previous week. This affected just under 2,000 subscribers.
The website for do-it-yourself giant Home Depot has been … well, screwed.
An IT analyst has uncovered the lingering remnants of a 2009 breach of security on the website of the major retailer: secret code hidden on the website that redirected the user’s browser to a site that served up malware.
Federal prosecutors this week leveled conspiracy charges against two men who allegedly used an exploit against a line of video-poker machines to win hundreds of thousands of dollars in unearned jackpots.
John Kane, 52, of Las Vegas, and Andre Nestor, 39, of western Pennsylvania, allegedly pulled the caper in Las Vegas casinos over six weeks in the spring of 2009. According to a criminal complaint filed in Las Vegas (.pdf) on Monday, the men would make small bets over and over again until finally winning a hand, then use a special button sequence to change the credits to a higher denomination and “access the previous winning hand of cards,” triggering a jackpot.
Previously quiet net is now spewing spam again, Websense researchers say
An old threat has reappeared in the new year, researchers said this week.
According to a blog by researchers at Websense, the Waledac botnet appeared in a new version in the last days of 2010, sending out large amounts of new year-related spam messages. It then stopped spamming in the evening of Jan. 4.
50,000 stolen iTunes accounts linked to stolen credit cards are being sold on a Chinese auction site, according to a report from the BBC.
Listings on TaoBao, the Chinese equivalent of eBay, are promising access to iTunes downloads for between 1 yuan ($0.15) and 200 yuan ($30).
However, customers are advised that they are likely to only have about 12 hours to download apps, movies, games and music from the online store before their accounts are suspended.
A reporter with the Global Times, who discovered the activity on Taobao, paid $5 for an iTunes username and password. When accessing the account they found that it contained credit card details and the address of a user based in the United States.
Thieves and scammers are an inventive bunch, especially when it comes to stealing your money indirectly.
And the latest discovery of a fake keyboard that is placed over an ATM’s legitimate one and records the typed-in PIN – in conjunction with a fake magnetic strip reader that can be manufactured from cheap spare electronic parts – shows that this kind of crime does not require a lot of funds and can bring in quite a lot of money.
Military man dumped into three-ring whodunit
The body of a decorated US Army officer was found dumped in a Delaware landfill on New Years Eve day, a few days after he expressed concern that the nation wasn’t adequately prepared for cyber warfare, according to news reports following the bizarre whodunit.
Events surrounding the murder of John P. Wheeler III, who most recently worked part-time for defense contractor Mitre Corporation on cyber defense topics, read like a Tom Clancy novel. The 66-year-old worked for three Republican administrations, was special assistant to the Secretary of the Air Force, served in the office of the Secretary of Defense, and penned a manual on the effectiveness of biological and chemical weapons, which urged US forces to show restraint.
Handled $1m+ in tat-bazaar loot churn cyber-cash blag
Federal investigators on the trail of a multi-million dollar identity theft ring have raided the homes of two Vietnamese exchange students in Minnesota.
The duo are suspected of selling discounted goods such as video games and Apple gift cards, which were purchased using counterfeit credit cards, through online marketplaces such as eBay. Online marketplaces are left holding the can after the legitimate owners of abused credit cards object.
Online merchants including PayPal, Amazon, Apple, Dell, Verizon Wireless and translation software firm Rosetta Stone have also been left out of pocket as a result of the scam.
Don’t stop at the lights unless you want free phone calls
The Johannesburg Road Agency is in talks with suppliers to try and stop thieves targeting its shiny new traffic lights for the SIM cards they contain.
The Agency has been forking out thousands of rand on phone calls the thieves subsequently make using the snaffled SIMs.
Renault’s electric model Fluence ZE (image caption). Renault and its partner Nissan have invested extensively in electric vehicle technology.
French carmaker Renault has said that suspected industrial espionage against its business poses a serious threat to its ‘strategic assets’.
The statement comes a day after Renault suspended three senior managers after an investigation into the possible leaking of electric vehicle secrets.
Commenting on the matter, French Industry Minister Eric Besson warned the country was facing ‘economic war’.
Mr Besson said the situation at Renault ‘appears serious’.
‘The expression ‘economic war’, while sometimes outrageous, for once is appropriate,’ he told France’s RTL radio station.
‘It appears to concern the electric car, but I do not want to go further.’
Mr Besson said he was calling for French companies which received public funds to improve their security.
BBC business reporter Mark Gregory said that the French government was particularly concerned because of the important role carmaking plays in the French economy.
In an effort to identify two people who may be connected to the mysterious death of a top British codebreaker, authorities have published images of a man and woman who entered his apartment building weeks before his death.
Gareth Williams, 31, was found dead and naked in a North Face duffel bag in the bathtub of his flat last August. The sports bag was padlocked on the outside.
The two, said to be in their 20s and of Mediterranean appearance, were let in to Williams’ building by another tenant in late June or July. They told the tenant they had keys to Williams’ flat but indicated they knew him as Pier Paolo.
Sophos is warning Facebook users about the latest survey scam which is spreading virally across the social network. Messages claiming to share the users’ first ever Facebook status updates are being posted on users’ walls by a rogue application.
Sorry, by point on entry, I mean the method used to attack and the entry point for said attack (i.e. rfi / lfi / shitty code etc).
Anonymous offers support to Tunisian protestors (Update 2) [www.thetechherald.com]
In this latest update, The Tech Herald will address the newest developments in Tunisia. The original story will start on page three. The first update can be found on page two.
Mohamed Bouazizi, the young man who immolated himself in protest, sparking the civil unrest in Tunisia, has died. This tragic news is confirmed by both local sources in Tunisia and international media. Last week, there was confusion as to whether or not he had succumbed to his injuries. At the time we reported his survival, Tunisians on Twitter and Facebook were debating his status. Confirmation of his death came 24 hours after our last update.

Unpatched Vulnerabilities

Microsoft plans to release two updates this coming Tuesday, one of which it classes as critical, but the updates will not fix confirmed security vulnerabilities in Windows and Internet Explorer. The two updates announced by Microsoft contain a total of three patches. The ‘critical’ update affects all versions of Windows. The second problem is classed as important and is only relevant to Vista users. Microsoft will not release further details until Tuesday evening.

Software Updates

On its first Patch Tuesday of 2011, Microsoft fixes three vulnerabilities within two security updates but leaves at least five confirmed security problems unpatched.
Product(s) Affected:
BlackBerry® Enterprise Server Express for IBM® Lotus® Domino®
BlackBerry® Enterprise Server Express for Microsoft® Exchange
BlackBerry® Enterprise Server for IBM® Lotus® Domino®
BlackBerry® Enterprise Server for Microsoft® Exchange
BlackBerry® Enterprise Server for Novell® GroupWise®
BlackBerry® Professional Software
Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.
As promised, PHP versions 5.3.5 and 5.2.17 have been released to fix the so-called floating-point bug. At the end of 2010 it was discovered that errors in the way the PHP scripting language converts certain numbers may cause a system resource problem. For example, on 32-bit systems, converting the string ‘2.2250738585072011e-308’ into a floating point number using the function zend_strtod results in an infinite loop and consequent full utilisation of CPU resources.
Mono is an open source, cross-platform, implementation of C# and the CLR that is binary compatible with Microsoft.NET.
A vulnerability has been reported in Mono, which can be exploited by malicious people to disclose potentially sensitive information, according to Secunia.
The vulnerability is reported in versions prior to 2.8.2, so it’s advisable to upgrade to the latest version.
Apple today released Mac OS X 10.6.6, which increases the stability, compatibility, and security of your Mac.
What’s also very important in this release is the introduction of the long-awaited Mac App Store with more than 1,000 free and paid apps.
MediaWiki released version 1.16.1 which is a security and maintenance release.
Wikipedia user PleaseStand pointed out that MediaWiki has no protection against ‘clickjacking’. With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.

Business Case for Security

As practiced in many companies, Information Security is a confused discipline. There are many contributing factors, but the fact that security budgets are misspent is a leading reason. The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry.
Return of the Cocktail Napkin  [1raindrop.typepad.com]
Maybe it’s budgeting season or something, but lots of people are talking about it. I re-ran my back of the cocktail napkin Security Budget calculation (one problem with doing this type of analysis during the day is no cocktails).
I used the publicly reported annual revenue for Network and Software companies. For Network investment I used Cisco and Juniper to get a rough idea of how much enterprises spend on network gear. For Network security I used Checkpoint and Sourcefire.
The new Fine Gael website has been generating a lot of press coverage and social media discussions lately. From a Fine Gael point of view though, most of that coverage is not the type of coverage they wished for their shiny new website. Last week Daragh O’Brien blogged about concerns over the hosting of the website in the US and the potential issues surrounding compliance with the Data Protection Act and using providers outside of Ireland and the EU. That issue was then picked up by a number of media outlets such as The Journal.ie and The Irish Times. The comments on the Journal.ie piece are worth reading as they go into more detail on the actual issue, while the Irish Times piece has a quote from a Fine Gael spokesman saying that the site was “absolutely secure”.
A review of the force’s response to cybercrime has been ordered by garda authorities as international studies confirm the flourishing trade in illegal transactions.
The scale of the crimes has not yet been determined, but it is estimated that global corporate losses alone stand at around €750bn a year.
Most people owning a PC are familiar with Microsoft’s patching process – it’s easy and it’s there. For a lot of them, it also gives the impression that Microsoft’s products are chock-full of flaws.
But, according to Stefan Frei, Research Analyst Director with Secunia, it’s not the vulnerabilities in Microsoft’s products we should mostly worry about, but those in third-party software.
Exploit Packs Run on Java Juice  [krebsonsecurity.com]
In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities. Today, I’ll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.
Our digital affluence is making us insecure, writes Dan Geer, the CISO at In-Q-Tel. Like addled consumers trying to choose from among 20 different types of toothpaste in the supermarket aisle, IT is paralyzed by an overabundance of security products, unable to decide which products are worth the investment, which to keep, and which to remove.
Europol says the EU is now a key cybercrime target  [www.infosecurity-magazine.com]
A report issued today by Europol claims to show that the European Union is a key target for cybercrime because of its advanced internet infrastructure, rates of adoption and increasingly internet-mediated economies and payment systems.
And, says the European Union law enforcement agency, as internet connectivity continues to spread, EU citizens and organisations will be subjected both to a larger volume of cyber-attacks, and to attacks from previously underconnected areas of the world.
In its Threat Assessment on Internet Facilitated Organised Crime – iOCTA – report, the agency says that EU member states already rank amongst the most highly infected countries in the world when it comes to computer viruses and malware.
The social engineering polls have been getting a lot of interest each month. Last month we asked you to tell us if you think Social Engineering is the worst security threat to corporations. If you decided that social engineering is NOT the worst security threat, we asked you to tell us what it is that you think could be worse.
The response was overwhelming in how many came in to vote. Although the majority voted YES, here are some of the other ideas given that were worse:
Is Anyone Really Doing Continuous Monitoring?  [blogs.govinfosecurity.com]
Finding the Right Definition Would Help
An Internet image search on ‘You’re doing it wrong’ produces many funny images. Fortunately, I haven’t found one to depict the federal government’s approach to implementing continuous monitoring. But based on the way things are going, one is bound to appear soon, and it wouldn’t be funny.
There is no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies. Nearly a decade of the Federal Information Security Management Act – the law, its oversight and its implementation – did very little to improve security among executive branch agencies. Instead, a culture of paper-based compliance drills, checklists and scorecards enriched the vendor community and generated executive bonuses, but the security of our federal networks and systems did not appreciably improve.
World’s leading security organisations ISF, (ISC)²® and ISACA jointly launch first independent principles
Three of the leading global security organisations have joined forces to launch the first information security principles designed to promote good practice in information security. The Information Security Forum (ISF), (ISC)² and ISACA have developed a set of 12 independent, non-proprietary principles that will help the millions of security practitioners working around the world respond more effectively to the changing needs of organisations in today’s complex, interconnected world.
The emerging role of information security as integral to improved corporate governance, regulatory compliance and risk assessment has prompted the need for clear guidelines that are relevant to the business landscape and agreed to by the key players in the security profession. The principles will help individuals support business objectives, defend their organisations from risk, and promote responsible security behaviour within it.
As we noted a while back in our look at the 2011 vulnerability landscape, the number of software vulnerabilities in 2010 fell compared with the previous year though it still remained a significant threat to users.
Developers like Google and Mozilla openly pay people or organizations who find and report vulnerabilities found in their software and/or services. Some third-party groups like the Zero-Day Initiative do the same. However, despite these “whitehat” efforts, the thriving underground promises “blackhat” hackers and cybercriminals far more lucrative means to profit.
The following diagram explains how the underground market is structured. The dollar symbols indicate the steps wherein cybercriminals can profit:
Two new draft publications from the National Institute of Standards and Technology (NIST) provide the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of management to the level of individual systems. The draft documents have been released for public comment.
Both publications are a part of NIST’s risk management guidelines, which have been developed in support of the Federal Information Security Management Act (FISMA), and adopted government wide to improve the security of government systems and information. Both call for upper-level management to understand that information security is a key component to mission-critical functions and that top managers need to manage information security risk in coordination with chief information officers, chief information security officers and system owners to meet the organization’s goals.
The Gawker Media breach goes to show that the time to put a security incident response plan in place isn’t in the heat of the action.
There were plenty of security lessons to be learned from the recent Gawker Media breach. One of the lessons that has been glossed over was the failure of Gawker to have a plan in place to deal with a serious security breach, as the company’s chief technology officer Tom Plunkett admitted in his now famous memo:
‘First, we never planned for such an event, and therefore had no systems, or processes in place to adequately respond. Our focus as a team (and company) has been on moving forward. This put up blinders on several fronts. As a result, numerous wrong decisions were made by me this past weekend in responding to the security breach.’
A couple months ago I decided to finally dig in and see whether WAFs (Web Application Firewalls) are really useful, or merely another crappy shiny object we spend a lot of money on to get the auditors off our backs.
Sure, the WAF vendors keep telling me how well their products work and how many big clients they have, but that’s not the best way to figure out whether something really does the job. I also talk with a bunch of end users who provide darn good info, but even that isn’t always the best way to determine the security value of a tool. Not all users have good visibility and internal controls to measure the effectiveness of the tool, and many can’t deploy it in an optimal manner due to all sorts of political and technical issues.
Which of the many information security controls that an organization could implement should it focus on implementing? I don’t think one can answer this question in a generic sense, especially since there is little data to indicate what actually, really works in security. However, I can recommend a few starting points for building a security program.
The authoritative framework published as part of ISO 27001 and 27002 lists numerous controls, many of which are relevant to enterprises looking to manage information security risks. Yet, where should one start? Which of the measures are most important, providing the most bang for the buck? ISO 27001 highlights the importance of undergoing a risk assessment to decide which of the controls are relevant for the particular organization. Unfortunately, many companies don’t know how to conduct a risk assessment or, having conducted one, didn’t get much out of the exercise.
I always read Gary McGraw’s research on BSIMM. He posts plenty of very interesting data there, and we generally have so little good intelligence on secure code development that these reports are refreshing. His most recent post with Sammy Migues on Driving Efficiency and Effectiveness in Software Security raises some interesting questions, especially around the use of pen testing. The questions of where and how to best deploy resources are questions every development team has, and I enjoyed his entire analysis of the results of different methods of resource allocation.

Web Technologies

Interesting bug here. In 2008, Stefan Esser reported a bug to the PunBB team which described an SMTP command injection vulnerability. If we look at the code below, we see that PunBB opens a socket connection to an SMTP host and passes various user/attacker controlled values to the SMTP server. Because of this setup, it is possible to craft an SMTP message that tricks the SMTP server into thinking the data provided for the message is complete, so that it executes any data that follows as SMTP commands. An attacker accomplishes this by injecting Carriage Return and Line Feed characters followed by a period character on a line by itself, which is the end-of-data marker defined in RFC 821 (SMTP). The PunBB developers addressed this vulnerability by sanitizing CRLFs and period characters.
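The hardening the text describes, as an added example that is not PunBB’s code: header values are rejected if they contain CR or LF, and body lines beginning with a period are dot-stuffed as RFC 821 section 4.5.2 requires, so user data can never be mistaken for the end-of-data marker. The unsafe builder is included only as the “before” state for comparison; the injected sample text is constructed.

```python
"""Hardening of SMTP DATA construction against CRLF/period injection.

Added example (not PunBB's code). It mirrors the fix described above:
header values must not contain CR or LF, and body lines starting with a
period are dot-stuffed (RFC 821 section 4.5.2) so the server cannot take
attacker-supplied data for the "<CRLF>.<CRLF>" end-of-data marker.
"""
import re

END_OF_DATA = b"\r\n.\r\n"


class SmtpInjectionError(ValueError):
    """Raised when a header value could break out of its line."""


def clean_header_value(value: str) -> str:
    """Reject CR, LF and NUL in a header value rather than silently
    stripping them; the caller decides how to report the bad input."""
    if re.search(r"[\r\n\x00]", value):
        raise SmtpInjectionError("CR/LF not allowed in header value")
    return value


def dot_stuff(body: str) -> str:
    """Normalise line endings to CRLF, then prefix every line that starts
    with a period with a second period (RFC 821 section 4.5.2)."""
    normalised = re.sub(r"\r\n|\r|\n", "\r\n", body)
    lines = normalised.split("\r\n")
    return "\r\n".join(("." + ln) if ln.startswith(".") else ln for ln in lines)


def build_data_payload_unsafe(sender, recipient, subject, body) -> bytes:
    """The 'before' state: raw concatenation with no checks at all."""
    message = f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n{body}"
    return message.encode("utf-8") + END_OF_DATA


def build_data_payload(sender, recipient, subject, body) -> bytes:
    """Assemble the bytes sent after the DATA command with hardening applied."""
    headers = [
        f"From: {clean_header_value(sender)}",
        f"To: {clean_header_value(recipient)}",
        f"Subject: {clean_header_value(subject)}",
    ]
    message = "\r\n".join(headers) + "\r\n\r\n" + dot_stuff(body)
    return message.encode("utf-8") + END_OF_DATA


def terminates_early(payload: bytes) -> bool:
    """True if the end-of-data marker occurs anywhere before the very end,
    i.e. a server would treat whatever follows it as SMTP commands."""
    return payload.find(END_OF_DATA) != len(payload) - len(END_OF_DATA)


if __name__ == "__main__":
    # Constructed body: a lone period on its own line, then trailing text.
    suspicious_body = "hello\r\n.\r\nMORE TEXT"
    unsafe = build_data_payload_unsafe("a@example.com", "b@example.com", "hi", suspicious_body)
    safe = build_data_payload("a@example.com", "b@example.com", "hi", suspicious_body)
    print("unsafe terminates early:", terminates_early(unsafe))  # True
    print("hardened terminates early:", terminates_early(safe))  # False
```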
HTML5 WebSockets are really a great feature for current web development. They allow you to set up a bi-directional TCP connection between a browser and a server. Sure, the protocol is being constantly updated and has its own issues, which will probably mean it won’t be ready for Firefox 4. But still, I think it’s a great way to make current web applications more responsive.
That being said, developers must know that using WebSockets will always have some security issues. Just to name a few:
* the client can be spoofed (it doesn’t have to be the browser)
* ws:// server can’t be trusted (MiTM attacks)
* you need to handle the authentication
* the communication over ws:// protocol is plaintext.
This week’s installment of Detecting Malice with ModSecurity will discuss how to detect and prevent Cross-Site Request Forgery (CSRF) Attacks.
Example CSRF Section of Robert ‘Rsnake’ Hansen’s book ‘Detecting Malice’ –
One form of attack that is widely found to be present on most websites is cross site request forgery (CSRF). Basically, an attacker can force a victim’s browser to connect to your site, and perform functions, like change password, change email address, and so on, unless you have some protection in place to defend yourself. The reason why CSRF is so difficult is because the Internet was designed to allow a user to connect to anything they wanted to from anywhere they wanted to, given there was a routable address. Unfortunately that leads to the possibility of attack. Here’s the process flow:
AppSecEU2011  [www.owasp.org]
The biggest application security conference in Europe will take place at Trinity College Dublin in gorgeous Dublin, Ireland on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks. AppSec EU may also have BOF (informal ad hoc meetings), break out, or speed talks in addition to the standard schedule depending on the submissions received.
If you have any questions, please email the conference chair: ireland at owasp.org
In the design of a system, one of the strongest influences on that system’s security is the complexity of its design. Studies suggest that for most nontrivial software there is a nearly linear, direct relationship between the number of lines of code and the number of bugs in the software, all else being equal. Right away, this tells us that if we can, we should design simpler software.
That “all else being equal” qualifier is an important part of the whole situation, however. Playing golf with your code – trying to complete a program in as few (key)strokes as possible – changes the conditions within which the relationship between line count and bug count takes shape. This is in part because golfing your programs down to minimal source code size can actually make it much harder to read, and thus harder to maintain, improve, and debug.
Oddities of PHP file access in Windows  [security-sh3ll.blogspot.com]
Cheat-sheet
The notorious web development language PHP is under the constant watch of hackers, security researchers and other people who just love to tinker with things. Numerous vulnerabilities and bugs in the PHP interpreter regularly appear on bug-tracks, wake up administrators and burden the minds of web site owners. And we can never know what nifty tricks the PHP interpreter has reserved for us the next day. In this paper we describe how PHP treats file names on Windows operating systems in the presence of various fuzzy characters.
What language does that browser speak?
Web developers looking to play with the new features in HTML5, CSS 3 and other NEWT tools are still struggling with incomplete and inconsistent browser support. While HTML5 and its siblings are far from perfect (and complete), that doesn’t mean you can’t use them; it just means using them is a little more complicated since you need to detect the current browser’s level of support and then adjust accordingly.
One of the easiest ways to detect the current web browser’s level of HTML5 support is the Modernizr JavaScript library. We’ve covered Modernizr several times in the past and it’s a great addition to any HTML5 toolkit.
Test script for PHP DoS  [www.php.net]
Wayback WebApp Hacking  [www.infosecisland.com]
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that Archive.org has for a given domain.
This is great for enumerating web applications; many times you’ll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn’t make any requests to the targeted domain, it simply outputs a list to the screen/or a file of all the pages it has found on Archive.org.
This report shows the historical trends in the usage of character encodings since January 2010.
Open letter to OWASP  [jeremiahgrossman.blogspot.com]
The OWASP Summit 2011 in Portugal is coming up soon! This is an opportunity for the community’s leaders and influencers to discuss the future of the organization and that of the application security industry. The working sessions are creative, diverse and forward-thinking, designed to direct standards, establish roadmaps, and improve organizational governance. Unfortunately I’ve a conflict in my schedule and am unable to attend, but I am excited to be presenting at IT-Defense in Germany. Fortunately for me Jeff Williams (OWASP Chairman) put a call out for feedback on the Summit. Since I can’t be physically present, I’ve taken this as an opportunity to share my thoughts for organizers and attendees to consider.
In order to know where we’re going, we have to understand where we have come from.
Over the weekend I had the idea of creating the Web Application Security Timeline (WAST) and posted an RFC yesterday in this post: http://www.ethicalhack3r.co.uk/security/web-application-security-timeline-rfc/. After much feedback from the WebAppSec community from various mailing lists, Twitter, email and this blog I present to you version 1.0!

Network Security

PlugBot Demo  [vimeo.com]
IPv4 to IPv6 – CIOs Who Haven’t Planned for IPv6 Transition Need to Act Now
The Internet’s supply of IPv4 addresses is quickly becoming empty, setting the clock ticking on the final exhaustion of the Internet numbering plan that the world has used for over three decades. Expected to occur in March of 2011, the event will be a wake-up call for connected organizations everywhere. It is clearer than ever before that IPv6 transition plans are urgently needed. Once all IPv4 addresses are depleted, organizations will only be able to receive IPv6 address space.
Metasploit getwlanprofiles  [www.digininja.org]
This is a simple Meterpreter script which, when run against Windows 7 or Vista boxes, will extract and download all the wireless profiles that are set up with the Windows client, i.e. not with third party client apps.
It does this by using the following command to dump all the profiles to the current %TEMP% directory
netsh wlan export profile folder=%TEMP%
Then, for each line of the output, it finds the filename of the profile and downloads it. To tidy up, the file is then deleted from the directory.
The profiles are stored in the .msf3/logs/scripts/wlan_profiles/ directory.
To re-use the profiles they can be imported into another Windows box by using the following command
netsh wlan add profile filename='the_filename.xml'
Solving problems with proc  [blog.ksplice.com]
Posted in System administration on January 11th, 2011 by keegan – 21 Comments
The Linux kernel exposes a wealth of information through the proc special filesystem. It’s not hard to find an encyclopedic reference about proc. In this article I’ll take a different approach: we’ll see how proc tricks can solve a number of real-world problems. All of these tricks should work on a recent Linux kernel, though some will fail on older systems like RHEL version 4.
Almost all Linux systems will have the proc filesystem mounted at /proc. If you look inside this directory you’ll see a ton of stuff:
After CVE-2010-4398 (the win32k.sys stack-based buffer overflow, aka the 'UAC bypassing exploit' published on Code Project) was published, a discussion appeared on the net (at least on the Polish side of it) about whether the bug is exploitable on Windows XP. The problem on XP is that it has stack cookies (/GS cookies), which in this case were not present in other Windows versions. Together with j00ru we looked into this issue and found that the high entropy of the /GS cookies is questionable (at least in the case of Windows drivers). Today we publish the results of our research.
dating an intrusion with flow data  [blather.michaelwlucas.com]
One of my Ubuntu dev boxes was broken into. While the box isn’t vital, I’ll still need to reinstall an operating system and set it back up for the developer. I want to know where the attack came from and what the intruder did. I cannot trust the logs on the system, but I can trust the flow data from our upstream router.
I’ve changed my IP addresses, but remote addresses are left unchanged. Here I examine my flow data from 1 January 2011, and remove IP addresses I expect to contact this machine.
Transitional Myths  [www.potaroo.net]
I’d like to continue this mini-series of articles on IPv6. I attended the RIPE 61 meeting this month, and, not unexpectedly for a group that has some interest in IP addresses, the topic of IPv4 address exhaustion, and the related topic of the transition of the network to IPv6 has captured a lot of attention throughout the meeting. One session I found particularly interesting was one on the transition to IPv6, where folk related their experiences and perspectives on the forthcoming transition to IPv6.
I found the session interesting, as it exposed some commonly held beliefs about the transition to IPv6, so I’d like to share them here, and discuss a little about why I find them somewhat fanciful.
Later this month I’ll be speaking at Blackhat DC and ShmooCon. The title of my Blackhat presentation is Beyond Autorun: Exploiting vulnerabilities with removable storage. The purpose of this presentation is to highlight how software vulnerabilities can lead to code execution when a user browses files on a removable storage device or even just connects one to their PC. These types of vulnerabilities can be used to spread malware on USB flash drives and to attack physical PCs, without relying on AutoRun. This research was inspired by the LNK vulnerability that Stuxnet used to spread over USB drives, and another recent example of this type of vulnerability is the thumbnail rendering vulnerability in Windows. Both of these vulnerabilities exist because of bugs in Windows shell extensions: code designed to make the user experience more pleasant by allowing custom icons and thumbnail previews for files on the file system. The problem is that files can’t always be trusted, and these shell extensions will sometimes read and parse file data to show the user more information, even without the user opening the file. This means that a vulnerability in a shell extension can lead to malicious code executing when a user does nothing more than open a folder full of files.
Brute force PAYG hack attack cracks SHA1 hashes – for $2
Updated A German security enthusiast has used rented computing resources to crack a secure hashing algorithm (SHA-1) password.
Thomas Roth used a GPU-based rentable computer resource to run a brute force attack to crack SHA1 hashes. Encryption experts warned for at least five years SHA-1 could no longer be considered secure so what’s noteworthy about Roth’s project is not what he did or the approach he used, which was essentially based on trying every possible combination until he found a hit, but the technology he used.
What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individual in minutes, using rentable resources that cost the same as a morning coffee. Roth’s proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer tool.
Security Onion 20110101: OSSEC and Sguil  [securityonion.blogspot.com]
Security Onion 20110101 includes OSSEC 2.5.1. OSSEC is a Host Intrusion Detection System (HIDS) that monitors system logs for signs of intrusions. When it sees something that looks like an intrusion, it writes an alert to /var/ossec/logs/alerts/alerts.log. Security Onion 20110101 also includes the OSSEC Agent for Sguil, which takes any alerts from /var/ossec/logs/alerts/alerts.log and sends them to Sguil.
Shared libraries that are dynamically linked make more efficient use of disk space than those that are statically linked and, more importantly, allow you to perform security updates in a more efficient manner, but executables compiled against a particular version of a dynamic library expect that version of the shared library to be available on the machine they run on. If you are running machines with both Fedora 9 and openSUSE 11, the versions of some shared libraries are likely to be slightly different, and if you copy an executable between the machines, the file might fail to execute because of these version differences. With ELF Statifier you can create a statically linked version of an executable, so the executable includes the shared libraries instead of seeking them at run time. A statically linked executable is much more likely to run on a different Linux distribution or a different version of the same distribution.
On 3 January 2011, RIPE NCC officially ushered in a new era in internet routing. 73 of RIPE’s 7,000-odd members have already certified IP address blocks. The practice is intended to prevent future internet routing ‘hijacks’, but should also help prevent incorrect addressing. In practice, the latter is more frequently responsible for sites temporarily disappearing from the web than hacking.
Hi All, my name is Ron Riddle and I’m an Escalation Engineer on the core Windows team. I worked an issue recently wherein a svchost.exe was crashing due to heap corruption; so, after enabling Page Heap and breaking out the services as needed, I received a user-mode dump that would show me the culprit. I was expecting to find a legitimate bug either in our code or a third-party module; but, much to my surprise, I found that malware had caused a buffer overrun and the subsequent crash. With that, I would like to share the simple approach I took in identifying the malware within the dump file.
Disclaimer
This article should not be construed as a statement of compliance by Oracle or by DISA. It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines.
With the release of Solaris 11 Express, I decided to compare it against the current US DoD Security Technical Implementation Guidelines (STIGs) as maintained by my customer DISA. Solaris 11 Express is a production ready and fully supported OS from Oracle. It was released in September 2010 at Oracle OpenWorld and provides a preview to the features and capabilities that will be available later this year in Solaris 11. It supports SPARC and X86 platforms from Oracle as well as other vendors. See the Hardware Compatibility List for options.
DISA owns and operates the DoD datacenters, develops a number of command and control applications, runs the DoD networks and is responsible for enforcing DoD security mandates. The STIG checklist is a comprehensive set of requirements that system administrators are expected to follow in order to attach and maintain a system on DoD networks. There are STIG documents for enclaves, databases, firewalls, web servers and more, but obviously I’m only concerning myself here with the STIG document for Unix/Linux operating systems.
Akiba of Freak Labs wrote in to share how he used one of his open hardware Freakduino boards to create a realtime wireless protocol analyzer for the 802.15.4 standard.
If you haven’t heard of the concept before, a protocol analyzer is a device that captures and analyzes all of the information that is sent across a communication channel (such as a serial line, Ethernet connection, or in this case a specific wireless format). This data can then be used to debug or reverse engineer whatever protocols were being sent over the communication channel. Akiba’s project is specifically aimed at monitoring the 802.15.4 wireless protocol, which is the underlying protocol used by xBee devices, as well as anything that uses the Zigbee protocol. By feeding captured data from his Freakduino board into Wireshark, an open source protocol analyzer that knows how to decode different kinds of data packets, he shows it is easy to reconstruct the conversations between two xBee nodes.
What the cloud giveth, the cloud taketh away too. In a perfect example of the power of the cloud being harnessed for ill will, a researcher in Germany, Thomas Roth, has written a program, which he will demonstrate next month at Black Hat DC, that uses Amazon’s EC2 to “brute force” WPA passwords. This could allow hackers onto your wireless network and give them access to your confidential data.
Of course WEP, another form of wireless security has long been known to be vulnerable. On the other hand it was believed that the computing power necessary to brute force WPA passwords put it out of the reach of most hackers except maybe government backed attacks. But with the power of the cloud behind you many things are possible.
So get unicornscan from here: http://unicornscan.org/ — current version I could find is 0.4.7
you’ll need some dependencies
apt-get install flex bison
apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev
* you may need texlive-extra-utils if you are on a headless system like slicehost or linode, otherwise it will bomb out when it tries to make the documentation 🙁
This antenna is one of the easiest and cheapest things you could build to extend the range of your wifi network. Most of the materials are probably sitting in your cupboard right now so it really can be built on a shoestring budget.
Bill of Materials:
Two milo tins or similar
F-Type chassis mount
Pigtail for F to SMA
Short piece of copper wire
Tools:
Tin snips
Can Opener
Soldering Iron
Drill
Drill Bit
A while ago, I wrote an NSE script to connect to a Java RMI Registry and dump out information about the objects in the registry. This is a blog post to shed some light on NSE development in general and that script in particular.
Nmap nowadays comes with a scripting engine (the Nmap Scripting Engine, NSE). When a particular service is encountered (say, “rmi”) in the service scan, or a particular port is found open in the port scan, a script which is “interested” in communicating with that particular port or service can be executed. NSE scripts are written in Lua, which I find very nice to work with. Nmap provides basic functionality for common tasks, such as socket communication, binary conversion, output control etc.
Metasploit payload delivery with WMI  [jeffseely.tumblr.com]
PSEXEC is great, but for a number of reasons (e.g. antivirus, system modification prohibited by rules of engagement) it’s not always the best choice for delivering a Metasploit payload. I started digging around the Internet for an alternative and found some potential with WMI. WMIC.EXE on Windows and the Win32_Process class support command execution with the “PROCESS CALL CREATE” command. Looked promising!
WMIC PROCESS CALL Create "calc.exe"
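On the receiving host, a process started this way is a child of the WMI provider host, WmiPrvSE.exe, which gives a defender a simple signal in process-creation telemetry that records the parent image (Sysmon event 1 style). The detector below is an added example, not code from the post; its log lines are constructed, and its benign-child allowlist is an assumption to tune per environment.

```python
"""Flag processes that a host started on behalf of WMI (Win32_Process.Create).

Added example, not from the original post. When a command arrives through
WMI, the WMI provider host WmiPrvSE.exe is the parent of the new process,
so process-creation telemetry that records the parent image (Sysmon event 1
style) exposes it. The log lines and the allowlist below are constructed.
"""
import ntpath

# Constructed export, one event per line:
# time|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
2011-01-12T10:01:03Z|WS01|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\calc.exe|calc.exe
2011-01-12T10:02:41Z|WS01|CORP\\svc-deploy|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\calc.exe|calc.exe
2011-01-12T10:02:42Z|WS01|CORP\\svc-deploy|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2011-01-12T10:05:10Z|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\wbem\\WMIADAP.exe|wmiadap.exe /F /T
"""

WMI_HOST = "wmiprvse.exe"
# Shells and script hosts a remote operator is most likely to launch.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe",
                      "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Assumed allowlist: WmiPrvSE children that are routine on many hosts; tune locally.
BENIGN_CHILDREN = {"wmiadap.exe"}

FIELDS = ("time", "host", "user", "parent_image", "image", "command_line")


def parse_line(line):
    """Turn one pipe-delimited event into a dict, or None for malformed lines."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(event):
    """Return an alert dict if the process was spawned by the WMI host, else None."""
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent != WMI_HOST:
        return None
    child = ntpath.basename(event["image"]).lower()
    if child in BENIGN_CHILDREN:
        return None
    return {
        "time": event["time"],
        "host": event["host"],
        "user": event["user"],
        "child": child,
        "command_line": event["command_line"],
        "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
        "reason": "process created by WMI provider host (WMI/remote execution)",
    }


def detect(log_text):
    """Run the rule over a whole export and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            alert = classify(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["time"], a["user"], a["child"], a["command_line"])
```

In the sample, the calc.exe launched from Explorer is ignored, the two processes WmiPrvSE.exe spawned for svc-deploy are alerted (cmd.exe at high severity), and the routine WMIADAP child is suppressed by the allowlist.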

Database Security

Databases are a core component in lot of applications and websites. Almost everything is stored in databases. Let’s take a standard e-commerce website, we can find in databases a lot of business critical information: about customers (PII), articles, prices, stocks, payment (PCI), orders, logs, sessions, etc. Like any component of an IT infrastructure, databases must be properly monitored from a security point of view. There are often an Achille’s heel due to security issues. Common problems are a lack of access control on the SQL commands allowed or bad passwords. All databases have mechanisms to log events related to sessions (login, logout) or system but what about the detection of unauthorized modifications of data stored in tables? Those can compromise the database integrity. How to implement such controls with a very common database server (MySQL)?

Cloud Security

Cloud Vendor Taxonomy  [www.newbay.com]
The Cloud is here to stay. Already we are seeing stabilisation in the marketplace with some clear leaders emerging. Our Cloud Vendor Taxonomy chart is an attempt to delineate some of the relationships amongst the key players and also allow us to define new entrants. It’s not a hard and fast mapping (for instance OCCI is both a standard and a reference implementation) so expect the borders to be a little blurry.
At the bottom we have the virtualization vendors who provide the core substrate on which all “for sale or rent” clouds get built. One could argue that one of the key enablers of cloud computing is the advent of cheap ubiquitous virtualisation technology. Intel hegemony certainly helped. The gorilla in the marketplace here is VMware, with a huge footprint gained by promoting server virtualisation in enterprises. However the product has been historically expensive (though this is changing in response to significant competition) which opened the door to VMware’s major competitor Xen, an open source alternative which is now part of the Citrix stable.
Adobe To Detail Cloud DoS Attacks  [www.conceivablytech.com]
It isn’t popular to criticize cloud computing these days, even if Google, Amazon and Microsoft need to employ marketing armies to alleviate the security concerns of potential customers. Adobe may crash the cloud party, as a security engineer is scheduled to detail a recent discovery of a particularly nasty DoS vulnerability in PHP code.
If you believe the current cloud pitch, the best decision you can make for the security of your data is to move to the cloud. Billion-dollar data centers can provide a security level the average Joe can never match and if your bathroom sink happens to trash your notebook, you can be calm as your data is safely stored in the clouds above. Despite the story we hear, we should not forget that vulnerabilities will continue to exist and, if exploited quickly, could affect a much greater number of users than before

Physical Security

Car Theft by Antenna  [www.technologyreview.com]
Researchers beat automatic locking and ignition systems.
Car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key, according to new research that will be presented at the Network and Distributed System Security Symposium next month in San Diego, California.
The researchers successfully attacked eight car manufacturers’ passive keyless entry and start systems: wireless key fobs that open a car’s doors and start the engine by proximity alone.

Mobile Security

Popular mobile communications encryption algorithm is crackable, Karsten Nohl says
Following up on his promise from August, Karsten Nohl this week published a crack of the long-standing GSM algorithm.
The algorithm, which encrypts information on much of the world’s mobile phones, can be decrypted to eavesdrop or steal information from mobile phone users, said Nohl, speaking to an audience at the Chaos Communication Congress in Berlin.
Nohl’s report on the cracking project is now available on the Web. He said 24 people worked independently to reproduce the binary code log for the algorithm, which contains the equivalent of about 2 terabytes of data.
This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on “Hacking and Securing Next Generation iPhone and iPad Apps” at SANS AppSec 2011.
Many iOS applications use HTTP to connect to server side resources. To protect user-data from being eavesdropped, iOS applications often use SSL to encrypt their HTTP connections.
In this article, I will present sample Objective-C code to illustrate how HTTP(S) connections are established and how to locate insecure code that can leave the iOS application vulnerable to Man in the Middle attacks. I will also discuss how to configure an iOS device to allow for interception of traffic through an HTTP proxy for testing purposes.
Kicking off 2011 with a bang is easy this year: Max Kastanas has ported the fwknop client to the Android mobile operating system. This brings Single Packet Authorization to Google’s smart phones, and was accomplished using Damien Stuart’s libfko implementation. All of the Android code can be found in the Cipherdyne Trac repository. A couple of screenshots of using the SPA app from an Android phone appear below. After the SPA packet is sent and verified passively by the fwknop daemon on the remote system, the fwknop Android app automatically launches Connectbot to access SSHD:
SMS of Death  [www.schneier.com]
This will be hard to fix:
Using only Short Message Service (SMS) communications (messages that can be sent between mobile phones), a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called ‘binaries,’ that run on a phone. Network operators use these files to, for example, change the settings on a device remotely. The researchers used the same approach to attack phones. They performed their tricks on handsets made by Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax, a popular Indian cell-phone manufacturer.
Trend Micro protects Android devices  [www.net-security.org]
Trend Micro announced Mobile Security which protects digital files and secures banking transactions on Android devices by identifying and stopping online threats.
Key Features of Mobile Security for Android include:
* Safe surfing
* Parental controls
* Download protection
* Call and text filtering.
Back in October, I showed how to debug Windows Phone emulator traffic with Fiddler. Since then, I’ve acquired the LG Quantum phone, and naturally, one of my first goals was to start looking at the traffic from mobile Internet Explorer and some of my WP7 applications. The process for capturing traffic from a phone is similar to the process of capturing traffic from another computer. First, enable Fiddler to capture remote traffic, then configure the other client to point at the computer running Fiddler.
You’ll need three things:
1. A desktop PC running Fiddler
2. A Windows Phone
3. A WiFi network that bridges between the phone and the PC

Privacy

A new API in browsers would make it easier to delete Flash cookies from web browsers. Unlike browser cookies, Flash cookies cannot simply be disabled or deleted via browser settings. Until recently, Flash cookies also ignored some settings for data protection, such as the private browsing mode.
STANFORD, Calif. – President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.
It’s ‘the absolute perfect spot in the U.S. government’ to centralize efforts toward creating an ‘identity ecosystem’ for the Internet, White House Cybersecurity Coordinator Howard Schmidt said.
That news, first reported by CNET, effectively pushes the department to the forefront of the issue, beating out other potential candidates including the National Security Agency and the Department of Homeland Security. The move also is likely to please privacy and civil liberties groups that have raised concerns in the past over the dual roles of police and intelligence agencies.
The announcement came at an event today at the Stanford Institute for Economic Policy Research, where U.S. Commerce Secretary Gary Locke and Schmidt spoke.
The Obama administration is currently drafting what it’s calling the National Strategy for Trusted Identities in Cyberspace, which Locke said will be released by the president in the next few months. (An early version was publicly released last summer.)
A WEBSITE launched by Fine Gael to invite members of the public to share their views on policy and the future of Ireland may be in breach of data protection laws, an expert in the field claimed yesterday.
The party set aside its main website finegael.ie on Tuesday and replaced it with finegael2011.com – a site hosted by a US firm called ElectionMall Technologies.
More than 1,000 comments were submitted online by members of the public in the first day.
It emerged, however, that the website did not have a privacy statement and there were also concerns about whether there is a legal basis for the personal data being collected on the site to be processed in the US.
Setting tone from the Top  [obriend.info]
“Privacy by Design” is becoming the mantra of Data Protection enforcement world wide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.
Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.
In short they must Lead.
Google is facing further opposition to its Street View service in Europe. This time it’s not an issue with the information being collected, but just how long it is kept for.
Currently Google keeps the original Street View images on file for 12 months in their unedited form. Google states it needs to do this in case a mistake is made in the edited version where faces are blurred out. It also uses the data to help teach its automated system to recognize faces better and blur them out.
Regulators from the European Union are requesting that Google cut that time in half and only retain the data for six months. A further request asks Google to keep local residents better informed of when Street View vehicles will be capturing data, so they can better choose to stay off camera if possible.
Google is not going to change its data retention policy at the drop of a hat, though. It has labelled the 12 month time frame as “legitimate and justified”.
The request for these changes were made in a letter sent by the head of EU data protection agencies, Alan Turk. It was addressed to Peter Fleischer, Google’s data privacy chief.
Last night, Birgitta Jónsdóttir — a former WikiLeaks volunteer and current member of the Icelandic Parliament — announced (on Twitter) that she had been notified by Twitter that the DOJ had served a Subpoena demanding information ‘about all my tweets and more since November 1st 2009.’ Several news outlets, including The Guardian, wrote about Jónsdóttir’s announcement.

Social Engineering

Social engineering is frequently used in computer attacks as well as in other forms of on-line fraud. Scammers rely on psychological factors to lower the victim’s guard or otherwise make him more susceptible to persuasion. These factors include:
* Greed: The wish to have more money
* Laziness: The desire to do less work
* Social compliance: The need to fit in
* Transitive trust: The reliance on trusted brands
* Narcissism: Focus on concepts relevant to oneself

General

Faced with no response from the vendor for months, a security researcher published exploit code for a critical vulnerability in a widespread Chinese SCADA software package.
The affected software is called KingView and is developed by Beijing WellinControl Technology Development Co., Ltd., commonly referred to as WellinTech.
According to Dillon Beresford, a security researcher at NSS Labs, the latest stable version of the software (6.53) distributed from the vendor’s site, contains a heap overflow vulnerability that can be exploited to execute arbitrary code.
Sometimes you open a web page or an infected file and the antivirus stays silent, without alerting about any suspicious activity on your machine. This may be because you do not have the latest AV signatures, because the malware is encrypted so the AV does not recognise it, or because the file is clean and does not contain any malware.
The first thing I do if I have a suspicious file or web page is to scan it on VirusTotal. The benefit of this step is that the file is checked with more than 40 different antivirus engines. Now there is a new service that adds the possibility to scan files or web pages directly from the browser in Google Chrome and Mozilla Firefox.
Card theft is cheap, easy and you could be next
We’ve all heard the standard tips about preventing identity theft and credit card fraud. But what would a real identity thief tell you if he had the chance? Dan DeFelippi, who was convicted of credit card fraud and ID theft in 2004, says simply this: You can’t be too careful.
DeFelippi, 29, mostly made fake credit cards with real credit card information he bought online. ‘I would make fake IDs to go with them, and then I’d buy laptops or other expensive items in the store and sell them on eBay,’ he says. DeFelippi was also involved in several other kinds of scams, including phishing schemes that exploited AOL and PayPal customers. Committing credit card fraud is still ‘ridiculously easy to do,’ he says. ‘Anyone with a computer and $100 could start making money tomorrow.’
The PlayStation 3’s security has been broken by hackers, potentially allowing anyone to run any software – including pirated games – on the console.
A collective of hackers recently showed off a method that could force the system to reveal secret keys used to load software on to the machine.
A US hacker, who gained notoriety for unlocking Apple’s iPhone, has now used a similar method to extract the PS3’s master key and publish it online.
Sony declined to comment on the hack.
‘The complete console is compromised – there is no recovery from this,’ said pytey, a member of the fail0verflow group of hackers, who revealed the initial exploit at the Chaos Communication Congress in Berlin in December.
‘This is as bad as it gets – someone is getting into serious trouble at Sony right now.’
Samsung announced two new portable drives and a new desktop drive, featuring distinctive styling as well as SuperSpeed USB 3.0 interfaces.
The portable drives also offer up to 1TB capacity and add enhanced backup and security software. Their software offers a suite of tools with an easy-to-use graphical user interface.
If the Mac App store is supposed to be a secure and pirate free eco-system, why is it that I can buy an application, send it to a friend, and they can use it? It sounds like a bug that should have been fixed before the Mac App Store went live, but it turns out not to be the case.
We’ve tested it, and it’s true. One of our writers purchased The Incident and emailed me the application file. I copied it to my Applications folder, and ran it without a hitch: No iTunes verification needed. We don’t condone stealing software, so don’t be a dick and go reward the developers with your cash. I’ve since deleted it, and purchased the game for myself, but this still begs the question: what the hell is going on at Apple these days?
Rates of intellectual property infringement in the EU are ‘alarming’, according to the European Commission. It says that an EU law on IP rights has had some effect, but that the legal measure was not designed to deal with online piracy.
Current laws are not strong enough to combat online IP infringement effectively and powers to compel internet service providers (ISPs) and other intermediaries to take more proactive steps should be examined, the Commission said.
The Commission has published a report (10-page / 49KB PDF) on the effectiveness of 2004’s Directive on Intellectual Property Rights. It harmonised the measures that rights holders and governments could take when IP rights were infringed and established cross-border co-operation to fight piracy.
More than one million Facebook users are believed to have fallen for a hoax claiming that the popular website will close its doors on March 15th.
A bogus news story, published by the ‘Weekly World News’, said that Mark Zuckerberg had told reporters that ‘managing [Facebook] has ruined my life. I need to put an end to all the madness.’
Following the recent news on global spam levels falling, Jamie Tomasello, Abuse Operations Manager at Cloudmark, outlines his thoughts on why spammers are moving from email to social networks and mobile channels.

Tools

PlugBot Demo  [vimeo.com]
The Secunia Online Software Inspector, or OSI for short, is a fast way to scan your PC for the most common programs and vulnerabilities, thus checking whether your PC meets a minimum security baseline against known, patched vulnerabilities.
Use the Secunia OSI to get a feel for the Secunia Software Inspector technology, then upgrade to the Secunia PSI or CSI, which covers practically all programs on your PC, whereas the OSI checks less than 100 programs.
WinMagic released SecureDoc 5, the full-disk encryption solution that allows organizations to integrate data protection with existing security policies to protect sensitive data in any Windows 7, Vista, XP, Mac OS X Tiger, Leopard, Snow Leopard and/or Linux environment.
web security testing runtime
Crack MD5 Online  [www.sec-track.com]
List of services for cracking MD5 over the web
Open Source Digital Forensics  [www2.opensourceforensics.org]
The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, incident response). Open source tools may have a legal benefit over closed source tools because they have a documented procedure and allow the investigator to verify that a tool does what it claims.
Metasploit Pro and Metasploit Express 3.5.1 Update 20110105121801  [www.metasploit.com]
This weekly update for Metasploit Pro and Metasploit Express 3.5.1 brings four new modules and two bug fixes. The Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow exploits a currently-unpatched vulnerability in Windows 2000 through Windows 7/2008. The exploit is currently functioning on 2000 and XP SP3. Additionally, a DoS exploit for IIS 7.5, an exploit for a stack-based buffer overflow in all versions of Microsoft Word prior to the MS10-087 bulletin, and a utility to upload files to Cisco IOS are included.
The Windows UAC bypass was committed to the Metasploit Framework today. It is a bit different from running your traditional script. Instead of interacting with meterpreter and executing the commands from the meterpreter shell, you need to use the new use post/ modules. Below is how to use it:
GnackTrack.co.uk  [gnacktrack.co.uk]
Penetration Testing Distro for Gnome Fans
GnackTrack is a Live (and installable) Linux distribution designed for Penetration Testing and is based on Ubuntu. Although this sounds like BackTrack, it is most certainly not; it’s very similar but based on the much loved GNOME!
Proxbrute v0.3  [www.mcafee.com]
ProxBrute is a custom firmware written for the proxmark3. It extends the currently available firmware (revision 465) to support brute force attacks against proximity card access control systems. This version of ProxBrute requires the knowledge of a [once] valid tag value to vertically or horizontally escalate the tag’s privileges.
Nessus Viewer v1.0.0 released  [www.vulnerabilitydatabase.com]
Nessus Viewer enables IT Security auditors and penetration testers to quickly navigate inside Nessus reports by sorting and filtering each entry. It is able to import Nessus XML v2 reports and filter them by IP, host name, plugin name, operating system, keywords… It can also parse plugin outputs to extract and build clickable lists of web servers, Windows users, missing patches and much more.
Software Release – fwsnort-1.5  [www.cipherdyne.org]
The 1.5 release of fwsnort is available for download. This is a major release that moves to using the iptables-save format for instantiating the fwsnort policy, which drastically reduces the run time for adding the fwsnort policy to the kernel.
It’s been a tough few months dealing with what I can only assume is one of the worst written and conceived programs I’ve ever had to install (more about that in another post though!). I guess this is how they deter security researchers… by making it a week’s work just to get a single test instance up and working 😉
This video is intended to get you started with the I2P darknet software under Linux (Ubuntu 10.10 in this case). I’ve done a previous version that details installing I2P under Windows. I2P (originally standing for Invisible Internet Project) can be seen as a networking layer sitting on top of IP that uses cryptography to keep messages confidential, and multiple peer-to-peer network tunnels for anonymity and plausible deniability. While Tor is focused more on hiding your identity while surfing the public Internet, I2P is geared more toward networking multiple I2P users together. While you can surf to the public Internet using one of the I2P out proxies, it’s meant more for hiding the identity of the providers of services (for example eepSites), sort of like Tor’s concept of Hidden Services, but much faster. Another advantage I2P has is NetDB, a distributed way to let peers know about each other once initial seeding has occurred. Tor, on the other hand, uses its own directory to identify servers, which in theory could be more easily blocked. Both networks have their advantages and trade-offs. This video won’t cover the details of I2P’s peering or encryption systems, and may seem kind of rambling, but it should be enough to get you up and running on the darknet.
Smart Surfing for iPhone  [free.antivirus.com]
Trend Smart Surfing for iPhone and iPod Touch devices provides a smarter, safer experience when surfing the Web. It is the first secure browser to protect you from Web pages with malicious intent. If you attempt to access a bad or malicious URL, Smart Surfing is designed to block access to the URL and a notification will appear in the browser.
TorChat  [code.google.com]
TorChat is a peer to peer instant messenger with a completely decentralized design, built on top of Tor’s location hidden services, giving you extremely strong anonymity while being very easy to use without the need to install or configure anything.
TorChat just runs from a USB drive on any Windows PC. (It can run on Linux and Mac too; in fact it was developed on Linux with cross-platform usability in mind from the very first moment on, but the installation on platforms other than Windows is a bit more complicated at the moment.)
opendlp  [code.google.com]
Data Loss Prevention suite with a centralized web frontend to manage Windows agents that identify sensitive data at rest.
Metasploit Pro Review  [www.n00bz.net]
REDWOOD SHORES, Calif., Jan. 10, 2011 /PRNewswire/ — Imperva, the leader in data security, announced that ISACA, the leading global association for information systems security, assurance and governance professionals, selected Imperva’s web application firewall (WAF) to protect ISACA’s web applications. ISACA leverages Imperva’s SecureSphere WAF as a part of a comprehensive security strategy that delivers unprecedented prevention, mitigation and protection for its on-demand platform.
beef  [code.google.com]
Browser Exploitation Framework
0.4.2.1-alpha released
rdp2tcp  [rdp2tcp.sourceforge.net]
Description
rdp2tcp is a tunneling tool on top of the Remote Desktop Protocol (RDP). It uses RDP virtual channel capabilities to multiplex several port forwardings over an already established rdesktop session.
Available features:
* TCP port forwarding
* reverse TCP port forwarding
* process stdin/stdout forwarding
* minimal SOCKS5 support
Long-time blog readers should know that I don’t rely on tools to defend my enterprise. I rely on people first, followed by tools, then processes. However, today I took a moment to consider the myriad of really cool work happening (mainly) in the open source tool community. When I started counting, I found about seven projects that are likely to help you defend your enterprise.
jsploit  [code.google.com]
Java JRuby integration for Metasploit
Wireshark 1.4.3 released  [www.net-security.org]
zaproxy  [code.google.com]
An easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
Wireless Security Tools  [www.corecom.com]

Funny

Giving IE 6 browsers the experience they demand!  [drench.github.com]
With all this talk of graceful browser degradation, who is speaking for the other side?
Graceless Degradation is a WordPress plugin that gives visitors still using Internet Explorer 6 an appropriate user experience.
Good Code  [xkcd.com]
Cloud  [dilbert.com]
Backtrack  [twitpic.com]
You should work for Symantec  [www.youtube.com]
Agree  [dilbert.com]
Passwords  [2.bp.blogspot.com]
Time Travel (Dover, PA)  [york.craigslist.org]
Upside-Down-Ternet  [www.ex-parrot.com]
My neighbours are stealing my wireless internet access. I could encrypt it or alternately I could have fun.
The ungoogable man  [twitpic.com]
Game maniac  [media2.gamaniak.com]