Security Weekly News 6 January 2011 – Full list

Category Index

Hacking Incidents / Cybercrime

The Kneber botnet is running and striking again – this time with a Christmas-themed electronic greeting card seemingly coming from The White House and targeting employees of various government offices and agencies.
“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission,” says the e-mail. Two links to the greeting card are offered, and the message is signed with ‘Executive Office of the President of the United States’.
An e-mail supposedly coming from Microsoft and urging the recipients to update their Windows started making the rounds yesterday:
There are a lot of people out there who will immediately recognize this message for what it is, since Microsoft isn’t in the habit of sending critical security patches via e-mail.
A critical vulnerability in the way Microsoft Office handles RTF, which can allow an attacker to remotely execute arbitrary code on the victim’s computer, was patched by Microsoft in November, but attacks exploiting it are still popping up in the wild, reports GCN.
Even though these attacks have not been extensive so far, the situation may change since Microsoft has reported that it has discovered a publicly available sample of a successful exploit for this flaw.
Japanese automaker Honda has put some 2.2 million customers in the United States on a security breach alert after a database containing information on the owners and their cars was hacked, according to reports.
The compromised list contained names, login names, e-mail addresses and 17-character Vehicle Identification Numbers – an automotive industry standard – which were used to send welcome e-mail messages to customers that had registered for an Owner Link account.
Another 2.7 million My Acura account users were also affected by the breach, but Honda said the list contained only e-mail addresses. Acura is the company’s luxury vehicle brand.
The Tunisian Internet Agency (Agence tunisienne d’Internet or ATI) is being blamed for the presence of injected JavaScript that captures usernames and passwords. The code has been discovered on login pages for Gmail, Yahoo, and Facebook, and said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.
Researcher plans to hand off code to antivirus vendors, and then to EC-Council for ethical hacking training
A European researcher has created a rootkit that can evade detection in Windows 7 and Windows Server 2008 machines and reset user passwords.
The rootkit, created by Csaba Barta during the past two-and-half years, was initially a project meant for training purposes. But Barta, a security expert for Deloitte in Hungary who works on penetration testing and forensic cases, says he eventually discovered he could perform new types of attacks with the rootkit, which he plans to deliver to antivirus firms as well as to the International Council of E-Commerce Consultants (EC-Council) for its certified hacker training program.
Year-end roundup  [www.langner.com]
After the significant discoveries of the last days, let’s end the year with an up-to-date bottom line.
1. It is beyond reasonable doubt that Stuxnet was developed to delay the Iranian uranium enrichment program by physically damaging centrifuges.
2. The attack was not designed for one simultaneous big bang. It was designed to proceed slowly and incrementally. We expect that right now, many more centrifuges than the 984 mentioned in the ISIS report have been damaged by Stuxnet. (The next IAEA inspection, scheduled to take place in about two months, will give clarity.)
A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics–in combination with fast-flux–to attempt to compromise unsuspecting users.
The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. The messages all contain short messages similar to this:
Android malware is first to be able to receive instructions remotely and join botnets
A new, more sophisticated Trojan for Android devices has been spotted lurking on third-party Chinese Android app markets, researchers said last week.
According to a news report, researchers at the security firm Lookout believe the new Trojan, dubbed ‘Geinimi,’ is the first-ever piece of Android malware that has the capability to receive instructions from a remote server and thus become part of a botnet.
Geinimi is attached to compromised versions of legitimate applications — mostly games such as Monkey Jump 2, President vs. Aliens, City Defense, and Baseball Superstars 2010, the report states.

Unpatched Vulnerabilities

Thanks to our reader Dan for getting this started. Here is a preliminary table on various Internet Explorer and Windows vulnerabilities that are as of yet unpatched. Let me know if I forgot one. I originally planned to include some of the older issues, but none of them appears to be as relevant/serious as the issues in this list.
Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
I am happy to announce the availability of cross_fuzz – an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and is still finding more.
The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.
I stumbled upon a very strange bug in PHP; this statement sends it into an infinite loop:
(The same thing happens if you write the number without scientific notation – 324 decimal places.)
I hit this bug in the two places I tested for it: on Windows (PHP 5.3.1 under XAMPP 1.7.3), and on Linux (PHP Version 5.3.2-1ubuntu4.5) – both on an Intel Core Duo processor. I’ve written a bug report.
PHP maintainers have yet to weigh in on the report. In the meantime, possible workarounds include adding a “-ffloat-store” flag to CFLAGS or stopping the execution of decimal versions of numbers that are passed as a parameter.
PHP 5.2 and 5.3 are affected, but apparently only on Intel CPUs which use x87 instructions to process floating point numbers. The x87 design has long been known to contain a bug which triggers just this problem when computing approximations to 64-bit floating point numbers. By default, 64-bit systems instead use the SSE instruction set extension, under which the error does not occur.
The PHP development team has fixed this in the forthcoming version 5.3.5. A patch for version 5.2.16 is available from the repository. (courtesy of http://www.h-online.com/security/news/item/Floating-point-DoS-attack-1163838.html)
We’re seeing off the last days of this year; with 2010 ending, a brand new year is almost upon us.
This year has been a very busy one from the perspective of security vendors: Aurora exploit, new variants of MBR rootkit, the Stuxnet earthquake along with all the 0day exploits used, TDL rootkit hitting 64 bit versions of Microsoft Windows and still there is much more to be listed.
Microsoft ended 2010 with an impressive December Patch Day, fixing all the 0day exploits used by the Stuxnet malware along with other open vulnerabilities.
In fact, the situation at the end of 2010 can still be considered worrying, because of two 0day exploits which have been released online and have not been fixed by Microsoft yet. Furthermore both exploits, if used together, could potentially turn a happy holiday season to a nightmarish one, especially for corporate customers.
Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet Code Execution Vulnerability PoC
The Tomcat server, which listens for incoming connections on port 8014, carries a world-accessible Apache Axis2 web service with default credentials. Also, the web service port is added to firewall exceptions, allowing all computers, including those on the internet, to access the default Axis2 instance.
Hole in VLC Media Player  [www.h-online.com]
Virtual Security Research (VSR) has identified a vulnerability in VLC Media Player. In versions up to and including 1.1.5 of the VLC Media Player, specially crafted files can be used to inject code that will trigger a buffer overflow in the demultiplexer used for Real Media format files.
According to security specialist Secunia, a highly critical vulnerability in ImgBurn, a lightweight disk burning application, can be used to remotely compromise a user’s system. The security issue in the freeware program is reportedly caused by the application loading libraries (dwmapi.dll) in an ‘insecure manner’, which can then lead to the execution of arbitrary code.

Software Updates

VMware today released Security Advisory VMSA-2011-0001 [1] as well as updating two of last year’s security advisories [2],[3].
The update patches glibc, sudo and openldap, which are used as part of VMware ESX. The vulnerabilities could be used to escalate privileges if a user has access to the VMware console, or to launch a denial of service attack.
In the past, whenever we received security related questions and suggestions for Piwik, sent to our security@piwik.org address, we quickly reacted and released a fix in a new Piwik release. However, going forward, we want to be proactive, so we requested a professional and thorough review of our code base.
SektionEins, a leading software security company based in Germany, undertook the professional security review of the Piwik source code. Stefan Esser conducted the audit on the Piwik source code for 5 full days. Stefan then sent us all the details about what could be improved in Piwik regarding security (various recommendations, XSS, etc.). Anthon and Matt from the Piwik team then prepared fixes and improvements following the security audit, which were then released in Piwik 1.1.

Business Case for Security

The lure of riches has ensured phenomenal growth in the mobile application market both in terms of numbers of mobile applications and overall market value. Developers are turning their hands to this market with gusto as the opportunity for profits accelerates. However, as with most opportunities there are risks, and the recent decision, reported by the BBC, of groups of iPhone and iPad owners to pool resources to take application developers and brand owners to court over alleged breaches of privacy and data security highlights this.
This highlights some great food for thought for information security folk and those responsible and accountable for business decisions including brand and supply chain management.
2010 Annual Security Report  [press.pandasecurity.com]
PandaLabs, the anti-malware laboratory at Panda Security -The Cloud Security Company-, has published its 2010 Annual Security Report covering an extremely interesting year with regard to cyber-crime, cyber-war and cyber-activism. The report is available at: http://press.pandasecurity.com/press-room/reports/
In 2010, cyber-criminals have created and distributed a third of all existing viruses. That is, in just 12 months, they have created 34 percent of all malware that has ever existed and has been classified by the company. Furthermore, the Collective Intelligence system, which automatically detects, analyzes and classifies 99.4 percent of all malware received, currently stores 134 million unique files, out of which 60 million are malware (viruses, worms, Trojans and other computer threats).
Gary McGraw explains how the 32 firms in the BSIMM study determine the proper mix of security initiatives to maximize efficiency and effectiveness of their security programs.
One of the major goals that the 32 firms in the BSIMM study have in common is the desired ability to constantly adjust their software security initiatives in order to maximize efficiency and effectiveness. Put in simple terms, how do I decide on the right mix of code review, architecture risk analysis, penetration testing, training, measurement and metrics, and so on, and then how do I ensure I can react to new information about my software?
The problem is, nobody is sure how to actually solve this hard problem. In this article we take a run at the problem in the scientific spirit of the BSIMM project – gathering data first and finding out what the data have to say. We describe our findings and our data here in hopes that they may prove useful to other software security initiatives facing the effectiveness mountain.
Yesterday I got involved in an interesting Twitter discussion with Jeremiah Grossman, Chris Eng, Chris Wysopal, and Shrdlu that was inspired by Shrdlu’s post on application security over at Layer8. I sort of suck at 140 character responses, so I figured a blog post was in order.
The essence of our discussion was that in organizations with a mature SDLC (security development lifecycle), you shouldn’t need to prove that a vulnerability is exploitable. Once detected, it should be slotted for repair and prioritized based on available information.
While I think very few organizations are this mature, I can’t argue with that position (taken by Wysopal). In a mature program you will know what parts of your application the code affects, what potential data is exposed, and even the possible exploitability. You know the data flow, ingress/egress paths, code dependencies, and all the other little things that add up to exploitability. These flaws are more likely to be discovered during code assessment than a vulnerability scan.
And biggest of all, you don’t need to prove every vulnerability to management and developers.
The ‘IT as a Business’ Train Wreck  [taosecurity.blogspot.com]
I just read this year-old article by InfoWorld’s Bob Lewis titled Run IT as a business — why that’s a train wreck waiting to happen. It reminded me of comments on a CIO article I posted in 2008 as The Limits of Running IT Like a Business. Here I would like to emphasize a few of Bob’s points via excerpts from the 2010 article.
When IT is a business, selling to its internal customers, its principal product is software that ‘meets requirements.’ This all but ensures a less-than-optimal solution, lack of business ownership, and poor acceptance of the results…
This post is inspired by a conversation I recently had with one of the folks who shapes our security testing tools here at HP Application Security – thanks Sam for dislodging this nugget from the back of my brain.
QA teams have some interesting ideas when it comes to answering this question: ‘Are you doing any application security testing currently?’ … and depending on who you ask it’s possible you will receive a variety of different answers. I am, of course, making the assumption that you’ve accepted that security testing is as much a part of the QA testing cycle as oxygen is to breathing.
‘Testing for security’ can mean many things to many different people, and I wanted to take a moment to debunk some of the myths that I’ve heard spread over the last 2-3 years. I can’t help but feel like Information Security organizations are at least partially responsible for the existence of some of these myths since we’ve done little or nothing to dispel them amongst our QA brethren.
How to shop safely online  [www.enisa.europa.eu]
This white paper analyses the anatomy of ‘Online Shopping’ and warns of the risks and threats. The biggest barrier for people to get involved in e-commerce is the fear of potential fraud or identity theft. This fear still keeps millions of consumers from buying goods or services online. The paper gives a comprehensive overview of the definition, history, the main drivers and trends in online shopping. It furthermore looks into banks’ payment services, the underlying Internet infrastructure services and online fraud. It provides different countermeasures and guidelines to consumers in the form of 5 ‘golden rules’ on how to shop safely online and equally displays a comprehensive checklist for the online seller in order to operate a secure online business. As many citizens lack trust in online purchases, this report increases awareness of the real risks and how to tackle them.
Because of a major increase in cyber attacks this year, the German government plans to set up a national cyber defense center in 2011.
The German Ministry of the Interior said that the new center will combine resources from various government agencies, including the federal police and foreign intelligence agency. It will also include participation from industry.
The German center will be modeled after the NATO Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia, as well as cybersecurity centers in the US and the UK.
This is in response to a surge in reported cyber attacks in 2010. For the first nine months of 2010, the German government recorded 1600 cyber attacks, compared with 900 cyber attacks in all of 2009, according to Deutsche Welle (DW).
The criminal in your browser is real  [www.net-security.org]
The browser has emerged as the weakest link in an enterprise’s security infrastructure. It is being successfully exploited by malware authors and criminals who use this method to steal logon credentials and inject Trojans that crack IT systems wide open, often undetected.
With these browser sessions often containing the logon details for email systems, VPNs, cloud services – such as cloud CRM, it is a critical area to secure and lock down without impacting performance.
James McGovern asks why we don’t see enterprisey folks focusing on SOA *and* security. Well, there are a lot of reasons here, but let’s look at some facts. Most enterprisey folks look at security in binary terms – inside the firewall or outside the firewall. When a transaction is ‘inside the firewall’ they can do silly things like load all their transactions on to something like MQ Series with no authentication, send it to the mainframe which runs their entire book of business, and in essence run their transactional backbone on anonymous ftp. Because it’s ‘inside the firewall’.
Problem is – it’s just a Visio drawing, it’s not reality, it’s historical baggage. We were trained to think about things in these terms in the 90s.
27C3: danger lurks in PDF documents  [www.h-online.com]
At the 27th Chaos Communication Congress (27C3) in Berlin, security researcher Julia Wolf of US company FireEye pointed out numerous, previously hardly known, security problems in connection with Adobe’s PDF standard. For instance, a PDF can reportedly contain a database scanner that becomes active and scans a network when the document is printed on a network printer. Wolf said that the document format is also full of other surprises. For example, it is reportedly possible to write PDFs which display different content in different operating systems, browsers or PDF readers – or even depending on a computer’s language settings.
Half Baked Security  [www.ghostnomad.com]
Just like cooking, managing information security requires tried and true methods mixed with new techniques. Attackers are always looking for a way in, that will not change. So making it more difficult to find your vulnerabilities is critical in thwarting many of the attacks. When you rely on the same methods that everyone else is using it becomes easy for attackers to develop a scripted attack methodology. Furthermore, if they know your response techniques they can stay several steps ahead as you try to stop them. If you mix things up, add new techniques, think ahead of the curve you may throw them for enough of a loop you get the upper hand. At a minimum, your systems become less desirable as a target to many small time attackers because there is a higher risk of detection.
You say potato, I say false positive.  [layer8.itsecuritygeek.com]
I really don’t know how anyone can practically measure a false positive rate in application security testing. Sure, there’s the case where a tool claims to find something that flat-out isn’t there, but I haven’t seen that happen much. What is more likely is that the tool finds something unorthodox, and then a long discussion ensues on whether that means there’s an exploitable flaw there. And even if there’s an exploitable flaw – theoretically – you still have to talk about how likely it is to be exploited (I’ll take “threat modeling” for 1=1, Alex) and what the potential impact could be.

Web Technologies

In the video below, Keith Turpin talks about the secure coding practices quick reference guide. It’s a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. Get it here.
A few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”. In the PoC I provided, a SWF file reads an arbitrary file from the victim’s local file system and passes the stolen content to an attacker’s server.
One of the readers (PZ) had a question about the SWF local-with-filesystem sandbox, which should prevent SWFs loaded from the local file system from passing data to remote systems. Looking at the documentation related to the sandbox, we see the following:
Understanding Developer Psychology  [h30501.www3.hp.com]
Happy 2011 everyone! I hope everyone’s break was restful… so now on to business.
Towards the end of last year I started to hint that some of the approaches being taken in software security assurance (SSA) needed to change and that one of the foundational pieces of software security was understanding the mind of the developer. To that end I have a request …
Attention developers!
If you’re a code-slinger I’d like to conduct a brief interview …
I need a representative (random) sample of developers to put through a series of questions and a brief interview. If you’re willing to give your name and your company – great, but not necessary. I can’t quite divulge what the details are just yet but the goal of this informal study is to further the understanding of developer psychology.
Spot the Vuln – Banks  [blogs.sans.org]
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
This week’s bug was an old SQL injection bug that affected PunBB versions < 1.3. In short, a value is taken from an attacker/user controlled POST request and is used to build a SQL statement. This bug actually requires a small amount of tracing, so here we go! First, we see that PunBB takes the attacker/user supplied content here (line 11)
11 $form = array_map('trim', $_POST['form']);
The line above uses the value passed via $_POST[‘form’] to populate the $form variable. The value goes through a trim() function, but is (for the most part) un-sanitized. It’s interesting that PHP allows for the submission of arrays through POST parameters. This behavior is mentioned in the comments on this page
Next, the $form variable (which contains our attacker supplied values from $_POST[‘form’]) is used in a foreach statement and each index of the $form variable value is used in some application logic. You can see this in the following line (line 19)
19 foreach ($form as $key => $input)
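An added example, not PunBB’s code, showing the pattern behind the two lines above in a deliberately vulnerable form and in a hardened form: an array arrives in $_POST, each key and value is walked with foreach, and the values end up in an UPDATE statement. The table, the column names and the attacker’s request are constructed for this example, and an in-memory SQLite database reached through PDO stands in for the forum’s database.

```php
<?php
// Added example, not PunBB's code. Table, columns and the request are
// constructed; SQLite in memory stands in for the forum database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE config (conf_name TEXT PRIMARY KEY, conf_value TEXT)");
$db->exec("INSERT INTO config VALUES ('o_board_title', 'My Board'), ('o_admin_email', 'admin@example.org')");

// Vulnerable: every key and value taken from the request is interpolated
// straight into the SQL string. trim() removes whitespace, nothing else.
function saveOptionsVulnerable(PDO $db, array $post): void {
    $form = array_map('trim', $post['form']);      // same shape as line 11 above
    foreach ($form as $key => $input) {            // same shape as line 19 above
        $db->exec("UPDATE config SET conf_value='$input' WHERE conf_name='o_$key'");
    }
}

// Hardened: allow-list the option names (they become part of the row key)
// and bind the values, so neither can change the statement's structure.
function saveOptionsSafe(PDO $db, array $post): void {
    $allowed = ['board_title', 'admin_email'];
    $stmt = $db->prepare("UPDATE config SET conf_value = :value WHERE conf_name = :name");
    $form = array_map('trim', $post['form']);
    foreach ($form as $key => $input) {
        if (!in_array($key, $allowed, true)) {
            throw new InvalidArgumentException("unknown option: $key");
        }
        $stmt->execute([':value' => $input, ':name' => "o_$key"]);
    }
}

function adminEmail(PDO $db): string {
    return $db->query("SELECT conf_value FROM config WHERE conf_name='o_admin_email'")->fetchColumn();
}

// Constructed request. A browser sending form[board_title]=... produces this
// nested array in $_POST['form']. The value closes the quoted literal, adds
// its own WHERE clause and comments out the rest of the statement, so a row
// the attacker was never meant to touch is rewritten.
$attack = ['form' => ['board_title' => "x' WHERE conf_name='o_admin_email' --"]];

saveOptionsVulnerable($db, $attack);
echo "after vulnerable update, admin email = " . adminEmail($db) . "\n";

$db->exec("UPDATE config SET conf_value='admin@example.org' WHERE conf_name='o_admin_email'");
saveOptionsSafe($db, $attack);
echo "after safe update, admin email = " . adminEmail($db) . "\n";
```

The first line printed shows the admin e-mail replaced by the attacker’s literal; the second shows it unchanged, because the prepared statement stored the whole payload as the board title instead of executing it. The allow-list matters independently of the binding: the key is concatenated into the row name, and a parameter binding cannot protect an identifier or a value that is used to build one.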
The just released CRS v2.1.0 includes Credit Card Tracking rules. These will both track legitimate credit card usage and also prevent full credit card number leakages. Much of the following data was taken from a previous blog post by Ofer Shezaf however many sections have been updated with current ModSecurity and CRS information.
1. Introduction
The Payment Card Industry Data Security Standard (PCI-DSS for short), requires that credit card numbers are not transmitted in clear and are not presented to users unmasked. The following post outlines several detection accuracy issues that must be addressed by a monitoring solution and we will focus on ModSecurity.
On 16th December, TYPO3 released a new security update (TYPO3-SA-2010-022) for their content management system. Apparently, this web-based framework is widely used in many important websites.
Within this update, the TYPO3 team fixed a vulnerability that I discovered a few weeks ago. In detail, this discovery pertains to a previous vulnerability, fixed in TYPO3-SA-2010-020 and discovered by Gregor Kopf.
From the advisory, we can actually deduce two important concepts:
A Remote File Disclosure vulnerability in the jumpUrl mechanism [..] Because of a non-typesafe comparison between the submitted and the calculated hash, it is possible [..]
In a nutshell, the jumpUrl mechanism allows tracking of access to web pages and provided files (e.g. /index.php?id=2&type=0&jumpurl=/etc/passwd&juSecure=1&locationData=2%3a&juHash=2b1928bfab).
The patch (see this shell script) simply replaces the two equal signs with three (loose vs. strict comparison).
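An added example, not TYPO3’s code, of the loose-versus-strict comparison problem the patch addresses: a short hex hash is recomputed server-side and compared with the submitted juHash. The secret, the way the hash is built and the 10-character truncation are assumptions made for this example; what carries over is that PHP’s == converts two numeric-looking strings to numbers before comparing them, so a calculated hash of the form 0e followed only by digits equals any other string that reads as zero.

```php
<?php
// Added example, not TYPO3's code. SECRET, calculateHash() and the
// 10-character truncation are assumptions made for this example.

const SECRET = 'example-encryption-key';   // assumed; not TYPO3's key

function calculateHash(string $jumpurl, string $locationData): string {
    // Assumed construction; only the shape (10 hex characters) matters here.
    return substr(md5($jumpurl . '|' . $locationData . '|' . SECRET), 0, 10);
}

// Vulnerable: when both operands look numeric, == compares them as numbers.
function checkHashLoose(string $submitted, string $calculated): bool {
    return $submitted == $calculated;
}

// Fixed as in the advisory: === compares type and every byte.
function checkHashStrict(string $submitted, string $calculated): bool {
    return $submitted === $calculated;
}

// Constant-time variant (PHP >= 5.6); also closes the timing side channel
// that a byte-by-byte string comparison leaves open.
function checkHashSafe(string $submitted, string $calculated): bool {
    return hash_equals($calculated, $submitted);
}

// "0e" followed only by digits is a valid float literal worth zero. A
// 10-character hex hash takes that shape by chance for some inputs, and the
// attacker controls the request parameters that feed the hash.
$calculated = '0e12345678';   // constructed hash value of that shape
$forged     = '0';            // submitted without knowing SECRET

$genuine = calculateHash('/fileadmin/report.pdf', '2:');

$results = [
    'loose, forged'   => checkHashLoose($forged, $calculated),
    'strict, forged'  => checkHashStrict($forged, $calculated),
    'safe, forged'    => checkHashSafe($forged, $calculated),
    'strict, genuine' => checkHashStrict($genuine, $genuine),
    'safe, genuine'   => checkHashSafe($genuine, $genuine),
];

foreach ($results as $case => $ok) {
    printf("%-16s %s\n", $case, $ok ? 'ACCEPTED' : 'rejected');
}
```

Only the loose check accepts the forged value ‘0’; the strict and hash_equals checks reject it while still accepting the genuine hash. The same juggling applies to any user-supplied token that is compared to a computed hex digest with ==, which is why the one-character patch closes the hole.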
Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article
‘Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly as possible, and the complexity of the platform and vast number of configuration options often leaves the application in a less than desirable security state. In addition, the configuration requirements for debugging and production are different, which can often introduce debugging settings in production, causing a variety of issues.
Over the years, the ASP.NET platform has matured and better documentation has been made available through MSDN and community blogs, but knowing which feature or configuration setting to use is often troublesome. Even with good knowledge of the security functionality, mistakes can happen that could result in security vulnerabilities in your application.
I am pleased to announce the release of the OWASP ModSecurity Core Rule Set (CRS) v2.1.0. This is a significant update as we have added many new capabilities.
Improvements:
– Added Experimental Lua Converter script to normalize payloads. Based on PHPIDS Converter code and used with the advanced filters conf file.
– Changed the name of PHPIDS converted rules to Advanced Filters
– Added Ignore Static Content (Performance enhancement) rule set
– Added XML Enabler (Web Services) rule set which will parse XML data
– Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
– Added Denial of Service (DoS) Protection rule set
– Added Slow HTTP DoS (Connection Consumption) Protection rule set

Network Security

The Windows Server 2008 Security Guide has been replaced by the Windows Server 2008 Security Compliance Management Toolkit, part of the Security Compliance Management Toolkit Series. See the note in the Overview section for the current download location.
… because it seemed a sensible thing to do, but I couldn’t find a single concise document saying how to do it! These instructions worked for me on a recent Debian testing installation, YMMV.
For specific users (or, the right way)
1. Install the tools:
sudo aptitude install libcap2-bin
2. Grant the necessary programs the ability to inherit the CAP_NET_RAW capability when execed:
sudo /sbin/setcap cap_net_raw+ei /usr/bin/dumpcap
sudo /sbin/setcap cap_net_raw+ei /usr/sbin/tcpdump
….
So we get a shell/meterpreter session and we escalate to system. As NT AUTHORITY\SYSTEM we should be able to remove those pesky AV/HIPS products that prevent us from completing our penetration test.
Metasploit has an awesome script called killav which will defeat many AV products. Sometimes however, AV just will not die.
Joseph Bonneau, a PhD candidate at the Security Group, University of Cambridge Computer Laboratory, contacted us to report a problem he found with non-Latin character passwords (Unicode) on Gawker Media sites:
I discovered that, after creating an account with the password ‘????????’, I was able to successfully log in by typing ‘????????’, as well as ‘????????’, ‘©©©©©©©©’. It turns out that any string of exactly 8 characters whose unicode code point is >= 128 will be accepted. I’ve looked carefully at the implementation of crypt in PHP and across several platforms I tried, this is not a library problem – somehow your server is converting all of the non-ASCII characters to some fixed value prior to calling crypt() with them…..
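An added example, not Gawker’s code, that reproduces the symptom Bonneau describes from a constructed cause: the password is run through a lossy conversion to ASCII (every character outside ASCII becomes ‘?’) and then hashed with traditional DES crypt(), which itself only looks at the first 8 characters. Both the conversion step and the use of DES crypt are assumptions made for this example; the page does not say what the server actually did. The hardened version hashes the raw UTF-8 bytes with password_hash().

```php
<?php
// Added example, not Gawker's code. The lossy ASCII conversion and the use
// of DES crypt() are assumptions that reproduce the reported symptom.

const SALT = 'ab';   // constructed 2-character salt selecting DES crypt()

// Vulnerable: mb_convert_encoding() to ASCII substitutes '?' for every
// character it cannot represent, so any 8 non-ASCII characters become
// "????????" and produce the same hash.
function hashLossy(string $password): string {
    $ascii = mb_convert_encoding($password, 'ASCII', 'UTF-8');
    return crypt($ascii, SALT);
}

function verifyLossy(string $password, string $stored): bool {
    return hash_equals($stored, hashLossy($password));
}

// Hardened: hash the UTF-8 bytes as submitted, with a modern password hash
// that has no 8-character limit and no encoding step in front of it.
function hashProper(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyProper(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

$registered = str_repeat("\u{00E9}", 8);   // eight times 'é', the real password
$attempt    = str_repeat("\u{00A9}", 8);   // eight times '©', a different string

$storedLossy  = hashLossy($registered);
$storedProper = hashProper($registered);

printf("lossy  : '%s' accepted for account registered with '%s'? %s\n",
    $attempt, $registered, verifyLossy($attempt, $storedLossy) ? 'yes' : 'no');
printf("proper : same attempt accepted? %s\n",
    verifyProper($attempt, $storedProper) ? 'yes' : 'no');
printf("proper : genuine password accepted? %s\n",
    verifyProper($registered, $storedProper) ? 'yes' : 'no');
```

The lossy path accepts the ‘©’ string for an account created with ‘é’, because both were reduced to the same eight question marks before hashing; the proper path rejects it and accepts only the genuine password. When auditing a login path for this class of bug, check every transformation applied between the form field and the hash function (character set conversion, trimming, truncation), not just the hash function itself.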
How to set up a pentesting lab  [blog.rapid7.com]
One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your neighbors network is “frowned upon”, and hanging out in a Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow.
So what do I do? Build a test environment. The concept itself isn’t difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs, the other with Metasploit and NeXpose . This isn’t necessary, but in my case the Metasploit Pro machine would generate a lot of traffic and I wanted to make sure it has all the resources it needs.
Man-in-the-middle attacks are old. Really, really old. Maybe even as old as ancient times, when messengers ran between cities. Beat up a messenger, steal his funny hat, and change his scroll to say, “King Sam is really pissed at you guys”. Who knows, maybe start a war, or at least a trade disruption. Beats the heck out of banging rocks with a stick, which was pretty much the cool thing to do before TV.
The LAN version of this attack caught on in full force with the advent of switches. Hubs send all packets to all connected hosts, whereas switches are smart enough to only send each packet to its intended destination. We used to get everyone’s usernames and passwords simply by listening to the wire. Now we had to get a little smarter. This time we beat up Address Resolution Protocol (ARP), steal its funny hat, and read all the great stuff going over port 110.
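What the switched-LAN version of the attack looks like on the wire is a second host asserting the gateway’s IP address with its own MAC. The following Python is an added example for this digest (not code from the article above): it builds constructed ARP frames, parses them, and keeps an IP-to-MAC table that raises an alert when a binding changes, which is the simplest detection for ARP poisoning and also the signal the defensive tools later in this issue rely on.

```python
import struct

# Added example for this digest; the frames below are constructed test data.
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet + ARP frame (IPv4 over Ethernet) as test input."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    dst = tmac if op == ARP_REPLY else b"\xff" * 6  # replies unicast, requests broadcast
    eth = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip
    return eth + arp


def parse_arp(frame: bytes):
    """Return ARP fields of a raw Ethernet frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """Remember the MAC each IP has claimed and flag any change.

    A changed binding is what poisoning looks like (a second host answering
    for the gateway's IP). It is also what a NIC replacement or DHCP address
    reuse looks like, so treat alerts as leads to confirm, not proof.
    """

    def __init__(self):
        self.bindings = {}  # ip -> mac
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        # Both requests and replies carry a sender binding; attackers use either.
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        prev = self.bindings.get(ip)
        self.bindings[ip] = mac
        if prev is not None and prev != mac:
            alert = f"ARP binding change for {ip}: {prev} -> {mac}"
            self.alerts.append(alert)
            return alert
        return None


def run_demo():
    """Replay a constructed capture: two genuine gateway replies, then a spoofed one."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.50", "00:11:22:33:44:50"
    attacker_mac = "de:ad:be:ef:00:99"
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),
    ]
    watcher = ArpWatcher()
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

In a real deployment the frames come from a raw socket or a pcap reader rather than from `build_arp`; the watcher logic is unchanged. The reason the article singles out port 110 is that POP3 sends the username and password in clear text, so whoever sits in the middle of that session reads them directly.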
I intend this post to be a sort of reference to the Linux capability system, particularly to point out the false boundaries in place with many of the existing capabilities, as I don’t think this topic has been written about in depth before. I’d also like to highlight this as an example of the importance of the PAGEEXEC/MPROTECT concepts in combination with the removal of arbitrary code execution (and in the future, hardened interpreters).
As of Linux 2.6.37, there are 35 capabilities which exist with the intent to split up the privilege associated with UID 0. Before the implementation of file capabilities, the capability support was for capability-aware applications that ran with root privilege. A knowledge of which root privileges were needed allowed the applications to drop any unneeded capabilities. In Linux 2.6.24, file capabilities were introduced, which allowed for the distribution or the administrator to set the capabilities needed for an application via modification of the application’s extended attributes on disk. The immediate application of file capabilities is to remove the need for suid-root binaries on the system. It can also be used however to reduce the capabilities used by a normal root-running daemon, by clearing the effective bit in the file capabilities.
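File capabilities live in the `security.capability` extended attribute as a small little-endian struct (`struct vfs_cap_data`): a magic/revision word whose low bit is the effective flag, followed by permitted and inheritable bitmasks split into two 32-bit halves. The decoder below is an added example for this digest, not code from the article; it assumes the layout and the 35-entry capability numbering of `include/linux/capability.h` as of 2.6.37, which the reader should check against their own kernel. It shows what ‘clearing the effective bit’ actually changes in the on-disk bytes, and renders the result the way getcap(8) prints it.

```python
import os
import struct

# Added example for this digest. Capability numbering is assumed to match
# Linux 2.6.37 (35 capabilities, numbers 0..34); check against your kernel.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog",
]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte form: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000   # adds a 32-bit rootid (user-namespace aware)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def _cap_index(name: str) -> int:
    return CAP_NAMES.index(name[4:] if name.startswith("cap_") else name)


def _names(mask: int) -> set:
    return {f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(64) if (mask >> i) & 1}


def decode_vfs_caps(blob: bytes) -> dict:
    """Decode a struct vfs_cap_data blob (the raw security.capability xattr)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported vfs_cap_data revision {rev:#x}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    caps = {
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(p_lo | (p_hi << 32)),
        "inheritable": _names(i_lo | (i_hi << 32)),
    }
    if rev == VFS_CAP_REVISION_3:
        caps["rootid"] = struct.unpack_from("<I", blob, 20)[0]
    return caps


def encode_vfs_caps(permitted, inheritable=(), effective=True) -> bytes:
    """Build a revision-2 blob; effective=False is the 'cleared effective bit' case."""
    p = sum(1 << _cap_index(c) for c in permitted)
    i = sum(1 << _cap_index(c) for c in inheritable)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)


def getcap_text(caps: dict) -> str:
    """Render like getcap(8): 'cap_net_raw+ep', or '+p' when effective is clear."""
    groups = {}
    for cap in caps["permitted"] | caps["inheritable"]:
        letters = ""
        if caps["effective"] and cap in caps["permitted"]:
            letters += "e"
        if cap in caps["inheritable"]:
            letters += "i"
        if cap in caps["permitted"]:
            letters += "p"
        groups.setdefault(letters, []).append(cap)
    return " ".join(f"{','.join(sorted(names))}+{letters}"
                    for letters, names in sorted(groups.items()))


def read_file_caps(path: str):
    """Read and decode a binary's file capabilities; None if absent or unsupported."""
    try:
        blob = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):
        return None
    return decode_vfs_caps(blob)


if __name__ == "__main__":
    sample = encode_vfs_caps(["cap_net_raw"])  # what a capability-based ping carries
    print(sample.hex(), getcap_text(decode_vfs_caps(sample)))
    print(getcap_text(decode_vfs_caps(encode_vfs_caps(["cap_net_raw"], effective=False))))
```

With the effective bit clear the binary starts with the capability only in its permitted set and must raise it itself with capset(2) (or libcap), which is the pattern the article recommends for a root-running daemon: the privilege is available but not live until the code asks for it.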
Short version: DNS over TCP (or HTTP) is almost certainly not faster than DNS over UDP, for any definition of faster. There was some data that supported a throughput interpretation of speed, but that data is not replicating under superior experimental conditions. Thanks to Tom Ptacek for prodding me into re-evaluating my data.
Long version:
So one of the things I haven’t gotten a chance to write a diary entry about yet, is the fact that when implementing end-to-end DNSSEC, there will be environments in which arbitrary DNS queries just aren’t an option. In such environments, we will need to find a way to tunnel traffic.
Inevitably, this leads us to HTTP, the erstwhile “Universal Tunneling Protocol”.
So before I left for the holidays, I was on a pentest.
I had a meterpreter session and went to collect the evidence and I saw an error!
By stealing .gov, of course!
The .gov is the United States Government’s domain run by dotgov.gov which is part of the General Services Administration. This top-level domain is home to such entities as cia.gov, fbi.gov and everyone’s favorite spy agency nsa.gov.
DNSSEC Interlude 2: DJB@CCC  [dankaminsky.com]
Short Version: Dan Bernstein delivered a talk at the 27C3 about DNSSEC and his vision for authenticating and encrypting the net. While it is gratifying to see such consensus regarding both the need to fix authentication and encryption, and the usefulness of DNS to implement such a fix, much of his representation of DNSSEC – and his own replacement, DNSCurve – was plainly inaccurate. He attacks a straw man implementation of DNSSEC that must sign records offline, despite all major DNSSEC servers moving to deep automation to eliminate administrator errors, and despite the existence of Phreebird, my online DNSSEC signing proxy specifically designed to avoid the faults he identifies.
Security: DIY or Plug’n’Play?  [blog.rootshell.be]
Appliance or not appliance? That is the question! A computer appliance is dedicated hardware which runs software components to offer one or more specific services. Information security has always been, and still is today, a common place to deploy appliances: firewalls, proxies, mail relays, authentication servers, log management, Wi-Fi controllers and much more! This post is just a reflection about appliances and their alternatives. There are two groups of people: pros and cons. Those who love appliances for their robustness and ease of use, and the others who are frustrated by their limitations.

Database Security


Mobile Security

With phones falling into the wrong hands every day and California residents subject to warrantless cellphone searches, now’s a pretty good time to think about protecting your smartphone. Fortunately, it’s pretty easy and we’ll walk you through the process.
http://lifehacker.com/5724683/how-to-secure-your-smartphone
Android malware enters 2011
One thing a lot of security researchers have been predicting for years is a rise in mobile malware. However, due to the low power of mobile phones, the large number of operating systems, closed environments and many other reasons, we haven’t seen any significant mobile malware until this year.
And just in time for 2011 a new trojan for Android has been found by a company called Lookout. While Android trojans have been very popular, this one was pretty advanced and that is why it caught everyone’s attention.
The most important characteristic of this trojan is that it has botnet capabilities. This means that the trojan connects to a C&C server in order to retrieve commands, which enables an attacker to effectively control the infected phone.
Malicious text messages can crash many types of mobile phones, including devices by Samsung, Sony Ericsson, Motorola and LG, according to a presentation given at the Chaos Communication Congress hacking conference this week in Berlin.
Nicknamed ‘SMS of Death,’ the attacks were outlined by Collin Mulliner, a security researcher at the Technical University in Berlin and his colleague, Nico Golde.
After establishing a GSM network in their lab, the two sent thousands of messages to a variety of phones. Some phones had their calls interrupted during testing, others got disconnected from their network. Some phones, however, were ‘bricked,’ or rendered inoperative by the malicious text messages.
Trusteer recently gained access to the log files of several web servers that were hosting phishing websites. Analyzing these log files provided visibility into how many users accessed the websites, when they visited them, whether they submitted their login information, and what devices they used to access the website.
Below are a few interesting findings from these logs.
A bug in the Android smartphone operating system results in texts which appear to have been correctly sent arriving at the wrong recipient. The bug is reportedly present in all versions of Android up to at least version 2.2. Under what conditions and how frequently the problem occurs is still unknown. Concerned Android users can find out whether their texts have gone astray by consulting the messaging app. The actual recipient’s telephone number can be found by selecting the text message via the pop-up options menu.
The WordPress iOS App
I was looking for an open source iOS application and quickly came across the WordPress app. Once you log in to your WordPress blog via the app your credentials are then stored on the device itself. If done correctly this is not necessarily a bad thing. However, the WordPress app’s implementation leaves a bit to be desired. Take a look at the following snippet of code from WPcomLoginViewController.m and in Spot the Vuln fashion see if you can find the issue.

Cloud Security

As data and access get more broadly deployed, CSOs have new issues to plan for
What do CSOs and other IT security experts expect to be top-of-mind cloud security issues in 2011? Here are five things to watch for in the coming year:
1. Smartphone data slinging. More users will be accessing large amounts of data on the devices of their choice, says Randy Barr, CSO at Qualys and member of the Cloud Security Alliance (CSA). “This comes with a lot of unaddressed security issues,” Barr says. “We can expect new solutions to address mobile devices, but could see a large data breach to expose the issue of mobile security before we see a solution.” Among the possible scenarios, Barr says, are insecure cloud-based backup and highly confidential data on mobile devices.
Security Guidance for Critical Areas of Focus  [wiki.cloudsecurityalliance.org]
– Introduction
– Foreword
– Letter from the Editors
– An Editorial Note on Risk
– Section I. Cloud Architecture
Sourcefire Announces Acquisition of Immunet  [investor.sourcefire.com]
Expands Cloud-based Security Infrastructure
Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced the acquisition of Immunet, a leading provider of advanced cloud-based anti-malware technologies. The acquisition expands Sourcefire’s security solutions portfolio – adding an advanced cloud platform for delivery of malware protection – and extending the company’s real-time detection and prevention leadership to the cloud.
Immunet combines the collective intelligence of a growing user community, the speed of cloud computing, advanced data mining, and machine learning technologies to provide a groundbreaking approach to cybersecurity. This acquisition immediately enables Sourcefire to provide endpoint protection from client-side attacks and Advanced Persistent Threats (APT). The cloud-based platform also enables innovative approaches to reputation services, data loss prevention and forensics. Combined with Sourcefire’s next generation network intrusion prevention system (IPS), customers get the most comprehensive protection against today’s threats from cloud to core.

Privacy

The contents of your cell phone can reveal a lot more about you than the naked eye can: who your friends are, what you’ve been saying and when, which websites you’ve visited, and more. There has long been debate over user privacy when it comes to various data found on a cell phone, but according to the California Supreme Court, police don’t need a warrant to start digging through your phone’s contents.
The ruling comes as a result of the conviction of one Gregory Diaz, who was arrested for trying to sell ecstasy to a police informant in 2007 and had his phone confiscated when he arrived at the police station. The police eventually went through Diaz’s text message folder and found one that read ‘6 4 80.’ Such a message means nothing to most of us, but it was apparently enough to be used as evidence against Diaz (for those curious, it means six pills will cost $80).
What are the top security and privacy issues facing the healthcare industry in 2011? A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011.
These experts suggest that as health information exchanges take form, millions of patient records-soon to be available as digital files-will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.
Eavesdropping on GSM Calls  [www.schneier.com]
It’s easy and cheap:
Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network ‘sniffers,’ a laptop computer, and a variety of open source software.

General

Citizen Cyber Army Defends National Computer System  [blogs.govinfosecurity.com]
Imagine drafting the top IT security minds into a defense force to protect the nation’s critical IT infrastructure. Impossible? Highly unlikely in the United States, but leaders in Estonia – victimized by a digital invasion in 2007 believed to be backed by Russia – are mulling the possibility of instituting such a draft.
Since that virtual invasion – when a wave of attacks shuttered government, financial and media IT systems – IT and IT security professionals and enthusiasts in the Baltic nation have formed the Cyber Defense League, a volunteer group that could act as a unified military command if and when the next cyberassault occurs.
A report Tuesday on NPR says a sense of cyber vulnerability in Estonia has been a key rallying point for the Cyber Defense League. And, Defense Minister Jaak Aaviksoo says it’s so important for Estonia to have a skilled cyber army that the authorities may institute a draft to assure every IT expert is available in a national emergency:
In the crowded digital camera market, camera makers are continually pushing pixel counts higher and higher to attract consumers who have been led to believe that, the more pixels, the better the image. Proving that this is not necessarily the case, a team of researchers from Spain’s UJI (Universitat Jaume I) Optics Research Group (GROC) has developed a sensor of just one pixel with the ability to record high quality images.
http://news.slashdot.org/story/10/12/31/2127230/YouTube-Legally-Considered-a-TV-Station-In-Italy?from=rss
orzetto writes ‘Italian newspaper La Repubblica reports that YouTube and similar websites based on user-generated content will be considered TV stations (Google translation of Italian original) in Italian law, and will be subject to the same obligations. Among these, a small tax (500 €), the obligation to publish corrections within 48 hours upon request of people who consider themselves slandered by published content, and the obligation not to broadcast content inappropriate for children in certain time slots. The main change, though, is that YouTube and similar sites will be legally responsible for all published content as long as they have any form (even if automated) of editorial control. The main reason for this is probably that it will force YouTube to assume editorial responsibility for all published content, which facilitates the ongoing € 500M lawsuit of Italian prime minister Silvio Berlusconi against YouTube because of content copyrighted by Berlusconi’s TV networks that some users uploaded on YouTube. Berlusconi’s Spanish TV station, TeleCinco, was previously defeated in court on the grounds that YouTube is not a content provider.’
Dell To Acquire Secureworks  [content.dell.com]
SecureWorks’ Security-as-a-Service Solutions Expand Dell’s Services Portfolio With Industry-Leading Enterprise Protection
Dell today announced it has signed a definitive agreement to acquire SecureWorks® Inc., a globally recognized provider of information-security services. SecureWorks’ industry leading Security-as-a-Service solutions include Managed-Security Services, Security and Risk Consulting Services and Threat Intelligence. The acquisition expands Dell’s global IT-as-a-Service offerings and information security expertise.
Organizations of all sizes and across diverse industries – including Global 500 companies, mid-sized businesses, financial services, utilities, healthcare, retail and manufacturing – rely on SecureWorks’ industry-leading security services to reduce risk, improve regulatory compliance and lower costs of managing IT security. The company’s proprietary threat management platform is scalable and integrates easily with client environments. In addition, SecureWorks’ world-class Counter Threat Unit research team helps protect clients across multiple industries from ever-changing global IT threats.
Google Mobile Payment Service  [www.liquidmatrix.org]
In the Works: A Google Mobile Payment Service?
“You’ll be able to walk in a store and do commerce,” says Google’s Eric Schmidt. “You’d bump for everything and eventually replace credit cards”
Read Article Here
Looks like Google is trying to break into the retail convenience market by developing a way to use your phone the same way you can use the RFID chips in certain credit/debit cards. A bump & pay system built into your cell phones which as the article states hopes to “replace credit cards.”
Internet Explorer loses crown in major market for first time
Boston, USA and Dublin, Ireland; Tuesday 4th January, 2011: Firefox overtook Microsoft’s Internet Explorer (IE) to become the number one browser in Europe in December 2010 according to StatCounter, the free website analytics company. The firm’s research arm StatCounter Global Stats reports that in December, Firefox took 38.11% of European market share, compared to IE’s 37.52%.
20-person team of bank personnel, outside experts said to be looking to determine what, if any, documents are held by WikiLeaks
Bank of America has assembled a 15- to 20-person team to come up with a damage control plan in the event Wikileaks follows through on its promise to release thousands of insider documents leaked to it, according to reports.
The team, headed by Bruce Thompson, Bank of America’s chief risk officer, has launched a broad internal investigation to determine what internal documents have been leaked to the whistleblower Web site, the New York Times reported yesterday.
Many primary and secondary schools in the UK thought to be highly vulnerable to cyber attacks following confidential audit of two schools.
NGS Secure recently audited one selected UK secondary school and primary school to ascertain how secure each was.
At the high school, 338 computers were scanned, unearthing over 9,000 instances of missing critical software patches and multiple instances of outdated or missing anti-virus software. According to the auditors these flaws would allow an attacker or virus to exploit the systems without any prior knowledge of the target.

Tools

This tool is for prevention. ARPFreeze/ARPFreezeNG lets you set up static ARP tables so that other attackers (using Cain, Ettercap, Arpspoof or some other tool) can’t pull off an ARP poisoning attack against you. Windows has tools built in for doing this (the arp command and netsh) but these are not easy or automated, so I created ARPFreeze, a simple automation script. It looks at your current ARP table, and lets you make entries static. It may help someone in hardening a box against Man in the Middle attacks that use ARP poisoning. I’ll describe its usage, and what it’s doing in the background, side by side with screen shots.
I am pleased to announce the release of the OWASP ModSecurity Core Rule Set (CRS) v2.1.0. This is a significant update as we have added many new capabilities.
Improvements:
– Added Experimental Lua Converter script to normalize payloads. Based on PHPIDS Converter code and it used with the advanced filters conf file.
– Changed the name of PHPIDS converted rules to Advanced Filters
– Added Ignore Static Content (Performance enhancement) rule set
– Added XML Enabler (Web Services) rule set which will parse XML data
– Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
– Added Denial of Service (DoS) Protection rule set
– Added Slow HTTP DoS (Connection Consumption) Protection rule set
Happy New Year everyone! Here is a nice new addition to bypass UAC through meterpreter. It all came about when Kevin Mitnick was on a pentest and needed to bypass Windows 7 UAC. We stumbled upon an old post from Leo Davidson (http://www.pretentiousname.com/misc/win7_uac_whitelist2.html) on bypassing Windows UAC. This method takes advantage of process injection that has a trusted Windows Publisher Certificate (example explorer.exe which runs at medium integrity). This is fully functioning on both x86/64 bit platforms. Source code is in the zip along with the meterpreter plugin. You can download it here.
TCP Session Reconstruction Tool  [www.codeproject.com]
This is a C# utility for reconstructing sniffer captured TCP sessions (even incomplete). This is based on libnids and a translated part of WireShark. Not being able to find such a solution, I had to build one myself.
I was looking for some tools which could reconstruct a TCP session from a Pcap file. The tools I have found were mostly for Linux, or robust GUI tools like WireShark. So, I decided to build my own tool. It is time the C# community had a TCP session reconstruction tool.
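The core of any such tool is sequence-number reassembly: ordering segments by TCP sequence number, discarding retransmitted bytes, trimming overlaps, and deciding what to do when a segment was never captured. The Python below is an added example for this digest (not the C# tool’s code): a one-direction reassembler over constructed segments that keeps a hole visible as a marker instead of silently joining the bytes on either side of it, which is what ‘even incomplete’ reconstruction needs to get right. It ignores 32-bit sequence wraparound, which a real tool must handle.

```python
from dataclasses import dataclass

# Added example for this digest; segments are constructed, not from a capture.


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


class StreamReassembler:
    """Reassemble one direction of a TCP stream from captured segments.

    Handles out-of-order arrival, duplicates, partial overlaps and missing
    segments. Bytes lost from the capture are replaced by a visible marker
    so the output never silently splices across a hole.
    """
    GAP = b"[%d bytes missing]"

    def __init__(self, isn: int):
        self.next_seq = isn   # sequence number of the first data byte (SYN seq + 1)
        self.pending = {}     # seq -> payload for data that arrived early
        self.chunks = []
        self.holes = 0

    def add(self, seg: Segment):
        seq, data = seg.seq, seg.payload
        if seq < self.next_seq:               # retransmission or overlap: drop bytes we already have
            data = data[self.next_seq - seq:]
            seq = self.next_seq
        if not data:
            return
        if seq == self.next_seq:
            self._emit(data)
            self._drain()
        else:                                 # ahead of the contiguous edge: buffer it
            old = self.pending.get(seq)
            if old is None or len(data) > len(old):
                self.pending[seq] = data

    def _emit(self, data: bytes):
        self.chunks.append(data)
        self.next_seq += len(data)

    def _drain(self):
        """Move buffered segments into the output while they are contiguous."""
        while self.pending:
            lowest = min(self.pending)
            if lowest > self.next_seq:
                break
            data = self.pending.pop(lowest)[self.next_seq - lowest:]
            if data:
                self._emit(data)

    def finish(self) -> bytes:
        """Flush buffered data past any remaining holes, marking each hole."""
        while self.pending:
            lowest = min(self.pending)
            gap = lowest - self.next_seq
            if gap > 0:
                self.holes += 1
                self.chunks.append(self.GAP % gap)
                self.next_seq = lowest
            self._drain()
        return b"".join(self.chunks)


def reassemble(isn: int, segments) -> tuple:
    """Convenience wrapper: returns (stream_bytes, number_of_holes)."""
    r = StreamReassembler(isn)
    for seg in segments:
        r.add(seg)
    return r.finish(), r.holes


if __name__ == "__main__":
    # Constructed capture: out of order, one duplicate, one overlap, one lost segment.
    capture = [Segment(1000, b"AAAA"), Segment(1008, b"CCCC"), Segment(1004, b"BBBB"),
               Segment(1000, b"AAAA"), Segment(1010, b"CCDD"), Segment(1018, b"EEEE")]
    print(reassemble(1000, capture))
```

A full tool runs one reassembler per direction of each (src, dst, sport, dport) tuple and feeds it payloads in capture order; the marker text is what lets an analyst tell a truncated HTTP body from a complete one.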
Steganos Privacy Suite (v.12) is a suite offering most Steganos privacy and encryption products bundled up together: Safe, Portable Safe, Crypt & Hide, Password Manager, Private Favorites, E-Mail Encryption, Trace Destructor and Shredder.
Agnitio v1.1 released today  [www.securityninja.co.uk]
Sorry for taking so long to get this new version of Agnitio released! A combination of snow wrecked travel plans, Christmas and the cold I’ve currently got meant the work I’d planned to do on Agnitio got delayed, better late than never though!
I was very happy to see that v1.0.0 had over 500 downloads and I was delighted with the feedback I received. I have to thank Colin Watson, Jack Kowalsky and Dieter Van der Stock for their excellent feedback and help so far. I have included features in v1.1 that came directly from the feedback Colin, Jack and Dieter gave me so please contact me if you would like to see new features or changes in future versions.
What is RE-Google  [regoogle.carnivore.it]
RE-Google is a plugin for the Interactive DisAssembler (IDA) Pro that queries Google Code for information about the functions contained in a disassembled binary. The top results are then displayed as comments to the function and can be opened by just clicking on them.
The top results will often tell you what the function is actually doing or what you will find inside it.
Unrarhp – RAR -hp Password Cracker  [hashcrack.blogspot.com]
unrarhp is a Unix command line brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x ‘-hp’ option. This option, contrary to ‘-p’, also encrypts the block headers & protects metadata such as filenames, etc. As of June 2010, unrarhp is the only RAR ‘-hp’ brute forcer that is open source & free.
Progressing forward with my results from yesterday I was able to get most of the data I cared about in a JSON format. Having the JSON for each grouping of data was great, but didn’t really do me any good because I could never get it into MongoDB the way I wanted without doing some crazy queries. Instead what I needed was one object made up of all the data. Doing so required me to chain a couple tools together, but everything seems to work great.
I am releasing the tool now because it ultimately produces a single object with a good deal of information. All further updates will just add more functionality and more data to the object without changing the core use of the tool
Raphael Mudge’s Armitage is the subject of January 2011’s toolsmith in the ISSA Journal. Armitage is a ‘cyber attack management’ platform for Metasploit. Depending on your background or the availability of commercial tools in your environment (Core, Canvas, etc.), your comfort with Metasploit likely varies with the depth of your experience. Armitage is designed to help close some of the experience or comfort gaps, described by the developer as useful for “non-hackers”. For use as a demonstration tool to elucidate vulnerabilities and their exploit to management or customers, Armitage is excellent. Basic Armitage workflow (should be familiar to all pentesters): create a workspace, conduct or import scans, identify vulnerabilities, determine appropriate attacks, gain access, and further your presence in the environment.
The ASTRÉE Static Analyzer  [www.astree.ens.fr]
ASTRÉE is a static program analyzer aiming at proving the absence of Run Time Errors (RTE) in programs written in the C programming language. On personal computers, such errors, commonly found in programs, usually result in unpleasant error messages and the termination of the application, and sometimes in a system crash. In embedded applications, such errors may have graver consequences.
ASTRÉE analyzes structured C programs, with complex memory usages, but without dynamic memory allocation and recursion. This encompasses many embedded programs as found in earth transportation, nuclear energy, medical instrumentation, aeronautic, and aerospace applications, in particular synchronous control/command such as electric flight control [30], [31] or space vessels maneuvers [32].
Bruter v1.1 Released  [security-sh3ll.blogspot.com]
Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication. It currently (1.1) supports the following services: FTP, HTTP, IMAP, MSSQL, MySQL, POP3, PgSQL, SIP, SMB, SMTP, SNMP, SSH2, Telnet, VNC, Web-Form
BackBox Linux 1 Final Release  [security-sh3ll.blogspot.com]
FLEXIBLE PENETRATION TESTING DISTRIBUTION
BackBox is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment, thanks to its own software repositories, which are always updated to the latest stable version of the best known and most used ethical hacking tools.
BackBox Linux 1 features the following upstream components: Ubuntu 10.04, Linux 2.6.32 and Xfce 4.6.1
VCR is a library by Myron Marston that records your test suite’s HTTP interactions so that they can be quickly replayed during future test runs. The big win is that you get predictable, quick and accurate tests. If you need to update the data, just delete the fixtures VCR generates and you’re good to go.
SOAP functionality added to wXf  [cktricky.blogspot.com]
We’ve pre-packaged SOAP libs and wrappers in wXf and created a couple modules to demonstrate this functionality. The framework is undergoing beta testing and improvements before release. Also, we are adding a couple web specific libs prior to release (or at least trying).
Anyway, here is a video that demos the two modules mentioned above.
We’ve looked at other disposable email services, like MeltMail and SpamBox, but TrashMail provides a huge amount of control over your disposable addresses and you can create them quickly, without visiting Trashmail, using a Firefox or Chrome browser extension.
MagicTree Beta Two Released  [security-sh3ll.blogspot.com]
MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, ‘Tree’ is because all the data is stored in a tree structure, and ‘Magic’ is because it is designed to magically do the most cumbersome and boring part of penetration testing – data management and reporting.
Process Hacker v2.10  [security-sh3ll.blogspot.com]
Feature-packed tool for manipulating processes and services on your computer
Process Hacker is a free and open source process viewer and memory editor with unique features such as powerful process termination. It can show services, processes and their threads, modules, handles and memory regions.
opendlp  [code.google.com]
Data Loss Prevention suite with centralized web frontend to manage Windows agents that identify sensitive data at rest
Security Onion 20110101  [securityonion.blogspot.com]
Security Onion Live 20110101 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here: http://rules.emergingthreats.net/projects/security-onion/
If you have any problems or would like to request new features, please submit an issue here: http://code.google.com/p/security-onion/issues/list
What is logstash?
logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs.
It is fully free and fully open source. The license is New BSD, meaning you are pretty much free to use it however you want in whatever way.
Over the holidays, I used some of the vacation and down time to reorganize my home network. Part of this was to update my network maps and figure out how many of my devices do not support IPv6. I do use IPv6 extensively at home, but even some recently purchased devices do not support it.
Another problem you have with IPv6 is to find all devices on your network. The standard and simplest way to do this (aside from passively listening) is to ping the ‘all hosts’ multicast address ff02::1. If you use auto configured link local addresses, you can also look for the EUI-64 (MAC Address) derived IPv6 addresses.
The result: a shell script to run some of these scans for you
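The EUI-64 trick mentioned above is deterministic, so an inventory of MAC addresses can be turned directly into a list of IPv6 addresses to probe, and the reverse lookup tells you which responders are still using MAC-derived addresses rather than privacy addresses. The Python below is an added example for this digest, not the diary’s shell script: it flips the universal/local bit, inserts `ff:fe`, and prepends either `fe80::/64` or a routed `/64` you supply. The MAC and prefix in the demo are constructed.

```python
import ipaddress

# Added example for this digest; the MAC and prefix used below are constructed.


def _mac_bytes(mac: str) -> bytearray:
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the U/L bit of the first octet, insert ff:fe in the middle."""
    b = _mac_bytes(mac)
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address a host with this MAC would pick inside a routed /64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 address; None for privacy/random interface IDs."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


def candidate_addresses(macs, prefixes=()):
    """Expand a MAC inventory into the link-local and global addresses worth probing."""
    out = []
    for mac in macs:
        out.append(link_local_from_mac(mac))
        for p in prefixes:
            out.append(global_from_mac(p, mac))
    return out


if __name__ == "__main__":
    for a in candidate_addresses(["00:1b:21:3c:4d:5e"], ["2001:db8:1::/64"]):
        print(a, "->", mac_from_eui64(str(a)))
```

Link-local probes need the outgoing interface named explicitly (ping6 takes it with `-I`, or as a `%iface` zone suffix on the address), because fe80::/64 is ambiguous across interfaces; the all-hosts multicast sweep of ff02::1 the diary describes is the complement to this list, since it also finds hosts using privacy addresses that no MAC inventory will predict.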
Firefox, like most modern web browsers, can save login information so that it does not have to be entered by the user again on the next visit to a website or service. This behavior can be problematic on multi-user systems: if other users get access to a user’s Firefox profile, the login information is readily available to anyone who looks for it in the browser’s options.
The master password has been designed to protect the saved password listing from other users. It basically means that the password needs to be entered before the listing can be accessed for the first time, protecting the user’s saved login information.

Funny

Over the past few weeks I created a new shellcode that uses the Microsoft Speech API to have the target computer say “You got pwned!” over the speakers. Needless to say, the practical applications are myriad, from impressing women in bars to expediting world peace. However, I expect that the most common application will be people impressing their friends with their 1337 hacker skills.
One more shoe accident  [www.youtube.com]
Correlation  [xkcd.com]
The Gauss Christmath Special  [www.youtube.com]