DamnVulnerableLinux Strychnine has been released

Finally, after several delays:

DVL Strychnine is based on BackTrack 2 (BT2). Damn Vulnerable Linux (DVL) is located at . DVL is for educational purposes only!

Actually, it is a perverted Linux distribution made to be as insecure as possible. It is a collection of IT security tools. In addition, it includes a full-scale, lesson-based environment for attack and defense of IT systems, for self-study or for teaching during university lectures. It's a Live Linux distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. It can also be run within virtual machine environments such as qemu or VMware; there is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as many training options as it can. It contains a huge amount of lessons, including lesson descriptions - and solutions if the level has been solved by a community member at

These are the cheat codes which you can use to enable specific features in DVL Strychnine:

Useful Commands:

● ati – initializes the ATI Xconf and starts KDE.
● startx – starts KDE.
● flux – starts Fluxbox.
● share – mounts a windows share to /mnt/share.
● leetmode – starts a KDE Sensor array (karamba) .
● start-kismet-ng – auto configures kismet.conf and runs kismet.
● fixvesa – restore original vesa xconf (not in beta).
● sshd-generate – creates SSH Keys. Usually followed by /usr/sbin/sshd.

Key generators and free bots

Download a key generator and get a free bot. If you don't have the money to buy all your software, try using open source software. Some run on the Windows platform (OpenOffice, Firefox, ...) or you can run them virtually under Linux. Just try VMware Player and get Ubuntu and you will have loads of software to use: document processing, photo editing, you name it.
But be careful downloading software, and especially cracks and serialz, from the internet or P2P networks. A lot of them contain trojans and keyloggers turning your PC into a zombie. As I said before, having anti-virus on your PC won't always help. There is no such thing as a free lunch!

Security update for Firefox and how to do an enterprise rollout

I still prefer using Firefox 2 with the NoScript, Adblock and Flashblock extensions for added security. But even Firefox needs to be patched and I would do it today. Some security vulnerabilities were fixed and you should upgrade to 2.0.4 asap. Use the built-in upgrade function or download from . There is also an upgrade tool from Firefox to version 2.

Do you think Firefox is hard to deploy and manage in an enterprise environment? Think again.

Did you know that rather than manually performing rollouts and management, you can use Windows Installer, Group Policy, and Active Directory (AD) to help automate these tasks? To push out Firefox with Windows Installer, you of course need to have properly prepared MSI package files, and to manage configurations, you need Firefox to interact with AD. I found a company that has a solution to both

Firefox Community Edition not only integrates with AD, it also gives you the ability to control the desktop icon as well as shell integration, similar to the way Microsoft Internet Explorer (IE) integrates with the shell. It also can be set to be the default browser, handles uninstallation if you need that, comes with Adobe Flash Player pre-installed, and more.

New thoughts on german anti-hacker law

Some new thoughts on the new German "anti-hacker" law, which outlaws means of circumventing security. I have been thinking about the scope of "hacker tools" in this. It's not only about vulnerability scanners. Do they differentiate between a password cracker and a password recovery tool? Do they make a difference between a utility designed to run DoS attacks and one designed to stress-test a network? Even data recovery software that bypasses file access permissions to gain access to deleted data is potentially illegal. So what about forensic toolkits?

I have the feeling expert advice was not consulted or ignored when making this law. Uh oh.


Black Hat USA 2007 Topics

Wondering what the topics might be at Black Hat 2007? Let's have a look:

  • The Psychology of Security
  • Injecting RDS-TMC Traffic Information Signals
  • Traffic Analysis—The Most Powerful and Least Understood Attack Methods
  • Unforgivable Vulnerabilities
  • Computer and Internet Security Law—A Year in Review 2006–2007
  • Building an Effective Application Security Practice on a Shoestring Budget
  • Kernel Wars
  • Don't Tell Joanna, The Virtualized Rootkit Is Dead
  • SQL Server Database Forensics
  • Hacking the Extensible Firmware Interface
  • Social Network Site Data Mining
Check the site for the complete list. At this point, I'm sad I don't have the time and budget to attend.

Should police hack?

Well, that's a good question. The topic came back to the surface after the discussion of the new German "anti-hacking" law. Apparently, F-Secure did a survey on this: Should police hack?

Out of the 1,020 respondents, 23% were in favor, 11% were undecided, and 65% were against. Approximately 70% of the responses were from one of five locations: Sweden, Germany, Great Britain, Finland, and the United States.

Over 91% of Germans were against such techniques, while only 56% of Britons were against them.

Geopolitical factors and events such as the 2005 London bombings might explain the differences between these countries.

Well, the question is also: how will they "hack" the PCs? Through vulnerabilities? We should try to update everyone's system to protect them, not exploit them. Through (unknown) backdoors? Well, bad guys will also find these sooner or later. Through malware? But then, how will anti-virus vendors tell the difference between good malware and bad malware? There are a lot of vendors and they are from different countries, so German law doesn't apply to them.
Also, as stated in the F-Secure article, the amount of data collected in "online house searches" could be so large that it drowns the signal in noise. So this doesn't seem very effective. So should police hack? Give us your opinion.

Lightning links #3

Some interesting articles for today:


Phrack #64 : Reborn

Phrack is back, alive and kicking:

In the last decade, Phrack took a very annoying industry-oriented editorial policy and the original spirit was in our opinion not respected. The good old school spirit as we like it had somehow disappeared from the process of creating the magazine. That is why the underground got split with a major dispute, as some part of the scene was unhappy with this new way of publishing. We clearly needed to bring together again all the relevant parties around the spirit of hacking and the values that make the Underground. The Underground is neither about making the industry richer by publishing exploits or 0day information, nor distributing hacklogs of whitehats on the Internet, but to go further than the limits of technology ever and ever, in a big wave of learning and sharing with the people ready to embrace it. This is not our war to fight people doing this for money but we have to clearly show our difference.

It is also getting more urgent that hackers use the technology to make the world a fair place to live in, and we will not let politics decide without us what is good to do. Hackers need to express their concerns and regulate the information despite the rules imposed by self-claimed authorities, and this is the real subject of our actions.

Current issue : #64
I wasn't always involved in IT security and I was not a regular reader of Phrack, but I did read an issue or two. The underground will always have its sources of information. The best thing we can do is share the information between security professionals so we can better defend ourselves against it.


Windows vs Linux: which is the most secure?

Well, I won't answer this myself. Both need hardening and securing. The Register has made their own assessment:

So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms:

  1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations
  2. Open source is inherently less secure because malicious hackers can find flaws more easily
  3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows
  4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows
Read the article for the full details.

New German "anti-hacker" law

Just noticed this article on Anandtech:

The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, sections 200 and following [in German]). Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten, which means that some security scanning tools might become illegal. The Chaos Computer Club in Germany said of the decision, "Forbidding this software is about as helpful as forbidding the sale and production of hammers because sometimes they also cause damage."

Well, having up-to-date laws to "fight" the bad guys is good, but not if it also limits the capabilities of the good guys. I wonder what impact this will have on security scanner vendors like Tenable, ISS or Qualys? It doesn't seem like a very well-thought-through law.

Chaos Computer Club spokesman Andy Mueller Maguhn said that "safety research can [now] take place only in an unacceptable legal gray area." The group is also concerned that the new legislation will make it easier for the police to obtain information by hacking—something that was outlawed by the courts a few months back.

Hmmm.... it seems that, unlike before, police forces can hack other people's PCs to obtain information. Do they need warrants? For what type of crimes? I think this sets a dangerous precedent. Full article at Anandtech.

Bonus: Germany passes Anti-Hacking laws (

AudioParasitics Episode 7

In Episode 7 of our AudioParasitics podcast, we delve once again into the debate around vulnerability disclosure and bounty programs. Jim and I wrestle with the ethics of bounty programs and whether they help protect customers. Join us as we battle with the explosive and complex relationships between bounties, vulnerabilities, exploits, and malware.

Remember that (certain) podcasts can help you get CPE credits.

OWASP 2007 vs 2006

OWASP 2007 has been released. Let's see how it compares to 2006:

2006 versus 2007, entry by entry:

A1 - 2006: Unvalidated Input. Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
A1 - 2007: Cross Site Scripting (XSS). XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 - 2006: Broken Access Control. Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
A2 - 2007: Injection Flaws. Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - 2006: Broken Authentication and Session Management. Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
A3 - 2007: Malicious File Execution. Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - 2006: Cross Site Scripting (XSS). The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
A4 - 2007: Insecure Direct Object Reference. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - 2006: Buffer Overflow. Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
A5 - 2007: Cross Site Request Forgery (CSRF). A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A6 - 2006: Injection Flaws. Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
A6 - 2007: Information Leakage and Improper Error Handling. Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

A7 - 2006: Improper Error Handling. Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
A7 - 2007: Broken Authentication and Session Management. Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - 2006: Insecure Storage. Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
A8 - 2007: Insecure Cryptographic Storage. Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 - 2006: Application Denial of Service. Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
A9 - 2007: Insecure Communications. Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - 2006: Insecure Configuration Management. Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
A10 - 2007: Failure to Restrict URL Access. Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
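As an added example (not taken from the OWASP document or from this post), here are three of the 2007 entries in code, each as the vulnerable handler next to its fixed form: an insecure direct object reference (A4) that is fixed by checking ownership against the session, a cross site request forgery (A5) that is fixed by demanding a per-session token, and an XSS sink (A1) that is fixed by HTML-encoding the output. The document store, the Session class, the user names and the handler names are all constructed for the illustration and assume nothing about any real application.

```python
"""Vulnerable and fixed handlers for three OWASP 2007 entries (constructed example)."""
import hmac
import html
import secrets


class Session:
    """Stand-in for a server-side session (constructed for this example)."""

    def __init__(self, user: str):
        self.user = user
        # Per-session secret that a cross-site attacker's page cannot read.
        self.csrf_token = secrets.token_hex(16)


def sample_store() -> dict:
    """Constructed document store: id -> owner and body."""
    return {
        101: {"owner": "alice", "body": "alice payroll sheet"},
        102: {"owner": "bob", "body": "bob draft"},
    }


# --- A4 Insecure Direct Object Reference --------------------------------
def get_document_vulnerable(store: dict, session: Session, doc_id: int) -> str:
    # The id comes straight from the URL; nothing ties it to the caller.
    return store[doc_id]["body"]


def get_document_fixed(store: dict, session: Session, doc_id: int) -> str:
    doc = store.get(doc_id)
    # Authorize the reference against the authenticated user, not just its existence.
    if doc is None or doc["owner"] != session.user:
        raise PermissionError("no such document for this user")
    return doc["body"]


# --- A5 Cross Site Request Forgery -------------------------------------
def delete_document_vulnerable(store: dict, session: Session, form: dict) -> None:
    # A cookie-authenticated POST from any origin is honoured.
    store.pop(int(form["id"]), None)


def delete_document_fixed(store: dict, session: Session, form: dict) -> None:
    token = form.get("csrf_token", "")
    # Constant-time comparison; a forged cross-site request cannot supply the token.
    if not hmac.compare_digest(token, session.csrf_token):
        raise PermissionError("missing or invalid CSRF token")
    doc_id = int(form["id"])
    get_document_fixed(store, session, doc_id)  # still enforce ownership (A4)
    del store[doc_id]


# --- A1 Cross Site Scripting -------------------------------------------
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello {name}</p>"


def greet_fixed(name: str) -> str:
    # Encode for the HTML text context; quote=True also covers attribute values.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run each pair against the same inputs and report what happened."""
    out = {}
    bob = Session("bob")
    store = sample_store()
    out["idor_vulnerable"] = get_document_vulnerable(store, bob, 101)  # alice's document
    try:
        get_document_fixed(store, bob, 101)
        out["idor_fixed"] = "allowed"
    except PermissionError:
        out["idor_fixed"] = "denied"
    forged = {"id": "102"}  # a cross-site form post carries no token
    store = sample_store()
    delete_document_vulnerable(store, bob, forged)
    out["csrf_vulnerable_deleted"] = 102 not in store
    store = sample_store()
    try:
        delete_document_fixed(store, bob, forged)
        out["csrf_fixed"] = "deleted"
    except PermissionError:
        out["csrf_fixed"] = "rejected"
    genuine = {"id": "102", "csrf_token": bob.csrf_token}  # same-origin form
    delete_document_fixed(store, bob, genuine)
    out["csrf_genuine_deleted"] = 102 not in store
    payload = "<script>alert(1)</script>"
    out["xss_vulnerable"] = greet_vulnerable(payload)
    out["xss_fixed"] = greet_fixed(payload)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The fixed CSRF handler keeps the ownership check from the A4 fix: a valid token proves the request came from the user's own page, not that the user may touch the object named in it.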

It seems Buffer Overflows and Application DoS have left the top 10. But there is still work to be done (Web application security statistics).


Botnet attacks are old fashioned

Another blog article that caught my attention:

The new trend in organizing Distributed Denial of Service attacks is using P2P networks:

This is how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

They call it the DC++ attack. The developers have acknowledged the problem and tried to mitigate it in new versions. But when do users upgrade?
I don't think it's that efficient, but it's another way to DDoS and you don't need C&C servers. Of course, botnets can do a lot more than DDoS, like stealing serials, phishing, spamming etc.
I wonder how long it will be before they find other services to "trick" into doing a DDoS? It's sad that their talent and creativity isn't used for better things.

Bonus: Peer-to-peer app DC++ hijacked for denial-of-service attacks (Anandtech)

Statistics on malware detection

Well, let's show some statistics on malware detection. First, a test done by an independent testing group at the Otto von Guericke University (Germany). They tested 29 anti-malware products with a very large set of files. The goal was to test detection capabilities only. Only current malware was used, meaning all samples were seen in the last 12 months.

Program        # Detected   Detection %
AVK 2007       604,255      99.56%
Trend Micro    552,107      90.97%
Dr Web         520,959      85.84%

Well, Webwasher looks very good but it is a gateway product (only). For home users, look at AntiVir, which scores well and has a free personal edition.

The next report comes from Shadowserver. I discovered they have more graphs and tests than just those on botnets. :-)
They have honeynets and capture the files after the infection has been done. This is done live on the internet, so these can be considered 0-day tests. They scan the files on the day the binary is acquired, and they are retested regularly with updated scanners.

These reports are a summary of the types of malware that we intercept. Note that we may have had more malware than is indicated in these tables; these are only the ones that were able to be identified. Each AV vendor has different capabilities and success in detecting malware that we collect. No single vendor detects 100%, nor can they ever. To expect complete protection will always be science-fiction.

vendor detected total percent
NOD32 236779 243383 97.29%
DrWeb 234214 243383 96.23%
AntiVir 233398 243383 95.90%
BitDefender 180841 243383 74.30%
Panda 170225 243383 69.94%
Vexira 157145 243383 64.57%
Kaspersky 156551 243383 64.32%
Norman 154226 243383 63.37%
QuickHeal 143921 243383 59.13%
F-Prot 139872 243383 57.47%
AVG7 126586 243383 52.01%
McAfee 121048 243383 49.74%
VirusBuster 71438 243383 29.35%
Avast 0 243383 0.00%
Clam 0 243383 0.00%
VBA32 0 243383 0.00%

Note that malware that none of the vendors detected is not included! So you have to read the percentages differently than in the previous test. It seems AntiVir is in the top 3 in both tests. For the rest, with statistics you can prove and disprove anything depending on the way they are performed. The only sure conclusion (as Shadowserver also concludes) is that no vendor can guarantee 100% protection. So use defense in depth:
  • educate users and create awareness about best practices for computer/email usage
  • combine two different vendors for gateway and client purposes
  • don't let users run as administrator
  • keep your systems patched and updated
  • have incident procedures and personnel to minimize the impact (be prepared)
User awareness will become more and more important as the bad guys use recent events to convince users to run their code (see below).

Bonus: a discussion on mobile malware
Bonus: Malware claiming to be Pirates of the Caribbean trailer
Update: Sophos was not correctly tested (thanks Anonymous)
Update: The test was correctly done (in dutch from


Lightning links #2

FINAL Call for Papers for Chaos Communication Camp 2007

The Chaos Communication Camp is an international, five-day open-air event for hackers, builders, and makers organized by the Chaos Computer Club (CCC), to be held from August 8 to 12 on an old Russian military airfield near Berlin.

Till June 5th there’s still a chance to send in lectures or workshop proposals.

You too can help making this camp the best ever, by spreading the word: blog and tell your friends about the camp, and get all the cool people you know to submit lectures!

The conference languages are English and German. Don’t worry about language issues though – the Camp is a truly international event! Everyone will be happy to communicate with you in the languages of the Internet - broken English and 1337speak.


AusCERT reports and upcoming security events

SANS ISC is giving an overview of what's happening at AusCERT 2007:

AusCERT 2007 update
AusCERT day 2 update
AusCERT day 3 update

Some of the topics are:

  • Scott McIntyre (FIRST, KPN-CERT, XS4ALL) on the Toxbot takedown
  • Nelson Murilo (Pangeia) on chkrootkit
  • The Cyber Criminal Economy by Stas Filshtinskiy
I hope the presentations come online after the event. At the moment, there is still no update on the presentations of the past BlueHat 2007 conference.

The summer is going to be packed with security conferences:
I don't have the time or budget to visit most of them but I will be going to Chaos Computer Camp. Hopefully I will get the chance in the future to visit more of them.

PhishTank (part of OpenDNS) and the Anti-Phishing Working Group, with a member list of companies like eBay, Microsoft, Yahoo!, Verisign and Cisco, are joining forces. These are two of the biggest databases of phishing data. I think this is a good thing for internet users. I would like to see more organizations joining forces to combat internet crime.

PS, don't forget the 24th May: ISSA Conference on botnets on Thursday

Cryptogram May '07

The latest Cryptogram has been out for a week but I didn't have time to read it before today. For those who missed it: Cryptogram is the newsletter of Bruce Schneier and isn't (only) about cryptography.

In this issue:


Google Security: New blog on the block

Introducing Google's online security efforts:

Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.

First of all, a correction of a previous statement: it isn't 10% of all websites that contain malware. According to the Google study, out of a subset of suspicious websites, 10% represented drive-by malware downloads. The actual percentage of malicious pages is roughly 0.1%.

Well, another blog to add to my list.

Lightning links #1

Some interesting reads:

Voip Bots: Resistance is (not) futile

Blue Box #58: The SIP Botnet edition - VoIP bots are here, now what?

The SIP Botnet edition - VoIP bots are here, now what? Also rogue firmware mini-tutorial, other VoIP security news, listener comments, more...

The site of the podcast gives an overview of the topics and some more links to VoIP security related topics.
Since VoIP is becoming more and more mainstream, it's important to secure it. I must admit that I need to read up on VoIP. I'm making the Blue Box podcast CD the next one for my car.


The Ugly Truth About Online Anonymity

A very, very long post about Tor routers and anonymity on the Internet. Don't read it before going to bed. It's quite scary. ;-)
High-bandwidth Tor exit points and anonymous proxies being run by the NSA or other government agencies. I realised there is no such thing as anonymous anymore. Just read the article above.
Yes, I know Tor. No, I don't use it (yet). No, I'm not a criminal. Everybody breaks the law at some level sooner or later. E-v-e-r-y-o-n-e. Should everybody go to jail for not using the zebra crossing once in a while? Of course not. Let's stay realistic. But in this whole post-9/11 period, it's all about monitoring everyone, all of the time, in as many ways as possible. Luckily, Belgium doesn't have 1 camera for every 14 people. A nice fact: there are 32 cameras within 200 yards of George Orwell's home.
The European data retention law has not kicked in yet in Belgium, but if it does, I might use Tor. Why? If this type of "data gathering" continues, privacy will be a privilege and no longer a right.

Bonus: Schneier on "Is Big Brother a Big Deal?"
Bonus: Isn't Tor being used by criminals?


Battle of the Botnets

A nice piece from Kaspersky: Battle of the Botnets

The situation was becoming more and more interesting. Three groups, from different countries, who were all busy with the same thing – creating botnets to send spam and harvest email addresses. All these groups are dependent on money from spammers, who will pay good money for the biggest botnet and the largest database. This brought the three groups into conflict with each other, and they are willing to use everything at their disposal to gain an advantage. The result was an unending cycle of attacks on users. In order to infect machines, the virus writers had come up with newer and newer methods to evade antivirus filters.

Despite security features such as UAC, PatchGuard, and protection against buffer overflows, we are losing the battle. Let's not forget about QuickTime and Flash exploits. After the latest Microsoft Patch Tuesday, let's have a look at the progress of vulnerabilities. Image from McAfee Avert Labs

And let's have a look at the latest graph

So we just reached a new record of 3 million. Ouch. Still going the wrong way. I always thought that bots were command-line driven or had a crude GUI. Then I read the Panda Software article on Zunker.

The screenshot shows how user-friendly the interface is. It's organized by country, and you can see how many bots you have, reports from each one, how much spam has been sent, and what software the bots have used to send the spam (Gmail, IM, forums, etc.). It even has advanced graphs of the number of bots, reports, and daily/monthly spam statistics.
Zunker is mainly targeting German IPs but it seems ready to infect other specific targets with other bots.

I think one of the problems is that the bad guys communicate better than us. They share information and they are organized. I know it's difficult to talk honestly about security failures, about what you've learned and how you're adapting. There is also a legal and PR side to the story. But if we cannot find a way, we will be fighting an uphill battle.

Questions To Ask During An Information Security Interview

10 Questions to ask during an information security interview from

1. Where do you get your security news from?
2. If you had to both encrypt and compress data during transmission, which would you do first, and why?
3. What kind of computers do you run at home?
4. What port does ping work over?
5. How exactly does traceroute/tracert work?
6. Describe the last program or script that you wrote. What problem did it solve?
7. What are Linux’s strengths and weaknesses vs. Windows?
8. What’s the difference between a risk and a vulnerability?
9. What’s the goal of information security within an organization?
10. Are open-source projects more or less secure than proprietary ones?
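Question 2 has an answer you can measure, so here is an added example (mine, not from the article or this post) that does so: it compresses then encrypts and encrypts then compresses the same constructed plaintext and reports the sizes. Encryption is stood in for by XOR with a random keystream of the same length (a one-time pad), which has the property that matters here, namely that ciphertext looks like random bytes and so does not compress; any real cipher behaves the same way. A caveat the 2007 question does not cover is also shown: when attacker-chosen text is compressed together with a secret before encryption, the ciphertext length reveals whether the attacker's text matched part of the secret. The sample plaintext, the secret and the message layout are all constructed.

```python
"""Compress first or encrypt first? Sizes, and a length leak (constructed example)."""
import os
import zlib

# Constructed plaintext: repetitive, like most protocol traffic.
SAMPLE_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n" * 40


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """Stand-in for a stream cipher: XOR with a random keystream as long as the data
    (a one-time pad). The same call decrypts. A real cipher has the same effect on
    compressibility: its output is indistinguishable from random bytes."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return bytes(a ^ b for a, b in zip(data, keystream))


def compress_then_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Returns (ciphertext, keystream)."""
    compressed = zlib.compress(plaintext, 9)
    keystream = os.urandom(len(compressed))
    return xor_stream(compressed, keystream), keystream


def decrypt_then_decompress(ciphertext: bytes, keystream: bytes) -> bytes:
    return zlib.decompress(xor_stream(ciphertext, keystream))


def encrypt_then_compress(plaintext: bytes) -> tuple[bytes, bytes]:
    """Returns (compressed ciphertext, keystream). Deflate finds no redundancy in
    random-looking ciphertext, so it falls back to stored blocks and adds overhead."""
    keystream = os.urandom(len(plaintext))
    return zlib.compress(xor_stream(plaintext, keystream), 9), keystream


def compare_orders(plaintext: bytes = SAMPLE_PLAINTEXT) -> dict:
    """Output sizes for both orders; also checks that compress-then-encrypt round-trips."""
    cte, key1 = compress_then_encrypt(plaintext)
    etc, _ = encrypt_then_compress(plaintext)
    if decrypt_then_decompress(cte, key1) != plaintext:
        raise AssertionError("round trip failed")
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(cte),
        "encrypt_then_compress": len(etc),
    }


def observed_length(secret: bytes, attacker_text: bytes) -> int:
    """Caveat for compress-then-encrypt: when attacker-chosen text shares one message
    with a secret, the ciphertext length (encryption does not change it, so only the
    compressed size is returned here) is smaller when the attacker's text repeats part
    of the secret, because deflate replaced the repeat with a back-reference."""
    return len(zlib.compress(b"token=" + secret + b"; q=" + attacker_text, 9))


if __name__ == "__main__":
    print(compare_orders())
    secret = b"SECRET-0123456789"
    print("guess matches prefix:", observed_length(secret, b"SECRET-01"))
    print("guess does not match:", observed_length(secret, b"QWXZJKVPY"))
```

So the answer is compress first, then encrypt, and the practitioner's follow-up is whether anything the attacker controls is being compressed in the same message as a secret.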

Well, I think there are some nice questions in there. I had my share of job interviews and they didn't always focus on security. I think that these sorts of questions should be used more in security job interviews. I also liked the quote at the end of the article: "Don't forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge."

What questions would you ask during an interview?

Bonus (Liquidmatrix): How to prove the utility of an infosec interviewee in four questions


DNS and OpenDNS: advanced DNS features

Well, DNS has not changed much over the last 20 years. It was never designed with security in mind. Normal address resolution goes over UDP, which makes it even worse: there is no handshake, so a reply only has to carry the right 16-bit transaction ID (and hit the right source port) to be accepted, which makes it susceptible to spoofing attacks. DNSSEC is meant to solve some of the issues by adding cryptographic signatures to the records. But all DNS clients and servers will need to be updated and the implementation will not be easy. So it's not for tomorrow.
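To make the spoofing point concrete, here is an added example (mine, not from this post and nothing to do with OpenDNS or DNSSEC) of the wire format and of the acceptance check a resolver performs on a UDP reply: the reply must be a response, carry the query's transaction ID and echo the same question. Everything a blind, off-path attacker has to get right is that ID (plus, on a real network, the source port), and the block shows a forged reply being dropped with the wrong ID and accepted with the right one. The host names and addresses are constructed (RFC 5737 documentation ranges); no packets are sent.

```python
"""DNS over UDP: what a resolver checks before believing a reply (constructed example)."""
from __future__ import annotations

import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Dotted hostname -> RFC 1035 label sequence (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a name at offset, following compression pointers; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # hop bound: a pointer loop would otherwise spin forever
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier occurrence
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else offset)


def build_query(qname: str, txid: int) -> bytes:
    """Recursive A query. txid is 16 bits: together with the UDP source port it is all
    the resolver has to tie an answer to this question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_reply(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """A reply as a server, or a spoofer, would send it: the question echoed back and
    one A record whose name is a pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, ANCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def accept_reply(query: bytes, reply: bytes) -> str | None:
    """The resolver's acceptance check. Returns the first A record for the queried
    name if the reply is a response with the query's txid and question, else None."""
    if len(reply) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000 or qdcount != 1:
        return None
    want_name, _ = decode_name(query, 12)
    got_name, off = decode_name(reply, 12)
    qtype, qclass = struct.unpack("!HH", reply[off:off + 4])
    off += 4
    if (got_name.lower(), qtype, qclass) != (want_name.lower(), QTYPE_A, QCLASS_IN):
        return None
    for _ in range(ancount):
        name, off = decode_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata, off = reply[off:off + rdlen], off + rdlen
        # Only an answer for the name we asked about counts.
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4) and name.lower() == want_name.lower():
            return ".".join(str(b) for b in rdata)
    return None


def blind_spoof(query: bytes, qname: str, guessed_txid: int, attacker_ip: str) -> str | None:
    """What an off-path attacker does: forge a reply with a guessed txid and race the
    real answer. A wrong guess (1 in 65536 per packet) is simply dropped."""
    return accept_reply(query, build_reply(guessed_txid, qname, attacker_ip))


if __name__ == "__main__":
    txid = secrets.randbelow(1 << 16)
    query = build_query("www.example.com", txid)
    print("legit:", accept_reply(query, build_reply(txid, "www.example.com", "192.0.2.10")))
    print("spoof, wrong id:", blind_spoof(query, "www.example.com", (txid + 1) & 0xFFFF, "198.51.100.1"))
    print("spoof, right id:", blind_spoof(query, "www.example.com", txid, "198.51.100.1"))
```

The last line is the whole problem: with the ID guessed right, the forged record passes every check a plain resolver has, which is why source-port randomisation (more bits to guess) and DNSSEC (a signature the spoofer cannot produce) are the fixes rather than more careful parsing.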

Today, I stumbled upon OpenDNS. It has nothing to do with DNSSEC but it can also improve your security. The first feature is being an alternative to the DNS servers of your provider: they keep an intelligent cache of most DNS information, thus providing excellent DNS resolving speed. They respect the TTL of the domain anyway.
Secondly, they include a phishing filter and typo correction. I fooled around with the typo correction and it didn't impress me.
What I found more interesting was the phishing filter. Apparently it's actually PhishTank: a community-based phish verification system where users submit suspected phishes and other users "vote" on whether it is a phish or not. PhishTank is also used by Opera.

But with OpenDNS, you don't need new browsers or new plugins/extensions. Just fill in the following DNS servers in your PC or home router/DNS forwarding server:

If you don't want the anti-phishing features of OpenDNS, you can always disable them and simply use it as a DNS. They have other nifty features such as shortcuts. Shortcuts are a cool way to use a short word for a long address. You have to register with them to use this feature. Then you can link for example "mail" with "". From then on, you simply type "mail" and you get to your Yahoo webmail. Nice idea. It gives a new breeze to the whole DNS system. Concerning privacy, OpenDNS seems not to keep records on an individual basis, but you can never be sure. The same goes for your own ISP, unless you set up a DNS server at home.

New requirements for CISSP

ISC² is changing their requirements for the CISSP certification:

Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK®, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)²-approved list. Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)²-approved list, in one or more of the 10 domains of the CISSP CBK.

Also effective 1 October, CISSP candidates will be required to obtain an endorsement of their candidature exclusively from an (ISC)²-certified professional in good standing. Currently, candidates can be endorsed by an officer from the candidate's organization if no CISSP endorsement can be obtained. The professional endorsing the candidate can hold any (ISC)² base certification – CISSP, Systems Security Certified Practitioner (SSCP®) or Certification and Accreditation Professional (CAP).

For current CISSP holders, there is no impact or change.


24th May: ISSA Conference on botnets

The Belgian Chapter of ISSA is organising a conference next week on Botnets:

This event will be held in the Club Prince Albert, Karmelietenstraat / rue des Petits Carmes 20, 1000 Brussels (access plan). Please bear in mind that the dress code at the Club is "business casual".

The following topics will be covered:

  • Botnet basics: Short introduction into botnets, what they are and how they work.
  • What is The Shadowserver Foundation and what are they doing?
  • How can you capture malware on the network?
  • How can you analyze the captured malware and what kind of tools can you use? A little demo will be given to illustrate this.
  • What kind of activities (commands, etc..) can you see within a botnet?

The FAQ will include answers to questions such as :

  • What is the estimate in numbers and sizes of botnets?
  • How frequently are you being confronted with botnet cases?
  • Have botnets already been used to attack Belgian companies / organisations, and to what degree?
  • What can I do when someone is trying to extort me, threatening to launch a DDoS towards my infrastructure? And what can I do when effectively being confronted by a DDoS attack?
  • What is my liability when it turns out that one of my PC's has been turned into a zombie / bot and has been used to hack another company's server? And how do I prove it wasn't me who hacked them?!?

Attendance is free but you need to register! Since botnets are one of my favourite subjects, I will do my best to attend the conference!

Security podcasts and Episode 6 of Audioparasitics

Well, I have actually started listening to podcasts. Why? Not only for the CPE credits, but because I spend 2 to 3 hours per day in the car and it seemed like wasted time. After a while you have heard all the songs on the radio over and over again. Luckily, my car also plays MP3 CDs, so I started downloading podcasts and listening to them in the car. It makes my time on the road much more productive. So far I have started with:

I'm about halfway through listening to all the episodes of the last 3-4 months. On the list to add are:
But I have to try to spread them out. Enjoy, put them on your favourite MP3 player and keep track of them if you need the CPE credits! ;-)

Keep up with the latest exploits- euh- I mean patches

Well, Google and McAfee aren't the only ones looking out for malicious online content. Symantec also has a kind of watchdog: the DeepSight Threat Analyst Team.

The DeepSight Threat Analyst Team is constantly monitoring honeypots termed “crawlers”, which are designed to crawl the Internet looking for maliciously-crafted web pages. These crawlers emulate users surfing the Internet with various browsers that may be susceptible to client-side exploits hosted on Webpages.

As I wrote in It's all about the plugins, even if your browser and OS are fully patched, attackers can infect you through various plugins. And they are doing a good job of keeping up with the latest exploits, like Apple QuickTime RTSP URI Remote Buffer Overflow and the slightly older WinZip WZFileView.FileViewCtrl.61 ActiveX Control Remote Code Execution, for example. How often do you check or update your QuickTime or WinZip? Full article from Symantec here.


Google, the new malware sheriff in town

Ghost in the Browser is a research study from Google which states that at least one in 10 web pages is booby-trapped with malware. That's 10%! So email isn't the preferred attack vector anymore; it's your browser. The study covers not only sites hosting malware directly, but also XSS attacks, compromised web servers and advertising banners used to deliver the malware.
According to the paper, Google is preparing to integrate automated security analysis into its routine spidering and indexing of sites:

Our goal is to observe the malware behavior when visiting malicious URLs and discover if malware binaries are being downloaded as a result of visiting a URL. Web sites that have been identified as malicious, using our verification procedure, are labeled as potentially harmful when returned as a search result. Marking pages with a label allows users to avoid exposure to such sites and results in fewer users being infected.

I have mixed feelings about these plans. With the acquisition of DoubleClick, they hold a considerable amount of information on internet users. Google has always had a 'don't be evil' mantra, but this filtering gives them (even more) considerable power. Even if it's by accident or just a false positive, a site flagged as suspicious can lose a lot of revenue. On the other hand, it might help prevent end users from being infected. Note that they are only marking the site as 'bad', not blocking it.
The problem is that users will click on anything. Didier Stevens did a little experiment: he ran a Google AdWords campaign for 6 months with the text "Is your PC virus free? Click here to get it infected.."
What do you think, nobody clicked on it? Wrong. The ad was displayed 259,723 times and clicked on 409 times. That's a click-through rate of 0.16%.

Whether Google's idea is a good one, only time can tell. Until then, I have been using McAfee's SiteAdvisor, which already does something comparable for Google searches. Check it out and give it a try.

On a small side note, the title of the paper is likely a reference to the manga and anime series Ghost in the Shell, of which I'm a big fan! ;-)


Computer Security Awareness Video Contest

A post from the Internet Storm Center pointed me to the Computer Security Awareness Video Contest. User awareness is a key factor in limiting the damage done by crackers infecting PCs with malware, stealing your identity and turning your PC into a zombie. Send the video to your friends! ;-)

Toorcon and Bluehat: two recent security conferences

This year ToorCon is organizing an informal, free and invite-only get-together of around 100 security professionals and hackers who have helped make ToorCon what it is today. You can already find some of the ToorCon presentations on their website. Some of the topics:

BlueHat v5: The Paradox of Innovation: BlueHat is Microsoft's own little hacker con, hosted twice a year. The sessions were all about innovation in security research. The topics were:

  • Death by 1,000 Cuts
  • Breaking and Breaking Into Microsoft Security Tools
  • Emerging Mobile Security Problems, or How We Learned to Stop Worrying and Love Windows Mobile
  • Your Tamper-Resistant Hardware Makes a Great Sport for Hackers
  • Your Underground Vulnerability Economy

I will post the podcasts as soon as they appear!

Openid and BarCamp Brussel

Well, why a post about OpenID? Using a different login and password for every site can be a hassle, so a lot of users reuse the same login and password across sites (although a password manager can help out here).
These credentials are stored individually at each site, so if one site is compromised, your (online) identity or login credentials could be stolen. An internet-wide single sign-on is one solution.
Microsoft has been pushing Passport and, more specifically, CardSpace as the (next) internet SSO platform. But these platforms are centralised and not open, and not everyone is fond of basing their security on Microsoft. There is another possibility: OpenID.
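As an added example (not from Frank's presentation or from any OpenID library), here is what the relying-party side of that single sign-on looks like in Python, for OpenID 2.0 (OpenID 1.1 signs the same way, with HMAC-SHA1): the provider never hands the user's password to the site; it sends back a positive assertion whose listed fields are covered by an HMAC under a MAC key the site and the provider agreed on earlier. The site has to check more than the signature: that the required fields are actually listed in openid.signed, that return_to is the URL the response arrived at, and that response_nonce is fresh and has never been seen before. The association handle, MAC key, hostnames and nonce below are constructed sample values.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Constructed sample association (hypothetical handle and key); a real RP
# receives these from the provider in the earlier association step.
SAMPLE_ASSOC = {
    "handle": "assoc-4711",
    "type": "HMAC-SHA256",
    "mac_key": hashlib.sha256(b"constructed sample mac key").digest(),
}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# Fields a positive assertion must always sign, and fields that must be
# signed whenever they are present (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
SIGNED_IF_PRESENT = ("claimed_id", "identity")


def kv_form(params, signed_keys):
    """Key-Value Form of the signed fields: 'key:value\\n' per field, in the
    order given by openid.signed, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys).encode("utf-8")


def compute_sig(assoc, params, signed_keys):
    mac = hmac.new(assoc["mac_key"], kv_form(params, signed_keys), DIGESTS[assoc["type"]])
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_response(assoc, fields):
    """Provider side: build an id_res response and sign the listed fields."""
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res"}
    params.update({"openid." + k: v for k, v in fields.items()})
    signed_keys = list(fields)
    params["openid.signed"] = ",".join(signed_keys)
    params["openid.sig"] = compute_sig(assoc, params, signed_keys)
    return params


def nonce_timestamp(nonce):
    """response_nonce starts with a UTC timestamp, e.g. 2007-05-20T10:00:00Z."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_assertion(params, associations, expected_return_to, seen_nonces, now, max_skew=300):
    """Relying-party side: return the claimed_id or raise ValueError."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None:  # stateless mode would need a check_authentication request instead
        raise ValueError("unknown association handle")
    signed_keys = params.get("openid.signed", "").split(",")
    must_sign = REQUIRED_SIGNED + tuple(k for k in SIGNED_IF_PRESENT if "openid." + k in params)
    for key in must_sign:
        if key not in signed_keys:
            raise ValueError(f"field not covered by signature: {key}")
    # A signed return_to only helps if it is compared with where we actually are.
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not match the URL this response arrived at")
    nonce = params.get("openid.response_nonce", "")
    if abs(now - nonce_timestamp(nonce)) > max_skew:
        raise ValueError("response_nonce outside the accepted time window")
    if nonce in seen_nonces:
        raise ValueError("response_nonce already seen (replay)")
    expected = compute_sig(assoc, params, signed_keys)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        raise ValueError("signature mismatch")
    seen_nonces.add(nonce)
    return params["openid.claimed_id"]


def outcome(check):
    try:
        check()
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    """Constructed scenarios: a valid response, a tampered copy, a replay and a stale one."""
    associations = {SAMPLE_ASSOC["handle"]: SAMPLE_ASSOC}
    return_to = "https://rp.example/openid/return"  # hypothetical RP URL
    nonce = "2007-05-20T10:00:00Zabc123"
    now = nonce_timestamp(nonce) + 30
    good = sign_response(SAMPLE_ASSOC, {
        "op_endpoint": "https://op.example/server",  # hypothetical provider
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": SAMPLE_ASSOC["handle"],
        "claimed_id": "https://alice.op.example/",
        "identity": "https://alice.op.example/",
    })
    seen = set()
    tampered = {**good, "openid.claimed_id": "https://mallory.op.example/"}
    return {
        "good": verify_assertion(good, associations, return_to, seen, now),
        "tampered": outcome(lambda: verify_assertion(tampered, associations, return_to, set(), now)),
        "replay": outcome(lambda: verify_assertion(good, associations, return_to, seen, now)),
        "stale": outcome(lambda: verify_assertion(good, associations, return_to, set(), now + 3600)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9} {result}")
```

When the handle is unknown (stateless mode), a real RP falls back on a direct check_authentication request to the provider instead of the local HMAC check; the example simply rejects that case. The nonce set must be shared by every front end that receives responses, otherwise a replay against a second server still works.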
A presentation on OpenID from Frank's Blog, given at BarCamp Brussels:

Frank also reports that Openminds is the first OpenID provider in Belgium.
I had never heard of BarCamp before.

BarCamp Brussels is a free conference (’unconference‘) where all attendees must also contribute. Topics concern the influence of technology upon daily life.

Looking at the previous list of topics, it seems like an interesting event for me to attend.

Extra: a video about OpenID.

Hak5 Episode 2×10 Release

Episode 2×10 Release

In this season finale episode of Hak5 Paul cracks open the Apple TV for a little hacking, Wess shows us how to virtualize physical servers, Mubix joins us to show off some goodies for your USB drives, Darren benchmarks budget home servers, and we tread into web two-oh mashup territory.


Guide to NIST information security documents

The Computer Security Division of NIST is an excellent resource for us security professionals, but it's hard to keep a good overview: currently there are over 250 information security documents.

That's why there is a Guide to NIST information security documents.

Trojan and German Police forces

An update on the German police wanting the right to hack computers to find evidence, as reported earlier.
Luckily, the German Supreme Court deems police hacking illegal. But I remember reading that the same rules do not apply to the German intelligence services; I can't seem to find the article right now. Anyway, a Trojan is now using this theme for social engineering.
Downloader-AAP pretends to be sent by ‘LKA Rheinland-Pfalz’, the State Office of Criminal Investigation. McAfee describes the Trojan in more detail:

The user gets notified about an online search, because his IP address was found while monitoring Peer-to-Peer networks. Backups of the content of the user's hard drive got taken by the “Bundestrojaner”.

Further on, the user will face a criminal prosecution because of illegal software, movies and/or music files found on the machine. Detailed information about the online search can be found in the attached protocol.

So no, don't click on it! For full details visit McAfee Avert Labs.

Distributed Open Proxy Honeypot Project

The Web Application Security Consortium (WASC) is pleased to announce the initial release of data collected by the Distributed Open Proxy Honeypot Project. This first release of information is for data gathered from January - April, 2007. During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data back to our central logging host.

Here are some brief highlights:

- Brute Force Attacks
- OS Command Injection
- Web Defacement Attempts
- Google-Abuses (Google-Hacking and Proxying for BannerAd/Click Fraud)
- Information Leakage
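A small added example of the kind of detection logic such a sensor needs, written for this post and not code from the WASC project: it parses proxy log lines in a common-log style format (the sample lines are constructed, not honeypot data) and maps requests onto the five categories above. The patterns are deliberately simple and are my own assumptions about what each category looks like in a log; the Google ad-domain rule in particular stands in for the click-fraud indicator. Brute force is the only rule that needs state across requests, counting 401/403 responses per client and target.

```python
import re
import urllib.parse
from collections import Counter

# Common-log style line: client ident user [ts] "METHOD absolute-URL HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Shell metacharacter followed by a common command, or a classic target file.
CMD_INJECTION = re.compile(
    r"(?:;|\||`|\$\(|\n)\s*(?:cat|id|uname|wget|curl|ls|sh|bash|nc)\b|/etc/passwd|/bin/sh", re.I
)
DORK_OPERATOR = re.compile(r"\b(?:inurl|intitle|intext|filetype|ext|site):", re.I)
CREDENTIAL_PARAM = re.compile(r"(?:^|&)(?:pass(?:word|wd)?|pwd)=", re.I)
DEFACE_METHODS = {"PUT", "DELETE", "MOVE"}
AD_DOMAINS = ("googlesyndication.com", "googleadservices.com")  # assumed click-fraud indicator
BRUTE_FORCE_THRESHOLD = 5  # 401/403 responses per (client, host, path) before we call it brute force


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urllib.parse.urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["query"] = urllib.parse.unquote_plus(parts.query)  # decode before matching
    return rec


def classify_request(rec):
    """Stateless per-request rules; first match wins, None if nothing matches."""
    decoded_url = urllib.parse.unquote_plus(rec["url"])
    if rec["method"] in DEFACE_METHODS and rec["path"].lower().endswith((".html", ".htm", ".php", "/")):
        return "web-defacement-attempt"
    if CMD_INJECTION.search(decoded_url):
        return "os-command-injection"
    if "google." in rec["host"] and rec["path"] == "/search" and DORK_OPERATOR.search(rec["query"]):
        return "google-hacking"
    if rec["host"].endswith(AD_DOMAINS):
        return "google-ad-proxying"
    if CREDENTIAL_PARAM.search(rec["query"]):
        return "information-leakage"  # credentials relayed in clear through the proxy
    return None


def analyze(lines):
    """Counter of findings; brute force is the one rule that needs state across lines."""
    findings = Counter()
    auth_failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1
            continue
        category = classify_request(rec)
        if category:
            findings[category] += 1
        if rec["status"] in (401, 403):
            auth_failures[(rec["client"], rec["host"], rec["path"])] += 1
    for count in auth_failures.values():
        if count >= BRUTE_FORCE_THRESHOLD:
            findings["brute-force"] += 1  # one finding per (client, target) pair
    return findings


# Constructed sample log lines (not real honeypot data).
SAMPLE_LOG = [
    *[f'10.0.0.5 - - [20/May/2007:10:00:{i:02d} +0200] "GET http://www.example.org/admin/ HTTP/1.1" 401 512'
      for i in range(6)],
    '10.0.0.9 - - [20/May/2007:10:01:00 +0200] "GET http://victim.example/cgi-bin/view.cgi?cmd=;cat%20/etc/passwd HTTP/1.0" 200 2048',
    '10.0.0.9 - - [20/May/2007:10:01:05 +0200] "PUT http://victim.example/index.html HTTP/1.1" 405 0',
    '10.0.0.12 - - [20/May/2007:10:02:00 +0200] "GET http://www.google.com/search?q=inurl:admin.php+intitle:%22index+of%22 HTTP/1.1" 200 9000',
    '10.0.0.12 - - [20/May/2007:10:02:30 +0200] "GET http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-0000 HTTP/1.1" 200 300',
    '10.0.0.20 - - [20/May/2007:10:03:00 +0200] "GET http://mail.example.net/login.php?user=bob&password=Secret1 HTTP/1.1" 302 0',
    'garbage line the sensor could not parse',
]


def demo():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for category, n in sorted(demo().items()):
        print(f"{n:3d} {category}")
```

Two things a real sensor has to do that this sketch does not: decode repeatedly (attackers double-encode to slip past a single unquote), and rate-limit the brute-force counter over a time window rather than over the whole file, otherwise a long-running log turns every busy client into a finding.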


State of Spam April 2007

Symantec's May ‘State of Spam’ report is now online. This month’s report highlights several interesting spam trends seen by Symantec.

One of the phenomena observed is a drop in image spam from 37% to 27%. The overall share of spam stayed stable at around 65%. Whether the drop in image spam is a general trend is too soon to conclude.

There is also a new twist on the Nigerian scam. Read the report for all the details.

(INSECURE) Magazine Issue 11

(INSECURE) Magazine Issue 11 is now available for download.


  • On the security of e-passports
  • Review: GFI LANguard Network Security Scanner 8
  • Critical steps to secure your virtualized environment
  • Interview with Howard Schmidt, President and CEO R & H Security Consulting
  • Quantitative look at penetration testing
  • Integrating ISO 17799 into your Software Development Lifecycle
  • Public Key Infrastructure (PKI): dead or alive?
  • Interview with Christen Krogh, Opera Software's Vice President of Engineering
  • Super ninja privacy techniques for web application developers
  • Security economics
  • iptables - an introduction to a robust firewall
  • Black Hat Briefings & Training Europe 2007
  • Enforcing the network security policy with digital certificates


Statistical Analysis of Internet Security Threats

There are an estimated 1.1 billion internet users worldwide. This paper gives a view of the kinds of threats, such as spam, phishing and viruses, these users are facing.
The conclusion is that user awareness is becoming more and more important as more users join the internet, which is also taking a bigger role in our day-to-day lives. The internet is full of useful resources, but not without risk; it's important to develop safe surfing habits.
In that vein, there was an interesting post on the McAfee Avert blog: How can I tell if an e-mail or Web site is “suspicious”?

Reading displays at a distance.

Well, I knew that CRTs are susceptible to an eavesdropping attack called Van Eck phreaking. A short explanation from Wikipedia:

The electron beam is deflected by several electromagnetic coils. The voltage in the coils is modulated at a high frequency and contains information related to the video image. These high frequency, high voltage signals create electromagnetic radiation that has, according to van Eck, "a remarkable resemblance to a broadcast TV signal".

So you could capture this broadcast and replay it on another screen. Protecting against this kind of compromising emanation is what TEMPEST is about; one possibility is shielding, so the signal does not leave the room.
A TFT/LCD screen works quite differently. Does that make you safe from interception? According to Markus Kuhn, apparently not:

With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time.

It makes you think about shielding more than just your network cabling. I first read about Van Eck phreaking in Neal Stephenson's novel Cryptonomicon. It's a nice read and you pick up some cryptography along the way!


It's all about the plugins

Well, as a security-aware internet user, you patch your systems, right? You even upgrade your browser from time to time? Very good! But don't forget about the plugins, such as Flash and QuickTime. Especially Apple's QuickTime, in which a vulnerability was found a while ago. Matasano explains the problem:

  • If you have the QuickTime for Java extensions installed (in other words, if you have QuickTime installed),
  • then a Java applet will be allowed to construct and play with QuickTime objects, which are backed with unprotected C code,
  • and specifically, some of those objects wrap pointers to memory tracked by a dynamic C library,
  • and unfortunately those objects are not careful enough with the values passed to them by Java code,
  • so Java applets can overwrite arbitrary process memory directly,
  • which they should never be able to do, because keeping Java applet code from touching memory directly is the whole point of the applet sandbox.

For more details, check their blog. And to finish it off, several Adobe products, including Photoshop, contain a buffer overflow. So keep your system up to date; it's becoming a real hassle.


Upcoming ticket sales for CCC2007

I'm looking forward to CCC2007. The ticket sale will start very soon! There is some indication of pricing available:

They won't be much higher than the prices of What the Hack - we are expecting 160 Euros +/- 20 Euros as the price for the standard plain ticket - which is rather cool, judged by the fact that the camp is a day longer and pretty much everything raised the prices (showers, for example, are 40% more expensive than they used to be at the camp 2003).

A possibility to preorder tickets with a lower price will be there, too. Please stand by some more days for the final prices, and we really hope that this “narrowed down” number will be already sufficient for your plannings.

PS: Reminder: The final submission deadline for our Call for Participation is May, 15th.

Follow their blog for upcoming news.

Bypassing Vista security and understanding stealth malware

Well, Vista isn't immune to security attacks. At the previous Black Hat briefings, two developers demonstrated that a rootkit can get itself loaded at boot time through what they call "custom boot sectors".
Since their tool "Vbootkit" loads itself into the kernel, it can do nearly anything on the system. The proof-of-concept code raises a command shell running in the context of the System account, starts the Telnet server, and more.

Vboot kit is a first-of-its-kind technology to demonstrate Windows Vista kernel subversion using a custom boot sector. Vboot Kit shows how custom boot sector code can be used to circumvent the whole protection and security mechanisms of Windows Vista. The booting process of Windows Vista is substantially different from the earlier versions of Windows. The talk will give you:

* details and know abouts for the Vista booting process.
* explain the vboot kit functionality and how it works.
* insight into the Windows Vista Kernel.

Luckily, the code isn't circulating in the wild, but they did provide binaries to several anti-virus vendors. In the future we may well see nasty malware abusing this technique.
This is actually somewhat old news. More up to date is the upcoming Black Hat briefing from 28 July until 2 August. Joanna Rutkowska, a Polish researcher, will demonstrate how to circumvent Vista security such as BitLocker encryption. More information below:

Understanding Stealth Malware, a unique hands-on training will be run by me and Alex Tereshkin at this year's Black Hat conference! You can register at the Black Hat website here. More about the training on the blog here.


How to analyse a compromised machine?

In the context of botnet remediation tools and techniques, here is a real-life example: an interesting blog post from describing the investigation of a compromised computer.

Some interesting points are:

  • defence in depth is important!
  • anti-malware isn't that effective anymore.
  • outbound firewalling is important, be strict!!!
  • sometimes simple tools can outperform expensive security appliances