The Pwnie Awards @ Blackhat

The Pwnie Awards, an annual award ceremony celebrating (or making fun of) the achievements and failures of security researchers and the wider security community, will be presented at Blackhat USA this week. The nominees are:

Pwnie for Best Server-Side Bug

  • Sendmail signal handler race condition
  • Solaris in.telnetd remote root exploit
  • Microsoft DNS Server RPC interface buffer overflow
Pwnie for Best Client-Side Bug
  • Unhandled exception filter chaining vulnerability
  • ANI buffer overflow
  • QuickTime Java extensions vulnerability
  • RSA signature forgery for a public exponent of 3
Pwnie for Mass 0wnage
  • QuickTime scripting bug used in a MySpace worm
  • ANI buffer overflow exploitable through IE and Firefox
Pwnie for Most Innovative Research
  • Temporal Return Addresses
  • Attacks on Uninitialized Local Variables
  • Heap Feng Shui in JavaScript
  • Exploiting Embedded Systems at CanSecWest 2007
  • Automated vulnerability auditing in machine code
Pwnie for Lamest Vendor Response
  • BMC Performance Manager SNMP Command Execution (BMC)
  • OpenBSD IPv6 mbuf kernel buffer overflow (OpenBSD team)
  • Detection bypass in Norman Antivirus (Norman)
  • EnCase vulnerabilities reported by iSEC (Guidance Software)
Pwnie for Most Overhyped Bug
  • BluePill - Joanna Rutkowska
  • MacBook Wi-Fi Vulnerabilities - David Maynor
  • www.exploitingiphone.com - Charlie Miller, Jake Honoroff, Joshua Mason
Pwnie for Best Song
  • Symantec Revolution - Symantec
  • Set I.T. Managers Free - Intel
  • Trade Secrets - Spamtec
  • Let's talk about Sec - anonymous

Firefox release fixes 0-day exploit

An update is out to address the Firefox 0-day exploit.

What's New in Firefox

SC Magazine Podcasts relaunched: The iPhone and its security impact

Click here for the first installment of the rejuvenated series, as reporter Dan Kaplan talks with Dave Marcus, security research and communications manager at McAfee Avert Labs, about the iPhone and what impact it might have on IT security. http://podcasts.scmagazine.com.


Damn Vulnerable Linux Strychnine+e605 released

Damn Vulnerable Linux Strychnine+e605 completes the IT security perspectives. This release includes all necessary tools, binary vulnerabilities and web vulnerabilities, all with sources. An additional knowledge base and external material, such as from the Honeynet Project, make DVL Strychnine+e605 the most vulnerable operating system for training purposes.

DVL Strychnine+e605 Direct Download ( SecurityDistro )

Download the distribution and run it in a virtual machine. Do not install it on your hard disk. Start the virtual machine.

The directory structure is ordered by application security ("appsec"), software protection ("crackmes"), and web security ("websec"). Instructions are located in each lesson directory. A solution is only included in a lesson directory if a community member has contributed a good one.

If you ever need root, use "sudo su"; no password is required.

Video overview of SANS/GIAC Training

From Stephen R. Moore:

A great overview for anyone thinking about taking SANS training and/or taking a GIAC certification.

Video found here.

... taken from the latest (IN)SECURE magazine.

German Blackhat speaker denied access to USA

Thomas Dullien, a German reverse engineering expert also known as "Halvar Flake", is the CEO and head of research at Sabre Security. After a 9 hour flight and a 4 hour interview he was put back on a plane to Germany. His denial appeared to be linked to his use of the visa waiver program to present Black Hat training as a private citizen instead of as a representative of a company.

"I was interviewed about who exactly I am, why I am coming to the U.S., what the nature of my contract with Black Hat is, and why my trainings class is not performed by an American citizen," he wrote in his blog. "After 4 hours, it became clear that a decision had been reached that I was to be denied entry to the U.S., on the ground that since I am a private person conducting the trainings for Black Hat, I was essentially a Black Hat employee and would require an H-1B visa to perform two days of trainings in the U.S."

He has given classes to the DoD, DoE, DHS and other government agencies, and he has attended and presented at Blackhat for the last seven years.


German law vs Security Tools: The fallout

Well, the German anti-hacker law is claiming its first victims. The KisMAC project has been discontinued:

There has not been a lot of time for KisMAC lately. However the motivation for this drastic step lies somewhere different. German laws change and are being adapted for "better" protection against something politicians obviously do not understand. It will become illegal to develop, use or even possess KisMAC in this banana republic (background: the change of § 202c StGB).
While I cannot do much about that for now, you probably can. Make copies of KisMAC and its source as long as the website is up! Do further development outside of Germany, even better outside the US and EU! If you are a German resident, you will need to fight for your rights.

The Phenoelit site also had to move outside Germany. The ban on tools is not black and white: security professionals can still use them, but much of the wording of the law is very vague and people in Germany are not taking risks. Experts warned the politicians about the negative impact, but they chose to ignore it. I happened to browse over to the site of CCC.de and saw it displayed an image before entering the site (see below).

It gave me a big smile. I will try to translate it but my German is basic. I take no responsibility for errors.

With the changed law, the German Government changed the internet back into a flower meadow. Since there are no more security problems, we don't need any security tools anymore.
Should you see any security issues on your systems, it's only an illusion. For more information, please contact the department of Justice.

Hacking (cracking!) was already illegal. Outlawing security tools only hurts the security community. GSM phones can be used as remote detonators; why don't we outlaw them? Because their benefit is greater than the possible misuse. Let's hope that things will change for the better.


Alliance for Enterprise Security Risk Management and ISSA

The Alliance for Enterprise Security Risk Management (AESRM) was formed in February 2005 by ASIS International, ISACA and the Information Systems Security Association (ISSA) to accelerate the adoption of converged approaches for enterprise security risk management.

Read more about the convergence between ISSA, ISACA and ASIS in the presentations given by these associations on September 5, 2006.

Blue Box #63: Cisco and Asterisk VoIP vulnerabilities, the "Athens affair" (Greek wiretapping), iPhones and Duke, IETF and SPIT, SunRocket flares out,

Number 63 is out.

Blue Box #63: Cisco and Asterisk VoIP vulnerabilities, the "Athens affair" (Greek wiretapping), iPhones and Duke, IETF and SPIT, SunRocket flares out, Skype phishing, VoIP security news and more...


Firefox 0-day exploit: Remote Command Exec

Once again, a flaw in URI handling allows remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW! This proof of concept shows flaws in Firefox, Netscape and Mozilla browsers… other browsers are affected by related vulnerabilities.

Check out the researcher's proof of concept. I tried it, yes it works. No update/patch for this. NoScript won't protect you. You can only UNREGISTER ALL UNNECESSARY URIs. :-(

Open Firefox and type 'about:config' in the location bar. Put 'network.protocol-handler.external' in the filter and set every unused URI scheme to false.

If you need those URI schemes and don't want to unregister them, you can at least require user confirmation: put 'network.protocol-handler.warn' in the filter and set them all to true.

Test it by using the proof of concept above.
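As an added example (not part of the original post and not Mozilla's own tooling), the script below reads the handler prefs out of a constructed prefs.js sample and emits the user.js lines for the two settings just described. The key names network.protocol-handler.external.<scheme> and network.protocol-handler.warn-external.<scheme> are the real Firefox prefs; the scheme list in the sample is made up. One caveat the script makes visible: a scheme that has no explicit pref is not safe, it just falls back to network.protocol-handler.external-default.

```python
import re

# Constructed sample of a Firefox prefs.js (not taken from a real profile).
SAMPLE_PREFS_JS = '''
user_pref("network.protocol-handler.external.mailto", true);
user_pref("network.protocol-handler.external.news", true);
user_pref("network.protocol-handler.warn-external.news", true);
user_pref("network.protocol-handler.external.telnet", false);
user_pref("network.protocol-handler.external.ftp", true);
'''

# Firefox keys: network.protocol-handler.external.<scheme> hands the scheme to an
# external program; network.protocol-handler.warn-external.<scheme> prompts first.
PREF_RE = re.compile(
    r'user_pref\("network\.protocol-handler\.(external|warn-external)\.([\w+.-]+)",\s*(true|false)\);')


def parse_handler_prefs(text):
    """Return {scheme: {"external": bool|None, "warn": bool|None}} for schemes named in prefs.js."""
    schemes = {}
    for kind, scheme, value in PREF_RE.findall(text):
        entry = schemes.setdefault(scheme, {"external": None, "warn": None})
        entry["external" if kind == "external" else "warn"] = (value == "true")
    return schemes


def unprotected_schemes(text):
    """Schemes explicitly handed to an external program with no confirmation prompt.
    A scheme that is absent from the file is NOT safe: it falls back to
    network.protocol-handler.external-default, so check that key as well."""
    return sorted(scheme for scheme, e in parse_handler_prefs(text).items()
                  if e["external"] is True and not e["warn"])


def hardening_prefs(schemes, keep):
    """user.js lines: unregister every scheme not in `keep`, force a prompt for the rest."""
    lines = []
    for scheme in sorted(schemes):
        if scheme in keep:
            lines.append('user_pref("network.protocol-handler.warn-external.%s", true);' % scheme)
        else:
            lines.append('user_pref("network.protocol-handler.external.%s", false);' % scheme)
    return lines


if __name__ == "__main__":
    risky = unprotected_schemes(SAMPLE_PREFS_JS)
    print("external handlers without a prompt:", risky)
    print("\n".join(hardening_prefs(risky, keep={"mailto"})))
```

Drop the generated lines into user.js in the profile directory and restart the browser; the about:config route in the post does the same thing one key at a time.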

Bonus: Hey, Mozilla: Quotes Are Not Legal in a URL
Update: NoScript (released yesterday) gives early protection against this exploit for those stuck with the stable release. A fixed version exists, but it's not (officially) released yet.

Rootkit detection tools

McAfee Rootkit Detective 1.0 is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

And for *nix: chkrootkit is a tool to locally check for signs of a rootkit. It contains a shell script, chkrootkit, that checks system binaries for rootkit modification. Below is a screenshot of a test run:

No hidden processes. No hooked services, but some hidden registry settings which seemed to be linked to DAEMON Tools. I often make ISOs of installation CDs like Checkpoint so I always have the packages and tools on my laptop with me. I'm less likely to lose/forget my laptop than CDs. I mount the CDs with DAEMON Tools and can access the files easily. One of the tools that makes my life easier.

Computer Forensics: Top 10 mistakes to avoid

What computer forensics is used for:

1. High tech investigation
2. Incident response
3. E-mail recovery and analysis
4. Data collection

According to this presentation, the top ten mistakes to avoid during a forensic investigation are:

  1. Not having a plan before incident
  2. "Looking around"
  3. Reversing the master and the slave at the acquisition
  4. Not using forensically 'sterile' media
  5. No or inadequate documentation
  6. Not having a good, unbroken chain of custody
  7. Not asking for help or asking too late
  8. Using pirated or unlicensed software to do the examination
  9. Using an examiner that misrepresents their background, training,...
  10. Not reading his book
For details and more explanation of all ten points, have a look at the slides.

Bonus: Computer Forensic Investigations (ASIS)
Bonus: Researchers find vulnerabilities in forensic software (Techworld.com)

CCCamp 2007: Will there be Internet?

We’ve secured sponsorship from various kind companies and individuals. We will deploy a fiber-based backbone around the campsite at 10 Gbps. All around the campsite, Datenklos will be deployed, where you can have your own cable plugged into the network for easy browsing in your tent.

Also, a wireless network will be deployed for 802.11a/b/g access, especially in the lecture halls.

The uplink off the campsite to the outside world will be 1 Gbps.

Please don’t trip over the fibers when strolling around! :-)

I can only say: WAUW! Picture of the 'Datenklo' below. The translation of the word becomes obvious! ;-)

PDF spammers moving to XLS (Excel)

The move from image spam to PDF spam has been accelerating, which suggests it is effective at bypassing filters. Anti-spam vendors are starting to react to this tactic, but the spammers are already making their next move: XLS spam.

They embed the message as an image inside the PDF to foil pdf2txt plugins, which makes analysis all the more difficult. Check whether your anti-spam product has an engine update to combat this. The spammers' creativity is forcing us to react faster.
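An added example, not from the original post or any anti-spam product: a Python triage heuristic that flags a PDF which draws images but never shows text, which is exactly what image-in-PDF spam looks like to a pdf2txt plugin. It builds two constructed PDFs inline (one image-only, one with a text object) so it runs offline, inflates FlateDecode streams with zlib and counts the text-showing operators (Tj/TJ). It does not look inside PDF 1.5 object streams or handle other filters, so treat it as a triage check, not a parser.

```python
import re
import zlib

STREAM_RE = re.compile(rb'stream\r?\n(.*?)\nendstream', re.S)
IMAGE_RE = re.compile(rb'/Subtype\s*/Image\b')
TEXT_OP_RE = re.compile(rb'\b(?:Tj|TJ)\b')   # text-showing operators in a content stream


def build_demo_pdf(content_stream, with_image):
    """Assemble a minimal PDF (no xref table; enough for this heuristic).
    Constructed for the demo, not a real spam sample."""
    objs = [b'<< /Type /Catalog /Pages 2 0 R >>',
            b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
            b'<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>']
    data = zlib.compress(content_stream)                 # FlateDecode, as real PDFs do
    objs.append(b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(data)
                + data + b'\nendstream')
    if with_image:
        objs.append(b'<< /Type /XObject /Subtype /Image /Width 1 /Height 1 '
                    b'/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n'
                    b'stream\n\xff\nendstream')
    out = b'%PDF-1.4\n'
    for num, body in enumerate(objs, 1):
        out += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    return out + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


def image_only_score(pdf_bytes):
    """Count image XObjects and text-showing operators. A PDF that places
    images but never shows text has nothing for pdf2txt to extract."""
    images = len(IMAGE_RE.findall(pdf_bytes))
    text_ops = 0
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass   # unfiltered stream, or a filter this triage check does not handle
        text_ops += len(TEXT_OP_RE.findall(body))
    return {"images": images, "text_ops": text_ops,
            "suspicious": images > 0 and text_ops == 0}


# Constructed inputs: an image-only page and a page with one text object.
SPAM_LIKE_PDF = build_demo_pdf(b'q 200 0 0 100 50 50 cm /Im1 Do Q', with_image=True)
TEXT_PDF = build_demo_pdf(b'BT /F1 12 Tf (Hello) Tj ET', with_image=False)

if __name__ == "__main__":
    print("image-only sample:", image_only_score(SPAM_LIKE_PDF))
    print("text sample:     ", image_only_score(TEXT_PDF))
```

Run it over quarantined attachments and feed the "suspicious" flag into your filter's scoring rather than blocking outright: legitimate scanned invoices look the same to this check, which is precisely why the spammers picked the format.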


Sophos Security Threat Report July 2007

The biggest change we have seen over the last three years is the rise in the web as a significant weapon in the cybercriminals’ armory. Now an indispensable business tool, the web is still a relatively unprotected route to the users’ desktops and laptops. Once infected, these compromised computers can be used to steal confidential data and trade secrets or to spam out millions of emails.

Sophos Security Threat Report July 2007

Free utility to scan for missing security patches

I keep my OS and browser up to date and I run an anti-virus scanner. Since Patch Mania, I check plugins such as Adobe and QuickTime as well. But how do I know, in a user-friendly way, if I got them all? What about all the other packages on my system? Since Windows patches by themselves are not enough anymore, I tried a free tool from Secunia.

Secunia Personal Software Inspector is an extension of the company's web based checker but is much more powerful. It's still in beta. Yesterday, I gave it a try. It's free for home users.

After installation, it wouldn't run. It gave me a DLL error. Fault of the beta status? No, I was still at SP1. I had skipped SP2 because it limited raw access to network sockets, among other reasons. Since I use live CDs like BackTrack anyway these days, I upgraded to SP2. But this also meant I needed to re-apply all patches since SP2. This was a major pain in the b*tt. So I decided to use AutoPatcher.

How many times did you have to leave your computer, after a format, to download the updates you had before it? How many times did you have to go do something else, leaving your friend's computer download the load of updates with their poor little dial-up modem? How many times have you wished for the updates to be portable from one computer to another and not require but a few mouse clicks to install?

The benefits are one download file, which I can reuse for other PCs, and one big upgrade operation limiting the number of reboots. It also has enhancement options to improve security and performance. For example, you can remove the IPC$ share and remote registry access, etc. Give it a try. It made my life easier.

After the whole upgrade process, Secunia PSI worked like a charm. Under the hood it uses Windows Update to check for the Windows patches and checks all other packages against a Secunia database over an SSL connection, so you need internet access (to Windows Update and the Secunia website) to run it. What was my score?

36 insecure programs out of 200 packages installed.

Oh my! I do upgrade most software, but it also seemed to find and report previously installed versions, probably leftover DLLs which are still present but no longer used. So these 36 insecure packages need to be viewed with a grain of salt. Whether these old files can be misused or removed is a question for another evening of experimentation.

For some software packages, it provides a direct link to the related upgrade (page), which is quite nice. The software is being licensed to other companies, so this functionality might pop up in other products.

Bonus: two anti-malware websites: StopBadware.org and Spyware Warrior

(IN)SECURE Magazine Issue 12

(IN)SECURE Magazine has released issue #12. The magazine is free and no registration is required. Have fun reading!


  • Enterprise grade remote access
  • Review: Centennial Software DeviceWall 4.6
  • Solving the keylogger conundrum
  • Interview with Jeremiah Grossman, CTO of WhiteHat Security
  • The role of log management in operationalizing PCI compliance
  • Windows security: how to act against common attack vectors
  • Taking ownership of the Trusted Platform Module chip on Intel Macs
  • Compliance, IT security and a clear conscience
  • Key management for enterprise data encryption
  • The menace within
  • A closer look at the Cisco CCNP Video Mentor
  • Network Access Control

Reverse engineering malware for beginners

Didier Stevens has an interesting article: Real Simple Reversing of a piece of malware.

The malware he analyses is written in the AutoIt scripting language and compiled to an EXE. The AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut) which provides a great opportunity to analyse it. Check out the article above for details.


Dutch Trendreport 2007 - Cyber crime in trends and figures

Zero days, spam, phishing and botnets. To many people, these are not familiar terms. However, these are everyday phenomena, which affect many organisations and individual home users. These terms are directly related to a development that has concerned me – and many others with me – for a long time: the growth of cyber crime. Cyber crime is on the increase in all sectors of society.

This is the reason for the statement in the Dutch government policy agreement, which came about in February 2007, that this increase should be resolutely combated. In addition to the blessings of the Internet - we have also formulated ambitious goals for the provision of online services - there are downsides to the openness and opportunities of the worldwide web.

The report from Govcert.nl

AudioParasitics Episode 11

In episode 11 (Part 1 of 2) , we are joined by Ahmed Sallam, the driving force behind McAfee's new Rootkit Detective tool. We discuss the long history of rootkit-like techniques, the current crop of stealth malware and rootkits, and we dive into the particulars of the new, stand-alone, Rootkit Detective utility.

As security professionals, we are consumed with the doing of our jobs. Protecting networks, securing hosts, decompiling malware…. You name it, we all do it. Sometimes what we do not have time for is taking a close look at the issues and trends that drive our industry. AudioParasitics was created with this goal in mind…. to dissect the issues, drivers and trends of security. One day we may discuss disclosure, another day zero-day trends, yet another it might be new rootkit functionality. No matter. Rest assured that AudioParasitics will be there to beat that issue into submission with its two opinionated hosts and a variety of the security industry’s finest minds. If you are looking for lists of malware and threats, look elsewhere. If you are looking for news on the latest malware in the wild…… sorry, wrong podcast.

If you are, however, looking for highly-caffeinated commentary and heated arguments on the tenets and pillars of the security industry… well then, we got your back.

AudioParasitics – Take the red pill.


CCC Camp 2007 Events version 0.24

Well, we are starting to get an overview of the events on CCCamp 2007. I have marked some of the interesting ones:

There will probably be more to come in the next two weeks.

Bonus: Strolling through a hacker camp's villages (Heise Security)

Bonus: KMZ placemark file to use with Google Earth (watch the satellites pictures of the event location). Mental note: bring tinfoil hat to blind the satellites ;-)

Toorcon conference videos online

Toorcon was held last May and you can now view the videos online at Google Video. To refresh your memory, some of the presentations were:

GPS navigation can infect your PC

I have decided to go for a TomTom navigation system for my car, in this case the Go 720 TMC model. It should be released in the coming week.
I wouldn't necessarily think of a hardware device like this, or even an MP3 player, as a source of infection, but it can be!
This was news in January. TomTom told people they could remove the malware with a virus scanner. Only a small number of TomTom Go 910 units produced between September and November 2006 were affected.
We are talking about two small files on the hard disk of the 910, the Perlovga.a virus and the Small.qp trojan downloader. The files are named 'copy.exe' and 'host.exe' in the root of the disk. No mention of a little 'we are sorry' in their article.

Old news? Actually no. According to Waarschuwingdienst.nl, old stock containing some of these TomTom 910s is still being sold during these summer months.
So 'patch your systems and keep your virus scanner updated' still applies, as always.


19th Annual FIRST Conference presentations online

Presentations given at the FIRST.ORG Seville conference are now available for download from the FIRST conference website. Some of the most interesting ones are:

There are more presentations than listed above. The whole list can be found here.

Blue Box #62: CAPTCHA for SPIT, covert channels, SIP Identity, is VoIP safe?, Fiji, Google, VoIP security news

Blue Box number 62 has been released. Enjoy the show here (podcast). Don't forget: if you are a CISSP, you can get CPE credits for listening to the show.

Show Content:


Botnet Update: FastFlux DNS, Clickfraud, book samples and Zunker twin

First a little present. You can download Alternative Botnet C&Cs - a free chapter from Botnets: The Killer Web App. A small treat from one of the authors.

Click fraud is the new spam. According to a study, botnets are boosting click fraud rates on ads:

Traffic from botnets doubled from the first quarter to the second quarter, the report says. The FBI estimates that more than 1 million PCs in the U.S. have been compromised by botnets and are being used to conduct fraud.

As you can see, the botnet count increased dramatically at the beginning of this year, and it's getting harder to shut them down. Botnets are now using fast-flux networks to prevent us from finding and shutting them down. The Honeynet Project has released a paper on these fast-flux networks:

One of the most active threats we face today on the Internet is cyber-crime. Increasingly capable criminals are constantly developing more sophisticated means of profiting from online criminal activity. This paper demonstrates a growing, sophisticated technique called fast-flux service networks which we are seeing increasingly used in the wild. Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.

What can be done about these fast-flux networks? According to the paper, ISPs and users should probe suspicious nodes and use intrusion detection systems, block TCP port 80 and UDP port 53 on end-user connections (flux nodes are compromised home PCs serving HTTP and DNS, so blocking those ports on consumer lines takes them out of the network), block access to the mother ship and other controller machines when detected, "blackhole" DNS and BGP route-injection, and monitor DNS.
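An added example that is not from the Honeynet paper or the original post: a small scoring function over successive A-record answers for one hostname, the "monitor DNS" item above in code. The lookups are constructed (TEST-NET addresses). Because it runs offline, the /16 prefix stands in for the ASN (a real deployment would map each address to its AS with BGP or whois data), and the thresholds are assumptions to tune, not values taken from the paper.

```python
import ipaddress

# Constructed DNS answers for one hostname, resolved four times a few minutes
# apart: each entry is a list of (A record, TTL). TEST-NET addresses, not real traffic.
FLUX_LOOKUPS = [
    [("198.51.100.23", 180), ("203.0.113.9", 180), ("192.0.2.77", 180)],
    [("198.51.100.23", 180), ("203.0.113.140", 180), ("192.0.2.201", 180)],
    [("203.0.113.9", 180), ("198.51.100.200", 180), ("192.0.2.15", 180)],
    [("198.51.100.77", 180), ("203.0.113.66", 180), ("192.0.2.77", 180)],
]
# A normal round-robin host for comparison: same two addresses every time, day-long TTL.
STATIC_LOOKUPS = [[("198.51.100.10", 86400), ("198.51.100.11", 86400)]] * 4


def flux_profile(lookups):
    """Summarise how the answer set for one name behaves over successive lookups."""
    ips = {ip for answers in lookups for ip, _ in answers}
    # Offline stand-in for "number of distinct ASNs": distinct /16 prefixes.
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    ttl_min = min(ttl for answers in lookups for _, ttl in answers)
    # churn: answers in each lookup that were absent from the previous one
    churn = 0
    for prev, cur in zip(lookups, lookups[1:]):
        seen = {ip for ip, _ in prev}
        churn += sum(1 for ip, _ in cur if ip not in seen)
    return {"unique_ips": len(ips), "prefixes": len(prefixes),
            "ttl_min": ttl_min, "churn": churn}


def is_fast_flux(lookups, min_ips=5, min_prefixes=3, max_ttl=300):
    """Assumed thresholds: many addresses, spread over many networks, short TTL."""
    p = flux_profile(lookups)
    return (p["unique_ips"] >= min_ips and p["prefixes"] >= min_prefixes
            and p["ttl_min"] <= max_ttl)


if __name__ == "__main__":
    for label, lookups in (("flux", FLUX_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(label, flux_profile(lookups), "fast-flux:", is_fast_flux(lookups))
```

A CDN will also show many addresses and short TTLs, but its addresses sit in a handful of networks belonging to one operator; the prefix (or, with real data, ASN) diversity is what separates it from a herd of compromised home PCs.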

Here is an excellent example of Fastflux: Base64 FastFlux Citibank Phish (with Three Registrars!)

In Battle of the Botnets we showed you Zunker. You could see how user-friendly the interface of a botnet can be: it's organized by country, and you can see how many bots you have, reports from each one, how much spam has been sent, and what software the bots have used to send the spam (Gmail, IM, forums, etc.).
Zunker is not alone anymore. In this article from Symantec you can see a similar interface to the previous one, so their evolution is going very fast. It's up to us to keep up.

4 Pentesttools: Sandcat, FTester, Selenium and Cuba

Some tools I stumbled upon. I will toy around with them next weekend.

Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.

The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.

Selenium is a test tool for web applications. Selenium tests run directly in a browser, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh. No other test tool covers such a wide array of platforms.

Cuba is a free database scanning tool that performs its work by looking into the database configuration for evidence of a vulnerability. In turn, it allows the project manager or the security engineer to identify possible weak spots that could be exploited by a malicious user

How to install nessus on backtrack

Nessus is not included by default on BackTrack because of licensing issues. If you did a hard disk install, you can install Nessus yourself:

1) Download the Nessus RPM from its site.
2) Use the rpm2tgz tool to convert the RPM to a .tgz package.
3) Run installpkg on the resulting .tgz.
4) Run the following commands:
cp -R /opt/nessus/lib/* /lib/
export PATH=$PATH:/opt/nessus/sbin (add nessus to your path)
/opt/nessus/sbin/nessusd -D (start the nessus server)
5) Download the Nessus client and install it the same way (rpm2tgz, then installpkg).
6) Run NessusClient and start scanning :)

Copying the Nessus libraries into /lib works, but it is a hack: adding /opt/nessus/lib to /etc/ld.so.conf and running ldconfig gets the same result without mixing vendor libraries into the system directory.

This applies for backtrack version 2. If you want to install nessus on Backtrack 3, see this newer post.

If you want other securitydistro tricks, you can read this previous post.


Information Security Management Top Ten

The ISM Community Top Ten is an awareness document that describes a series of key issues that organizations should immediately understand.

This Top Ten list describes key concepts that should be part of any effective information security program. Organizations can quickly compare their current information security program against this Top Ten list and determine if and whether they need to improve. This document does not attempt to address every issue, nor does it provide a blueprint for addressing corporate information security as a whole. It does, however, provide a collective list of the ten things we believe companies should be doing. The list also provides high-level guidance from many of the most experienced CSO’s and security experts in the industry with “tips and tricks from the field”. It is written from real world experience: it is not a thinly disguised product marketing paper and does not gloss over these important issues.

1. Obtain and Maintain Executive Sponsorship and Commitment
2. Encourage Company-Wide Support and Participation
3. Use, Adopt and Align to Industry Standards
4. Make it Easy for People to do the Right Thing
5. Document, Publish and Refine your Processes
6. Recognize that Training and Awareness is Key
7. Manage Risk, not Security
8. Manage with Facts and Numbers
9. Avoid the Compliance Trap
10. Leverage Corporate Business Initiatives

Harry Potter Pirate forgets camera serial number

The latest Harry Potter book was leaked onto the internet before the official release. What the culprit who photographed the pages forgot was that his camera's serial number is embedded in the image files' EXIF metadata. Of course, if he never registered the camera with Canon, tracing it will be somewhat harder. According to the suppliers, with the serial number alone you can only find out the year and month of manufacture. Maybe they can scan Flickr for pictures posted with the same serial number? ;-)

Source: Security.nl

Flaw in the Vista Windows Firewall

During the latest Patch cycle from Microsoft, they patched a 'flaw' in Vista:

Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)

Its severity rating was marked as moderate. This security update addresses the vulnerability by modifying the Windows Vista firewall default behavior to block unsolicited traffic communicating over the Teredo interface. Now, what is the Teredo interface?

Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs).

Although the flaw is marked as an information disclosure risk, Windows Vista users should apply the available patch as soon as possible.

"Due to an implementation issue, the Windows Firewall does not apply firewall rules correctly on the Teredo Interface. This allows a level of remote access to TCP and UDP ports and services that exceeds what Microsoft expected and what an administrator would expect. By design, Windows Firewall is supposed to block all access to ports on the Teredo interface, except for cases where access-through-Teredo is specifically requested (through the "Edge Traversal" flag in the firewall rule being set). However, due to a logic bug, it does not apply this restriction. Instead, any port that is accessible on the local network is also accessible from any host on the Internet over the Teredo interface, even if the firewall rule specifies "remote address=local subnet"," revealed Jim Hoagland and Ollie Whitehouse, security experts with Symantec.

So basically you can bypass the host firewall by sending unsolicited packets over the Teredo interface and reach services that were only meant to be exposed to the local subnet. If you can guess the Vista host's Teredo address, you can connect to TCP port 5357 (the WSDAPI listener) unless a network device in between filters it.
The same trick lets you scan for and detect hosts running the Vista host firewall.
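An added example, not part of the original post or the Symantec advisory: a Teredo address encoder/decoder following RFC 4380, which is the arithmetic behind "guessing the Vista Teredo host's address". A Teredo address is 2001:0000:<server IPv4>:<flags>:<NAT port XOR 0xFFFF>:<client IPv4 XOR 0xFFFFFFFF>, so once the client's public IPv4 and its Teredo server are known, what is left to guess is essentially the NAT-mapped UDP port (and any implementation-specific flag bits). The worked address is the example from the RFC; candidate_addresses is a hypothetical helper name of my own.

```python
import ipaddress
import struct

TEREDO_PREFIX = 0x20010000          # 2001:0000::/32, RFC 4380
CONE_FLAG = 0x8000                  # the one flag bit RFC 4380 defines


def decode_teredo(addr):
    """Split a Teredo IPv6 address into Teredo server, flags, NAT-mapped UDP port
    and the client's public IPv4. Port and client IPv4 are stored bit-inverted."""
    prefix, server, flags, obf_port, obf_client = struct.unpack(
        "!IIHHI", ipaddress.IPv6Address(addr).packed)
    if prefix != TEREDO_PREFIX:
        raise ValueError("not a Teredo address: %s" % addr)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone": bool(flags & CONE_FLAG),
        "port": obf_port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
    }


def encode_teredo(server, flags, port, client):
    """Inverse of decode_teredo: build the address from its four components."""
    raw = struct.pack("!IIHHI", TEREDO_PREFIX,
                      int(ipaddress.IPv4Address(server)), flags & 0xFFFF,
                      port ^ 0xFFFF,
                      int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv6Address(raw))


def candidate_addresses(server, flags, client, ports):
    """Hypothetical helper: the Teredo addresses a client behind a known server and
    public IPv4 can have, one per candidate NAT-mapped port. This is the search
    space left to an attacker who already knows server and client IPv4."""
    return [encode_teredo(server, flags, port, client) for port in ports]


# Worked value: the example address from RFC 4380.
RFC_EXAMPLE = "2001:0:4136:e378:8000:63bf:3fff:fdd2"

if __name__ == "__main__":
    fields = decode_teredo(RFC_EXAMPLE)
    print(fields)   # server 65.54.227.120, cone NAT, port 40000, client 192.0.2.45
    print(candidate_addresses(fields["server"], fields["flags"], fields["client"],
                              range(40000, 40003)))
```

The decoder is also useful on the defensive side: anything in 2001:0000::/32 in your IDS logs can be mapped straight back to the IPv4 host and NAT port it came from.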

CCCamp 2007 Workshops?! Where?! When?!

At the Camp there is no central workshop room/tent with a schedule at the door. But of course many people will organize workshops all over the Camp. If you are one of them and interested in other people knowing what you are up to use the template for workshops in the wiki. It is similar to the one for villages but a bot - the neinomat - crawls the wiki for these templates and generates a list of workshops from them. Have a look at the HyperHeroes to see how it works.

There will be no central workshop tent with mike and video projector but as the hardware geeks need some tools there will be a Hardware Lab at the Hackcenter. If your workshop includes some soldering or similar that will be the place to do it.


Funny video: All Online Data Lost After Internet Crash

eBanking, online booking, chatting, blogging etc... the internet is a part of our lives. What would our lives look like if the Internet was 'gone'?

It does make me wonder what the impact would be if a super-botnet army attacked some of the critical nodes on the internet. Is there a global crisis plan? I know that US-CERT visited Estonia after the cyberattacks.
Are US-CERT, ENISA and NATO talking to each other? Let's hope it's only a doomsday scenario. Funny video though.

Free ePO Vulnerability Scanner

Just wanted to give a quick heads-up that the eEye R&D team has put together a free Class C scanner (available here: http://www.eeye.com/html/downloads/other/ePOScanner.html) for the latest vulnerabilities found within McAfee ePO, CMA, and ProtectionPilot. These are some pretty serious vulnerabilities with a very large impact in networks where ePO/CMA/PP are installed, therefore warranting the free scanner.


F-Secure Re:Solution

Mikko Hypponen discusses the various aspects of Crimeware.


McAfee SiteAdvisor Phishing Quiz

Can you tell a fake Web site from a real one? Do you always know which e-mails are legitimate?

Take the McAfee SiteAdvisor phishing quiz and find out!

I thought I would get a 10/10 but I missed 2 apparently.

Rating: Safety Guru

I missed the Bank of America and Chase websites. I don't know those sites, but if I had read the text on the website more carefully, I might have spotted the spelling mistakes. What is your score? Or even better, what is the score of your manager? (see Spear Phishing)

Leave it in the comments! ;-)

Crypto-Gram July released

In this issue:

DVL Strychnine+e605 Trailer

Damn Vulnerable Linux Strychnine+e605 completes the IT security perspectives. This release includes all necessary tools, binary vulnerabilities and web vulnerabilities, all with sources. An additional knowledge base and external material, such as from the Honeynet Project, make DVL Strychnine+e605 the most vulnerable operating system for training purposes. Watch the trailer to learn more about the new release!

Five reasons restricting security tools is not like gun control

If you're not aware, in late May the German government passed a law making the possession of "computer programs whose aim is to commit a crime" illegal -- a crime punishable with up to a year of jail time, thereby treating computer programs in just the same way as guns.

Here is an article giving five reasons restricting hacking tools is not like gun control.

I have criticized this German anti-hacker law before, but I have read some comments that a professional security consultant is not committing a crime by performing a pen test or other security test under contract. Whether this exception to the law is a valid one, I cannot tell for sure. I will probably find out during CCCamp next month. Feedback is always welcome.

Privacy 2.0: Is Google still not evil?

A follow up on "What is the price of our Privacy?"

Especially the comments to these articles are sometimes very interesting. Some of the answers to "If you are not doing anything wrong, then you have nothing to hide" I liked were:
  • If I'm not doing anything wrong, then you have no cause to watch me.
  • Because the government gets to define what's wrong, and they keep changing the definition.
  • Because you might do something wrong with my information.
  • Who watches the watchers?
  • Absolute power corrupts absolutely.
Well, data mining is not bad as long as the process is transparent. It can benefit technology and our society as long as certain lines are not crossed. Google has been criticized a lot these last months for their retention policy. They have claimed that this was only according to the European Data Retention Policy. But the E.U. Data Directive doesn't require keeping this information. This Wired article investigates the claims:

There is no United States or E.U. law that requires Google to keep detailed logs of what individuals search for and click on at Google's search engine. It's simply dishonest to continually imply otherwise in order to hide the real political and monetary reasons that Google chooses to hang onto this data.

The article touches upon an interesting detail: if they lived up to their "Don't be evil" mantra, they could give us some options ranging from "Keep my data for 18 months" to "Clean out my data weekly. I'm not interested in personalization."
Very good suggestions. Give us the option to control the data about us. Those who want "enhanced" searches can still have them. It's the default setting anyway.

Bonus: Google Knows All, Or Close Enough To Raise Concerns (CNNMoney.com)
Bonus: Google Odyssey 2012 - "I’m sorry Dave, I’m afraid I can’t do that" (marketingpilgrim.com)


One out of 5 Belgian surfers uses Firefox

An interesting article from Zdnet.be. With a 21% market share, Belgium is about average compared to other European countries. Firefox is used most often in Slovenia, at 47.9 percent. Read the article for more details (notice: it's in Dutch).

I think this is a good evolution. It doesn't matter whether Firefox or Internet Explorer is the most performant and secure browser. Diversity is just good. Not only does it give us a choice, a vulnerability in one product also doesn't expose us all at once. I would have liked to see a third one gaining in market share. Maybe I'm just dreaming.

Browser Statistics Month by Month

2007       IE7     IE6     IE5     Fx      Moz     S       O
June       19.7%   37.3%   1.5%    34.0%   1.4%    1.3%    1.8%
May        19.2%   38.1%   1.5%    33.7%   1.3%    1.4%    1.7%
April      19.1%   38.4%   1.7%    32.9%   1.3%    1.5%    1.6%
March      18.0%   38.7%   2.0%    31.8%   1.3%    1.6%    1.6%
February   16.4%   39.8%   2.5%    31.2%   1.4%    1.7%    1.5%
January    13.3%   42.3%   3.0%    31.0%   1.5%    1.7%    1.5%
(Fx = Firefox, Moz = Mozilla, S = Safari, O = Opera)

So Firefox is still gaining in share. I have used it since version 0.6 and I still prefer it as my main browser together with some of my favorite extensions:
Firefox 2

If you don't like firefox, try Opera or Safari. Diversity is good for our security.

Back to the game

I took a few days off to recharge my batteries but I'm back to go at it with 200%. I went somewhere where you could eat excellent "fruits de mer" fresh out of the ocean. ;-)


Patch Mania UPDATE: Oracle joins the rest

On the heels of the updates from Apple, Cisco, Adobe, Symantec and McAfee, Oracle is doing its own release this July 17th. They are possibly preparing a release of 46 patches. Oh my.

Oracle Database Executive Summary

This Critical Patch Update contains 20 new security fixes for the Oracle Database including 1 new security fix for Application Express. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. None of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed.

Oracle Application Server Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Application Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. 2 new fixes are applicable to client-only installations, i.e. installations that do not have Oracle Application Server installed.

Here is the full announcement.

Microsoft launches Malware Protection Portal and a Removal Kit

Microsoft launches Version 1 of the Microsoft Malware Protection Center Portal. The features (amongst others) are:

- Access to the MS malware encyclopedia.
- Download the MS antivirus and/or antispyware signatures.
- Threat and Potentially Unwanted Software Telemetry.
- Microsoft Security Intelligence Report.
- Tools and Resources.

An example of one of the tools is the Malware Removal Starter Kit: "It uses the Windows Preinstallation Environment in combination with free anti-malware programs ... the kit provides you with a low-cost, effective strategy and tool recommendations that you can use to remediate malware attacks."

The company also published an extensive article on TechNet that discusses the kit along with a list of tools that you'll need, including the Windows Automated Installation Kit (AIK) which comes with Windows PE.


Webseminar: Cross-Site Request Forgery

For those interested in learning about Cross-Site Request Forgery (CSRF), WhiteHat is hosting a webinar on July 24, 2007 at 11:00 AM PDT. This is about the basics, the ins and outs, and solutions in straightforward terms. If you want to attend, registration is free. The description is below:

Cross-Site Request Forgery (CSRF). Session Riding. Client-Side Trojans. Confused Deputy. Web Trojans. Confused? Every year, for the past several years, the exact same Web attack is discovered, analyzed, and subsequently renamed. Whatever it's called, it all means the same thing: An attacker is forcing an unsuspecting user’s browser to compromise their own banking, eCommerce or other website accounts without the real user’s knowledge.

Attackers have begun to actively exploit CSRF vulnerabilities across the Web. Why now? Because it's incredibly easy and the vast majority of websites are vulnerable to it. How do you stop an attack originating from a “real user,” who appears to be properly logged-in, and making a legitimate request - except that they did not intend to make the request?

Jeremiah Grossman will:
- Define Cross-Site Request Forgery
- Provide live, technical demonstrations
- Offer solutions to this growing problem
- Present strategies for complete website vulnerability management
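The question the description raises (how to tell a request the logged-in user intended from one their browser was tricked into sending) is answered by checks the session cookie alone cannot provide. The following is an added example, not WhiteHat's material, of a session-bound synchronizer token combined with an Origin/Referer check; the site origin, session id and request contents are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo secret; a real deployment keeps this out of source control.
SERVER_SECRET = b"constructed-demo-secret"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token: random nonce plus an HMAC binding it to the
    session, so a token harvested from one user is useless with another
    user's cookie and nothing per-token has to be stored server-side."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: Optional[str],
                     secret: bytes = SERVER_SECRET) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def same_site_origin(headers: Dict[str, str], site_origin: str) -> bool:
    """Independent second check: browsers attach Origin (or at least
    Referer) to cross-site POSTs and the attacking page cannot forge
    either header, so a state change must come from our own origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    return headers.get("Referer", "").startswith(site_origin + "/")


def authorize_state_change(session_id: str, headers: Dict[str, str],
                           form: Dict[str, str], site_origin: str) -> Tuple[bool, str]:
    """Gate for any request that changes state (transfer, password change).
    The session cookie proves nothing here: the browser sends it on the
    forged request too, which is the whole point of CSRF."""
    if not same_site_origin(headers, site_origin):
        return False, "origin mismatch"
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed sample traffic: one session id and two POSTs that both carry
# the session cookie, only one of which the user intended.
SITE = "https://bank.example"
SESSION_ID = "sid-4f2a9c"
LEGIT_TOKEN = issue_csrf_token(SESSION_ID)
LEGIT_POST = ({"Cookie": f"sid={SESSION_ID}", "Origin": SITE},
              {"to": "ACME Savings", "amount": "50", "csrf_token": LEGIT_TOKEN})
# Forged from a page on another site: the cookie is attached by the browser,
# but that page could neither read the token nor set Origin to our site.
FORGED_POST = ({"Cookie": f"sid={SESSION_ID}", "Origin": "https://evil.example"},
               {"to": "Mule Account", "amount": "5000"})

if __name__ == "__main__":
    for name, (hdrs, body) in (("legit", LEGIT_POST), ("forged", FORGED_POST)):
        print(name, authorize_state_change(SESSION_ID, hdrs, body, SITE))
```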

Patch mania: Updates from Apple, Cisco, Adobe, Symantec and McAfee

A lot of sites reported on Patch Tuesday, July Edition describing the released Microsoft patches. But other vendors are riding on this wave to release their patches as well. I hope you noticed:

  • Adobe also released several patches, including one for Flash Player. Since a lot of sites use Flash, it's recommended you also pay attention to this one.
  • Cisco also released two critical patches for their Cisco Unified Communications Manager (advisory 1, advisory 2).
  • In the third place, Symantec plugged a heap buffer overflow vulnerability that affects the Symantec Backup Exec for Windows Servers software. Symantec reports that the attacker may also potentially be able to execute arbitrary code on the affected system.
  • Apple is patching at least eight vulnerabilities that could cause code execution attacks on Mac OS X, Windows XP and Windows Vista systems.
  • Last but not least, McAfee fixed four different memory corruption vulnerabilities in the Policy Orchestrator Agent.
So please pay attention to other patches besides Microsoft's alone. Try to have a healthy patch management practice.

How to pass your Checkpoint Certification

Yesterday I passed my CCSE 156-315.1 exam with a score of 81%. Here are some pointers. The easiest choice is to follow the official training if you can.
There is the Check Point Security Administration NGX I Rev 1.1 course that will teach you the basics and prepare you for the CCSA NGX exam, and the Check Point Security Administration NGX II Rev 1.1 course that will prepare you for the CCSE NGX exam.

If you don't have the time or budget to follow official training, you can do it yourself. Check out the exam objectives from the links above. Download the documentation from their site and download the software. You will need to register a Usercenter account in order to do this. Or you can download it preinstalled as a Virtual Appliance. It's better to try the installation yourself, so you can download VMware for free and install SecurePlatform from the Checkpoint CDs.
Try out as many features as possible. Ideally, try to have at least 6 months of experience with the product.

Additionally, the Checkpoint Usergroup Forums are also a great source of information you can use for your studies or even your professional work. There is also the official Checkpoint Knowledgebase, SecureKnowledge, but from experience I know you won't always find everything in there. So to finish this, I wish you good luck with your certification!


Update on the Internet Explorer 0-day exploit

Well, the 0-day exploit for Internet Explorer could only be exploited through Firefox, so if you didn't have Firefox installed, you weren't vulnerable. There has been a lot of discussion whether it's a Firefox or IE flaw:

[ UPDATE: July 10, 2007 @ 12:19 PM ] Security researchers are in disagreement over whether this is a vulnerability in IE or Firefox. Larholm and Symantec’s DeepSight researchers insist it’s a bug in the way IE validates certain inputs but Secunia’s research team claims this is a Firefox issue.

Secunia CTO Thomas Kristensen sent me the following via e-mail:

To avoid any possible confusion, I just wanted to let you know that Secunia - as always - have tested and analysed the alleged zero-day in IE that was reported earlier today.

This is in fact NOT an IE issue - it is a Firefox issue.

Since Firefox, a new URI handler was registered on Windows systems to allow websites to force launching Firefox if the “firefoxurl://” URI was called (like ftp://, http://, or similar would call other applications).

However, the way in which the URI handler was registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when firefoxurl:// is activated. Due to the implementation of the “-chrome” parameter, it became possible to inject code that would be executed within Firefox.

Running JavaScript in “chrome” context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user.

Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application (i.e. how should Windows know that the string “-chrome” could be dangerous for Firefox?).

Windows will only filter certain non-application specific meta characters; anything that is specific for the application called by the URI handler must be handled by the application itself.

Improper usage of URI handlers and parameters supplied via URIs has historically caused problems for many vendors including Microsoft, Apple, Mozilla, certain Linux projects, Opera, and others.

I’ve pinged Microsoft, Larholm and the folks at Mozilla to try to get to the bottom of this. Will update this post as necessary.

[ UPDATE: July 10, 2007 @ 2:08 PM ] Mozilla security chief Window Snyder comments:

“We are aware of this issue and we are developing a fix. Mozilla is committed to delivering the safest online experience for its users.”

This from the Microsoft Security Response Center:

Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.

Still waiting for word from Larholm…

Larholm’s response, sent to me via e-mail:

Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping ” (quote) characters.

The latter can be evidenced by the fact that you can inject arbitrary arguments to a wide range of other URL protocol handler applications, such as irc:// (mIRC), aim:// (AOL Instant Messenger), hcp:// (Windows HelpCenter) and mms:// (Windows Media Player) to name just a few.

This is a generic flaw in Internet Explorer that has been left unpatched since at least 2004.
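The two explanations above agree on the mechanism: the launcher substitutes the whole URI into the handler's command line, and an unescaped quote turns one URI into several arguments. The following added example (not Secunia's, Larholm's or Mozilla's code) models that expansion with a hypothetical handler registration and a simplified Windows-style tokenizer, then shows the handler-side validation Kristensen says the application itself must perform. The template path, the scheme "exampleurl" and the switch "-example-flag" are constructed placeholders.

```python
import re
from typing import List, Optional

# Hypothetical registration of the kind a browser writes for a custom
# scheme; the launching application replaces %1 with the full URI.
HANDLER_TEMPLATE = '"C:\\Program Files\\Example\\app.exe" -url "%1" -requestPending'


def win_argv(cmdline: str) -> List[str]:
    """Simplified Windows command-line tokenizer: whitespace separates
    arguments and double quotes group them (backslash-quote escaping is
    omitted; it does not change the point made here)."""
    argv: List[str] = []
    cur: List[str] = []
    in_quotes = have_token = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                argv.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        argv.append("".join(cur))
    return argv


def expand_naive(template: str, uri: str) -> List[str]:
    """What a launcher does when it substitutes %1 without escaping: a
    quote inside the URI closes the quoted argument early and whatever
    follows becomes additional, externally chosen arguments."""
    return win_argv(template.replace("%1", uri))


# One URI of our scheme, printable ASCII only, no quote (0x22) or space.
SAFE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://[\x21\x23-\x7e]*$")


def validate_uri(uri: str, scheme: str) -> Optional[str]:
    """Handler-side check: the application must reject input that could
    ever become more than a single argument of its own scheme."""
    if not SAFE_URI.match(uri) or not uri.lower().startswith(scheme + "://"):
        return None
    return uri


def handler_args(template: str, uri: str, scheme: str = "exampleurl") -> Optional[List[str]]:
    """Hardened expansion: argv for a clean URI, None for anything else."""
    if validate_uri(uri, scheme) is None:
        return None
    return expand_naive(template, uri)


# Constructed inputs: a normal URI and one carrying a stray quote followed
# by a placeholder switch (-example-flag stands in for any real option).
GOOD_URI = "exampleurl://site.test/page"
BAD_URI = 'exampleurl://site.test/" -example-flag "injected'

if __name__ == "__main__":
    print(expand_naive(HANDLER_TEMPLATE, GOOD_URI))  # 4 argv entries
    print(expand_naive(HANDLER_TEMPLATE, BAD_URI))   # 6 argv entries
    print(handler_args(HANDLER_TEMPLATE, BAD_URI))   # None
```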


How to secure your browser (against 0-day exploits)

Well, there are a number of things you can do to protect your browser, even if you are already running the excellent NoScript plugin for Firefox.

This document from CERT/CC explains what additional steps you can take to secure your browser. The highlights for Firefox are:

  • Set it up as the default browser.
  • Only accept cookies from the originating site.
  • Use a master password.
  • Deactivate Java support.
  • Deactivate all JavaScript-specific settings.
  • Give a warning for all sites attempting to install a plugin.
  • Don't open media files automatically; download them instead.
  • Remove all private information.
And to top it off, here is a brand new Internet Explorer 0day Exploit.

There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols.

I'm not saying that Firefox is foolproof, but personally I still prefer Firefox. It may be worth noticing that NoScript users have been protected against attacks of this kind since June 22nd.
And of course, in worst case, backup your critical data on a regular basis.

8 ways to beat a security audit

Your policies are in place and your environment is locked up. But there can still be security flaws in there. That is why you have auditors to help you find them. They are not the bad guys. They are here to help you. Really!
Here is an interesting article from Dark Reading: Eight ways to beat a security audit:


SecurityDistro Tutorials

Some interesting tutorials to use with Backtrack or Labrat:

Symantec's State of Spam July 2007

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.

Other spam trends noted for the month of June were:

  • Father’s Day spam that peddled the usual "Dad" items such as golf clubs, cards and cigars

  • Directory harvest attacks (DHA) that took a more simplified approach to gathering legitimate email addresses

  • An attack offering free money to start a business merely by calling a phone number
  • Emails with subject lines regarding current affairs, as well as bodies peddling medical spam

Marketplace for 0-day vulnerabilities

This news has been popping up here and there. The Swiss security firm WabiSabiLabi is a marketplace for zero-day vulnerabilities. The founders want to provide security researchers a fair price for their hard work. Often when a vulnerability is published, you have a better chance of getting sued than of getting rewarded. Also, by providing a 'legal' alternative, they want to avoid some researchers being tempted to go to criminals on the black market.
I still think this is somewhat in the grey area. But of course, if companies would reward the people that help them secure their products, maybe it wouldn't come to this. That doesn't mean I think this is the way to solve it. The site is already offering some vulnerabilities for a few thousand dollars. How can you protect your company against a 0-day?

The CEO of Immunity (makers of Canvas), Justine Aitel, gave a presentation on “The IPO of 0day”.
In the last slide of her presentation, you see Vista is recovering from a remote kernel 0day (no exploit is perfect!). So there are remote exploits for Vista out there. But why don't we know about them?
The reason Windows Vista appears to have such a good security track record is that a vulnerability in Vista is not something you would give up.

Some 0-day statistics as of June 16 2007:

  • Average 0day lifetime: 348 days
  • Shortest life: 99 days
  • Longest life: 1080 days (3 years)

The moment a vulnerability is published, remember it has been in there since the beginning!!! Not just from the moment it is published. So how can you protect yourself?

Assume your product has a 0-day and try to prove yourself wrong. Try to have an independent party provide a security assessment, be it for a product you are buying or one you are developing yourself.
Find out which services of your organization are exposed to the public. Have a live assessment by asking for pentesters who are skilled enough to find 0-days and write exploits themselves. These are not the people who only run automated vulnerability scanners.

Running automated tools alone is very inadequate for finding ALL application vulnerabilities, or should I say it's near impossible. According to a spring presentation during New York’s OWASP meeting, all application tools together can find 45%, with little overlap between the tools.

And last but not least, in case it happens anyway, don't forget to have incident response procedures and test them!

Mythbusters vs Biometrics

MythBusters is a U.S. popular science television program on the Discovery Channel starring special effects experts Adam Savage and Jamie Hyneman, who use their skills and expertise to test the validity of various rumors and urban legends in popular culture.

Some of the Myths I have seen were:

  • Can a standard CD-ROM drive shatter a CD?
  • Can a cell phone really cause a plane to crash?
This time, they are going to tackle fingerprint scanners:




FOSDEM2007 Security videos

I noticed there was a security track for FOSDEM 2007. Sadly, I couldn't make it. What is FOSDEM?

The seventh Free and Open source Software Developers' European Meeting is a 2-day event, organized by volunteers, to promote the widespread use of Free and Open Source software. Taking place in the beautiful city of Brussels (Belgium), FOSDEM meetings are recognized as "The best Free and Open Source events in Europe."

Security Track

BUT the videos are online (here is a Belgian mirror: Belnet). Enjoy.


Analysis of a phishing attack on Argenta, a Belgian Bank

Phishing is a social engineering attack on end users. Bank customers especially are targeted a lot. I found a blog investigating a phishing attempt on Argenta, a Belgian bank. Here is the full analysis (in Dutch, from Knudde.be).
I tried Babelfish but the translation was horrible. You can try it for a good laugh. So here is a translation from myself. I take no responsibility for the correctness of the translation. ;-)

Argenta, for example, currently has a notice on its website warning about "Argenta Finance Bank". Unfortunately it stops at displaying this warning.

So, let's Rock and Roll

From the real Argenta Site:

Argenta wants to warn its clients about the activities of Argenta Finance Bank,
which claims to offer banking services from the Rodestraat in Antwerp.
This organisation operates illegally and without the required licences and makes
unlawful use of the Argenta brand name. There is no connection whatsoever between
Argenta Spaarbank N.V. and this organisation, and we therefore advise against
accepting any offer from this organisation.

"Argenta Finance Bank" == http://www.onlineargenta.com/
The site is not bad looking but neither is it professional.

The first noticeable element is the mention of "Western Union" on their first page.

Maybe you should read this:


Information gathering

Ok, what's not right in this picture:


The site opens a frame and all the links contain a URL beginning with "xyueyhwhhayya000001jskanyuw.50webs.com".

So the site is hosted at 50webs.com.
Very strange for a bank, but it's only indirect evidence.


The domain is registered by:
jerry thombson (annabel.march3@googlemail.com)
8 Arizona St. ,
Bisbee, 85603

There is already an inconsistency between the name and the email address, and this probably isn't even the real person who registered the domain.

The domain is also very recent. Creation date: 20 May 2007 11:02:42

Also very strange, since Argenta has existed for a much longer period. In any case, it's obvious that something fishy is going on.

Contact data

The photos of the people on the website have strange names. Some pictures contain names while the displayed name is different.

The address seems to be in Antwerp but the phone numbers are from Brussels. Another inconsistency.

Argenta doesn't have an office at the mentioned address. Probably there is nothing to find there, but I didn't check.

OK, number tracing 101: +32-2-747-0975, +32-2-747-0974, +32-2-791-9303
3 numbers in 2 different series, and no info about them from the local telco provider.

A simple trick teaches us that the "normal" phone numbers are hosted with "Realroot", a Belgian firm who is, let's say, not very selective with their business partners.


Drakenhoflaan 54
B-2100 Deurne
Tel. +32 3 747 00 00
Fax. +32 3 747 99 99

The trace of the fax number leads me through "Colt Telecom" to "J2 Global Ireland ltd".

j2 Global Ireland Ltd
Woodford Business Park, Unit-3
Santry, Dublin 9

Both are "transfer" firms where you can rent local numbers to forward to other numbers. Both enterprises have no information about the customer behind these numbers.

Login page

The login page from the site goes somewhere totally different: ebancargentanet.cogia.net.
The page is hosted by 100WebSpace.com, which is a free web hosting service. (Very strange for a bank.)

During the "so-called login" and the registration nothing visible happens. But you can be sure that the login information is stored. The connection isn't encrypted either.

Apparently there is a MySQL DB behind it, as the following error suggests:

Warning: mysql_pconnect(): Too many connections in
/home/www/ebancargentanet.cogia.net/argenta/adodb/drivers/adodb-mysql.inc.php on line 354

Too many connections

The error and the URL teach us something more: "ebancargentanet"

"ebanc" -> e-bank. Which language do the "culprits" speak?
"argentanet" -> Argenta.net also exists.

Probably an old version of argenta.net pointing to the login page from cogia.net.

111 State and Broadway
Lovington, IL 61937

Record created on 04-Nov-1998.
Database last updated on 6-Jun-2007 10:40:31 EDT.

Hmmm, recent activity.

http://ebancargentanet.cogia.net/argenta/ is an open directory.

The players


-Realroot for the telephone numbers (+32 3 747 00 00)
-J2 Global for the fax number (+35 3 1 656 4909)
-50webs.com, for the main website (abuse@50webs.com)
-cogia.net (100WebSpace.com), for the login page (http://www.100webspace.com/about_us/report_abuse.html)

So it's trivial to get the website offline which is the case at this moment.

Very nice. This also satisfies my curiosity about Belgian companies being under attack. At last some examples. If you notice Belgian phishing attempts yourself, please report them to E-cops (FCCU).
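Several of the signals the analysis collects by hand (every link and frame pointing off-site, a login form posting to a third domain over plain HTTP, free web hosting, a domain registered only weeks ago) can be checked mechanically when you triage a reported page. Here is an added example, not code from Knudde.be or this blog; the HTML is constructed from the hosts named above, the free-hosting list is a constructed starting point, and the "today" date is an assumed analysis date.

```python
from datetime import date
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Free hosting providers seen in the analysis (constructed list, extend as needed).
FREE_HOSTS = ("50webs.com", "100webspace.com", "cogia.net")


class _PageCollector(HTMLParser):
    """Collect link/frame targets, form actions, and whether a password field exists."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self.forms: List[str] = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") or a.get("src")
        if tag in ("a", "frame", "iframe", "script", "img") and target:
            self.links.append(target)
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _site(host: str) -> str:
    """Crude registrable domain: last two labels (enough for .com/.net)."""
    return ".".join(host.split(".")[-2:])


def phishing_indicators(page_url: str, html: str, created: Optional[date] = None,
                        today: Optional[date] = None) -> List[str]:
    p = _PageCollector()
    p.feed(html)
    own = _site(_host(page_url))
    findings: List[str] = []
    offsite = [u for u in p.links if _host(u) and _site(_host(u)) != own]
    if p.links and len(offsite) == len(p.links):
        findings.append(f"all {len(offsite)} links/frames point off-site ({_host(offsite[0])})")
    for action in p.forms:
        if _host(action) and _site(_host(action)) != own:
            findings.append(f"form posts to another domain: {_host(action)}")
        if p.has_password and urlparse(action).scheme == "http":
            findings.append(f"password form submits over plain HTTP: {action}")
    hosts = {_host(page_url)} | {_host(u) for u in p.links + p.forms}
    free = sorted(h for h in hosts if any(h == f or h.endswith("." + f) for f in FREE_HOSTS))
    if free:
        findings.append("free web hosting in use: " + ", ".join(free))
    if created and today and (today - created).days < 90:
        findings.append(f"domain registered only {(today - created).days} days ago")
    return findings


# Constructed sample mirroring the analysis: a frame and a link to the
# 50webs.com subdomain, and a login form posting to cogia.net over HTTP.
SAMPLE_URL = "http://www.onlineargenta.com/"
SAMPLE_HTML = """
<html><frameset><frame src="http://xyueyhwhhayya000001jskanyuw.50webs.com/"></frameset>
<a href="http://xyueyhwhhayya000001jskanyuw.50webs.com/">Home</a>
<form action="http://ebancargentanet.cogia.net/argenta/" method="post">
<input type="text" name="user"><input type="password" name="pass"></form></html>"""


def sample_findings() -> List[str]:
    """Run the sample with the WHOIS creation date and an assumed analysis date."""
    return phishing_indicators(SAMPLE_URL, SAMPLE_HTML, date(2007, 5, 20), date(2007, 6, 10))


if __name__ == "__main__":
    for f in sample_findings():
        print("-", f)
```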

Newsflash (06/10/2007): Russian mafia cracks three Belgian banks