Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

Sunday

OWASP WebGoat Version 5.0 released

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

  • Cross Site Scripting
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • ... and many more!
Download WebGoat 5.0 now

Posted by Security4all at 30.9.07 0 comments

Labels: application vulnerabilities, pentesting

Performance Measurement for Information Security


I still have to finish the security book lying on my desk but I wanted to give a sneak peek of the next book in line: Security Metrics: Replacing Fear, Uncertainty, and Doubt

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.

Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.


In related news, this draft just got released: NIST Special Publication 800-55 Revision 1 - Performance Measurement Guide for Information Security (Draft)


This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. This guide indicates the effectiveness of security controls applied to information systems and supporting information security programs.

Bonus: The Four Dirty Questions of Measuring Information Security (Intel.com)

BONUS (12/10/2007): A Guide to Security Metrics - This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.

Posted by Security4all at 30.9.07 0 comments

Labels: books, risk

SCADA: Hacking critical infrastructures

Supervisory Control and Data Acquisition (SCADA) and industrial control systems are often based on proprietary networks and hardware. They used to be isolated from the internet and were considered immune to cyberattacks, but this has changed.



Last week, a video (globeandmail.com) circulated on a lot of sites, demonstrating a theoretical attack on an electrical turbine.

In Belgium, one computer network went down during the Y2K timeframe: the SCADA network for incident control at our nuclear power plants in Doel and Tihange. In the US, it took a hacker 2 weeks to penetrate and more or less 'own' a nuclear power plant network. Don't forget that the Slammer worm crashed the Ohio nuke plant network.

Eurosafe covers safety and security problems in and around the nuclear industry, but it is solely focused on the environmental and mechanical aspects of security.

Here are some more SCADA security resources, check out the presentation for more insecurity examples:

  • White Paper Best Practices for Securing SCADA Networks and Systems in the Electric Power Industry (Symantec)
  • Presentation SCADA (in)security (HITB Conference)
  • NIST 800-82 Second Public Draft - Guide to Industrial Control Systems (ICS) Security

Posted by Security4all at 30.9.07 0 comments

Labels: networking, risk, security

Hacker toolkits sold on eBay

Exploiting software, phishing and spamming aren't the only lucrative options for Blackhats. Selling hacker software among themselves or to script kiddies is also a commercial activity.

You don't need to know the underground websites or IRC channels where they are sold. Just go to eBay! (Google Cache)

This shows us the development of trade networks that support e-crime on the internet. High-level hacking tools, including trojan loaders and Web site hacking utilities, are being made available to almost any internet user.

Some statistics about the underground economy behind it, can be found in the Symantec Internet Security Threat Report (page 13).

Posted by Security4all at 30.9.07 0 comments

Labels: crime, fraud

How to run Solaris 10 under VMware

I needed to experiment with some security features of Solaris. Since Solaris 10 runs on x86, I decided to download it and run it on a virtual machine. No need for expensive SPARC servers.

  • Download VMware server 1.0.4 (free)
  • Download Solaris 10 8/07 (free)
  • Create a virtual machine:
  1. Do a typical install and select the Solaris 10 profile
  2. Configure your network connection with "Use bridged networking"
  3. Configure your disk capacity to 8 GB Disk Size
  4. Your virtual machine is ready
  • Doing the Solaris installation
  1. Change the virtual device CD-ROM Connection from Use physical drive to use ISO image
  2. When required press 1 for Solaris Interactive.
  3. Choose your preferred language.
  4. Now choose Networked Connectivity. Then specify if your virtual network interface card will grab an IP address by DHCP or not.
  5. If you chose not to use DHCP, enter your virtual machine's hostname, IP address, subnet mask, IPv6 support and default route.
  6. Enable Kerberos or not, and specify your name service system, if any.
  7. If you have chosen DNS as name service system detail your domain name and at least one DNS server IP address.
  8. Choose your Time Zone and Date & Time.
  9. Choose your Root password.
  10. Finally accept your summary settings page.
  11. Say yes to both Reboot automatically after software installation and Eject additional CDs/DVDs automatically after software installation.
  • Now start the software packages installation.
  1. Leave CD/DVD as Media.
  2. Accept the License Agreement and choose Custom Install.
  3. Select your Software Localizations region only if you want Solaris 10 in your national language. English will be installed by default.
  4. Select Products to install as you need.
  5. Select None as Additional Product to install.
  6. Now you need to select how many Solaris software packages to install. I suggest choosing End User Group.
  7. On Disk Selection just hit Next
  8. On Partition Customization hit Next as well.
  9. On Customize Partitions you’ll see a single Solaris partition. If you are unsure how to partition your virtual hard disk, just hit Next.
  10. If you hit Next on the previous screen a default File System Lay Out will appear. Just hit Next.
Now the packages installation will start. This will take some time so get some coffee.
At the end of the Solaris Installer, let the OS restart.

Voila..... you are set to go. I must say, being an ex-Linux (Red Hat) wizard, Solaris 10 wasn't that much different in graphical setup. And now the fun can start.

Posted by Security4all at 30.9.07 1 comments

Labels: unix

Saturday

Internet Explorer opens up your harddrive

This isn't the first time a browser can disclose the content of your hard disk.
The author of The Hacker Webzine asked himself, how to find a 0-day within one hour? Well, take the vulnerability from one browser and port it to another one. In June, researcher Hong (re)discovered that by visiting a website you could get Firefox to automatically include files from the harddisk through a focus stealing bug. He then took this to IE:



This is how it works: normally, due to security restrictions, Javascript is not allowed to set focus and/or to give a value to a file upload field. Because if you did that and it was allowed, we could upload any file from a PC. So browser vendors implemented security restrictions on the file field in a form. This way it should only be possible for the computer owner to select a file in order to upload it. With this exploit we show that it is possible to steal focus from the user and bypass the browser's security restrictions. (Full article)

Posted by Security4all at 29.9.07 0 comments

Labels: application vulnerabilities, browser

How to avoid Cross Site Request Forgery (for Google)

iGoogle and other Google services all being linked to your Google account, combined with all the recent XSS vulnerabilities, makes a recipe for disaster. So what can you do about it?



Well, we all know not to trust mobile code (Javascript, Actionscript, etc....) and we are using Firefox with Flashblock and Adblock.

But that might not be enough to stop Cross-site request forgery (CSRF). Errata Security has a nice solution: run two separate instances of Firefox, one logged in and one logged out of Google, using Firefox profiles. This allows you to have GMail or other services up in a separate window on your desktop, but without the danger of XSS bugs crossing over and hijacking the GMail session. Full explanation here.

Well, it's another way than running a Browser Appliance using VMware Player, which is also a possibility. The Browser Appliance can be used for surfing and a normal browser can be used for logging into Google at the same time.

UPDATE: In the case of Google services, you can partition your Google identity. (anti-virus rants)
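Running a logged-in and a logged-out profile keeps the attacker's page away from the session cookie. The server-side complement, which makes a forged request fail even from the logged-in browser, is an anti-CSRF token that the attacking site can neither read nor guess. The Python below is an added example written for this post, not code from Google, Errata Security or Firefox; the secret, the session id, the site names and the helper names (`csrf_token_for`, `handle_post`, `demo`) are all constructed for the illustration.

```python
"""Server-side anti-CSRF check for a state-changing request.

Added example; not code from Google, Errata Security or Firefox. A forged
request made from another site rides on the victim's session cookie, so the
check cannot rely on the cookie alone: the form must also carry a token that
the attacking page cannot read. Here the token is an HMAC of the session id
under a server secret, so nothing extra has to be stored per session.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed secret for the example; a real deployment generates and rotates this.
SERVER_SECRET = b"constructed-example-secret"


def csrf_token_for(session_id: str) -> str:
    """Token embedded as a hidden field in each form served to this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(session_id: str, form: Dict[str, str],
                origin: Optional[str], site: str) -> Tuple[int, str]:
    """Process a state-changing POST on behalf of an authenticated session.

    session_id comes from the session cookie (the browser attaches it to
    cross-site requests too, which is the whole CSRF problem). origin is the
    request's Origin header, or None when the browser did not send one.
    Returns an HTTP status and a short message.
    """
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time compare so timing does not leak how many bytes matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "csrf token missing or invalid"
    # Defense in depth: a browser-supplied Origin naming another site is refused.
    if origin is not None and origin != site:
        return 403, "cross-origin POST refused"
    return 200, f"deleted item {form.get('item', '?')}"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run one legitimate and two forged requests against the same session."""
    site = "https://mail.example"                 # constructed site
    session = "session-cookie-for-victim"         # constructed cookie value
    token = csrf_token_for(session)
    return {
        # The real page carries the token it was served.
        "legitimate": handle_post(
            session, {"csrf_token": token, "item": "42"}, site, site),
        # An attacker's page triggers a POST; the cookie rides along, the token does not.
        "forged_no_token": handle_post(
            session, {"item": "42"}, "https://attacker.example", site),
        # Guessing the token (it is not readable cross-origin) fails too.
        "forged_wrong_token": handle_post(
            session, {"csrf_token": "0" * 64, "item": "42"}, "https://attacker.example", site),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

The token check alone defeats the forgery; the Origin comparison is kept as a second, independent signal, because a cross-site POST from a modern browser carries the attacker's origin while the cookie still names the victim's session.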

Posted by Security4all at 29.9.07 6 comments

Labels: browser, cross-site

Friday

WarGames: 8 Ways a Competitor Can Sabotage Your Site


Let's begin with some words of wisdom. Sun Tzu: It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Competition on the web is fierce and getting more ruthless by the day. Some webmasters have resorted to using dirty tricks, known as “Google bowling,” to sabotage competing websites. Arm yourself with knowledge and protect your site from these techniques that may be used to undermine your site’s reputation.

  1. Who’s That Annoying Spammer?
  2. Getting Your Domain Banned in Social Media
  3. Spammy Link Buying
  4. Duplicate Content
  5. 301/302 Hijacking
  6. Denial of Service (DoS) Attack
  7. Kicked Out of AdSense
  8. Click Fraud
Full article (Virtualhosting.com)

The article doesn't give any solutions, but it is a new insight into attacks. What good is a multilayered DMZ if you get kicked out of the Google index? Feel free to comment!

Posted by Security4all at 28.9.07 1 comments

Labels: crime, risk

BackTrack 2 with Metasploit 3 as a Virtual Appliance

Cool, new toys have arrived. Some remarks from my side: try to avoid using NAT on the VM interface, since aggressive network scanning/probing can lead to source port starvation. Always use bridging.



The Ethical Hacker Network (EH-Net) proudly releases the only Official Version of BackTrack 2 that not only adds Metasploit 3 to the toolset but is also packaged as a VMware Virtual Appliance. Here are just a few of the features added by the project's lead developer, Mati Aharoni, specifically for the EH-Net Community:

  • Metasploit updated to latest svn, all dependencies upgraded
  • Added fabs patches for msfgui
  • Aircrack-ng updated to 1.0 svn, all dependencies upgraded
  • Tcpdump patched (security fix)
  • Firefox updated to latest
  • Firefox links, favorites and home page
  • A few more lib fixes for old nasties in BT2 final

Download Locations for the EH-Net/BT2 VM:

File size = 860 MB. Additional mirrors coming. Feel free to spread these files. PM me directly if you can provide a mirror, torrent server, or any other method of spreading the wealth.

http://www.ethicalhacker.info/dl/ehnet_bt2_vm.7z

http://s160498894.onlinehome.us/dl/ehnet_bt2_vm.7z

Posted by Security4all at 28.9.07 0 comments

Labels: metasploit, pentesting

Thursday

A Blog about netizenship, freedom of information, surveillance tendencies in Germany

There is a new blog, "Bitkanone", that communicates the German political discussion around netizenship, freedom of information, surveillance tendencies etc. to a non-German, non-German-speaking audience.

Once upon a time, there were many countries on this globe, and in these countries were leaders, who got to make decisions, and citizens, who were (in theory) free to accept these decisions or oppose them. Mostly, the citizens chose to accept them, sometimes grudgingly, because opposing meant work and hassle.

However, sometimes the citizens resolved to oppose, if they thought that the decisions made by the leaders were plain wrong and stupid and getting more so all the time.

So the citizens put in the work to oppose, they formed small groups and then larger groups, to pool resources and encouragement. And at some point, these citizens learned that there were other people in other countries who struggled against the same stupid decisions in their respective countries. And they began to become interested to see what those other people were doing - partly to see whether anything could be learned from them, partly to feel less isolated. It was realized that this process should go both ways: learn from the like-minded people in other countries and provide ways of learning about the local work to them in exchange.

In this spirit, this blog aims to provide information about the goings on at the German electronic frontier - in a language that is accessible to most people. The posts will be contributed by a somewhat loose blogger collective. Their subject will be the German political discussions that revolve around information access and hacking. Some of them will just be translations of German content, some of them comments and news bits, some of them will illuminate the background of peculiarities in the German political discourse. It is as much an experiment as an information outlet, so we're curious what will come of the Bitkanone.

Posted by Security4all at 27.9.07 0 comments

Labels: community

PCI DSS compliance deadline approaching

PCI DSS was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues.

In a separate study of 60 recent PCI audits at 50 major companies, security vendor VeriSign found that some 53 percent of organizations failed at least one of PCI's 230 requirements. That's an improvement over last year's study, in which 73 percent of companies failed the audit, VeriSign says.

If they don't make it by Sept. 30, it will be the third time the stragglers will have missed a PCI compliance deadline. The credit card companies had originally mandated compliance by June 2005. The deadline was stretched to 2006, and then the deadline for the revised PCI 1.1 was extended to Sept. 30 of this year.

So what's taking so long? Experts differ on which is the largest obstacle, but three elements consistently come up in all of the conversations: access management, application security, and encryption.

Full article (DarkReading)

The article mentions that in some cases, getting into compliance is more expensive than paying the fines. This doesn't improve overall credit card security, which remains at risk despite three years of PCI deadlines. Also, getting compliant only proves that you met some standard at a given moment in time. But security is not a label, it's a process. So how does it improve security? Mark Curphey had a presentation about another possible criterion: OWASP Evaluation and Certification Criteria Draft.

Posted by Security4all at 27.9.07 0 comments

Labels: application vulnerabilities, compliancy

Metasploit gets shellcode for the iPhone



HD Moore added shellcode for the iPhone to Metasploit. Now it will only take a serious bug and an exploit to make this really a mobile threat. Especially if you read his next comment:

Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

Got a mobile device security policy in place? ;-)

Posted by Security4all at 27.9.07 0 comments

Labels: application vulnerabilities, exploits

Kaspersky is going for whitelisting


In "Another take on the Anti-virus detection problem", we discussed the possibility of whitelisting as a solution in next generation products. Kaspersky is going to take a swing at it.

Antivirus company Kaspersky will concentrate on whitelisting in version 8.0 of its enterprise security software, according to David Em, senior technology consultant for Kaspersky.
The company already uses some digital certificates to authenticate applications -- it plans to move more in this direction. (ZDnet.co.uk)


It's a different approach from the one Sophos is taking. But it is good to see companies are working on new technology to counter the evolution of malware.

Bonus (27/9/2007): A study by Panda Security revealed that more than 18% of computers are infected by malware, even if they have an antivirus. (always take vendor studies with a grain of salt)

Posted by Security4all at 27.9.07 0 comments

Labels: anti-malware

Wednesday

50% of Belgian Wifi networks are unprotected


According to a survey (ZDnet.be) from BIPT (Belgian Institute for Post and Telecommunication), half of the Belgian consumer wifi networks are unprotected. Actually, I don't think this is a bad figure. I know that some years ago it was about 33%. I didn't say it was a good figure either since it still needs a lot of improvement. The article doesn't state if WEP is considered as good protection or not since it would only take one minute to crack it.

Posted by Security4all at 26.9.07 0 comments

Labels: user awareness, wlan

Overview of Firefox security oriented extensions for pentesting

FireCAT is a Firefox Framework Map collection of the most useful security oriented extensions.

FireCAT 1.2 reaches 60 extensions. Thanks to all fellas who give us a helping hand to collect and maintain this framework.

Download FireCAT at security-database.com.

Posted by Security4all at 26.9.07 0 comments

Labels: browser, pentesting

German researchers are challenging new anti-hacker law


Someone daring enough to challenge the FUD around the new anti-hacker legislation. Hopefully it will break the controversy around the subject. Go guys!!

A German security firm, fed up with the ambiguity and confusion surrounding the country's controversial new anti-hacker law, says tomorrow it will challenge the law head-on -- by reinstating a hacking tool it had removed from its Website last month for fear of prosecution.

Jan Münther, CTO for n.runs, says he thinks n.runs' challenge may be the first true test of the law, although the Chaos Computer Club hacker group has considered reporting itself to the authorities. And a German IT news site recently reported the German Federal Office for Security in Information Technology (BSI) to authorities for publishing a password-cracking tool, he says.

Full article (DarkReading)

Previous articles:

  • German law vs Security Tools: An Update
  • German law vs Security Tools: The fallout
  • Five reasons restricting security tools is not like gun control
  • New thoughts on german anti-hacker law
  • New German "anti-hacker" law

Posted by Security4all at 26.9.07 0 comments

Labels: cyberlaw, pentesting

Tuesday

INSECURE Magazine Issue 13 released


DOWNLOAD ISSUE 13 HERE

  • Interview with Janne Uusilehto, Head of Nokia Product Security
  • Social engineering social networking services: a LinkedIn example
  • The case for automated log management in meeting HIPAA compliance
  • Risk decision making: whose call is it?
  • Interview with Zulfikar Ramzan, Senior Principal Researcher with the Advanced Threat Research team at Symantec
  • Securing VoIP networks: fraud
  • PCI DSS compliance: a difficult but necessary journey
  • A security focus on China outsourcing
  • A multi layered approach to prevent data leakage
  • Safeguard your organization with proper password management
  • Interview with Ulf Mattsson, Protegrity CTO
  • DEFCON 15
  • File format fuzzing
  • IS2ME: Information Security to Medium

Posted by Security4all at 25.9.07 0 comments

GoogHOle: 4 interesting Google disclosures

From hackademix.net, we bring you 4 Google disclosures in only 3 days time:


  1. Google Search Appliance XSS discovered by MustLive, affecting almost 200,000 paying customers of the outsourced search engine and their users: this Google dork showed 196,000 results at the time of disclosure, now dropped to 188,000.
  2. a Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy elusion and URI handler weakness exploitation to steal your private pictures, straight from your local hard disk, just visiting a malicious web page.
  3. a Google Polls XSS which, thanks to the (too) smart “widget reuse” allowing Google services to integrate the same functionality across multiple services, can be used to attack Search, Blogspot, Groups and, the most dramatic exploitation scenario, GMail:
    • This POC steals your Google contacts
    • This POC steals your GMail incoming messages, routing them to beford’s mail address
  4. an Urchin Login XSS disclosed by GNUCITIZEN’s Adrian Pastor, which could compromise local Google Analytics installations.

Posted by Security4all at 25.9.07 0 comments

Labels: application vulnerabilities, cross-site

Podcast: AudioParasitics Episode 16

The next episode is out:

Episode 16 - The W32/Virut family of parasitic infectors is discussed, along with the general resurgence in parasitic malware.

Posted by Security4all at 25.9.07 0 comments

Labels: anti-malware, podcast

Use a forcefield to protect your browser


Check Point Software Technologies released the public beta of ZoneAlarm ForceField, a browser virtualization security tool that promises anti-phishing and spyware blocking capabilities.

The software is available as a free download during the beta testing period. But the final product will cost $29.95 once it ships in 2008.

Microsoft's Internet Explorer already runs in protected mode but Forcefield expands on the concept and also adds protection for IE on XP or Firefox.

Let's not forget that Google bought Greenborder: a browser virtualization software service and probably will release their own anti-malware protection in the near future.

Posted by Security4all at 25.9.07 0 comments

Labels: anti-malware, browser

Monday

Whitepaper: Innovative defense strategies for securing SCADA and control systems


This White Paper takes a look at the fundamental issues with the current practice of securing SCADA and control systems, discusses the concept of security zones of vulnerabilities, and briefly introduces several new and unique cyber defense solutions that can be deployed at each security zone.

Over the past few years, most companies with critical infrastructure controlled by SCADA, DCS, and other process control systems have taken the approach to group all of their real-time systems in an environment called the PCN or process control network, and try to keep that environment as separate and isolated as possible from the IT and corporate networks.

While this concept is a move in the right direction, treating the PCN environment like a black box and trying to manage one firewall or cyber defense solution at the border with IT is not adequate to protect from changing external and internal threats. The sensitive nature of the PLC and DCS devices controlling the critical infrastructure assets requires a higher level of network segmentation and advanced defense solutions not currently recommended or available through most security firms and IT vendors.


Read the white paper (pdf)

http://www.controlglobal.com/whitepapers/2006/034.html

Posted by Security4all at 24.9.07 0 comments

Sunday

EuroSOX : The European Version of SOX

Well, most of you must have heard of the Sarbanes-Oxley act. If you haven't, you should, because it's going to be implemented in Europe as well (kind of). I found this article, EuroSOX - The European Version of SOX, over at the AIIM Knowledge Center Blog.

In April 2006 the final adoption of the 8th Directive was passed and now implementation into local law can go ahead.
It consists of 3 separate directives in total, which are:

  • 4th Directive 78/660/EEC,
  • 7th directive 83/349/EEC and
  • 8th directive 84/253/EEC

which together are to safeguard shareholder’s investments, establish Corporate Governance, increase disclosure requirements and also establish separate audit committees.

The directives closely follow the US regulations, as these affect only publicly traded companies. It will still take up to 2 years before every country's regulations have been updated to reflect these directives in local law. By then every company has to be fully compliant, and if you are doing business in Europe or are traded on any of the many different European stock exchanges, then this is something that you need to look at and be aware of.

Posted by Security4all at 23.9.07 0 comments

Labels: compliancy

Evolution of Anti-virus

After all the stories about the end of anti-virus technologies, I have been on the lookout for hints of next generation features. I stumbled upon this article:

Panda's idea for the near future is adding a new layer of security that it calls collective intelligence. He calls it the "web 2.0 version of security": instead of keeping each user's computer separate, it's scanned from the "cloud". This approach, he says, allows much bigger signature files and can detect targeted attacks because all computers are visible in real time.

But even this approach won't last forever. Salvatore Stolfo, a professor of computer science at Columbia University, says the attackers "have the upper hand. They have all the time in the world, and they have great motivation to spend their time and energy to avoid detection."

Antivirus has a future, he says, but it may be in name only. "Basic implementation and strategy will change." Like the fraud detection in use by banks and credit card companies, "eventually, systems implanted in machines will learn your own personal behaviour and protect by detecting abnormalities". One has to hope so. Otherwise, the future looks bleak. (Source: Guardian)

If you know of other technology, leave a comment.

Posted by Security4all at 23.9.07 0 comments

Labels: anti-malware

Security in the age of compliance



Three papers from Anton Chuvakin in his "... in the age of compliance series" :

  • "Log management in the age of compliance"
  • "Incident management in the age of compliance"
  • "Intrusion detection in the age of compliance"

Posted by Security4all at 23.9.07 0 comments

Labels: security

Saturday

A peek at the Virus Bulletin 2007 Conference


It's the first time I heard about the Virus Bulletin Conference:

Over its 17-year history, the VB conference has become a major highlight of the anti-malware calendar, with many of its regular attendees citing it as the anti-malware event of the year. The VB conference provides a focus for the anti-malware industry, representing an opportunity for experts in the anti-malware arena to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.

McAfee Avertlabs is giving some insight on the conference:

The first day adjourned with many interesting presentations ranging from use of automaton in the world of Malware (for the purposes of good and evil), growing use of malware in virtual worlds (MMORPG and Second Life), to low-level malware techniques (rootkits and patching).

More information can be found here:

  • Live from VB2007
  • Live from VB2007 - part 2

Posted by Security4all at 22.9.07 0 comments

Labels: anti-malware, conference

Reconstruct TFTP sessions using TFTPgrab

Wireshark, TCPFlow and other tools can reconstruct files from network captures but not TFTP because it uses UDP. Someone just made a tool to do this:

Today I was very surprised to receive an email from Gregory Fleischer, who directed me to his new tool TFTPgrab. He saw my ShmooCon talk earlier this year, heard my plea, and built a TFTP file transfer reconstruction tool! I downloaded and compiled it on FreeBSD 6.2 without incident, and here is how I tested it. (Source: Taosecurity)
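Why TFTP needs its own reconstruction tool is easiest to see in code: there is no TCP stream to follow, so the file order has to come from the 16-bit block number in each DATA packet, and the end of the transfer is signalled by the first block shorter than 512 bytes (RFC 1350). The Python below is an added example written for this post; it is not TFTPgrab and not Richard Bejtlich's code. It parses the TFTP packet types and reassembles the file from a constructed capture that includes an out-of-order block and a retransmitted one, the two cases a naive concatenation of UDP payloads gets wrong.

```python
"""Reassemble a TFTP file transfer from captured UDP payloads.

Added example (not TFTPgrab). TFTP (RFC 1350) runs over UDP, so there is no
TCP stream for Wireshark's "Follow Stream" or tcpflow to follow. The order of
the file's contents comes from the 16-bit block number in each DATA packet,
and the transfer ends with the first DATA packet shorter than the block size.
The capture at the bottom is constructed inline for this example.
"""
import struct
from typing import Dict, List, Optional, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 default; no blksize option negotiated here


def parse_packet(payload: bytes) -> Tuple[int, dict]:
    """Decode one TFTP packet (the UDP payload) into (opcode, fields)."""
    if len(payload) < 4:
        raise ValueError("TFTP packet too short")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (RRQ, WRQ):
        # Request: opcode, filename, NUL, mode, NUL
        filename, mode = payload[2:].split(b"\x00")[:2]
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    (arg,) = struct.unpack("!H", payload[2:4])   # block number or error code
    if opcode == DATA:
        return opcode, {"block": arg, "data": payload[4:]}
    if opcode == ACK:
        return opcode, {"block": arg}
    if opcode == ERROR:
        return opcode, {"code": arg, "message": payload[4:].split(b"\x00")[0].decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def reassemble(payloads: List[bytes]) -> Tuple[Optional[str], bytes, bool]:
    """Rebuild the transferred file from the payloads of one TFTP exchange.

    Returns (filename, file_bytes, complete). Retransmitted DATA blocks are
    dropped (first copy wins) and blocks may appear in any order. The
    transfer counts as complete only when a short final block exists and
    every block number from 1 up to it was seen.
    """
    filename: Optional[str] = None
    blocks: Dict[int, bytes] = {}
    for payload in payloads:
        opcode, fields = parse_packet(payload)
        if opcode in (RRQ, WRQ):
            filename = fields["filename"]
        elif opcode == DATA:
            blocks.setdefault(fields["block"], fields["data"])
    if not blocks:
        return filename, b"", False
    last = max(blocks)
    have_all = all(n in blocks for n in range(1, last + 1))
    complete = have_all and len(blocks[last]) < BLOCK_SIZE
    file_bytes = b"".join(blocks[n] for n in sorted(blocks))
    return filename, file_bytes, complete


def _data(block: int, data: bytes) -> bytes:
    """Build a DATA packet: opcode 3, block number, payload."""
    return struct.pack("!HH", DATA, block) + data


# Constructed capture: a client reads "router.cfg" (two blocks); block 2 is
# captured before block 1, and block 1 is retransmitted after a lost ACK.
FIRST_BLOCK = (b"interface Ethernet0\n ip address 192.0.2.1 255.255.255.0\n" * 10)[:BLOCK_SIZE]
LAST_BLOCK = b"end\n"
CAPTURE = [
    struct.pack("!H", RRQ) + b"router.cfg\x00octet\x00",
    _data(2, LAST_BLOCK),                 # out of order
    _data(1, FIRST_BLOCK),
    struct.pack("!HH", ACK, 1),
    _data(1, FIRST_BLOCK),                # retransmission
    struct.pack("!HH", ACK, 2),
]

if __name__ == "__main__":
    name, content, complete = reassemble(CAPTURE)
    print(name, len(content), "bytes", "complete" if complete else "INCOMPLETE")
```

On a real capture the payloads would first be grouped per transfer by the UDP port pair (the server picks a fresh port after the request), which the example leaves out since the constructed capture holds a single transfer.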

Posted by Security4all at 22.9.07 0 comments

Labels: pentesting, tools

DRM breaks Canadian Privacy laws and acts like Big Brother



A research report from the Canadian privacy watchdog CIPPIC reveals that DRM techniques violate Canadian privacy laws. CIPPIC is part of the University of Ottawa. They investigated the network traffic of 16 different applications, including iTunes, Zudeo, Office Visio, Napster and Half-Life 2. The researchers connected a Windows XP PC to a Linux machine running Ethereal and a Squid proxy to perform their analysis.

The report reveals that DRM systems that require a permanent internet connection to validate the license send data to Akamai, Omniture and DoubleClick. Most of the companies involved don't mention this data transfer in any of their privacy statements. When the researchers tried to get feedback from the companies, most of them didn't respond.

Posted by Security4all at 22.9.07 0 comments

Labels: cyberlaw, privacy

Friday

Big Update on virtualization security

Let's have a look at the latest security trends in Virtualization including presentations from the VMworld Conference.


First of all, virtualization software isn't without its vulnerabilities.

An advisory from VMware lists a total of 20 different vulnerabilities affecting all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE and VMware Player. (Zero Day)

IBM ISS compiled all the previous vulnerabilities and put them in a table:

Year     Total   High risk   Remote   First-party code   3rd-party code
1999         1           1        0                  1                0
2000         1           1        0                  1                0
2001         2           0        0                  2                0
2002         1           1        1                  1                0
2003         9           5        5                  5                4
2004         4           2        0                  2                2
2005        10           5        5                  4                6
2006        38          13       27                 10               38
2007        34          18       19                 22               12
TOTALS     100          46       57                 48               62

How do I interpret these trends?
  • It is clear that with the increase in popularity, relevance and deployment of virtualization starting in 2006, vulnerability discovery energies have increasingly focused on finding ways to exploit virtualization technologies.
  • Combine the vulnerabilities in virtualization software, vulnerabilities in operating systems and applications that still exist independent of the virtualization software, the new impact of virtual rootkits and break-out attacks with the fact that in a virtual environment all your exploitation risks are now consolidated into one physical target where exploiting one system could potentially allow access and control of multiple systems on that server (or the server itself). In total, this adds up to a more complex and risky security environment.
  • Virtualization does not equal security!
One positive point is that some Trojans don't like virtual environments. A lot of security researchers use virtual machines to analyse malware quickly, so some malware will stop running if it detects a virtual environment, to frustrate the researchers. But with more and more production systems running in virtual environments, this might change.

If you haven't heard about VMworld, it's time to check the online Virtual VMworld. You read that right - a Virtual VMworld - what a terminology ;-)

http://www.vmworld.com/vmworld/home.jspa

Some examples:
  • BC10 VMware HA Guidelines and Best Practices VMware View Session
  • BC23 Bulletproof VirtualCenter VMware View Session
  • BC29 Disaster Recovery Solution Architecture for VMware VMware View Session
  • BC31 New Trends in Disaster Recovery for VMware VMware View Session
  • DV14 VDI - Considerations and Best Practices VMware View Session
  • IO11 100% Virtual - Debunking the Myths and Realities BlueLock View Session
  • TA29 Scaling Your Virtual Infrastructure - Getting Started VMware View Session
  • TA57 Security Architecture Design and Hardening VI3 VMware View Session
  • TA61 VMware Infrastructure 3 - Best Practices for Performance VMware View Session

One of the new things to come is ESX 3i. It is a version of VMware's ESX server "embedded" in memory on the server itself. Here the Service Console has been stripped away, leaving the ESX vmkernel at a bare 32MB in size.
This new flavour of ESX speaks to the underlying hardware's management agent. According to VMware, this release of ESX will need less patch management and offers less possibility of opening security loopholes.

PDF Datasheet
PowerPoint Presentation
WebEx Webcast

This was not discussed at VMworld, but let me show you Blue Lane's VirtualShield for VMware environments. VirtualShield is the first commercial product that specifically tackles problems in VM environments.

VirtualShield is designed to protect guest VM's running under a VMWare ESX environment in the following manner:

  • Protects virtualized servers regardless of physical location or patch-level;
  • Provides up-to-date protection with no configuration changes and no agent installation on each virtual machine;
  • Eliminates remote threats without blocking legitimate application requests or requiring server reboots; and
  • Delivers appropriate protection for specific applications without requiring any manual tuning.

There is even more Virtualization security coming our way. At Blue Hat v6, scheduled for September 27-28 in Redmond, external security researchers and internal Microsoft software engineers are expected to extend the debate over the risks of virtualization. Here is the Blue Hat v6 preliminary agenda. So keep tuned for further updates.

Bonus: A paper by Google that studied some aspects for multiple vendors in the virtualization world: http://taviso.decsystem.org/virtsec.pdf (Thanks Swa)

Posted by Security4all at 21.9.07 0 comments

Labels: security, virtualization

Thursday

0day: PDF exploiting windows

Well, after 0-day exploit: Quicktime owns Firefox and after 0 day: Exploiting by using Windows Media Files, pdp from Gnucitizen is closing the season with a zero-day Adobe PDF exploit. Details are not disclosed until Adobe releases a patch. But given his track record, we had better believe him.


Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

UPDATE (22/09/2007): You can watch the Proof of Concept in this YouTube movie.

Posted by Security4all at 20.9.07 0 comments

Labels: application vulnerabilities

Spend less on IT security, says Gartner

In a keynote speech, he said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total.

But Gartner's research suggests that the average organisation spends 5% of its IT budget on security, even with disaster recovery and business continuity work excluded, and IT managers are tired of requests for more. Security has dropped from first (in 2005) to sixth (in 2007) in the firm's annual survey of chief information officers' technical concerns.

Full article (Computerweekly)

Posted by Security4all at 20.9.07 0 comments

Labels: security

Deloitte: People are still weakest security link

In the EMEA region, 71 percent of financial services institutions have experienced repeated external breaches over the past 12 months, compared to 65 percent of financial services institutions worldwide. The major causes of external breaches were customers compromised by viruses and worms, and email attacks through spam, phishing and pharming.

However, a high percentage of security breaches were caused by employees. Thirty-one percent of EMEA financial institutions experienced repeated internal IT security breaches over the past year while, globally, the figure is 30 percent. Employee IT security breaches were caused by misconduct, intentional action, errors or omissions.

Full article (Zdnet)

Posted by Security4all at 20.9.07 0 comments

Labels: risk, social engineering, user awareness

Report: Arbor’s Worldwide Infrastructure Security Report



Arbor Networks, a leading provider of network security and operational performance for global business networks, released its third-annual Worldwide Infrastructure Security Report today in cooperation with the network security and operations communities. For the first time, botnets surpassed distributed denial of service attacks as the top threat identified by service providers.

Key findings from the report include:

  • Bots Overtake DDoS as Chief Security Concern
  • DDoS Attacks Going Pro
  • Attacks Outpace ISP Network Growth
  • VoIP is Vulnerable
  • Rise of Managed Security Services

Posted by Security4all at 20.9.07 0 comments

Labels: botnets

Wednesday

Firefox 2.0.0.7 security fix released

Firefox 2.0.0.7 was released to solve the Quicktime media format exploit.

The auto upgrade feature should have warned you. Otherwise, upgrade now.

Posted by Security4all at 19.9.07 0 comments

Labels: browser, vulnerability

Maxtor disks also include a virus

This seems like a scoop from Security.nl (Dutch)... After the Medion laptop being sold with an ancient boot sector virus, we have another case. Maxtor is now selling external disks, the Maxtor 3200 Personal Storage, with the AutoRun.ah virus. The virus is present as files in the root of the filesystem and seems to have infected the disk during assembly.


It's not as harmless as the boot sector virus on the Medion laptops, which has no payload. The AutoRun.ah virus can steal passwords from online games and can delete the mp3 files on your disk. So be warned. Always scan all media before using it.

Posted by Security4all at 19.9.07 1 comments

Labels: malware

StormWorm attacks Security Firms and Projects

In the context of anti-spam or anti-scam (phishing) fighting, "you ain't making a difference until you start getting DDoS-ed" is a painfully true statement.

There's no need to warn the anti-spam researchers at the Spamhaus Project about the Storm worm authors' ability to launch massive denial-of-service attacks. They've been fending them off for several months. And they've lived -- or at least stayed online -- to tell the tale.

"It's been a pretty constant battle to stay online," Vincent Hanna, an investigator for the non-profit Spamhaus Project, told InformationWeek. "It's an arms race. They try something. We block it. They try something else. We block it. It goes on and on. Sometimes it's fine and sometimes we spend hours a day on this." (Information Week)


Read about the StormWorm's DDoS attitude:

  • Storm Worm's DDoS attitude part one (DDanchev)
  • Storm Worm's DDoS attitude part two (DDanchev)
Some highlights:
  1. infect as many end users with high speed Internet access as possible
  2. ensure the longest possible lifecycle for the malware campaign
  3. take advantage of fast-flux networks to make it harder to shut down the entire botnet
  4. stage four - strike back at any security researcher or vendor playing around with Storm Worm's fast-flux network or somehow messing up with the malicious economies of scale on a worldwide basis.

Posted by Security4all at 19.9.07 0 comments

Labels: botnets

Tuesday

How well can AV scanners detect old viruses?

We have the perfect opportunity. Last week, it was widely reported that Medion was selling Vista laptops with an old boot sector virus, 'Angelina'. I saw a presentation "Antivirus (In)Security" during CCCamp claiming that old viruses don't tend to get detected anymore. Let's see about that.

A test from Andreas Marx:

The following scanners were able to detect and successfully remove the "Stoned.Angelina" critter on Windows XP and Vista:

  • G Data (AVK) Total Care 2008
  • BitDefender Internet Security 2008 (v10)
  • Kaspersky Internet Security 7.0

The following tools were able to detect and report the infection, but unable to handle it:

  • BullGuard Internet Security 7.0 (updated information from BullGuard, here).
  • McAfee Internet Security 2007
  • Trend Micro PC-cillin Internet Security 2007
  • Avira AntiVir Personal Premium (v7) -- BUT the scan of the system areas (master boot record) is disabled by default, so it has to be enabled or AntiVir wouldn't report anything, as it's not scanning this sector.

Two of the tools were able to successfully report and clean the virus on Windows XP, but they shred the system area on disinfecting a Windows Vista based system after the infection was found — this means that Vista wouldn’t start anymore after a "successful" cleaning and it has to be repaired (e.g. by booting from the installation DVD and selecting the option to repair the system, see the Bullguard website link above for details):

  • Symantec Norton 360
  • Panda Internet Security 2008 (v12) -- BUT you need to start the tool with administrator rights or disable User Account Control (UAC) or Panda wouldn't be able to scan for the virus on disk and report the system is clean, even if it's indeed infected.

This leaves one tool -- Microsoft OneCare 1.6 -- which is completely unable to scan for boot viruses on disk (tested on Windows XP and Vista), so the user wouldn't get a notification that his system is infected. As nothing is found, nothing can be removed, of course.

Hmmmm, not so good.

Previous posts:
  • Another take on the Anti-virus detection problem
  • New anti-virus reviews and be careful with the interpretation
  • Is Anti-virus ineffective nowadays?
  • Another source of infection: Game patches
  • More vendors join the list of insecure security products

Posted by Security4all at 18.9.07 0 comments

Labels: anti-malware, trojans

Flayer, the Google Fuzzer released

Not only Mozilla has released its fuzzer; Google's security team has now released their fuzz testing tool called Flayer. It was used internally to find multiple vulnerabilities in Internet-critical software products.

The fuzzer has already been used to find errors in real software like the discovery of security holes in several open-source products, including OpenSSH, OpenSSL, LibTIFF and libPNG.


Posted by Security4all at 18.9.07 0 comments

Labels: pentesting

ISSA Event on "Social Engineering" (Reminder)



Don't forget the ISSA Event on "Social Engineering" is next Thursday (20th September).

Posted by Security4all at 18.9.07 0 comments

BotHunter™ Tool for Free

I might give this BotHunter a try next weekend:



BotHunter™ is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunter™ is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection.

When a sequence of inbound and outbound dialog warnings is found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.
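To make the dialog-correlation idea concrete, here is an added Python illustration. It is not BotHunter's code and not from the original post; it uses a simplified infection model that I assume for the example (an inbound exploit alarm followed within a time window by at least one outbound infection indicator, or two distinct outbound indicators on their own), and the alert records it runs over are constructed sample data, not real sensor output.

```python
from collections import defaultdict

# Constructed sample alerts (not real IDS output). Each record is
# (timestamp in seconds, internal host, direction, alert kind).
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "in",  "exploit"),       # inbound exploit alarm
    (130, "10.0.0.5", "out", "egg_download"),  # host fetches a binary
    (160, "10.0.0.5", "out", "cnc_beacon"),    # host calls home
    (200, "10.0.0.9", "in",  "exploit"),       # lone inbound alarm, no follow-up
    (210, "10.0.0.7", "out", "cnc_beacon"),    # no inbound alarm seen at all
    (250, "10.0.0.7", "out", "scan"),          # but two distinct outbound signs
]

WINDOW_SECONDS = 300  # assumed correlation window for this example


def correlate(events, window=WINDOW_SECONDS):
    """Group alerts per internal host and slide a window over each host's
    dialog trail. Emit one consolidated report per host whose trail matches
    the (assumed, simplified) infection model:
      - an inbound "exploit" alarm plus at least one outbound indicator, or
      - at least two distinct outbound indicators.
    Returns {host: report_dict}; hosts with no match are absent."""
    by_host = defaultdict(list)
    for ts, host, direction, kind in sorted(events):
        by_host[host].append((ts, direction, kind))

    reports = {}
    for host, trail in by_host.items():
        for start_ts, _, _ in trail:
            # All of this host's alerts inside [start_ts, start_ts + window].
            in_window = [e for e in trail if start_ts <= e[0] <= start_ts + window]
            inbound = [kind for _, d, kind in in_window if d == "in"]
            outbound = sorted({kind for _, d, kind in in_window if d == "out"})
            if ("exploit" in inbound and outbound) or len(outbound) >= 2:
                # Consolidated report: every event that took part in the dialog.
                reports[host] = {
                    "first_seen": in_window[0][0],
                    "last_seen": in_window[-1][0],
                    "inbound": inbound,
                    "outbound": outbound,
                    "evidence": in_window,
                }
                break  # one report per host is enough for this illustration
    return reports


if __name__ == "__main__":
    for host, report in correlate(SAMPLE_EVENTS).items():
        print(host, report)
```

The point of the sliding window is that each outbound pattern on its own is noisy; it is the ordered combination on a single host, inside a bounded time span, that makes the infection verdict worth reporting.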

Posted by Security4all at 18.9.07 0 comments

Labels: botnets, tools

0 day: Exploiting by using Windows Media Files

Media Player meta files all have the same structure, XML. Digging deeper into the XML, pdp from Gnucitizen found several tags which can be abused for malicious purposes.


In simple words, HTMLView will display a page of our choice within the standalone Windows Media Player. I repeat, the page will be opened within the Media Player surroundings, not a standalone browser. This in particular is very interesting behavior, which I experimented with for a bit.
I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in a less restrictive Internet Explorer environment, even if your default browser is Firefox, Opera or anything else you have in place.
Let me translate this for you. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be.


Not good. I guess using the default media player (browser, email client, ...) was never a good idea anyway. Personally, I prefer VLC as player, Firefox as browser and Eudora as email client. Like in real life: diversity is essential for survival. Just my opinion.

Posted by Security4all at 18.9.07 0 comments

Labels: application vulnerabilities, bugs, exploit

Monday

Symantec Internet Security Threat Report Sept 2007


Symantec Internet Security Threat Report Sept 2007 is out.

Symantec tracks and assesses underground economy servers across the Internet using proprietary online fraud monitoring tools. For the first time in this issue of the Internet Security Threat Report¸ Symantec is assessing the types of goods that are most frequently offered for sale on underground economy servers.

Some of the highlights are:

  • the lifespan of a botnet-infected PC is a day longer than in 2006
  • most zombie computers are located in Beijing
  • China hosts 29% of all bots
  • bugs: IE 39 vs Firefox 34 vs Safari 25 vs Opera 7
  • Home users are still the victim of 95% of all targeted attacks
  • 4% of malicious activity came from a Fortune 100 computer
Read the full 134-page report

Posted by Security4all at 17.9.07 0 comments

Labels: crime, risk, user awareness

Old quicktime vulnerability also bites IE in the butt


Five days ago, I posted about Quicktime owning Firefox. Pdp mentioned it was cross platform and it seems it is also cross browser, at least for Internet Explorer.

Security researcher Aviv Raff has found a way to use the one-year-old (and still unpatched) QuickTime vulnerability to automate XAS (cross application scripting) attacks against users of Microsoft’s Internet Explorer.
To demonstrate the attack scenario, Raff embedded a rigged QuickTime file on Google’s BlogSpot to force a Skype shutdown if an IE user is tricked into visiting that Web page.
Any limited Web environment that allows embedded QuickTime files can be used to host an attack against IE, Raff said. (Zero Day)

There was a patch released for this one but it didn't close the hole completely. So far, no new patch, no feedback from Apple.

Posted by Security4all at 17.9.07 0 comments

Labels: browser, bugs, exploits

Sunday

China strikes back


After allegations from the German government, the French government, the UK & USA and lately from New Zealand and Australia that government and military networks have been attacked from China, it's now China claiming to have suffered "massive" losses of state secrets through the Internet.

In a Reuters news article, the Vice Minister of Information Industry Lou Qinjian states that China's computer networks were riddled with security holes and that the United States and other hostile powers were exploiting those for "political infiltration".

Taosecurity provides us with an article from Professor Spafford, Who is Hacking Whom?:

It remains to be seen why so many stories are popping up now. It’s possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved. However, that kind of behavior is normally kept under wraps. That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on — the stories are being released to create leverage in some other situation.

Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves another political purpose. And once again, people will act surprised. If government and industry were really concerned, we’d see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders.

I think this will be the last post in this cyberwarfare series for now. It's becoming a contest "who is the least protected".



(Cartoon from ddanchev)

Posted by Security4all at 16.9.07 0 comments

Labels: cyberwarfare

Video: Searching for Evil

An excellent video on malware, phishing and spam, called “Searching for Evil” by Professor Ross Anderson.


From the abstract:

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Posted by Security4all at 16.9.07 0 comments

Why you shouldn't blindly trust certificates


Gromozon, one of the most notorious pieces of spyware out there, is digitally signed by Thawte (part of Verisign). (Sunbelt Blog)

So don't blindly trust anything that is signed. It also puts a dent in the idea of relying on whitelisting alone to fight malware.
The lesson from this article is that digital signatures ONLY verify that the code is coming from a verified source, a source verified only by the issuer of the certificate. It is up to the end user to decide whether or not this source is trusted.

Posted by Security4all at 16.9.07 0 comments

Labels: anti-malware

Softskills: How to give good presentations

Giving a good presentation is important in bringing your message to the audience.

Since I saw the presentation from Mark Curphey at the last OWASP meeting, I have been re-analyzing the way I give presentations myself.
Let's start with a movie that highlights some of the common mistakes: Death by Powerpoint.



Guilty as charged. I make some of these classic mistakes. Take a look at some of the presentation tips from Presentationzen.com. Also have a look at his "What is good Powerpoint Design".

I have been 'practicing' all weekend. Maybe I'll post an example online. I hope you can avoid 'Death by Powerpoint' yourself after this! ;-)

Bonus: Spring into Technical Writing: For Engineers and Scientists (Amazon.com)

Posted by Security4all at 16.9.07 0 comments

Labels: presentations

Saturday

Some CCCamp 2007 videos available


The videos of the presentations are not yet on the CCC website.
But there are a lot of Youtube movies about the Camp itself.



  • CCC 2007 - Closing Camp Event 1/2
  • CCC 2007 - Closing Camp Event 2/2
  • Chaos Communication Camp in TV Show
  • CC2007: Some Impressions
  • CC2007: More impressions
  • Quadcopters at Chaos Communication Camp 2007
  • C2007: Quadrocopter (2)
  • CC2007: Potato gun reloaded ;-)
  • CC2007: Hot air balloon launch
  • Virtual Airhockey @ Chaos Communication Camp
  • Chaos Communication Camp 2007 - Art & Beauty Saturday Night
  • Project LEA Chaos Communication Camp 2007
  • CCC 2007 - More Dance
  • Potato vs SCO
  • CCC 2007 - OpenBSD Bikini Contest : Celebration
  • RC Wheelchair at CCC Camp
  • CCC 2007 - Take Off
  • C-Base at CCC 2007
  • CCCamp 2007 - Drums and Fire
  • Disco Grove @ CCC Camp 2007
  • Lights at ccc 2007
  • CCC 2007 - Panorama from Hill next to Shelter Bar
  • Hammer vs. SCO

Posted by Security4all at 15.9.07 0 comments

Labels: community, hacking

Friday

World Wide War 3.0


A very long and detailed article about cyberwarfare, China and NCPH, the Russian mafia, and armies for hire: World Wide War 3.0 (The-diplomat.com)

China’s military strategists have recognised that asymmetrical warfare – picking key targets to disrupt and demoralise a militarily superior opponent – is the best way to counter the force of the US. Cyber warfare has appeared prominently in People’s Liberation Army (PLA) literature as a key plank in this strategy.

A 2003 report by Lieutenant Colonel (Ret) Timothy L Thomas from the US Foreign Military Studies Office revealed that the PLA’s 1.5 million reserve force included “a shock brigade of network warriors, information protection troops, an information corps, electronic police and a united network People’s War organ.”

Around this time a series of systematic attacks were launched from Guangdong province against US government agencies and contractors, compromising hundreds of unclassified networks. The attacks lasted for at least two years and were investigated by the FBI under the code name Titan Rain.

Next in our cyberwarfare row is Canada, but that is for the next post.

Posted by Security4all at 14.9.07 0 comments

Labels: cyberwarfare

Foodstore Aldi selling laptops with free virus


From the category "old viruses never die", we bring you laptops with free virus at Aldi. Just when you thought boot sector viruses were extinct:

Confirming posts in various forums, there is indeed a part of the production of Medion MD 96290 laptops, sold at the food discounter Aldi in Germany last week, that is infected with the boot virus Stoned.Angelina. In a document on their Danish website (in Danish) Medion describes the incident and provides instructions on how to remove the virus.

To make it clear, the name of the virus has got absolutely nothing to do with any famous Hollywood star! Stoned.Angelina is a boot virus that infects the boot sector of floppies and the MBR of hard drives; it doesn’t actually have a payload and was first discovered early in 1994. That was a time when the descriptions of the few viruses known were still in a printed Virus Encyclopaedia…

How it could happen to get the Laptops that have Microsoft Vista preinstalled infected with this ancient boot virus remains a bit of a mystery. The only way to infect a hard disk with a boot virus is by actually booting from an infected floppy. Nothing I’d expect to be done nowadays when installing Vista… (McAfee Avertlabs)

Posted by Security4all at 14.9.07 0 comments

Labels: trojans

Thursday

Google hacking against Botnets


Google hacking is one way to look for vulnerabilities, but I never thought of it as a way to go after "bad sites" like C&C servers (MPacks, Zunkers and WebAttackers....). Nice one from Dancho Danchev:

If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to random directory and filename, wouldn't they? Apparently, a default deny:all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

Unethical penetration testing of malicious hosts to assess the damages by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints, instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign, just consider for instance that Russian Business Network's IPs were behind the Massive Embedded Web Attack in Italy that took place in June, 2007, and the most recent Bank of India breach as well.

Posted by Security4all at 13.9.07 0 comments

Labels: botnets, hacking

Wednesday

Defcon 15 videos online


Defcon 15 videos are now online. A few examples:

  • DefCon 15 - T101 - Making of the DEFCON 15 Badges
  • DefCon 15 - T539 - Internet Wars 2007
  • DefCon 15 - T238 - Webserver Botnets
  • DefCon 15 - T312 - The Executable Image Exploit
  • DefCon 15 - T239 - The Commercial Malware Industry
  • DefCon 15 - T206 - Virtual World, Real Hacking
  • DefCon 15 - T201 - Church Of WiFi's Wireless Extravaganza
And much much more... 125 videos total... Here is the Full DefCon 15 Session Listing in PDF format. (Courtesy of Carsten)

Posted by Security4all at 12.9.07 1 comments

Labels: conference, hacking

0-day exploit: Quicktime owns Firefox


Pdp has done it again: he took a low-risk QuickTime vulnerability and turned it into a serious one: Quicktime pwns Firefox.

It seems that QuickTime media formats can hack into Firefox. The result of this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system. Don’t try this at home.

Before we move on, I have to say a few things. Last year I disclosed two highly critical QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spot light on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack.

In practice I can do anything with the browser, like installing browser backdoors, and the operating system if the victim is running with administrative privileges. However, just for the sake of this demonstration, I simply open calc.exe. Keep in mind that the exploit is cross-platformed.

For the full explanation and live demo: check Quicktime pwns Firefox.

Posted by Security4all at 12.9.07 0 comments

Labels: application vulnerabilities, browser, bugs

Paper: XSIO "Cross Site Image Overlaying"


Ok, I know XSS, CSRF etc..... but I had never heard about XSIO.

A new paper on a vulnerability called XSIO. XSIO stands for "Cross Site Image Overlaying" and is basically the same as XSS except there is no scripting involved, but instead an image is referenced and positioned using CSS over an important part of a website. (SANS ISC)

Thanks Swa!

Also, check out the OWASP Top Ten 2007 if you never have.

Posted by Security4all at 12.9.07 0 comments

Labels: application vulnerabilities, cross-site

Australia also targeted in hacking spree


I asked who could be next in the cyberintelligence hacking spree. It might be Australia but the details are vague:

CHINA has allegedly tried to hack into highly classified government computer networks in Australia and New Zealand as part of a broader international operation to glean military secrets from Western nations.

The Howard Government yesterday would neither confirm nor deny that its agencies, including the Defence Department, had been subject to cyber attack from China, but government sources acknowledge that thwarting such assaults is a continuous challenge.

"It's a serious problem, it's ongoing and it's real," one senior government source said. (Source: News.com.au)

Articles stating that China is involved don't automatically mean that the Chinese government is involved. Be careful with the interpretation: Accused China says it's also a cyber-victim

"We have proof that there is involvement with China. But I am prudent. When I say China, this does not mean the Chinese government. We don't have any indication, now, that it was done by the Chinese People's Liberation Army."

China has consistently denied the nation's army was involved in international computer espionage.

"Saying that the Chinese military has made cyber-attacks on the networks of foreign governments is groundless and irresponsible, and is a result of ulterior motives," Jiang said last week.

Posted by Security4all at 12.9.07 0 comments

Labels: cyberwarfare, hacking, trojans, user awareness

Podcast: AudioParasitics Episode 15: Microsoft Patch Tuesday Special Edition


A new episode is out:

Episode 15 - Microsoft Patch Tuesday Special Edition - Dave and Jim are joined by Craig Schmugar to discuss the most interesting and critical releases for September 2007. MS07-051 and MS07-054 are highlighted in this episode.

Don't forget you can get CPE points for listening!

BONUS: September Microsoft patch overview (SANS ISC)

Posted by Security4all at 12.9.07 0 comments

Labels: anti-malware, patch, podcast

Tuesday

Mandatory keyloggers in cybercafes: all in the name of fighting terrorism


What is the price of our Privacy? In the name of fighting terrorism, they are installing keyloggers in Mumbai’s cyber cafes. India’s Cops Get Orwellian:

A few days ago, Mumbai’s police revealed their plans to install keystroke loggers in Mumbai’s cyber cafes, besides imposing licensing requirements on them.

This is done ostensibly to fight terrorism, and here are the implications for you and me. Whenever we surf from a Mumbai cyber café, everything we type will automatically be captured on record. Our email passwords, every message we type, the sites we visit, the pictures we download: everything will be stored in police records, rendering us, effectively, naked in their eyes.

If we buy stuff online, our credit card details will also get saved. Will these end up getting sold in a black market somewhere? Not unlikely. Much as we like to think of governments as benevolent entities that exist to serve us, in reality they comprise individuals with the same human weaknesses as the rest of us, responding to incentives just as we do. The Mumbai police, like all police in India, consists of underpaid people given excessive powers over others, with little accountability. So how do you expect them to behave?

"Power tends to corrupt, and absolute power corrupts absolutely." (Lord Acton) The clue is, Mumbai doesn't have the resources to analyze all the keylogging information for terrorist activity. So why do it at all?

Have a look at this presentation: Terrorists and the Internet. A Justification for Stricter Laws?

In related news: Were those cameras for fighting crime and terrorism? Wi-Fi CCTV cracks down on rogue parking.

Posted by Security4all at 11.9.07 0 comments

Labels: privacy

Presentations from Belgian OWASP Day (updated)


For those who missed the Belgian OWASP event, the first presentations are online.
I will link to the rest as they get published:

  • For my next trick… hacking Web2.0: PDF, SWF, PPT
  • Automated Web Foo or FUD?: PDF, SWF, PPT
Courtesy of gnucitizen.org.

Update (11/09/2007): Two more presentations are online
  • OWASP Evaluation and Certification Criteria Draft (Mark Curphey)
  • OWASP Pantera Unleashed (Simon Roses Femerling)

Posted by Security4all at 11.9.07 0 comments

Labels: application vulnerabilities, belgian, community

New Zealand Government next in hacking row

We had the German government systems, besides the UK & USA computer systems, and soon afterwards the government of France issued a press release stating that it had been hacked (by other governments). Now it's the turn of the New Zealand Government:

Government computer systems have been hacked into by foreign governments, the chief of New Zealand's intelligence agency says.

Government departments' Web sites have been attacked, information has been stolen and hard-to-detect software has been installed that could be used to take control of computer systems, Security Intelligence Service director Warren Tucker is quoted as saying in The Dominion Post on Tuesday.

He would not discuss what country was responsible but referred to comments by Canada's security service about Chinese spying activities.

Sensitive information had been stolen and attempts had been made to gain access to classified information. (asiapacificnews.net)

It's becoming quite a long story. It makes us wonder, who will be next?

Posted by Security4all at 11.9.07 0 comments

Labels: cyberwarfare, hacking, trojans, user awareness

Skype worm on the loose

Beware, Skype users are under attack from a new worm that spreads through the peer-to-peer Internet phone application's chat feature:

  • Skype worm (SANS ISC)
  • IM worm squirming through Skype (Zero Day)
  • Seeing bubbles? Might be the Skype worm...(F-Secure)
  • Skype Warns Users of P-to-P Worm (PCWorld)

Posted by Security4all at 11.9.07 0 comments

Labels: trojans, VOIP

Monday

How to break Rainbowtables

Everybody knows about rainbow tables and Ophcrack for breaking hashed passwords. So are all password hashes breakable? Of course not. Matasano has a really great piece explaining the issues:

Here’s what you need to know about rainbow tables: no modern password scheme is vulnerable to them.

Rainbow tables are easy to beat. For each password, generate a random number (a nonce). Hash the password with the nonce, and store both the hash and the nonce. The server has enough information to verify passwords (the nonce is stored in the clear). But even with a small random value, say, 16 bits, rainbow tables are infeasible: there are now 65,536 “variants” of each hash, and instead of 300 billion rainbow table entries, you need quadrillions. The nonce in this scheme is called a “salt”. Cool, huh? Yeah, and Unix crypt — almost the lowest common denominator in security systems — has had this feature since 1976. If this is news to you, you shouldn’t be designing password systems. Use someone else’s good one.

The problem is that MD5 is fast. So are its modern competitors, like SHA1 and SHA256. Speed is a design goal of a modern secure hash, because hashes are a building block of almost every cryptosystem, and usually get demand-executed on a per-packet or per-message basis.

Speed is exactly what you don’t want in a password hash function.

To see some "good schemes" and the full explanation, check the full article at Matasano.
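To make the quoted scheme concrete, here is an added example (not code from the Matasano article or from this blog): a per-user random salt combined with a deliberately slow key-derivation function, using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, salt size and the `algorithm$iterations$salt$digest` record format are assumptions made for this illustration; the point is that two users with the same password get different stored values, so a precomputed table is useless, and that each guess costs the attacker many hash invocations instead of one.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not prescribed by the article):
ITERATIONS = 200_000   # work factor: each guess costs this many HMAC calls
SALT_BYTES = 16        # 128-bit salt, far beyond the 16-bit example in the quote


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The salt is stored in the clear next to the digest; that is fine, its job
    is only to make every stored hash unique, not to be secret.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Any malformed record (wrong field count, bad hex, non-numeric iteration
    count, unknown algorithm) verifies as False instead of raising.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(actual, expected)


def unsalted_md5(password: str) -> str:
    """The kind of scheme rainbow tables target: same password, same digest everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Contrast the unsalted fast hash with the salted slow one on a constructed password."""
    pw = "correct horse"  # constructed sample password
    r1, r2 = hash_password(pw), hash_password(pw)
    return {
        "md5_identical": unsalted_md5(pw) == unsalted_md5(pw),  # table-friendly
        "salted_differ": r1 != r2,                               # one table per salt
        "verify_ok": verify_password(pw, r1) and verify_password(pw, r2),
        "verify_wrong": verify_password("wrong", r1),
    }


if __name__ == "__main__":
    print(demo())
```

When reusing this, keep the iteration count in the record as shown so it can be raised later without invalidating old entries; records hashed with the old count still verify and can be rehashed on the user's next successful login.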

Posted by Security4all at 10.9.07 0 comments

Labels: crypto, rainbowtable

How the embassy passwords got leaked

Last week, a security consultant posted the login credentials for official email addresses belonging to some 100 foreign embassies from countries including Russia, India, Japan and Iran. The credentials were used to conduct official, sometimes confidential, business, from sending ambassadors' schedules to transmitting information relating to lost passports.
He also captured information on thousands of users, some of them belonging to Fortune 500 companies and companies listed on the Nasdaq and in New York.

Shortly after, his website derangedsecurity.com was taken offline at the request of American law enforcement agencies. He didn't even get access to his HTTP files. But the site is back online now. I'm not going to discuss disclosure ethics here, but once the devil is out of the box..... some people don't learn.

So how did he do it?

#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me started thinking about doing a large scale test. Each user is not only giving away his/her passwords but also every mail they read or download together with all other traffic such as web and instant messaging.


Let's go over this. Tor is made for anonymity, not confidentiality. Your connection is encrypted only up to the exit node, and that exit node can see (sniff) all of your traffic!!! These governments and companies apparently told their users to use Tor, sending all their traffic through servers they know absolutely nothing about. There is no telling whether some of these exit nodes are run by foreign intelligence services or criminal organizations. This is about the simplest "hack" there is: let them come to you. There is nothing to exploit and no server to penetrate. As he describes, it would take a script kiddie 10 minutes to set this up.

Let me repeat this: it's NOT a problem within Tor. Tor is meant for privacy, not confidentiality!!!! I'm a bit amazed governments and companies are using this as a security measure.

P.S.: A good remark: I have my doubts if those who logged in to an embassy or to the fortune 500 company with TOR are really “legal” users.

Posted by Security4all at 10.9.07 2 comments

Labels: crypto, privacy, risk

Sunday

Webcast: Today's Cybercrime and the Crimeware Being Used to Support it

This upcoming webcast seems interesting:

Businesses are under constant threat from crimeware as hackers are using highly sophisticated web-based techniques and methods to exploit the vulnerabilities within the Internet.

These web-based threats are being found in common applications that security executives need to monitor and control in order to prevent abuse of their systems.


In this webcast, you will learn about:

  • Techniques and crimeware the cybercriminals use in the web scenario: such as search engine cached content delivery; dynamic page encoding, code obfuscation, spyware and malware
  • PCs and how this filters into e-Commerce
  • Best practice methods to avoid attacks

10th September 2007 - 16:00 - 16:45

CLICK HERE TO REGISTER

Posted by Security4all at 9.9.07 0 comments

Labels: anti-malware, crime, vulnerability

Webcast: China's Wicked Rose and the NCPH Hacking Group

An interesting Webcast: Wicked Rose and the NCPH Hacking Group (Verisign iDefense)

More than 35 zero-day targeted attacks and related exploit codes emerged during the summer of 2006. Wicked Rose is the Chinese hacker responsible for developing the infamous GinWui rootkit used in the earliest attacks. This VeriSign-iDefense exclusive report provides participants with an in-depth view into the means, motives and culture of Wicked Rose's NCPH hacking group, including photos of the individual hackers. This is a story you won't read about anywhere else, revealing the intimate details of some of the most sophisticated targeted attacks to date.


Since we have been discussing Titan Rain and some government intrusions these last days, it might be interesting to have a look at this.

Posted by Security4all at 9.9.07 0 comments

Labels: crime, cyberwarfare, hacking, rootkit

Saturday

French Government gets hacked as well


After the intrusion into German government systems and the intrusion into UK and US computer systems, the government of France is next.

Daemon.be has an analysis of a packed Trojan that might be similar to the intrusions discussed here. Again Office documents were used to get inside.

About five hours ago, Agence France Presse has reported that France is the most recent nation to be targeted by what are probably cyber attacks of Chinese origin. The news came from Mr Francis Delon, secretary general of the Secrétariat général de la défense nationale (SGDN). He notes: Chinese origin, not necessarily indicating involvement of the Chinese military.

It consisted of a Word document, transmitted by e-mail to a small set of users. The files didn't appear malicious, and even Virustotal isn't able to make its mind up. (Daemon.be)

There are no details of which computer systems were affected apart from the website of the ministry of Defense.

This leaves us with a conundrum. We can detect this file on the gateway, where it's still embedded in obfuscated form in a Word document, and as such we can't even see it, or we can detect it on the desktop, where we run a high risk of killing valuable applications at the same time by enabling high heuristics.

One solution is offered by those anti virus solutions which write detection rules specifically for application level exploits. This is however hard to do, as files may be interpreted in very different ways on specific platform versions. Vendors try (they're doing a pretty good job at Powerpoint files), but the vulnerability exploited above was a known one in Microsoft Office 2003, and has been known for at least a year. (Daemon.be)

Kudos to M. for pointing me to the article. Also have a look at a previous article: Is Anti-virus ineffective nowadays?

Bonus (08/09/2007): It's not really an intrusion but there was a data breach of sensitive military data in Japan. (PCWorld)


Posted by Security4all at 8.9.07 1 comments

Labels: anti-malware, cyberwarfare, trojans

Pfizer Databreach: Third time is NOT a Charm

First, the wife of an employee installed P2P software that led to the disclosure of the names, Social Security numbers and, in some instances, addresses of approximately 17,000 employees.

The second time, two laptops were stolen containing details of 950 Pfizer contract workers, including their names and Social Security numbers. The contents of the laptops were not encrypted.

Unfortunately, it didn't stop there. A former employee accessed and downloaded copies of confidential information from their computer system without the company's knowledge. This happened last year but was only discovered on the 10th of July.

Not really a good example. Have a look at one of my previous posts: Security: What can go wrong?

Posted by Security4all at 8.9.07 0 comments

Labels: risk, user awareness

Best Web Application Scanner Finds 15.3% of Vulnerabilities


Picked up from SecurityBuddha.com:

http://www.virtualforge.de/whitepapers/web_scanner_benchmark.pdf

Reminds me of the presentation on the OWASP event:

Automated Web FOO or FUD? (David Kierznowski)

We take a look into automated web application testing technologies and their effectiveness against real life applications.

Scanners are nice complementary tools, but they can't replace your brain.

Posted by Security4all at 8.9.07 0 comments

Labels: application vulnerabilities, pentesting

Friday

Firefox Remote Command Exec back to haunt us


Hoping that Firefox 2.0.0.6 fixed the Remote Command Exec Vulnerability?
Think again.

Billy Rios (Xs-sniper.com) discovered a way to exploit it again:


Well, to make a long story short, Nate and I have discovered a way to “…exploit a common handler with a single unexpected URI…” Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction. So, it seems that although the conditions which allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have NOT been addressed.

More details on his site.

You can use NoScript to protect yourself, or open Firefox and type 'about:config' in the location bar. Put 'network.protocol-handler.external' in the filter and set the entries for the URI schemes you don't use to false. Screenshots here.

Posted by Security4all at 7.9.07 0 comments

Labels: application vulnerabilities, browser

NSA Security Configuration Guides

NIST isn't the only resource for security guidelines. Albeit less high-level and more product-oriented, the NSA has its Security Configuration Guides:

NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products.


The list of different areas:
  • Applications
  • Database Servers
  • Operating Systems
  • Routers
  • Supporting Documents
  • Switches
  • VoIP and IP Telephony
  • Vulnerability Technical Reports
  • Web Servers and Browsers
  • Wireless
Some examples out of the list I intend to read:
  • Cisco IOS Switch Security Configuration Guide
  • Router Security Configuration Guide, Version 1.1c
  • Windows Vista Security Guide.msi
  • Mac OS X Server Security Configuration For Version 10.4 or Later, Second Edition
  • So Your Boss Bought you a New Laptop...How do you identify and disable wireless capabilities

Posted by Security4all at 7.9.07 0 comments

Labels: security

Upcoming Belhack Meeting Postponed


From the Belhack mailinglist:


Due to unlucky timing (lots of people being abroad and not enough
contributions as a result), I am sorry to postpone the upcoming
BelHack meeting of September 11th to a later date. A big thanks to all
of you who expressed intent to participate, your contributions are
still more than welcome on the next meeting, which is scheduled for
somewhere in the first half of October. Details will follow soon.

Kind regards and sorry for the inconvenience,
Thomas

Too bad. I was looking forward to it. So people, please contribute something. An article, a website, an idea..... you DON'T have to give a presentation. A great discussion over a beer is also welcome.

Website: www.belhack.com
Wiki: wiki.belhack.com
Mailinglist: lists.belhack.com

Posted by Security4all at 7.9.07 1 comments

Labels: belgian, community

Review on the OWASP event of today (Sept 2007)


I'm going to start with the feedback from Securitybuddha.com (Mark Curphey)

PDP spoke about hacking web 2.0. Well worth a read on his web site and a unique story telling approach of future fiction scenarios that I think is really clever and quite powerful. Fair warning PDP: I plan to steal this style at some point!

David Kierznowski spoke about the Technika framework. Super cool idea, one to watch.

Simon Roses Fermerling spoke about Pantera. Very neat, pragmatic and extensible as demonstrated by some new privacy checks he has just built.

I need to hook both up with some of the things / ideas we did at Foundstone such as SiteScope. If SiteScope could produce the site coverage for your test cases I suspect there may be some interesting incremental performance.

Unfortunately I had to leave before the MS SDL, CLASP and Touchpoints presentation which would have been very interesting.

Now let me fill in the blanks. Mark Curphey actually gave the first presentation:

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”: OWASP Evaluation and Certification Criteria Draft.

Scheduled to be released next week. I really liked his way of giving the presentation. Only basic visuals in the slides, not too much text. Nothing unreadable from the back. A really great presenter!!! Reminds me of Presentation Zen (which I must read further when I have time). I must work on my soft skills myself.

The talk "CLASP, SDL and Touchpoints Compared" was given by Bart De Win, a postdoctoral researcher at the Katholieke Universiteit Leuven. The bottom line: there is no BEST methodology. CLASP is more focused on a whitehat perspective (developers) and SDL is more focused on a blackhat perspective (hackers).

The final talk was about "Threats of e-insecurity in Belgium and the Belgian response" by Luc Beirens of the Federal Computer Crime Unit (FCCU). Basically, we are becoming more and more dependent on the internet infrastructure and we are one of the few West-European countries without a CERT. And the rest of his talk was on more up to date info about the threats and dangers from the bad guys, which most of us already know. Like the whole China vs UK/USA, vs Germany,.... incidents.

I learned a lot from the conference. Some tools I didn't hear about as well as some methodologies. I also had some fun discussions with the other people afterwards. I will link to the presentations when they are posted online.

Posted by Security4all at 7.9.07 1 comments

Labels: belgian, community, conference

Fun: 12 More Security Features and Rules Most Likely to Mess Up from Gartner

From the Gartner Security and Risk Management Blog:

12 More Security Features and Rules Most Likely to Mess Up

1. Most likely to be in the pocket of the jacket you leave at the drycleaners:
Hardware token with confidential data

2. Most likely to carry high-value data on personal devices:
People who are least likely to follow policy

3. Most likely to end up available over the general Internet with significant security vulnerabilities:
Custom development applications that "will never be of use to anyone except internal folks on the internal network"

4. Most likely to foster paranoia in employees:
Web filtering products with too-harsh blocking rules and with scary splash screens when blocking

5. Most likely to foster paranoia in employers:
Web usage monitoring logs that indicate significant use of "anonymous browsing" Web sites

6. Most likely to lead to disillusionment:
Assumption that the staff will understand practical implications of security policies and laws

7. Most likely to be deployed only if suddenly cheaper than standard link encryption:
Quantum cryptography

8. Most likely to spiral out of control (and beyond usefulness):
A role-based access control (RBAC) project that attempts to define completely the entitlements of all your users across all your systems

9. Most likely not to be available when you really need it:
Mission-critical information stored on an internal desktop and left to the end user to back up

10. Most likely not to reach everyone in time:
A manual "telephone tree" notification system

11. Most likely to be missing from the business continuity plan:
Business units, branch offices and acquired companies new in the past six months

12. Most likely to be requested by an auditor:
Whatever it is that you haven't done


So true ..............

Posted by Security4all at 7.9.07 0 comments

Labels: fun, user awareness

Thursday

Privacy videos worth watching

From the Identity and Privacy blog: 3 privacy videos worth watching.

The first is one of my all-time favourites about ordering a pizza. I use this quite often in my own presentations about identity and privacy. Whenever I’ve played it, people have always reacted positively so it’s definitely worth watching.

The second one features three Middle Eastern-American comedians and has some really funny scenes about their experiences with flying.

The third and final one is about the Adventures of Average Joe. It’s short but sharp.

Privacy in the 21st century was also the subject of the panel at the OWASP event today. More info on that will follow soon.

Posted by Security4all at 6.9.07 0 comments

Labels: privacy

Podcast: AudioParasitics Episode 14: Sony rootkit in Hidevault


Episode 14 - Hide me Sony one more time! - Jim and Dave discuss the latest developments with Sony, HideVault, and the potential repercussions (malware, rootkits, exploits OH MY!).

Check also my Blogentry Commercial software that installs rootkits before listening.

Posted by Security4all at 6.9.07 1 comments

Labels: anti-malware, podcast, trojans

FBI Wiretapping: Just point and click

From wired.com (thanx Dv8or025):

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation's telecom infrastructure than observers suspected.

Full story (wired)

I hope they secured this system. Every backdoor or tap into any system, makes you more vulnerable. Remember the story of the rootkit into a large cellular service provider in Greece?

The Athens Affair (IEEE Spectrum):

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

While this is the first major infiltration to involve cellphones, the scheme did not depend on the wireless nature of the network. Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes. That could have been done with any phone account, not just cellular ones. Nevertheless, there are some elements of the Vodafone Greece system that were unique and crucial to the way the crime was pulled off.

Full Story (IEEE Spectrum)

Posted by Security4all at 6.9.07 0 comments

Labels: privacy

Symantec state of Spam September 2007


The September State of Spam Report is out and includes several interesting highlights and trends seen in August. Some highlights in this report include an update on the state of PDF spam, different variations that have been observed in e-card spam tactics, including fake YouTube sites, as well as insight into some new and novel tactics that were observed by Symantec during August.

Where did PDF spam go? Highlighted in a previous post as an emerging trend, PDF and other attachment spam reached a high in early August but closed out the month with record lows. First seen in June of 2007 with PDF files, attachment spam grew to encompass PDF, XLS and RAR files. By Early August, this spam type was seen in 20 percent of all spam, but by late August, accounted for less than one percent. Symantec will continue to monitor this trend closely for any changes.


Read the report for details.

BONUS: Someone from GFI sent me a link to their whitepaper about the different sorts of attachment spam.

Posted by Security4all at 6.9.07 0 comments

Labels: spam

Video: Hak5 Episode 3×02 Release


In this episode Wess mods the Linksys WRT54G wireless router and adds Power-over-Ethernet functionality. Darren checks out Anywhere.FM which pretty much lives up to its name. And our pal Mubix joins us via Skype for a paranoia inducing look at anonymous enumeration tools online.

Posted by Security4all at 6.9.07 0 comments

Labels: fun, hacking

Event: Hack.lu 2007 approaching fast


I have been so busy I didn't realise that Hack.lu 2007 is already only 6 weeks away. Early registration closes on 15 September!!!

The registration price for the conference is 200,- EUR for all three days (100,- EUR if you are a student). The price is valid before the 15th of September. The price does not include accommodation, but we have a preferential rate at the hotel (check here).


First Day Workshops:

  • Forensic analysis of botnets (FCCU)
  • VoIP workshop (sn0rky)
  • Writing exploits using Metasploit 3.0 (Saumil Shah)
  • Phishing workshop (Anti-Phishing Working Group)
  • WiFi protected setup workshop (Philippe Teuwen)

Day two and three Lectures:

Friday 19.10.2007:

  • 9:00 Opening Speech (Lance Spitzner)
  • 9:50 Is IT virtualisation a security panacea (Frank Ackermann)
  • 10:40 Refreshment Break
  • 11:00 Botspy - Efficient observation of botnets (Claus Overbeck)
  • 11:50 E-Passports: The good, the bad and the ugly (Zubair Khan)
  • 12:40 Lunch Break
  • 13:30 Lightning talks
  • 14:00 Automated Malware Behaviour Analysis (Gerard Wagener)
  • 14:50 Exploiting SAP Internals (Mariano Nunez di Croce)
  • 15:40 Refreshment Break
  • 16:00 Rootkits (Eric Lacombe)
  • 16:50 Wifi fuzzing, remote kernel exploitation (Frank Veysset, Laurent Butti, Julien Tinnes)
  • 17:40 Injecting RDS-TMC traffic (Daniele Bianco, Andrea Barisani) (tbc)

Saturday 20.10.2007:

  • 9:00 Breaking and Securing Web applications (Nitesh Dhanjani)
  • 9:50 Cracking Windows Access Control (Andrey Kolishchak)
  • 10:40 Refreshment Break
  • 11:00 Zombie 2.0 (Diego Tiscornia, Fernando Russ)
  • 11:50 Penetrating modern applications (Riley Hassel)
  • 12:40 Lunch Break
  • 13:30 Lightning talks
  • 14:00 Hijacking Virtual Machine Execution for Fun and Profit (Nguyen Anh Quynh)
  • 14:50 Cost of Malware and Spam - Willingness-to-pay for IT security (Oliver Schmid)
  • 15:40 Refreshment Break
  • 16:00 Authentication and Intrusion Prevention for Multi Link Wireless Networks (Raphael Frank)
  • 17:40 Closing of the conference

This is not the final agenda so visit the site from time to time for updates.

Posted by Security4all at 6.9.07 1 comments

Labels: conference

Are CAPTCHAs broken for good?

The emergence of CAPTCHA based authentication was a logical move in the fight against automated brute forcing of login details, registrations, spamming and splogging in the form of comments and splogs registration. And consequently, spammers, phishers and malware authors started figuring out how to automatically achieve their objectives, by either breaking or adapting to a certain CAPTCHA, and even more pragmatic - outsourcing the request to a third-party.

What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be in place by default, but taking another perspective, the way I discussed how click fraud could be easily detected by advertising networks syndicating IPs of already known to be malware infected hosts, in this very same fashion we could have CAPTCHA system that would check to see if, for instance, default proxy ports are opened at the host trying to register, and whether or not they're part of a botnet. With data like this now a commodity, a prioritization process to closely monitor mass registrations from these IPs is a pragmatic early warning system.

The irony regarding CAPTCHAs is how less popular sites, compared to the Web 2.0 darlings, often have a more sophisticated CAPTCHA than the most widely used web sites.


Full story, screenshots and explanation at Dancho Danchev.

I saw that spammers are now using 3D images to circumvent the OCR plugins of our scanning software. Maybe we can use this technique against them! ;-)
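The early-warning idea in the quoted paragraph, treating registrations from hosts already known to be infected or proxying with a much lower tolerance than registrations from unknown hosts, can be implemented as a sliding-window monitor. The following is an added example, not code from Dancho Danchev's article or from this blog; the reputation set, the thresholds, the window and the registration events are all constructed for the illustration (the IPs come from the TEST-NET documentation ranges).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reputation feed: hosts already known as bots / open proxies.
KNOWN_BAD = {"203.0.113.7", "198.51.100.23"}
# Assumed tuning values for this example.
WINDOW = timedelta(minutes=10)
THRESHOLD_NORMAL = 20   # attempts per window before an unknown host gets a closer look
THRESHOLD_BAD = 3       # much lower bar for hosts on the reputation list


class RegistrationMonitor:
    """Per-IP sliding-window counter with reputation-weighted decisions."""

    def __init__(self, known_bad=KNOWN_BAD, window=WINDOW):
        self.known_bad = set(known_bad)
        self.window = window
        self.history = defaultdict(deque)   # ip -> timestamps still inside the window

    def record(self, ts: datetime, ip: str) -> str:
        """Register one attempt and return 'ok', 'review' or 'block'.

        'review' means: let the strong CAPTCHA do its job but queue the
        registration for monitoring; 'block' means the host is both on the
        list and registering in bulk.
        """
        q = self.history[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts that aged out
            q.popleft()
        count = len(q)
        if ip in self.known_bad:
            return "block" if count >= THRESHOLD_BAD else "review"
        return "review" if count >= THRESHOLD_NORMAL else "ok"


def run_sample() -> list:
    """Replay a constructed burst of registrations and return (ip, decision) pairs."""
    mon = RegistrationMonitor()
    t0 = datetime(2007, 9, 6, 12, 0, 0)   # constructed timestamp base
    events = [(t0 + timedelta(seconds=30 * i), "203.0.113.7") for i in range(4)]  # listed host
    events += [(t0 + timedelta(seconds=45 * i), "192.0.2.10") for i in range(3)]  # unknown host
    return [(ip, mon.record(ts, ip)) for ts, ip in sorted(events)]


if __name__ == "__main__":
    for ip, decision in run_sample():
        print(f"{ip:15} {decision}")
```

The monitor deliberately never auto-blocks an unknown host on volume alone; a shared NAT or proxy can legitimately produce many registrations, so the volume signal only raises priority for review, while the combination of a bad reputation and a burst is what triggers blocking.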

Posted by Security4all at 6.9.07 1 comments

Labels: application vulnerabilities, exploit

Wednesday

ISSA Event on "Social Engineering" (updated)




Information about the next ISSA event is online. UPDATE (5/9/2007) The details have appeared:

"Welcome to The Weakest Link!"

Contrary to what this title suggests, ISSA will NOT be hosting this famous television quiz show. So there is no need to be afraid of being sent away due to a lack of knowledge concerning trivia. However, there are some similarities with the topic of this event, Social Engineering. E.g., things you don't know about might hurt you badly. And the Weakest Link in Information Security is very often located "Between Keyboard And Chair". A 50000 EUR security device may protect your information assets as perfectly as possible, but if an employee provides his login credentials in exchange for a candybar, you might have to walk "The Walk of Shame" anyway... This ISSA event will be more interactive than usual. But you'll go home better informed and less vulnerable, as usual.

Hope to welcome you all on this very interesting event!

This evening event will be held on

Thursday, September 20th, 2007

Place :

Getronics Executive Briefing Center, Leopold Tower, Rue de Genèvestraat 10, 1140 Brussels (Evere)

Agenda :

1800h : Welcome with drinks and sandwiches (PLEASE FOLLOW ACCESS PROCEDURE MENTIONED BELOW!!! NO ACCESS AFTER 1900HRS!!!)
1830h : Part 1 - Presentation

1. Social engineering - definition
2. Historical overview
3. What's the motive behind social engineering
4. The human element
5. Known exploits
6. Approaches to protecting your company against social engineering

1930h : short break
1945h : Part 2 - Workshop – Steal the flag

The target - "Secrus Traders Inc." (A fictional company) financial results

o Group A - will represent the social engineering attackers
o Group B - will represent the security department of "Secrus Traders Inc."

Members of Group A will need to define a timely driven attack scenario against "Secrus Traders Inc." corporation in an attempt to steal the next quarterly financial results.

Members of Group B will need to define timely driven measures to try to increase the awareness of the organization, managing management, employees, and public.

End of part 2 - Presentation of Group A and Group B strategies, comments from the participants.

2045h : closing drink

PRACTICAL INFO AND REGISTRATION INSTRUCTIONS


PS: Don't forget it's OWASP Day (6-Sep-2007) this Thursday.

Posted by Security4all at 5.9.07 0 comments

Labels: belgian, community, conference

Last German Hackergroup THC leaves the country


From THC.org:

The German fraction of THC stops all activities that have been labeled illegal under new German anti hacker law. The law forbids German citizens to research, discuss or disclose security problems. THC is an independent non-commercial security research organization with over 10 years of experience.

For the past 10 years THC has been exposing fishy security in commercial products, informed the customer and pushed the companies towards stronger and better security, says a THC founder who does not want to be named.

Another German THC member was quoted as saying "[...] we were similar to what the ADAC is for cars: We made sure that what was labeled secure was indeed secure!"

When asked what kind of law the government should have passed a THC member responded that "there is no law that makes companies responsible for broken or insecure software. Anything can be labeled virus-safe or secure when in fact there is no security in the product whatsoever."

THC is the last of many research groups leaving Germany.

With no independent security research group left in Germany, its citizens are exposed to fraud, hoax security products and identity theft.

If you are living outside Germany and want to take over the development of the THC tools please contact us at members at thc dot org.

THC is now hosted on two servers: http://freeworld.thc.org is for international http://germany.thc.org is for German members who devote their time twiddling their thumbs.

Actually, this is old news. There was already a message on their website on August 2nd that they were offshoring their website and tools. Maybe this new message is more drastic. But I liked their comment that there are no laws against bad and insecure software. So who are the 'bad' guys anyway? ;-)

I also remember a blog entry on Taosecurity, 'Hacker Is Not a Dirty Word', where a legal team attempted to attack the credibility of Jon Tan/Karl Kasper as a forensic investigator because he is a "hacker."

Posted by Security4all at 5.9.07 0 comments

Labels: community, cyberlaw, hacking

After USA & Germany, is the UK the next victim of Chinese Hackers?


First article:

Chinese hackers have been attacking key British government computer networks, a media report said today, amid allegations the Pentagon and German ministries have also been hit.

Chinese attackers have launched online assaults against the network at Britain's Parliament and the Foreign Office, The Guardian newspaper reported today, citing unnamed government officials.

It said some of the hackers were believed to be from the Chinese military, without citing sources.

The report marks the third time in two weeks that China's military has been accused of hacking into foreign governments' computers. (Source: smh.com.au)

Second article:

Economic espionage connected to China has increased dramatically in the last decade. A German official estimated that two-thirds of the economic espionage cases currently being investigated by the country's law enforcement are linked to China, according to Der Spiegel. In the U.S., the FBI has estimated that a third of all economic espionage cases are linked to the Chinese and have boosted the number of agents assigned to combat Chinese espionage to 350, from 150 in 2001, according to USA Today.

Yet, tracking the attacks back to China is not a simple matter.

Attackers regularly use multiple servers and botnets to hide the true origins of their activities. For example, current data shows that nearly half of all spam comes from servers based in North America, but that does not mean that the U.S. is spamming other countries, said Matt Sergeant, senior antispam technologist for e-mail security firm MessageLabs.

"Certainly, there is a lot of what we call -- in the spam world -- bulletproof hosting in China," Sergeant said. "But saying that the source of the attacks coming from those servers is in China is not straightforward. Using that naive viewpoint, most of spam is coming from the U.S." (Source: Securityfocus)

It's like the cyberattack on Estonia (allegedly) by Russia. The internet gives plausible deniability (for now). But with botnets and open proxies, who knows for sure? I admit, there are strong indications pointing that way. It's not like the US Army isn't probing China. To be continued.

UPDATE (05/09/2007): I guess great minds think alike. Taosecurity also has a blog entry on it, United Kingdom v China, but he mentions an attack on the European Parliament's computer network about three years ago.

What worries Mr Preatoni are the attacks that go undetected. “We think that governments have the most sophisticated cyber defences on the planet,” he said. “This is the wrong assumption. In my work with governments, I see they face the same problems as the business world in securing their networks. There’s a lack of expertise. The machines aren’t properly administered. There are budget cuts. They face the same problems as the corporate world. They are hit by the same vulnerabilities.”

So how do you stop a targeted attack? Comments are welcome.

Posted by Security4all at 5.9.07 0 comments

Labels: hacking

Botnets are targeting eBay accounts


At least, if we have to believe officials at Aladdin Knowledge Systems: a brute-force attack using botnets. Time to have your password strength tested!

Elzam said the eBay-focused botnet is unique in its sophistication and complexity.

"It uses so many techniques," he said. It starts by inserting an invisible frame that opens a page that's also obscured from the victim, he said. That page then runs some Ajax and XML script that starts to troll sites, one after another, looking for known vulnerabilities. It downloads some code elements that in turn download other code elements. After four or five stages, it then launches, connects to another server and downloads user name/password name combinations that it uses to attempt to gain access to valid eBay accounts. (eWeek)

What they are up to with the accounts is not certain, but this blog post gives a pretty good example.

"I woke up this morning to a nightmare," wrote a Texas-based book collector identified on his blog only as Sam Houston. "Someone in England hacked into my personal eBay data and changed it to reflect a completely fraudulent identity with an English mailing address. That person than proceeded to send out at least 25 e-mails to individuals in the U.K. who are trying to sell Sony laptop computers on the site. He offered them more than they are asking for the laptops and wanted them mailed to him as soon as possible."

In this case, a Trojan infected his PC and stole his credentials. It's not directly related, but it gives an example of what blackhats can do with identity theft. He also mentioned that the attacker compromised his PayPal account and tried to pay for the 25 notebooks using funds from the checking account linked to PayPal. No comment from eBay so far.

Posted by Security4all at 5.9.07 0 comments

Labels: botnets, bruteforce, crime, fraud

Microsoft Legal tells Autopatcher to stop (updated x2)

A sad day. For four years, AutoPatcher provided users a way to download and install all patches at once. It also allowed a great number of tweaks to system performance AND security. To me it was one of the greatest tools that ever existed.

But now Microsoft Legal has told AutoPatcher to stop. They claim they want to prevent malicious code from being added and that it has nothing to do with WGA. Sounds very fishy to me. Microsoft added that Windows Update for pre-Vista versions of Windows can now be accessed using Firefox. Hmmm..... let's test it with my Firefox 2.0.0.6 (I temporarily deactivated NoScript for the test):

Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center or you can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates:

  1. Click Start, and then click Control Panel.
  2. Depending on which Control Panel view you use, Classic or Category, do one of the following:
    • Click System, and then click the Automatic Updates tab.
    • Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
  3. Click the option that you want. Make sure Automatic Updates is not turned off.
*cough* Firefox support indeed. Isn't it time to release XP SP3? Not every country has broadband without transfer limits. At least I discovered that security updates are available as ISO-9660 DVD5 image files from the Microsoft Download Center. But that doesn't include the (security) tweaks and functionality that AutoPatcher has. A sad day indeed.

Update (31/08/2007): Microsoft Stomps on Free Patch Utility (eweek.com)

An unnamed source at Microsoft prior to the AutoPatcher shutdown told a Neowin member who asked about the implications of distributing hotfixes that WGA is "first and foremost an educational tool."

*cough* WGA mistakenly disabling features in Vista, anyone? Educational indeed. I am more and more convinced to switch back to Linux (Gentoo or Ubuntu) after four years rather than buy Vista. I am not too comfortable with the thought that someone on the other side of the world can disable half of my OS with the flip of a switch. It's all about control (and profit?).
I just like to be in control of my own personal computer.

Also read: the Vista advanced phone home features.

UPDATE (04/09/2007): AutoPatcher looks to return from the dead (computerworld.com)

Posted by Security4all at 5.9.07 3 comments

Labels: microsoft, windows

Tuesday

Another take on the Anti-virus detection problem

As a follow-up to Is Anti-virus ineffective nowadays? (UPDATED), I read the proposal from Joanna Rutkowska:

With digital signatures we can "detect" any kind of executable modifications, starting from the simplest and ending with those most complex, metamorphic EPO infectors as presented e.g. by Z0mbie. All we need to do (or more precisely the OS needs to do) is to verify the signature of an executable before executing it.

I hear all the counter arguments: that many programs out there are still not digitally signed, that users are too stupid to decide which certificates to trust, that sometimes the bad guys might be able to obtain a legitimate certificate, etc...

But all those minor problems can be solved and probably will eventually be solved in the coming years. Moreover, solving all those problems will probably cost much less than all the research on file infectors cost over the last 20 years. But that also means no money for the A/V vendors.


A response from anti-virus rants:

first things first - this is essentially a whitelist technique (with the added bonus that the cryptographic component allows the proof of whitelist membership to be shipped with the file instead of requiring a lookup in a very big list) with all associated fundamental problems... think the problem of signing all good programs is small and will probably be solved? maybe for suitably large values of small... if you're going to focus on identifying good files instead of bad ones you have to keep in mind that the good files outnumber the bad by orders of magnitude and grows at an even faster rate... conceptually signing all good programs is simple, but in practice it's very, very hard...

I agree that blacklisting is not the solution anymore, but whitelisting may prove just as challenging. Microsoft is already using code signing. What could be the problem? Remember when VeriSign was tricked into issuing two Class 3 code-signing digital certificates to someone fraudulently claiming to work for Microsoft? It's just an example, but I agree with the comment on anti-virus rants that it offloads the whole issue onto the signatory.
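To make the trade-off in the two quotes above concrete, here is an added example (not from the original post or from either author) of an OS-side "verify before execute" gate. HMAC-SHA256 stands in for a public-key signature because the Python standard library has no RSA/Ed25519; the publisher, key and executable images are constructed for the demo. It shows what the gate catches (any modification after signing, including EPO-style body patches) and what it does not (unsigned good software is blocked, and anything signed with a trusted key is allowed, which is why the risk lands on the signatory).

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Publisher:
    """Holder of a signing key. HMAC-SHA256 is a stand-in for a real
    public-key signature; only the key holder can produce valid tags."""
    name: str
    key: bytes  # constructed; a real PKI would use a private key + certificate

    def sign(self, image: bytes) -> bytes:
        return hmac.new(self.key, image, hashlib.sha256).digest()


@dataclass
class Loader:
    """OS-side gate: an image may run only if a trusted publisher's
    signature over the exact bytes verifies. This is a whitelist."""
    trusted: Dict[str, bytes] = field(default_factory=dict)  # name -> verification key
    audit: List[str] = field(default_factory=list)

    def trust(self, publisher: Publisher) -> None:
        self.trusted[publisher.name] = publisher.key

    def verify(self, image: bytes, publisher: Optional[str],
               signature: Optional[bytes]) -> Tuple[bool, str]:
        if publisher is None or signature is None:
            return False, "unsigned"
        key = self.trusted.get(publisher)
        if key is None:
            return False, "untrusted publisher"
        expected = hmac.new(key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch: image modified after signing"
        return True, "ok"

    def execute(self, name: str, image: bytes, publisher: Optional[str] = None,
                signature: Optional[bytes] = None) -> bool:
        ok, reason = self.verify(image, publisher, signature)
        self.audit.append(f"{name}: {'ALLOW' if ok else 'BLOCK'} ({reason})")
        return ok


def epo_infect(image: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for an entry-point-obscuring infector: flip a byte
    deep inside the body and append a payload, leaving the header untouched.
    The signature covers every byte, so the size or position of the change
    does not matter to the gate."""
    mid = len(image) // 2
    return image[:mid] + bytes([image[mid] ^ 0xFF]) + image[mid + 1:] + payload


def demo() -> Dict[str, bool]:
    vendor = Publisher("Example Software Ltd", key=b"constructed-signing-key-0001")
    loader = Loader()
    loader.trust(vendor)
    results: Dict[str, bool] = {}

    # Constructed sample image; a real one would be a PE or ELF file.
    calc = b"MZ" + b"\x90" * 60 + b"CALC.EXE body" + b"\x00" * 20
    calc_sig = vendor.sign(calc)
    results["signed original"] = loader.execute("calc.exe", calc, vendor.name, calc_sig)

    # Any post-signing modification breaks the signature.
    infected = epo_infect(calc, b"<constructed payload>")
    results["infected copy"] = loader.execute("calc.exe (infected)", infected,
                                              vendor.name, calc_sig)

    # A perfectly good tool that nobody signed is blocked too: the whitelisting cost.
    tool = b"#!/bin/sh\necho constructed benign script\n"
    results["unsigned good program"] = loader.execute("tool.sh", tool)

    # Signed, but by a publisher the loader never trusted: blocked.
    stranger = Publisher("Unknown Publisher", key=b"constructed-other-key")
    results["untrusted publisher"] = loader.execute("setup.exe", tool,
                                                    stranger.name, stranger.sign(tool))

    # The gate proves origin and integrity, not good behaviour: whatever the
    # trusted key signs runs, so a leaked or fraudulently issued key defeats it.
    bad = b"<constructed malicious image>"
    results["malware signed with trusted key"] = loader.execute(
        "dropper.exe", bad, vendor.name, vendor.sign(bad))
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:34} -> {'ALLOW' if allowed else 'BLOCK'}")
```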

BONUS (04/09/2007): Did We Waste Billions Building File Anti-Virus Scanners? (McAfee Avertlabs)

Posted by Security4all at 4.9.07 0 comments

Labels: anti-malware

New anti-virus reviews and be careful with the interpretation

The August report from AV-comparatives was released. But be careful when reading or using these statistics:

We are rather tired of repeating that VirusTotal was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:

- VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc.

- In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

There is also the independent AV-Test.org Testlab with their August reviews:

Rank  Product        Detection   AV database size
 1.   AVK 2007       99,88%      22,4 MB
 2.   WebWasher      99,86%      22,0 MB
 3.   BitDefender    99,51%      12,3 MB
 4.   AntiVir        99,29%      19,4 MB
 5.   Kaspersky      98,86%      14,3 MB
 6.   F-Secure       97,93%      15,3 MB
 7.   Avast!         96,99%      11,0 MB
 8.   AVG            96,81%      32,7 MB
 9.   Symantec       96,75%      40,2 MB
10.   Microsoft      96,42%      22,5 MB
11.   Ikarus         95,92%      11,9 MB
12.   Sophos         94,63%      13,7 MB
13.   Nod32          94,26%       8,7 MB
14.   Fortinet       94,20%      51,9 MB
15.   McAfee         93,71%      18,2 MB
16.   Dr Web         92,48%       8,9 MB
17.   Rising         90,43%      29,7 MB
18.   Panda          90,15%      34,6 MB
19.   TrendMicro     88,85%      67,2 MB
20.   VBA32          88,59%      33,8 MB
21.   F-Prot         87,03%      20,9 MB
22.   Norman         86,05%      24,7 MB
23.   Command        82,57%      15,2 MB
24.   VirusBuster    80,49%      19,2 MB
25.   QuickHeal      79,02%      22,9 MB
26.   ClamAV         78,66%      11,8 MB
27.   eTrust-VET     78,25%      13,8 MB
28.   Ewido          74,91%      11,9 MB
29.   eSafe          73,61%      91,4 MB

Please be advised that AVK uses the engines of Kaspersky AND Avast, and WebWasher is a gateway product with strong (and strict) heuristics. It is always advisable to use a product with strict heuristics at the gateway level (possibly with two engines) and another vendor for desktop anti-virus scanning. Note also that Microsoft has come up from 80% in previous results.

Still, you have to be careful when interpreting anti-malware reviews. Depending on the methodology and sample set, you can get very different results. To make your head spin even more, here are some statistics from samples captured by honeypots (Shadowserver). If you want to do your own comparative tests, the AVIEN Malware Defense Guide discusses some do's and don'ts.

Posted by Security4all at 4.9.07 0 comments

Labels: anti-malware

Monday

Is Anti-virus ineffective nowadays? (UPDATED)

I have seen a lot of stories and blogs this year shouting: "Anti-virus is dead". Quite sensational. The topic reappeared on the SANS ISC website yesterday: To AV or not to AV, is that the question?

Over the last few years we have seen malware go from the “Oh look at me” attempts at “fame” to “how much can I make” approaches. It has now become a business. To succeed in this kind of business you need malware that is delivered and remains undetected. But you also have to keep costs low. Often this results in variations, the same malware over and over again, but wearing different coats, a funny hat or a false moustache. To protect against malware we use our trusty antivirus product, because it will find all those nasties, right?

They arrive more or less at the same conclusion as Dr. Anton Chuvakin in Let's Play a Fun Game Here ... A Scary Game.

I'm not claiming that AV has become less effective. Malware has just evolved at a faster pace and we're failing to keep up.

To state the final quote from the ISC story: "One thing is for certain the malware business model works (storm seems to be doing well) and until we change the approach to managing malware it will continue to. As many of us have learned the hard way, you can't put all your eggs in one basket. By relying on AV alone you may be exposing your machine or your network." (Mark H)

I'm wondering when we will see the next generation of anti-malware detection engines. Here is a VERY interesting article from daemon.be on why good detection has become a problem.


BONUS (04/09/2007): Welcome to 2007: the year of professional organized malware development

Increasingly, we are drifting away from the chaotic distribution of new malware (malicious software). The distribution of new malware has become highly organized and will continue to be so. The “Detect and Forget” times of Antivirus programs belong to the past. This is relevant, at least, for most of recent new malware.

Posted by Security4all at 3.9.07 0 comments

Labels: anti-malware, trojans

DRM done wrong: The stamp of incompetence

From Heise.de:

A user registers with Stampit and then can buy a type of virtual stamp in the form of smart PDFs. When the stamp is printed from the user's computer system the PDF contacts the Post Office server to check if it is still valid. It does this without the user registering - it is just the stamp itself "phoning home". In this transaction, the unique identifier of the stamp is cancelled on the server so that no further printings of that stamp can be made.

A pity if the paper jams then, or if the printer turned out to be out of toner. heise Security has heard from readers so frustrated with this problem that they have ended up creating special printer definitions in their systems that will print the stamp to a normal pdf so that it can then be printed again - and again. They do this not because they want to cheat the Post Office, but because problems so often arise when printing they want the security of being able to try again.

The full article also gives examples on how it's done right. Never forget user satisfaction when implementing DRM.

Posted by Security4all at 3.9.07 0 comments

Labels: DRM, fraud

150 Free Security And Network Monitoring Tools

Net Tools 5.0.70 is the swiss army knife of security and network monitoring utilities for your local area network or the internet. System administrators will love the application’s network scanning, security, file, system, network diagnostics, and extra features included.

Posted by Security4all at 3.9.07 0 comments

Fun: The Ultimately Secure Deep Packet Inspection and Application Security System



The Ultimately Secure DEEP PACKET INSPECTION AND APPLICATION SECURITY SYSTEM
Featuring signature-less anomaly detection and blocking technology with application awareness and layer-7 state tracking!!!

Full specifications and whitepaper available on Ranum.com

Posted by Security4all at 3.9.07 0 comments

Labels: fun

Sunday

Book review: AVIEN Malware Defense Guide

Almost two weeks ago, I gave a book tip about "AVIEN Malware Defense Guide".

Now it's time to give a small review. In its 540 pages they cover the following topics:

  1. “Customer Power and AV Wannabes”
  2. “Stalkers on Your Desktop”
  3. “A Tangled Web”
  4. “Big Bad Botnets”
  5. “Creme de la Cybercrime”
  6. “Defense-in-depth”
  7. “Perilous Outsourcery”
  8. “Education in Education”
  9. “DIY Malware Analysis”
  10. “Antimalware Evaluation and Testing”
  11. “AVIEN and AVIEWS: the future”
Here is a detailed table of contents from Syngress if you want more details.

The first 150 pages were a bit boring, but only because they explain some basic terms and concepts. This is useful for readers who are new to the subject. But even I did learn some new things. Like, I never realised that the first ransomware already existed in 1989. Also the story about the NCPH and Wild Rose was very entertaining.
The book was full of useful resources and checklists and also focused on defense in depth. You really notice that it is written by knowledgeable people who work in the field. This book can help engineers as well as managers to learn more about malware and defend their enterprise. I give it a 5/5 score.

Now on to the next book:

Cross Site Scripting Attacks: XSS Exploits and Defense

I'll post a review in two weeks.

Posted by Security4all at 2.9.07 0 comments

Labels: anti-malware

Why? Because it is company policy!

Having a (security) policy is very important. But never lose sight of why it was made and what it is meant to protect. Don't just accept it because it has always been like this. I read the following story with great amusement:

The Monkey Cage

Start with a cage containing five monkeys. Inside the cage, hang a banana on a string and place a set of stairs underneath it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After a while, another monkey makes the attempt with the same result - all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will prevent it.

Now, put away the cold water. Remove one monkey from the cage and replace that monkey with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all the other monkeys attack him. After another attempt and another attack, he knows that if he tries to climb the stairs, he will be assaulted.

Next, remove another one of the original monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part in the punishment with enthusiasm! Likewise, replace a third original monkey with a new one, then a fourth, then the fifth.

Every time the newest monkey takes to the stairs, he is attacked. Most of the monkeys that are beating him have no idea why they are not permitted to climb the stairs or why they are participating in the beating of the newest monkey. After replacing all of the original monkeys, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the stairs to try for the banana.

Why not?

Because as far as they know, that’s the way it’s always been done around here.

And that, my friends, is how company policy begins.

Funny story. The threat landscape always evolves, and so should you (and your policy).

Posted by Security4all at 2.9.07 0 comments

Labels: fun

Germany Plans To Email Trojans

As a follow-up to Should police hack?: the action comes in response to a court denying prosecutors' requests to break into suspects' computers over the Internet. The German chancellor supports the measure despite considerable outcry from political opponents and rights groups.

BERLIN - German officials on Friday defended a proposal to use "Trojan horse" software to secretly monitor potential terror suspects' hard drives, amid fierce debate over whether the measures violate civil liberties.

Interior Minister Wolfgang Schaeuble wants to include the measure in a broader security law being considered by conservative Chancellor Angela Merkel's coalition government.

Max Stadler, a security expert with the opposition Free Democrats, insists such practices would weaken citizens' trust in government.

"It is an invasion into the private sphere," Stadler told ZDF television. (Mercurynews)

During CCCamp 2007: Day Three, there was a presentation on this subject: "Online Search: A Necessary Investigation Instrument". The video is not yet online, but you can download the PDF. I think that this 'infection' might compromise some principles of a forensic copy and violates basic privacy rights. And what about anti-virus software?


A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.

It just seems that they have no good understanding of computer security and are making one mistake after another.


Posted by Security4all at 2.9.07 0 comments

Labels: anti-malware, crime, forensics

Saturday

Security videos on the DVL website: Lots and lots of them

Not only does the DVL website host Damn Vulnerable Linux, a perverted Linux distribution made to be as insecure as possible. It is a collection of IT security tools. Additionally, it includes a full-scale lesson-based environment for attack and defense on IT systems, for self-study or for teaching during university lectures.

It also hosts a lot of security videos like:

  • OWASP John Steven Building a Scalable Software Security Practice
  • OWASP Gunner Peterson Integrating Identity Services into Web Apps
  • OWASP Rogan Dawes Advanced Features of Web Scarab
  • OWASP Daniel Cutbert Evolution Web App Pen Test
  • How to deploy UltraVNC with encryption and Windows authentication
  • Deconstructing The Xbox Security System
  • Advanced Topics in Programming Languages Series: Python Design Patterns (Part 1)
  • Interactive Web Apps with AJAX
And a lot more.

Posted by Security4all at 1.9.07 0 comments

Labels: application vulnerabilities, pentesting

How did the Gentoo webserver get compromised?

Last month, one of the Gentoo hosting servers got compromised:

Admins with the Gentoo Project say they have disconnected major parts of its website a week after discovering it could be vulnerable to a command injection attack that allows bad guys to remotely execute code on the machine.
(TheRegister)

Wondering how they did it? A picture tells more than a thousand words.

Posted by Security4all at 1.9.07 0 comments

Labels: forensics, hacking
