9/1/07 - 10/1/07 | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

Sunday

OWASP WebGoat Version 5.0 released

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

Cross Site Scripting
Access Control
Thread Safety
Hidden Form Field Manipulation
Parameter Manipulation
Weak Session Cookies
Blind SQL Injection
Numeric SQL Injection
String SQL Injection
Web Services
Fail Open Authentication
Dangers of HTML Comments
... and many more!

Download WebGoat 5.0 now

Performance Measurement for Information Security

I still have to finish the security book lying on my desk but I wanted to give a sneak peak of the next book in line: Security Metrics: Replacing Fear, Uncertainty, and Doubt

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.

Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

In related news, this draft just got released: NIST Special Publication 800-55 Revision 1 - Performance Measurement Guide for Information Security (Draft)

This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. This guide indicates the effectiveness of security controls applied to information systems and supporting information security programs.

Bonus: The Four Dirty Questions of Measuring Information Security (Intel.com)

BONUS (12/10/2007): A Guide to Security Metrics - This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.

SCADA: Hacking critical infrastructures

Supervisory Control and Data Acquisition (SCADA) and industrial control systems, are often based on proprietary networks and hardware. They used to be isolated from the internet and considered immune to cyberattacks but this has changed.

Last week, a video (globeandmail.com) circulated on a lot of sites, demonstrating a theoretical attack on an electrical turbine.

In Belgium, there was one computer network that went down during the Y2K timeframe. It was the SCADA network for incident control in our nuclear powerplant in Doel and Tihange. In the US, it took a hacker 2 weeks to penetrate and more or less 'own' a nuclear powerplant network. Don't forget that the Slammer worm crashed the Ohio nuke plant network.

Eurosafe treats security problems around and with the nuclear industry. But is is solely focused on environmental and mechanical aspects of security.

Here are some more SCADA security resources, check out the presentation for more insecurity examples:

White Paper Best Practices for Securing SCADA Networks and Systems in the Electric Power Industry (Symantec)
Presentation SCADA (in)security (HITB Conference)
NIST 800-82 Second Public Draft - Guide to Industrial Control Systems (ICS) Security

Hacker toolkits sold on eBay

Exploiting software, phishing and spamming aren't the only lucrative options for Blackhats. Selling hacker software among themselves or to script kiddies is also a commercial activity.

You don't need to know the underground websites or IRC channels were they are sold. Just go to eBay! (Google Cache)

This shows us the development of trade networks that supports e-crime on the internet. High level hacking tools, including trojan loaders and Web site hacking utilities, are being made available to almost any internet user.

Some statistics about the underground economy behind it, can be found in the Symantec Internet Security Threat Report (page 13).

How to run Solaris 10 under VMware

I needed to experiment with some security features of Solaris. Since Solaris 10 runs on x86, I decided to download it and run it on a virtual machine. No need for expensive SPARC servers.

Download VMware server 1.0.4 (free)
Download Solaris 10 8/07 (free)
Create a virtual machine:

Do a typical install and select the solaris 10 profile
Configure your network connection with "Use bridged networking"
Configure your disk capacity to 8 GB Disk Size
Your virtual machine is ready

Doing the Solaris installation

Change the virtual device CD-ROM Connection from Use physical drive to use ISO image
When required press 1 for Solaris Interactive.
Choose your preferred language.
Now choose Networked Connectivity. Then specify if your virtual network interface card will grab an IP address by DHCP or not.
If you chosen not detail your virtual machine hostname, IP address, subnet mask, IPv6 support and default route.
Enable or not Kerberos, detail your eventual name service system.
If you have chosen DNS as name service system detail your domain name and at least one DNS server IP address.
Choose your Time Zone and Date & Time.
Choose your Root password.
Finally accept your summary settings page.
Say yes to both Reboot automatically after software installation and Eject additional CDs/DVDs automatically after software installation.

Now start the software packages installation.

Leave CD/DVD as Media.
Accept the License Agreement and choose Custom Install.
Select your Software Localizations region only if you want Solaris 10 in your national language. English will be installed by default.
Select Products to install as you need.
Select None as Additional Product to install.
Now you need to select how many Solaris software packages install. I suggest choosing End User Group
On Disk Selection just hit Next
On Partition Customization hit Next as well.
On Customize Partitions you’ll see a single Solaris partition If you are unsure on how to partition your virtual hard disk just hit Next.
If you hit Next on the previous screen a default File System Lay Out will appear. Just hit Next.

Now the packages installation will start. This will take some time so get some coffee.
At the end of the Solaris Installer, let the OS restart.

Voila..... you are set to go. I must say, being an ex-linux (Redhat) wizard, Solaris 10 wasn't that much different in graphical setup. And now the fun can start.

Saturday

Internet Explorer opens up your harddrive

This isn't the first time browser can disclose the content from your harddisk.
The author of The Hacker Webzine asked himself, how to find a 0-day within one hour? Well, take the vulnerability from one browser and port it to another one. In June, researcher Hong (re)discovered that by visiting a website you could get Firefox to automatically include files from the harddisk through a focus stealing bug. He then took this to IE:

This is how it works: normally due security restrictions Javascript is not allowed to set focus or/and to give a value on a file upload field. Because if you did that and it was allowed we could upload any file from a PC. So browser vendors implemented security restrictions on the file field in a form. This way it should only be possible for the computer owner to select a file in order to upload it. With this exploit we show that it is possible to steal focus from the user and bypass the browsers security restrictions. (Full article)

How to avoid Cross Site Request Forgery (for Google)

With iGoogle and other Google services all being linked to your Google account, combined with all the recent XSS vulnerabilities, makes a recipe for disaster. So what can you do about it?

Well, we all know not to trust mobile code (Javascript, Actionscript, etc....) and we are using Firefox with Flashblock and Adblock.

But that might not be enough to stop Cross-site request forgery (CSRF) ? Errata Security has a nice solution: Run two separate instances of Firefox, one logged in , and one logged out of Google using Firefox profiles. This allows you to have GMail or other services up on a separate windows on your desktop, but without the danger of XSS bugs crossing over and hijacking the GMail session. Full explanation here.

Well, it's another way then running a Browser Appliance using VMware Player, which is also a possibility. The Browser Appliance can be used for surfing and a normal browser can be used for logging into Google at the same time.

UPDATE: In case of Google services, you can partitition you Google identity. (anti-virus rants)

Friday

WarGames: 8 Ways a Competitor Can Sabotage Your Site

Let's begin with some words of Wisdom. Sun Tsu: It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Competition on the web is fierce and getting more ruthless by the day. Some webmasters have resorted to using dirty tricks, known as “Google bowling,” to sabotage competing websites. Arm yourself with knowledge and protect your site from these techniques that may be used to undermine your site’s reputation.

Who’s That Annoying Spammer?
Getting Your Domain Banned in Social Media:
Spammy Link Buying:
Duplicate Content:
301/302 Hijacking
Denial of service (DOS) attack:
Kicked Out of AdSense
Click Fraud

Full article (Virtualhosting.com)

The article doesn't give any solutions but it is a new insight to attacks. What good is a multilayered DMZ if you get kicked out of the Google index? Feel free to comment!

BackTrack 2 with Metasploit 3 as a Virtual Appliance

Cool, new toys have arrived. Some remarks from my side. Try to avoid using NATTING on the VMinterface since aggressive network scanning/probing can lead to source port starvation. Always use bridging.

The Ethical Hacker Network (EH-Net) proudly releases the only Official Version of BackTrack 2 that not only adds Metasploit 3 to the toolset but is also packaged as a VMware Virtual Appliance. Here are just a few of the features added by the projects lead developer, Mati Aharoni, specifically for the EH-Net Community:

Metasploit updated to latest svn, all dependencies upgraded
Added fabs patches for msfgui
Aircrack-ng updated to 1.0 svn, all dependencies upgraded
Tcpdump patched (security fix)
Firefox updated to latest
Firefox links, favorites and home page
A few more lib fixes for old nasties in BT2 final

Download Locations for the EH-Net/BT2 VM:

File size = 860 MB. Additional mirrors coming. Feel free to spread these files. PM me directly if you can provide a mirror, torrent server, or any other method of spreading the wealth.

http://www.ethicalhacker.info/dl/ehnet_bt2_vm.7z

http://s160498894.onlinehome.us/dl/ehnet_bt2_vm.7z

Thursday

A Blog about netizenship, freedom of information, surveillance tendencies in Germany

There is a new Blog "Bitkanone" to communicate the German political discussion revolving around netizenship, freedom of information, surveillance tendencies etc, to a non-German/non-German-speaking audience.

Once upon a time, there were many countries on this globe, and in these countries were leaders, who got to make decisions, and citizens, who were (in theory) free to accept these decisions or oppose against them. Mostly, the citizens chose to accept them, sometimes grudgingly, because opposing meant work and hassle.

However, sometimes the citizens resolved to oppose, if they thought that the decisions made by the leaders were plain wrong and stupid and getting more so all the time.

So the citizens put in the work to oppose, they formed small groups and then larger groups, to pool resources and encouragement. And at some point, these citizens learned that there were other people in other countries who struggled against the same stupid decisions in their respective countries. And they began to become interested to see what those other people were doing - partly to see whether anything could be learned from them, partly to feel less isolated. It was realized that this process should go both ways: learn from the like-minded people in other countries and provide ways of learning about the local work to them in exchange.

In this spirit, this blog aims to provide information about the goings on at the German electronic frontier - in a language that is accessible to most people. The posts will be contributed by a somewhat loose blogger collective. Their subject will be the German political discussions that revolve around information access and hacking. Some of them will just be translations of German content, some of them comments and news bits, some of them will illuminate the background of peculiarities in the German political discourse. It is as much an experiment as an information outlet, so we're curious what will come of the Bitkanone.

PCI DSS compliance deadline approaching

PCI DSS was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues.

In a separate study of 60 recent PCI audits at 50 major companies, security vendor VeriSign found that some 53 percent of organizations failed at least one of PCI's 230 requirements. That's an improvement over last year's study, in which 73 percent of companies failed the audit, VeriSign says.

If they don't make it by Sept. 30, it will be the third time the stragglers will have missed a PCI compliance deadline. The credit card companies had originally mandated compliance by June 2005. The deadline was stretched to 2006, and then the deadline for the revised PCI 1.1 was extended to Sept. 30 of this year.

So what's taking so long? Experts differ on which is the largest obstacle, but three elements consistently come up in all of the conversations: access management, application security, and encryption.

Full article (DarkReading)

The article mentions that in some cases, getting into compliance is more expensive then paying the fines. This doesn't improve overall credit card security, which remains at risk despite three years of PCI deadlines. Also, getting compliant proves that you were within some standards at a given moment of time. But security is not a label, it's a process. So how does it improve security? Mark Curphey had a presentation about another possible criteria: OWASP Evaluation and Certification Criteria Draft.

Metaploit gets shellcode for the iPhone

HD Moore added shellcode for the iPhone to Metasploit. Now it will only take a serious bug and an exploit to make this really a mobile threat. Especially if you read his next comment:

Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

Got a mobile device security policy in place? ;-)

Kaspersky is going for whitelisting

In "Another take on the Anti-virus detection problem", we discussed the possibility of whitelisting as a solution in next generation products. Kaspersky is going to take a swing at it.

Antivirus company Kaspersky will concentrate on whitelisting in version 8.0 of its enterprise security software, according to David Em, senior technology consultant for Kaspersky.
The company already uses some digital certificates to authenticate applications -- it plans to move more in this direction. (ZDnet.co.uk)

It's a different approach from the one Sophos is taking. But it is good to see companies are working on new technology to counter the evolution of malware.

Bonus (27/9/2007): A study by Panda Security revealed that more than 18% of computers are infected by malware, even if they have an antivirus. (always take vendor studies with a grain of salt)

Wednesday

50% of Belgian Wifi networks are unprotected

According to a survey (ZDnet.be) from BIPT (Belgian Institute for Post and Telecommunication), half of the Belgian consumer wifi networks are unprotected. Actually, I don't think this is a bad figure. I know that some years ago it was about 33%. I didn't say it was a good figure either since it still needs a lot of improvement. The article doesn't state if WEP is considered as good protection or not since it would only take one minute to crack it.

Overview of Firefox security oriented extensions for pentesting

FireCAT is a Firefox Framework Map collection of the most useful security oriented extensions.

FireCAT 1.2 reaches 60 extensions. Thanks to all fellas who give us a helping hand to collect and maintain this framework.

Download FireCAT at security-database.com.

German researchers are challenging new anti-hacker law

Someone daring enough to challenge the FUD around the new anti-hacker legislation. Hopefully it will break the controversy around the subject. Go guys!!

A German security firm, fed up with the ambiguity and confusion surrounding the country's controversial new anti-hacker law, says tomorrow it will challenge the law head-on -- by reinstating a hacking tool it had removed from its Website last month for fear of prosecution.

Jan Münther, CTO for n.runs, says he thinks n.run's challenge may be the first true test to the law, although the Chaos Computer Club hacker group has considered reporting itself to the authorities. And a German IT news site recently reported the German Federal Office for Security in Information Technology (BSI) to authorities for publishing a password-cracking tool, he says.

Full article (DarkReading)

Previous articles:

Tuesday

INSECURE Magazine Issue 13 released

DOWNLOAD ISSUE 13 HERE

Interview with Janne Uusilehto, Head of Nokia Product Security
Social engineering social networking services: a LinkedIn example
The case for automated log management in meeting HIPAA compliance
Risk decision making: whose call is it?
Interview with Zulfikar Ramzan, Senior Principal Researcher with the Advanced Threat Research team at Symantec
Securing VoIP networks: fraud
PCI DSS compliance: a difficult but necessary journey
A security focus on China outsourcing
A multi layered approach to prevent data leakage
Safeguard your organization with proper password management
Interview with Ulf Mattsson, Protegrity CTO
DEFCON 15
File format fuzzing
IS2ME: Information Security to Medium

GoogHOle: 4 interesting Google disclosures

From hackademix.net, we bring you 4 Google disclosures in only 3 days time:

Google Search Appliance XSS discovered by MustLive, affecting almost 200,000 paying customers of the outsourced search engine and their users: this Google dork shown 196,000 results at the time of disclosure, now dropped to 188,000.
a Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy elusion and URI handler weakness exploitation to steal your private pictures, straight from your local hard disk, just visiting a malicious web page.
a Google Polls XSS which, thanks to the (too) smart “widget reuse” allowing Google services to integrate the same functionality across multiple services, can be used to attack Search, Blogspot, Groups and, the most dramatic exploitation scenario, GMail:
- This POC steals your Google contacts
- This POC steals your GMail incoming messages, routing them to beford’s mail address
an Urchin Login XSS disclosed by GNUCITIZEN’s Adrian Pastor, which could compromise local Google Analytics installations.

Podcast: AudioParasitics Episode 16

The next episode is out:

Episode 16 - The W32/Virut family of parasitic infectors is discussed, along with the general resurgence in parasitic malware.

Use a forcefield to protect your browser

Check Point Software Technologies released the public beta of ZoneAlarm ForceField, a browser virtualization security tool that promises anti-phishing and spyware blocking capabilities.

The software is available as a free download during the beta testing period. But the final product will cost 29.95$ once it ships in 2008.

Microsoft's Internet Explorer already runs in protected mode but Forcefield expands on the concept and also adds protection for IE on XP or Firefox.

Let's not forget that Google bought Greenborder: a browser virtualization software service and probably will release their own anti-malware protection in the near future.

Monday

Whitepaper: Innovative defense strategies for securing SCADA and control systems

This White Paper takes a look at the fundamental issues with the current practice of securing SCADA and control systems, discusses the concept of security zones of vulnerabilities, and briefly introduces several new and unique cyber defense solutions that can be deployed at each security zone.

OVER THE past few years, most companies with critical infrastructure controlled by SCADA, DCS, and other process control systems have taken the approach to group all of their real-time systems in an environment called the PCN or process control network, and try to keep that environment as separate and isolated as possible from the IT and corporate networks.

While this concept is a move in the right direction, treating the PCN environment like a black box and trying to manage one firewall or cyber defense solution at the border with IT is not adequate to protect from changing external and internal threats. The sensitive nature of the PLC and DCS devices controlling the critical infrastructure assets requires a higher level of network segmentation and advanced defense solutions not currently recommended or available through most security firms and IT vendors.

Read the white paper (pdf)

ttp://www.controlglobal.com/whitepapers/2006/034.html

Sunday

EuroSOX : The European Version of SOX

Well, most of you must have heard of the Sarbanes-Oxley act. If you didn't, you should because it's going to be implemented in Europe as well (kind of). I found this article EuroSOX - The European Version of SOX over at the AIIM Knowledge Center Blog

In April 2006 the final adoption of the 8th Directive was passed and now implementation into local law can go ahead.
It consists of in total 3 separate directives which are :

4th Directive 78/660/EEC ,
7th directive 83/349/EEC and
8th directive 84/253/EEC

which together are to safeguard shareholder’s investments, establish Corporate Governance, increase disclosure requirements and also establish separate audit committees.

The directives closely follow the US regulations, as these affects only publicly traded companies. It will still take up to 2 years before every countrys' regulations has been updated to reflect these directives in local law. By then every company has to be fully compliant, and if you are doing business in Europe or are traded at any of the many different European stock exchanges, then this is something that you need to look at and be aware of.

Evolution of Anti-virus

After all the stories about the end of anti-virus technologies, I have been on the lookout for hints of next generation features. I stumbled upon this article:

Panda's idea for the near future is adding a new layer of security that it calls collective intelligence. He calls it the "web 2.0 version of security": instead of keeping each user's computer separate, it's scanned from the "cloud". This approach, he says, allows much bigger signature files and can detect targeted attacks because all computers are visible in real time.

But even this approach won't last forever. Salvatore Stolfo, a professor of computer science at Columbia University, says the attackers "have the upper hand. They have all the time in the world, and they have great motivation to spend their time and energy to avoid detection."

Antivirus has a future, he says, but it may be in name only. "Basic implementation and strategy will change." Like the fraud detection in use by banks and credit card companies, "eventually, systems implanted in machines will learn your own personal behaviour and protect by detecting abnormalities". One has to hope so. Otherwise, the future looks bleak. (Source: Guardian)

If you know of other technology, leave a comment.

Security in the age of compliance

Three papers from Anton Chuvakin in his "... in the age of compliance series" :

Saturday

A peek at the Virus Bulleting 2007 Conference

It's the first time I heard about the Virus Bulletin Conference:

Over its 17-year history, the VB conference has become a major highlight of the anti-malware calendar, with many of its regular attendees citing it as the anti-malware event of the year. The VB conference provides a focus for the anti-malware industry, representing an opportunity for experts in the anti-malware arena to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.

McAfee Avertlabs is giving some insight on the conference:

The first day adjourned with many interesting presentations ranging from use of automaton in the world of Malware (for the purposes of good and evil), growing use of malware in virtual worlds (MMORPG and Second Life), to low-level malware techniques (rootkits and patching).

More information can be found here:

Reconstruct TFTP sessions using TFTPgrab

Wireshark, TCPFlow and other tools can reconstruct files from network captures but not TFTP because it uses UDP. Someone just made a tool to do this:

Today I was very surprised to receive an email from Gregory Fleischer, who directed me to his new tool TFTPgrab. He saw my ShmooCon talk earlier this year, heard my plea, and built a TFTP file transfer reconstruction tool! I downloaded and compiled it on FreeBSD 6.2 without incident, and here is I how I tested it. (Source: Taosecurity)

DRM breaks Canadian Privacy laws and acts like Big Brother

A research report from the Canadian privacy watchdog Cippic reveals that DRM techniques are violating the Canadian privacy laws. Cippic is a part from the university from Ottawa. They investigated the network traffic from 16 different applications including the following: iTunes, Zudeo, Office Visio, Napster en Half-Life 2. The researches installed a PC with XP to a Linux machine with Ethereal and a Squid proxy to make their analysis.

The report reveals that DRM systems who demand a permanent internet connection to validate the license are sending data to Akamai, Omniture and DoubleClick. Most of the companies involved don't mention this datatransfer in any of their privacy statements. When the researches tried to get feedback from the companies, most of them didn't respond.

Friday

Big Update on virtualization security

Let's have a look at the latest security trends in Virtualization including presentations from the VMworld Conference.

First of all, virtualization software isn't without it's vulnerabilities.

An advisory from VMware lists a total of 20 different vulnerabilities affecting all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE and VMware Player. (Zero Day)

IBM ISS compiled all the previous vulnerabilities and put them in a table:

VMware Vulns by Year	Total Vulns	High Risk Vulns	Remote Vulns	Vulns in First Party Code	Vulns in 3rd Party Code
Vulns in 1999	1	1	0	1	0
Vulns in 2000	1	1	0	1	0
Vulns in 2001	2	0	0	2	0
Vulns in 2002	1	1	1	1	0
Vulns in 2003	9	5	5	5	4
Vulns in 2004	4	2	0	2	2
Vulns in 2005	10	5	5	4	6
Vulns in 2006	38	13	27	10	38
Vulns in 2007	34	18	19	22	12
TOTALS	100	46	57	48	62

How do I interpret these trends?

It is clear that with the increase in popularity, relevance and deployment of virtualization starting in 2006, vulnerability discovery energies have increasingly focused on finding ways to exploit virtualization technologies.
Combine the vulnerabilities in virtualization software, vulnerabilities in operating systems and applications that still exist independent of the virtualization software, the new impact of virtual rootkits and break-out attacks with the fact that in a virtual environment all your exploitation risks are now consolidated into one physical target where exploiting one system could potentially allow access and control of multiple systems on that server (or the server itself). In total, this adds up to a more complex and risky security environment.
Virtualization does not equal security!

One positive point it that some Trojans don't like virtual environments. A lot of security researchers use virtual machines to analyse malware quickly. So some malware will stop if it detects a virtual environment, to irritate the researchers. But with more and more environments running in Virtual environments, this might change.

If you haven't heard about VMworld, it's time to check the online Virtual VMworld. You read that right - a Virtual VMworld - what a terminology ;-)

http://www.vmworld.com/vmworld/home.jspa

Some examples:

BC10 VMware HA Guidelines and Best Practices VMware View Session
BC23 Bulletproof VirtualCenter VMware View Session
BC29 Disaster Recovery Solution Architecture for VMware VMware View Session
BC31 New Trends in Disaster Recovery for VMware VMware View Session
DV14 VDI - Considerations and Best Practices VMware View Session
IO11 100% Virtual - Debunking the Myths and Realities BlueLock View Session
TA29 Scaling Your Virtual Infrastructure - Getting Started VMware View Session
TA57 Security Architecture Design and Hardening VI3 VMware View Session
TA61 VMware Infrastructure 3 - Best Practices for Performance VMware View Session

One of the new things to come is ESX 3i. It's a VMware’ ESX server “embedded” in memory to a server. Here the Service Console has been stripped away leaving the ESX vmkernel to a bare 32MB size.
This new flavour of ESX speaks to the underlying hardware’s management agent. This release of ESX will need less patch management and offers less possiblity to open security loopholes according to VMware.

PDF Datasheet
PowerPoint Presentation
WebEx Webcast

This was not discussed on VMworld but let's show you Blue Lane's VirtualShield for VMWare environments. VirtualShield is the first commercial product that specifically tackles problems in VM environments.

VirtualShield is designed to protect guest VM's running under a VMWare ESX environment in the following manner:

Protects virtualized servers regardless of physical location or patch-level;
Provides up-to-date protection with no configuration changes and no agent installation on each virtual machine;
Eliminates remote threats without blocking legitimate application requests or requiring server reboots; and
Delivers appropriate protection for specific applications without requiring any manual tuning.

There is even more Virtualization security coming our way. At Blue Hat v6, scheduled for September 27-28 in Redmond, external security researchers and internal Microsoft software engineers are expected to extend the debate over the risks of virtualization. Here is the Blue Hat v6 preliminary agenda. So keep tuned for further updates.

Bonus: A paper by Google that studied some aspects for multiple vendors in the virtualization world: http://taviso.decsystem.org/virtsec.pdf (Thanks Swa)

Thursday

0day: PDF exploiting windows

Well, after 0-day exploit: Quicktime owns Firefox and after 0 day: Exploiting by using Windows Media Files , pdp from Gnucitizen is closing the season with a zeroday adobe pdf exploit. Details are not disclosed until Adobe releases a patch. But seen his track record, we can better believe him.

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

My advise for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issues was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

UPDATE (22/09/2007): You can watch this the Proof of Concept on this Youtube movie.

Spend less on IT security, says Gartner

In a keynote speech, he said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total.

But Gartner's research suggests that the average organisation spends 5% of its IT budget on security, even with disaster recovery and business continuity work excluded, and IT managers are tired of requests for more. Security has dropped from first (in 2005) to sixth (in 2007) in the firm's annual survey of chief information officers' technical concerns.

Full article (Computerweekly)

Deloitte: People are still weakest security link

In the EMEA region, 71 percent of financial services institutions have experienced repeated external breaches over the past 12 months, compared to 65 percent of financial services institutions worldwide. The major causes of external breaches were customers compromised by viruses and worms, and email attacks through spam, phishing and pharming.

However, a high percentage of security breaches were caused by employees. Thirty-one percent of EMEA financial institutions experienced repeated internal IT security breaches over the past year while, globally, the figure is 30 percent. Employee IT security breaches were caused by misconduct, intentional action, errors or omissions.

Full article (Zdnet)

Report: Arbor’s Worldwide Infrastructure Security Report

Arbor Networks, a leading provider of network security and operational performance for global business networks, released its third-annual Worldwide Infrastructure Security Report today in cooperation with the network security and operations communities. For the first time, botnets surpassed distributed denial of service attacks as the top threat identified by service providers.

Key findings from the report include:

Bots Overtake DDoS as Chief Security Concern
DDoS Attacks Going Pro
Attacks Outpace ISP Network Growth
VoIP is Vulnerable
Rise of Managed Security Services

Wednesday

Firefox 2.0.0.7 security fix released

Firefox 2.0.0.7 was released to solve the Quicktime media format exploit.

The auto upgrade feature should have warned you. Otherwise, upgrade now.

Maxtor disks also include a virus

This seems like a scoop from Security.nl (Dutch)... After the Medion laptop being sold with an ancient boot sector virus, we have another case. Maxtor is now selling external disks , the Maxtor 3200 Personal Storage, with the AutoRun.ah virus. The virus is present as files in the root of the filesystem and seems to have infected the disk during assembly.

It's not as harmless as the bootsector virus on the Medion laptops that has no payload. The autorun.ah virus can steal passwords from online games and can delete the mp3 on your disk. So be warned. Always scan all media before using it.

StormWorm attacks Security Firms and Projects

In the context of antispam or anti-scam (phishing) fighting: "you ain't making a difference until you start getting DDoS-ed." is a painful true statement.

There's no need to warn the anti-spam researchers at the Spamhaus Project about the Storm worm authors' ability to launch massive denial-of-service attacks. They've been fending them off for several months. And they've lived -- or at least stayed online -- to tell the tale.

"It's been a pretty constant battle to stay online," Vincent Hanna, an investigator for the non-profit Spamhaus Project, told InformationWeek. "It's an arms race. They try something. We block it. They try something else. We block it. It goes on and on. Sometimes it's fine and sometimes we spend hours a day on this." (Information Week)

Read about the StormWorm's DDoS attitude:

Some highlights:

infect as many end users with high speed Internet access as possible
ensure the longest possible lifecycle for the malware campaign
take advantage of fast-flux networks to make it harder to shut down the entire botnet
stage four - strike back at any security researcher or vendor playing around with Storm Worm's fast-flux network or somehow messing up with the malicious economies of scale on a worldwide basis.

Tuesday

How good can AV scanners detect old viruses?

We have the perfect opportunity. Last week, it was widely reported that Medion was selling Vista laptops with an old bootsector virus 'Angelina'. I saw a presentation "
Antivirus (In)Security" during CCCamp claiming that old viruses don't tend to get detected anymore. Let's see about that.

A test from Andreas Marx:

The following scanners were able to detect and successfully remove the "Stoned.Angelina" critter on Windows XP and Vista:
G Data (AVK) Total Care 2008
BitDefender Internet Security 2008 (v10)
Kaspersky Internet Security 7.0
The following tools were able to detect and report the infection, but unable to handle it:
BullGuard Internet Security 7.0 (updated information from BullGuard, here).
McAfee Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Avira AntiVir Personal Premium (v7) -- BUT the scan of the system areas (master boot record) is disabled by default, so it has to be enabled or AntiVir wouldn't report anything, as it's not scanning this sector.
Two of the tools were able to successfully report and clean the virus on Windows XP, but they shred the system area on disinfecting a Windows Vista based system after the infection was found — this means that Vista wouldn’t start anymore after a "successful" cleaning and it has to be repaired (e.g. by booting from the installation DVD and selecting the option to repair the system, see the Bullguard website link above for details):
Symantec Norton 360
Panda Internet Security 2008 (v12) -- BUT you need to start the tool with administrator rights or disable User Account Control (UAC) or Panda wouldn't be able to scan for the virus on disk and report the system is clean, even if it's indeed infected.
This leaves one tool -- Microsoft OneCare 1.6 -- which is completely unable to scan for boot viruses on disk (tested on Windows XP and Vista), so the user wouldn't get a notification that his system is infected. As nothing is found, nothing can be removed, of course.

Hmmmm, not so good.

Previous posts:

Flayer, the Google Fuzzer released

Not only Mozilla has released it's Fuzzer, Google’s security team now released their fuzz testing tool called Flayer. It was used internally to find multiple vulnerabilities in Internet-critical software products.

The fuzzer has already been used to find errors in real software like the discovery of security holes in several open-source products, including OpenSSH, OpenSSL, LibTIFF and libPNG.

ISSA Event on "Social Engineering" (Reminder)

Don't forget the ISSA Event on "Social Engineering" is next Thursday (20th September).

BotHunterTM Tool for Free

I might give this BotHunter a try next weekend:

BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection.

When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

0 day: Exploiting by using Windows Media Files

Media Player meta files all have the same structure, XML. Digging deeper into the XML, pdp from Gnucitizen found several tags which can be abused for malicious purposes.

In simple words, HTMLView will display a page of our choice within the standalone Windows Media Player. I repeat, the page will be opened within the Media Player surroundings, not a standalone browser. This in particular is very interesting behavior, which I experimented with for a bit.
I found that a fully patched windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in less restrictive Internet Explorer environment even if your default browser is Firefox, Opera or anything else you have in place.
Let me translate this for you. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be.

Not good. I guess using the default Media player (Browser, Emailclient, ....) was never a good idea anyway. Personally, I prefer VLC as player, Firefox as browser and Eudora as emailclient. Like in real life: diversity is essential for survival. Just my opinion.

Monday

Symantec Internet Security Threat Report Sept 2007

Symantec Internet Security Threat Report Sept 2007 is out.

Symantec tracks and assesses underground economy servers across the Internet using proprietary online fraud monitoring tools. For the first time in this issue of the Internet Security Threat Report¸ Symantec is assessing the types of goods that are most frequently offered for sale on underground economy servers.

Some of the highlights are:

botnet infected PC's life a day longer then in 2006
most Zombie computers are located in Beijing
China hosts 29% of all bots
bugs: IE 39 vs Firefox 34 vs Safari 25 vs Opera 7
Home users are still the victim of 95% of all targeted attacks
4% of malicious activity came from a Fortune 100 computer

Read the full 134-page report

Old quicktime vulnerability also bites IE in the butt

Five days ago, I posted about Quicktime owning Firefox. Pdp mentioned it was cross platform and it seems it is also cross browser, at least for Internet Explorer.

Security researcher Aviv Raff has found a way to use the one-year-old (and still unpatched) QuickTime vulnerability to automate XAS (cross application scripting) attacks against users of Microsoft’s Internet Explorer.
To demonstrate the attack scenario, Raff embedded a rigged QuickTime file on Google’s BlogSpot to force a Skype shutdown if an IE user is tricked into visiting that Web page.
Any limited Web environment that allows embedded QuickTime files can be used to host an attack against IE, Raff said. (Zero Day)

There was a patch released for this one but it didn't close the hole completely. So far, no new patch, no feedback from Apple.

Sunday

China strikes back

After allegations from the German government, the French government, the UK & USA and lately from New Zealand and Australia that government and military networks have been attacked out of China, it's now China claiming to have suffered ‘massive’ losses of state secrets through the Internet”.

In a Reuters news article, the Vice Minister of Information Industry Lou Qinjian states that China’s computer networks were riddled with security holes and that the United States and other hostile powers where exploiting those for “political infiltration”.

Taosecurity provides us an article from Professor Spafford with Who is Hacking Whom?:

It remains to be seen why so many stories are popping up now. It’s possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved. However, that kind of behavior is normally kept under wraps. That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on — the stories are being released to create leverage in some other situation.

Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves anoher political purpose. And once again, people will act surprised. If government and industry were really concerned, we’d see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders.

I think this will be the last post in this cyberwarfare series for now. It's becoming a contest "who is the least protected".

(Cartoon from ddanchev)

Video: Searching for Evil

An excellent video on malware, phishing and spam, called “Searching for Evil” by Professor Ross Anderson.

Adblock

From the abstract:

Computer security has recently imported a lot of ideas from economics, psychology and ... all » sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Why you shouldn't blindly trust certificates

Gromozon , one of the most notorious pieces of spyware out there, is digitally signed by Thawte (part of Verisign). (Sunbelt Blog)

So don't blindly trust anything that is signed. It also puts a dent in the idea to do whitelisting only to fight malware.
The lesson from this article is that digital signatures ONLY verify that the code is coming from a verified source- a source only verified by the issuer of the certificate. It is up to the end user to decide whether or not this source is trusted.

Softskills: How to give good presentations

Giving a good presentation is important in bringing your message to the audience.

Since I saw the presentation from Mark Curphey on the last OWASP meeting, I have re-analyzing the way I give presentations myself.
Let's start with a movie that highlights some of the common mistakes: Death by Powerpoint.

Guilty as charged. I make some of these classic mistakes. Take a look at some of the presentation tips from Presentationzen.com. Also have a look at his "What is good Powerpoint Design".

I have been 'practicing' all weekend. Maybe I'll post an example online. I hope you can avoid 'Death by Powerpoint' yourself after this! ;-)

Bonus: Spring into Technical Writing: For Engineers and Scientists (Amazon.com)