24C3 Review day 3 (29-12-2007)

• 11:30: What can we do to counter the spies

I started my morning with this talk, not because I'm that big fan of James Bond but because the other ones were in German. Call me lazy. It actually was a very good talk. Annie Machon had no slides whatsoever but has a strong and emotional story. This proves that slides are only accessories.
I never heard of her and her partner before. She used to work for MI5 (United Kingdom's counter-intelligence and security agency) and discovered several "irregularities" before deciding to blow the whistle. Since there are no slides, you can only download the video (100MB). After hearing the talk, I had two questions? Is it all true? And if most of it is true, are we really headed towards 1984?

• 21:30: Wikileaks (global defense of sources and press freedoms, circa now)

To stay within the same domain, I'm jumping ahead to a small talk that was not in one of the main rooms. I saw one of the flyers hanging around and since day 3 didn't have many interesting topics for me, I decided to explore this one.
Wikileaks is a kind of anti-censorship wikipedia. I won't discuss much about it, the site explains it all itself. Some people might have read on the internet that the operational manual of Guantanamo bay got leaked onto the internet (at least the 2003 version). Apparently, this was done through wikileaks.

• 18:30: Relay attacks on card payments

And finally, the most interesting talk for me. Have smartcards made our transactions more secure? Actually, if someone uses your card and PIN code, it's your burden of proof to show it wasn't your fault. The communication between the terminals to the bank may be secure, but the communication between the card and terminal might not be secure. The PIN code is not encrypted. So take a fake terminal, accomplice with wifi or bluetooth connection on a real terminal, and voila!!! So is this UK system fullproof as the banks claim? Brilliant presentation. Have a look at the Watchdog BBC episode below or the full 24C3 talk video (100MB). Note, this does not apply to all smartcard implementations and might differ in other countries. This makes you wonder.

Chip and PIN Fraud

More to follow. In Part 4, I will include some more comments on the entire event and some interesting facts. Stay tuned.

24C3 Review day 2 (28-12-2007)

• 12:45: Dataretention and PNR

Ricardo Cristof Remmert-Fontes and Erik Josefsson from EFF Europe gave a talk about the dataretention laws in Europe. Do the measures actually makes sense? Was there an analysis of the economic impact? The presentation and video is online and look for yourself.

• 14:00: Quantum cryptography and possible attacks

Quantum cryptography is a very complex subject. Any attempt at eavesdropping from a third party is guarantied to be detected by the laws of physics. The basic principle may sound simple but if you get up to the details, better freshen up on your physics.

• 16:00: Why Silicon-Based Security is still that hard: Deconstructing Xbox 360 Security

Even hardware based security can be circumvented given enough time and creativity. Michael Steil and Felix Domke show us how they hacked the Xbox360 to boot linux. However, they released their information to Microsoft first and they have released updates to fix it. The mystery guest (masked) from last year CCCongress appeared briefly on stage. He gave the first hint that the Xbox could be cracked. He still didn't reveal his identity.

• 20:30: Toying with barcodes

This presentation from FX was actually the best presentation of today. Barcodes are widely used. From shipping boxes, entrance tickets, supermarket goods to airport luggage. We saw buffer overflow in barcode scanners to XSS scripting. Barcode scanners are actually programmed with......yes.... barcodes!!! ;-)

• 21:45: Port scanning improved

The last talk for me today port scanning improved. The whole concept was based on kernel based port scanning. It improved scanning but also decreased its accuracy somewhat.

More to follow tomorrow.

24C3: Recorded videos from the congress are already available

For those who missed some of the live streams, a lot of records are already online. Check the mirrors.

24C3 Review day 1 (27-12-2007)

Actually, we arrived the evening before the first day. The wiki suggested getting tickets early to avoid the morning queues. Apparently, we were not alone. After freezing to the bone, we got our entrance tickets.

After having breakfast, we went to see the opening speech. First they showed us a short version of the CCCamp2007 Documentery ("The movie") planned on day 3. You can still catch in with the live streaming on Saturday. The graphic design of the intro slides were really well done without making the classic mistakes. A pro.

After the speech, we went on a scouting mission. First stop: the hackcenter.

But as I said yesterday, people were hogging a lot of space, even if there were empty seats.
Very social. :-(

Thanks for the guys who gave me a seat after walking and searching around for 10 minutes with an empty battery (wifi can suck the life out of it).

In a sideroom of the hackcenter, there was a room where they were experimenting with a lot of light devices. Kewl.

There were three presentation rooms of which 'Saal 1' was the biggest one. Quite impressive. It got quite crowded at times.



Next, let's have a look at some of the presentations:

• 12:45: Der Bundestrojaner

We talked about this topic before. Should police be able to use Trojans to gather evidence? Sounds like a bad idea. It did a year ago and it still does. They went ahead anyway and have two job applications for viruswriters. *sigh* I liked the term "governware" in addition to the term malware (virusses, trojans, etc...). Note the human sized Trojan horse. Sweet.

• 17:15: AES side channel attacks:

I was looking forward to this one but it got rescheduled. Will be continued.

• 20:30: Crouching Powerpoint, Hidden Trojan:

This presentation was given by Maarten VanHoorenbeeck. He had a talk about specific targeted attacks on the internet. Quite interesting!! A topic that was in the news a lot this year. No death by powerpoint, he knew his stuff. Only the first slide could have been better. (Sorry Maarten) ;-)

• 23:00: DNS Rebinding and other interesting packets:

This looked a lot alike to this presentation at the CCCamp in August. Defeating the 'same origin policy' to use the browser as an attack platform (to scan and connect to intranets). Kiss those firewalls goodbye.
Even if it was not much new, Dan is a fun guy to watch. This time, he demo actually worked!!! Pwned.

That was about it for Day 1. More to follow.

HeX 1.0.2: a network monitoring livecd

After DEFT, we present you yet another livecd. The latest release of HeX is version 1.0.2 dubbed "The Christmas Release". HeX is build with Forensics and Security Monitoring in mind. So if you are a network security analyst, this is the livecd for you. It's based on FreeBSD.

Download URLs:

• Download ISO
• Usage Manual
• Verification(md5)
• Verification(sha256)

For US users (US mirror):

• Download ISO
• Usage Manual
• Verification(md5)
• Verification(sha256)
  

Nikto 2.01 released

From CIRT.net:

Description

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto version 2 contains many enhancements over the first version.

Some of the major new features include:

# Fingerprinting web servers via favicon.ico files
# 404 checking for each file type
# Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
# Scan tuning to include or exclude entire classes of vulnerability checks
# Expanded scan database can have multiple positive or negative triggers, to allow AND/OR/NOT for flexible checks
# Uses LibWhisker 2, which has its own long list of enhancements
# A "single" scan mode that allows you to craft an HTTP request by hand
# Updated and greatly enhanced documentation
# Authorization guessing handles any directory, not just the root directory
# New HTML report
# Basic template engine so that HTML reports can be easily customized
# An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
# ... and countless tweaks/bugfixes/optimizations ...

.01 release

# Anti IDS encoding now works, thanks to Francisco Amato
# Virtual hosts work properly when set via CLI, thanks Jon Hart
# Host header is restored after testing for IIS IP leak
# Plugindir & templatedir are properly set if if EXECDIR is set defined in config.txt, thanks Shiraishi.M and Will Andrews
for pointing this out The count of items now accurately reflects the number of items, not just number of vulns found, thanks Frank Breedijk
# Unset the auth header after guessing it, thanks Paul Woroshow
# Save a few more items in the KB
# SKIPIDS (in config.txt) can be used to completely ignore tests loaded from db_tests, suggested by Christian Folini
# Enhanced rm_active_content to try to exclude the file/QUERYSTRING from the original
request

Merry Xmas: What did I miss in the last week?

I hope everyone had a merry Christmas. Should you have gotten an enticing Christmas card, I hope you didn't open it. Viruswritters are using the holiday period to expand their botnets. In this case Nuwar (aka StormWorm) is the culprit in the screenshot below. On the 25th in a brief test by heise Security, only the scan engines of Kaspersky, F-Secure, Microsoft OneCare and Norton identified this worm. Recipients of E-mails with attached files or links to Web sites should observe caution and not execute the files.

The domain from the email, merrychristmasdude.com (please don't surf to it), has a bunch of nameservers and a lot of IPs associated with it (Fast Flux).

An infected host will drop the file: C:\WINDOWS\disnisa.exe and store the peerlist in: C:\WINDOWS\disnisa.config

A pair of randomly chosen ports - one TCP and one UDP - will be opened. It will lower the firewall and add a registry entry to make sure that firewall permission is permanent.

Shortly after the 25th, the Storm Worm gang changed their tactics from Christmas to focus on a New Year message. At the moment, there are no exploits on the site, but it tries to download a copy of Happy2008.exe to the user. Which is something you don't want.

On the 26th we started seeing a new domain: happycards2008.com. The filename has morphed as well, to happy-2008.exe.An additional new domain newyearcards2008.com is being used. Filename right now seams to be happynewyear2008.exe. Holisticinfosec Blog has a more detailed analysis and also RBNexploit has an analysis on the new StormWorm wave.

We have some holiday reading for you: 4 new papers from the SANS Information Security Reading Room:

• WiFi with BackTrack
• VoIP Security Vulnerabilities
• Log Analyzer for Dummies
• Corporate Espionage 101

Next in line is a nice blog article about Rock Phish:

The enigmatic company, which the security community has dubbed ”Rock Phish,” has rapidly grown into a giant of the Internet underground by perfecting a common form of Internet crime known as ”phishing.” The thieves capture people’s personal computers, then use them to send phony e-mail that tricks other users into revealing private financial information.”Rock is the standard. They’re the Microsoft,” said Jose Nazario, a researcher at security company Arbor Networks. ”Everyone else is a bit player.”

More Google Search poisoning is being done to deliver trojans in the form of fake codecs and hosting them on Blogspot (Sunbeltblog).

However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service.

Live from 24C3: the 24th Chaos Computer Congress

I survived Xmas and arrived safely at Berlin. Live is an overstatement, since I wanted to blog about the first day of the 24th Chaos Computer Congress yesterday but wasn't able to. The wireless is very unstable but there are LAN connections in the Hackcenter at A-Level. Unfortunately, a lot of people take a seat and occupy that space, even if they leave for talks. This means the Hackcenter is almost always full, leaving other people without power and internet. So guys, if you leave, please give up your seats to people who need to charge their batteries and want to check their mails (or blogs).

For those who could not make it to Berlin, you can follow the talks from the live streams:

room 1:

mms://streaming-internet.fem.tu-ilmenau.de/saal1 (IPv4)
mms://streaming-internet2.fem.tu-ilmenau.de/saal1 (IPv4)
mms://streaming.ipv6.tu-ilmenau.de/saal1 (IPv6)

room 2:

mms://streaming-internet.fem.tu-ilmenau.de/saal2 (IPv4)
mms://streaming-internet2.fem.tu-ilmenau.de/saal2 (IPv4)
mms://streaming.ipv6.tu-ilmenau.de/saal2 (IPv6)

room 3:

mms://streaming-internet.fem.tu-ilmenau.de/saal3 (IPv4)
mms://streaming-internet2.fem.tu-ilmenau.de/saal3 (IPv4)
mms://streaming.ipv6.tu-ilmenau.de/saal3 (IPv6)

Depending on the client you use and your bandwidth, you can chose between a ~500kbit/s and ~1Mbit/s stream.

You can find the schedules of the talks in the Farhplan.

More updates will follow.

Why you should buy PresentationZen

What does a book about presentations have to do with information security? We all have to give presentations at some point in our careers. There is nothing as bad as making the classic mistakes (Death by powerpoint) and loosing the attention of your audience. It will be classified as yet another presentation where the core message got lost. I have to admit, I was also terrible at presentations. Step by Step, I have been finding good resources and examples.

One of the books I was planning to buy to learn some solid basics was the upcoming 'presentationzen' book. Named after the Blog of Garr Reynolds, the writer of the book. The blog is also a very good resource on presentation skills. You might wonder, who is Garr Reynolds?

Garr is a former Sumitomo "salaryman" (Osaka), former Apple marketing manager (Cupertino), jazz musician, branding enthusiast, communications specialist, and design evangelist currently working in Japan as professor of management for Kansai Gaidai University. He is director of Design Matters Japan, an Osaka-based international design group, and is a popular speaker and consultant in Japan and abroad. A long time student of the Zen arts and resident of Japan, he currently lives in Osaka, Japan with his wife (a designer) and two Siamese cats (who have no appreciable design skill).

According to his latest blog update, his book was released this week and should be available in the days to come. Since I have been looking forward to his book, I ordered a copy. I will post a book review as soon as I have finished it. Keep tuned.

Magazine: Infosecurity November/December issue

• Dodging the red card
  Fingerprint biometric technology looked like a good way to block hooligans from entering Dutch football stadia, but trials found otherwise... more
• More on biometrics from Infosecurity
• 2008 preview: Take it on board Infosecurity's editorial board discusses the year ending and the year ahead... more

You can read the magazine online.

Bluetooth snarfing from 1.1 miles away

We have covered Bluetooth Snarfing before but this time, it's with a twist.

In the next video, they managed to download the phonebook of a Nokia 6310i from 1.1 miles away. Do you still think you are secure with a bluetooth device with distance as a factor? Hmmm, thinking about this, there are bluetooth keyboards out there. Seems like a nice keylogger to me. ;-)

View This Video on You Tube

Cisco releases first annual security report

A copy of this report can be found at the Cisco Security Center, along with additional, valuable security intelligence. The focus of this report is to highlight the security challenges faced by businesses, government organizations and consumers. Cisco offers some very interesting insights on guarding against these challenges.

This report encompasses information and trends collected between January and September 2007. Like IntelliShield Cyber Risk Reports, this report is organized into seven major risk categories:

• Vulnerability
• Physical
• Legal
• Trust
• Identity
• Human
• Geopolitical

Besides recommendations for each category, there is also their vision on threats for 2008. One of the points that caught my eye, was more malware for mobile devices like the iPhone. I recently gave a presentation on a study I did on the dangers of smartphones. I will post this study in the one of the upcoming weeks.

Tiger Team Pentest on TV (updated)

An upcoming show on CourtTV:

Tuesday, December 25 at 11 and 11:30pm E/P

This vérité action series follows Tiger Team – a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones who employ a variety of covert techniques – electronic, psychological and tactical - as they take on a new assignment in each episode.

Let's get out the popkorn.

UPDATE: Here is the trailer.

Tiger Team Trailer for 12/25 CourtTV Show

10 Security Resources you should know

I seldom have time to check them all beside my 200+ RSS feed collection but these are some security resources you might want to check out.

From grumpysecurityguy.com:

• 2600
• Sla.ckers.org
• Full Disclosure Forum
• xssed.com
• Full Disclosure List
• BlackHat Security Conference
• CanSec West
• OWASP
• Security Catalyst
• Google Hacking Database
• CGI Security
• Security Bloggers Network

More explanation here.

Podcast: AudioParasitics Episode 24 Virtual Criminology report

The new podcast is out:

Episode 24 - It's an AudioParasitics free-for-all. Dave and Jim focus on McAfee's recent Virtual Criminology report, but leap into several other topical tangents as well.

These plans are secret

From AFP:

A German hairdresser emptying his rubbish was shocked to find "top secret" plans for a new safe for the country's central bank due to hold millions of euros, the popular daily Bild reported Thursday.

The plans, which detailed "floor thickness, movement detector placements, doors, passageways and barred gates" was inside a plastic bag found in a bin in a Berlin building courtyard, Bild said.

It added that a note on the documents said: "These plans are secret."

They appeared to have been used on a work site that is renovating and enlarging the local headquarters of the German central bank, or Bundesbank, in a western Berlin neighbourhood.

Hmmm, putting secret documents in any trashcan does not count as secure disposal.

MPLS and MPLS VPNs: Basics for Beginners

Multi Protocol Label Switching (MPLS) is a core networking technology that operates essentially in between Layers 2 and 3 of the OSI model; for this reason, MPLS has been referred to as operating at Layer 2.5. MPLS can overlay existing technologies such as ATM (Asynchronous Transfer Mode) or Frame Relay, or it can operate in an entirely IP native environment; this can allow users to take advantage of existing CPE (Customer Premises Equipment) while making a move towards converging all network traffic, such as data, video and voice, at a pace that users can accommodate and afford. MPLS provides its users a number of advantageous features such as traffic engineering, network convergence, failure protection, and the ability to guarantee Quality of Service (QoS) over IP. MPLS Vans take advantage of the inherent characteristics of MPLS to provide secure data networking, typically for business users, in conjunction with other VPN technologies to help increase scalability while keeping costs at a manageable level. This paper should help to provide a basic understanding of MPLS technology, its advantages and limitations, and its application as an IP VPN.

This document is in PDF format. To view it click here.

Nmap major upgrade release 4.50

This is the first stable release since 4.20 (more than a year ago), and the first major release since 4.00 almost two years ago. Dozens of development releases led up to this. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd Generation OS Detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and and nearly 1,500 new version detection signatures. More than 300 other improvements were made as well.

CHANGES:

Nmap has undergone hundreds of important changes since our last major release (4.00 in January 2006) and we recommend that all current users upgrade. The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:

• Zenmap graphical front-end and results viewer

• 2nd Generation OS Detection

• Nmap Scripting Engine

• Performance and accuracy improvements

• Version detection enhancements

• Host discovery (ping scanning) system rewritten

• Bug fixes

• Political correctness

• --reason explains why a port is open/closed/filtered

• Advanced traceroute support

• Public Subversion (SVN) repository

• TCP and IP Options

• Other changes to enjoy in Nmap 4.50:

• Added the --open option, which causes Nmap to show only open ports. Ports in the states “open|closed” and “unfiltered” might be open, so those are shown unless the host has an overwhelming number of them.

• The --scanflags option now also accepts “ECE”, “CWR”, “ALL” and “NONE” as arguments.

• The new --servicedb and --versiondb options let you specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.

• In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.

• IP Protocol scan (-sO) now sends proper protocol headers for TCP, UDP, ICMP, and IGMP.

• Updated Nmap's data files to contain the latest service port numbers, Ethernet mac address prefix (OUI) assignments, IP address allocation data, IP protocol numbers, and more.

• Updated to recent releases of Nmap dependency libraries Winpcap, Libpcap, Libdnet, and LibPCRE as well as the latest Autoconf support scripts.

• Improved nmap.xsl, which is used to transform Nmap XML output into pretty HTML reports.

• Added the --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken.

• The Windows executable installer now gives users the option of applying TCP performance tweaks to the Registry.

• Nmap now allows multiple ignored port states. If a 65K-port scan had, 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like “Not shown: 64330 filtered ports, 1000 closed ports” or “All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)”, and omit all of those ports from the table. Open ports are never ignored.

• Hundreds of other features, bug fixes, and portability enhancements described at http://insecure.org/nmap/changelog.html. The changelog describes 320 improvements im more than 1,500 lines since version 4.00.

A set of security videos

An interesting series of movies on Youtube from infinityexists.com:

• IEFD ep. 1 - Network Hacking - Arp Poisoning
• IEFD ep. 2 - Wireless Hacking - Cracking WEP
• IEFD ep. 3 - Wireless Hacking - DeAuth
• IEFD ep. 5 - Lock Picking - Bump Key
• IEFD ep. 6 - Phone Phreaking - Beige Box
• IEFD ep. 7 - Phone Phreaking/Network Hacking - Sniffing VOIP
• IEFD Ep. 8 - Lock Picking - DIY Padlock Shims
• IEFD Ep. 9 - Lock Picking - Mult-Disc Combo Locks
• IEFD Ep. 10 - Hacking Basics - MD5
• IEFD Ep. 11 - Website Hacking - Sql Injection Part 1
• IEFD Ep. 11 - Website Hacking - Sql Injection Part 2
• IEFD Ep. 12 - Hacking Basics - Backtrack Part 1
• IEFD Ep. 12 - Hacking Basics - Backtrack Part 2
• IEFD Ep. 13 - Website Hacking - XSS part 1
• IEFD Ep. 13 - Website Hacking - XSS part 2

A Wireless Pentest LiveCD: Russix

Hmmm, even more livecd goodies:

Russix was developed because we wanted a lighter and easier to mod wireless auditing tool.

Russix evolved from an internal UK Military Wireless auditing tool (debian based) which russ had developed while working for them as a penetration tester. He had tried to mod Backtrack with extra drivers and the aircrack-PTW tools but hit too many ’issues’.

Furthermore, Backtrack is over 600mb; not that we have an issue with Backtrack, it is a cool tool, it just had too much stuff we didn’t need.

Anyway, we were messing about with some wireless scripts and JackFrost showed us a cool script which we liked that parsed the airodump logs. We took some of Jacks work (cheers Jack) and modified it to grep for other bits.

Finally, evil twin was born - or as Nebs likes to call it Evil Tiny Twin (as the whole attack is performed on one laptop).

Russix is a free download for auditing. It scripts together several WLAN attacks and will allow the user to break a WEP key in about 6 keystrokes! It will not be modified by us to make it into a phishing tool as that would be .

Fun: Awesome Japanese Anti-virus Commercial

What's The Best Way To Promote Anti-Virus Software? Just watch this video. ;-)

Podcast: AudioParasitics Episode 23 - Microsoft Patch Tuesday Special Edition

AudioParasitics Episodes:

Episode 23 - Microsoft Patch Tuesday Special Edition - MS07-069, MS07-064, and MS07-068 are discussed. Craig Schmugar joins Dave and Jim to discuss the security implications of each bulletin.

Excellent Forensics Live CDs

I knew HELIX but I never hear about DEFT:

DEFT (acronym of "Digital Evidence & Forensic Toolkit) is a customized distribution of the Xubuntu live Linux CD.

It is a very easy to use system that includes an excellent hardware detection and the best open source applications dedicated to incident response and computer forensics.

Deft is meant to be used by:

• police
• investigators
• system administrator
  
• individuals
  

and all the people who need to use forensic tool but don't know the open source operative systems and the Forensic techniques.

• DEFT packet list
• Screenshots

Backtrack 3 beta is released!!!

From remote-exploit.org:

Version 3 beta is finally released to the public! The best security Distro just got better. An official announcement is due tomorrow, and until then, the ISO and USB images are available on torrent. Since the main website was having bandwith issues, there are several alternatives and mirrors:

Torrents:
ISO - http://www.offensive-security.com/bt3b141207.iso.torrent
USB/DVD - http://www.offensive-security.com/bt3b141207.rar.torrent

FTP Mirror: ftp://rt:rt@mirror2.fpux.com/_BackTrack_3_Beta_
(thats user/pass: rt)
CD ISO: ftp://rt:rt@mirror2.fpux.com/_BackTrack_3_Beta_/bt3b141207.iso
USB ISO: ftp://rt:rt@mirror2.fpux.com/_BackTrack_3_Beta_/bt3b141207.rar

Addl Mirror: http://addis0n.com/bt/bt3b141207.iso

Get a feeling of 24C3 security conference

From CCC event blog:

The 23C3 Documentation Video has been released. It is in our Chaos TV podcast. Check it out to get a feeling on how 24C3 is going to be.

Logging made easy: Common Event Expression

The CEE working group has launched their official website. This might make Security Event Management a tad easier.

Why CEE

If multiple systems observe the same occurrence, it should be expected that their description of that event is identical. When combined with relevant event details (time, source, destination), a computer should be able to immediately determine whether two or more logs, data logs, audit logs, alerts, alarms, or audit trails refer to the same event. In order to make this happen, there needs to be a scalable, well-defined way to express events.

Problem

Currently, vendors and products employ varying logging practices such as using inconsistent formats and terminology when describing events. This presents a significant burden to analysts and products in normalizing the vast quantities of heterogeneous log records in order to allow for aggregation, correlation, and further processing. With the potential for varying interpretations among event log consumers, the network and security awareness levels will fluctuate. NIST Publication 800-92: Guide to Computer Security Log Management describes this as a major problem stemming from "inconsistent log formats," noting that "there is no consensus in the security community as to the standard terms to be used to describe the composition of log entries and files."

Solution

CEE addresses the problem of event representation and communication. Previous attempts in this area have failed to gain adoption since they only target a portion of the larger problem by providing log format guidelines and ignoring the content. As a solution, the CEE Initiative suggests the following to facilitate log transmission and interpretation:

1. Creation of a CEE Event Taxonomy that allows event producers to consistently and unambiguously define each heterogeneous event.
2. Creation of a public CEE Data Dictionary combined with log syntaxes to provide consistency for specifying and gathering event-specific details.
3. Standardized transport to ensure the event data is properly transmitted and provides flexibility for each device to utilize the transport best suited for the data, environment, and operational requirements.
4. Industry agreement upon which events and associated attributes a device should log.

Fun: The 12 Threats of Christmas

The xmas holiday is a special season. Not just because it is a holiday, but because it's an excellent period for crackers to hit their mark. Have fun but be vigilant.

The 12 Threats of Christmas

Flood of vulnerabilities coming our way

The US-CERT Cyber Security Bulletin SB07-344 was released today. I'm only listing the high vulnerabilities:

APC -- Rack Power Distribution Unit
APC -- OAS
Apple -- Quicktime
Apple -- Mac OS X
bcoos -- bcoos
Beehive Forum -- Beehive Forum
DeluxeBB -- DeluxeBB
flac -- libflac
FTP Admin -- FTP Admin
GNU -- Emacs
HP -- Select Identity
Irola -- My-Time
Joomla -- Joomla
MIT -- Kerberos 5
phpBB -- Garage

Well, this is not that bad you might think? According to the Zero Day Initiative, we have lots more coming our way. These affect some high profile vendors like Computer Associates, Microsoft, Hewlett-Packard, Oracle, Trendmicro, Symantec etc.....

All vendors were warned and some of the vulnerabilties are over 400 days old. Makes you wonder who else has knowledge of the flaws and if there are exploits in the wild.

Report: December Symantec State of Spam

Here we are the end of another year. As 2007 rolls to a close, the December State of Spam Report reviews this past month’s key trends and reflects on some of the year’s most notable spam events and trends.

Monitoring more than 450 million inboxes worldwide, Symantec observed spam surge to 72% of overall email traffic in November. Spammers were also on the hunt for new email addresses, initiating a massive harvesting campaign. During a harvesting campaign spammers bombard email servers with guessed email addresses. Those that are not rejected are assumed to be valid email addresses and are added to spam lists for future attacks. Symantec estimates that it blocked approximately 35 million of these harvesting emails.

In November, Symantec also observed spam with a seasonal "hook." Symantec State Of Spam Report

CERT's Podcast Series: Security for Business Leaders

This looks like a very interesting series of podcasts:

Overview

Practicing strong information and cyber security is a nonnegotiable requirement for organizations doing business today. However, building security into an existing corporate culture is a complex undertaking. This series of podcasts provides both general principles and specific starting points for business leaders who want to launch an enterprise-wide security effort or make sure their existing security program is as good as it can be.

Podcast Categories

• Governing for Enterprise Security
• Privacy
• Risk Management and Resilience
• Security Education and Training
• Threat
• Trends and Lessons Learned
• Tips from the Trenches: Areas of Practice

The Standard of Good Practice for Information Security

The Standard of Good Practice presents a comprehensive set of practical and measurable information security-specific controls. The Standard comprises ten main parts, including high-level summary information, six detailed ‘aspects’ and a comprehensive index, Each of these parts is described in more detail below.

The Standard focuses on how information security supports an organisation’s key business processes. These processes increasingly depend on IT-based business applications, many of which are critical to their success. Thus the aspect of security concerned with Critical Business Applications is central to the design of the Standard.

Targeted attack on US nuclear arms lab succeeded

More spearphishing with emailattachments:

From the International Herald Tribune (By John Markoff)

SAN FRANCISCO: A cyber attack reported last week by one of the federal government's nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed to public and private security officials by the Department of Homeland Security.

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

Officials at the lab, Oak Ridge National Laboratory in Tennessee, said the attacks did not compromise classified information, though they acknowledged that they were still working to understand the full extent of the intrusion.

The Department of Homeland Security distributed the confidential warning to computer security officials on Wednesday after what it described as a set of "sophisticated attempts" to compromise computers used by the private sector and the government.

Government computer security officials said the warning, which was issued by the United States Computer Emergency Response Team, known as US-CERT, was related to an attack in October that was also disclosed last week by officials at the Oak Ridge laboratory.

According to a letter to employees written by the laboratory's director, Thom Mason, an unknown group of attackers sent targeted e-mail messages to roughly 1,100 employees as part of the ruse.

"At this point, we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate," he wrote in an e-mail message sent to employees Monday. "At present we believe that about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data."

In a statement posted on the laboratory's Web site, the agency stated: "The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."

The laboratory said the attackers were able to gain access to a database containing personal information about visitors to the laboratory going back to 1990.

The US-CERT advisory, which was not made public, stated: "The level of sophistication and the scope of these cyber security incidents indicate that they are coordinated and targeted at private sector systems."

The US-CERT memo referred to the use of e-mail messages that fool employees into clicking on documents that then permit attackers to plant programs in their computers. These programs are then able to copy and forward specific data - like passwords - to remote locations.

I found some more details on valleywag.com:

"At first glance, they appeared legitimate," Mason wrote. One notified employees of a scientific conference. Another pretended to notify the employee of a complaint on behalf of the Federal Trade Commission.

Each one instructed recipients to open an attachment for further information. And when they did, it "enabled the hackers to infiltrate the system and remove data," Mason wrote.

The lab's cyber police determined about 1,100 phony e-mail messages entered the lab's network. In 11 cases, an employee took the bait and opened the attachments.

Some social engineering will always work. Some advice:

• Training: It may not seem as easy as installing a security appliance at the perimeter it is still one of the most effective steps against any social engineering attack.
  
• Block inbound message at the perimeter that contain a from address with your own domain
  
• Use digital signatures where possible. Its the best method for verifying the sender of an email.
  
• Increase your current spam defenses. Often, phishing messages originate from compromised computers or botnets.
  
• Make sure your users are using either IE7, Firefox 2.0, or Opera 9.1 as those web browsers include some built in protection against known phishing websites.

Compilation of 2008 Security Predictions

Some compilation of security predictions for 2008. First a video:

Saumil bases his assessment on seven years of experience in the security field. He talks about what we can expect in the upcoming year when it comes to Windows Vista, Mac OS X Leopard, the average clueless user and the threat of targeted attacks.




Secondly, a report from Ironport and Cisco with three major points: 2008 will be the year of social malware, spam volumes will continue to grow without limit and the use of blended attack techniques will continue.

"This report is designed to help highlight the key security trends of today and suggest ways to defend against the sophisticated new generation of Internet threats certain to arise in the future."

http://www.ironport.com/pdf/Trends_Report_IronPort_2008.pdf

On the third place, we have McAfee with their "VIRTUAL CRIMINOLOGY REPORT" warning us that several countries are using the Internet as a weapon to target financial markets, government computer systems and utilities and internet security companies.

Fourth on our list are the Websense 2008 Security Threat Predictions

1. Olympics – new cyber attacks, phishing and fraud
2. Malicious SPAM invades blogs, search engines, forums and Web sites
3. Attackers use Web’s ‘weakest links’ to launch attacks
4. Number of compromised Web sites will surpass number of created malicious sites
5. Cross-platform Web attacks – Mac, iPhone popularity spurs increase
6. Rise in targeted Web 2.0 special interest attacks—hackers targeting specific groups of people based on interests and profile
7. Morphing JavaScript to evade anti-virus scanners
8. Data concealment methods increase in sophistication
9. Global law enforcement will crack down on key hacker groups and individuals
10. Vishing and voice spam will combine and increase

To quote Christofer Hoff: "Security predictions are like elbows. Most everyone's got at least two, they're usually ignored unless rubbed the wrong way but when used appropriately, can be devastating in a cage match..." Don't forget to read Hoff's 2008 Security Predictions.

To finish off, we have the Emerging Cyber Threats Report for 2008 from Georgia Tech Information Center:

Based on GTISC research and advance interviews with the panelists, this report covers five emerging threats expected to increase and evolve in 2008: Web 2.0 and client-side attacks, Targeted messaging attacks, Botnets, Threats targeting mobile convergence, Threats to Radio Frequency Identification systems. [Read More]

Sans Top 20 Vulnerabilities for 2007

It's been out for a week but nevertheless ;the Sans Top 20 Vulnerabilities for 2007 was released.

Seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first.

The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past. Here are some observations:

This year’s list of top risks diverges from lists in past years that focused on very specific technical vulnerabilities that could be fixed by tweaking a configuration or applying one patch. Because attackers are moving so quickly today, such point-fixes are outdated almost immediately. For that reason, this year’s list of top risks focuses more on the areas that attackers are targeting and where organizations need to enhance their security processes to ensure consistent application of technical fixes.

Read the 2007 SANS Top 20

Top Ten Bruce Schneier Facts

Some Sunday fun. The Top Ten Bruce Schneier Facts:

1. Bruce Schneier once decrypted a box of AlphaBits.
   
2. Bruce Schneier knows Alice and Bob's shared secret.
   
3. Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.
   
4. Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
   
5. Bruce Schneier knows the state of schroedinger's cat
   
6. Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
   
7. If we built a Dyson sphere around Bruce Schneier and captured all of his energy for 2 months, without any loss, we could power an ideal computer running at 3.2 degrees K to count up to 2^256. This strongly implies that not only can Bruce Schneier brute-force attack 256-bit keys, but that he is built of something other than matter and occupies something other than space.
   
8. When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.
   
9. Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.
   
10. Though a superhero, Bruce Schneier disdanes the use of a mask or secret identity as 'security through obscurity'.
    

If you want more, go to geekz.co.uk

Latest VB100 test result and how to evaluate virusscanners

From PCWorld.com:

Many big-brand security products fail to spot commonly-circulating malware, testing outfit has Virus Bulletin found in its latest tests.
A total of 17 out of 32 of antivirus products failed the company's stringent VB100 test, which expects software to detect 100 percent of the commonly-circulating 'WildList' thrown at it without signalling any false positives.
Programs failing included those from Sophos, Kaspersky, Fortinet, Trend Micro, CA Home, and PC Tools, though within this group detection failures varied widely. CA's Home program scored a disturbingly high 40 misses, while the others scored from 8 misses down to only one miss for Kaspersky. PC Tools' Spyware Doctor detected the WildList suite but failed because it falsely identified two files as malware.

But since there is no standard methodology for testing AV, a lot of tests are disputed. From Darkreading.com:

Antivirus software testing has always been hit or miss because most testing relies on the virus signatures catching suspicious files, not on how those suspicious files may interact with the system. Rarely are AV products really put to the test -- on just how effective they are when deployed. The AV fight club put on by Untangle Inc. is a perfect example of this.

But hopefully the formation of the Anti-Malware Testing Working Group, will help magazines, vendors, and prospective customers test these solutions to see if they can protect computers from all types of malware. The group, which was formed last week during a meeting of security vendors and software testing organizations, will determine how best to conduct behavioral tests -- something that reputable testing groups have been doing for a couple years.

Data security a top priority for Europe

The European Commission is intent on boosting data security and raising awareness around the protection of personal information.
Speaking at the Microsoft Innovation Day in Brussels yesterday, vice president of the European Commission, Franco Frattini, said: "We must dramatically improve people's awareness of these crimes. Better data protection would also have a positive impact on consumer trust in cyberspace."

Full article at Silicon.com

Report: Malware doubled in H2 2007 (F-Secure Data Security Summary)

The F-Secure Data Security Summary was published today.

Read: www.f-secure.com/2007

Watch: www.f-secure.com/video-channel

The video is also available on their YouTube Channel.

Abstract:

There was a great deal of volume seen during 2007. Malware authors are producing variants in bulk. Genuine innovation appears to be on the decline and is currently being replaced with volume and mass-produced kit malware. But while new techniques weren't developed — the existing techniques were refined and adapted for much greater effectiveness. There are some very dangerous faces in the big crowd.

Windows Vista was on the horizon at the end of 2006 and the question was — would Vista be the end to malware threats? Not this year at least — The year 2007 ends with Windows XP still dominating the world's installed base leaving Vista little opportunity to make an impact. The potential strength of Vista has not yet been tested in full force. And much of the malware in the wild running on XP machines is stronger than ever. We predict that the situation will not change very soon looking at Vista's current sales.

Video: Hack5 Episode 3x05 released

Hack5 Episode 3x05 is out.

In this episode Simon Jakesch from Zenoss joins us to talk about the open source network management suite. Wess shows us the science behind the infrared camera mod. Chris Gerling hacks the Nokia 770 Internet tablet. Darren builds a one-click remote assistance package to help save the holidays, and Will Coppola drops by with an EVDO antenna mod sure to boost signal. Plus details on the upcoming Hak5Live / meetup at the East Coast LAN as always trivia. Grab some hax0rflakes, it’s time for a heavy dose of technolust.

Apparently, I missed out on Episode 3x04.

Paper: "Botnet Phenomenon" and "Chinese Underground Economy"

Honeyblog.org has released two very interesting papers:

• Characterizing the IRC-based Botnet Phenomenon

Abstract:

Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term easurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

• Studying Malicious Websites and the Underground Economy on the Chinese Web

Abstract:

The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proofs that a significant amount of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.

Some relevant news from heise.de:

China apparently remains the most popular refuge for malicious code on the internet. According to Sophos, the majority of infected websites are currently located there. Around 55 percent of all virus dispersers are in China, just under 20 percent in the US and just 11 percent in Russia. The latter figure is a little surprising, as a high proportion of online criminal activity is thought to be carried out by the Russian Business Network - at present, however, the RBN seems to be on the ropes. Nonetheless, the Russian share of infected websites has doubled since July 2007.

It seems botnets and malicious sites are everywhere. Oh dear.

RBN poisening Google Search results with exploits

Last week, Sunbelt's security blog warned us that thousands of malware redirects were showing up in search engine results. Botnets were posting relevant keywords and links in online forms to help attackers achieve top rank engine positions for various obscure and innocent search terms.
Two examples were "infinity" and "hospice". Visiting these links would potentially infect your PC with malware and additionally join in the botnet army.
The day after, Sunbelt revealed more details on the repercussions of clicking on these fake links

From Forbes.com:

For its part, Mountain View, Calif.-based Google was quick to scrub its search results following Sunbelt's blog post. Google removed the offending pages from the search engine's index Tuesday and added them to a malware blacklist that the company has been assembling since it began incorporating security measures in its search filters a year and a half ago.

But despite the initial cleanup, malware pages soon crept back into search results and had to be banned again, says Thomas. That's a sign that the malware writers may be an ongoing problem for the search engine. Google "did an excellent job of cleaning out the links to malware sites the night after we told them about it," Thomas says. "But by the next morning, bad guys had taken over again. Until they can tweak their algorithm to find this stuff effectively, it's going to be a continuing problem."

On the Google Security Blog, they are asking the users to "Help us fill in the gaps!", by reporting malware sites online at http://www.google.com/safebrowsing/report_badware/. However, I'm skeptical about this making a difference.

As for the culprits behind the SEO poisening? Guess which three letter acronym pops up?
Yes, RBN - Google Search Exploits :

The good news first is being able to precisely pin point the exploiters back to newer RBN core retail centers as previously exposed in this blog on Nov 8th 07 – i.e. iFramecash, myrdns, hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster. Also as reported this is the same end route as the Bank of India hack, fake anti-spywares and fake codecs.

The bad news is, as predicted and one of the probable reasons for dropping their RBnetwork IP ranges , the RBN is increasingly using botnet based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts

As always, take the necessary precautions when surfing.