802.11 Wireless attack paper and updates from Blackhat on PEAP/EAP-TLS issues

Foundstone released a whitepaper describing all the new and previous 802.11 attacks. The paper gives good information about AP Impersonation, Rogue Access Points, Implementation Attacks (WEP, Dynamic WEP, WPA/WPA-2 cracking and the Cafe Latte attack). Even wireless client adapters and wireless DoS attacks are covered.

On another note, forget WEP or WPA-PSK cracking. WPA with Radius authentication or certificates might have its caveats if you misconfigure the client.

If you are running WPA Enterprise with PEAP, or EAP/TTLS it's about time you take a serious look at your client configuration! This weekend at Shmoocon in Washington D.C, Josh Wright and I gave a presentation that demonstrated how a very common, but incorrect client supplicant configuration can lead to the compromise of certain wireless networks and in some cases, provide Windows domain access.

Our AP impersonation attack on PEAP and EAP/TTLS relies on the client failing to properly validate the authentication server’s (RADIUS) TLS certificate. By default, the Windows Zero Configuration (WZC) wireless supplicant performs this validation by putting the trust of the network in the client’s hands. WZC will prompt the client to either continue or cancel upon connecting to the wireless network (similar to the way your web browser prompts you when accessing certain websites over HTTPS). Furthermore, the client may be misled by this message as it only contains the signing authorities’ name (i.e. Verisign) rather than the actual certificate name. (McAfee Avertlabs)

Read more.
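The weakness described above is a client-side one: the supplicant accepts the RADIUS server's TLS certificate without pinning a CA or checking the server name. The following is an added example, not code from the original post or from the McAfee/Shmoocon material, that audits wpa_supplicant-style network blocks for exactly that misconfiguration. The SSIDs, identities, passwords and paths in the sample configuration are constructed; the keys it checks (`ca_cert`, `subject_match`, `altsubject_match`, `domain_suffix_match`) are real wpa_supplicant options, though the name-matching ones were introduced in later wpa_supplicant releases than the one contemporary with this post.

```python
import re

# Constructed sample: two network blocks for the same corporate SSID family.
# The first has no CA pinning and no server name check, so the client will
# accept any RADIUS certificate (the condition the AP impersonation attack
# relies on). The second pins the CA and requires a matching server name.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Tunneled EAP methods whose outer TLS handshake must be validated by the client.
TUNNELED_EAP = {"PEAP", "TTLS"}
# Any one of these restricts which certificate from the trusted CA is accepted.
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match")


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # values may contain '=' (phase2)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return a list of findings for one network block (empty means OK)."""
    findings = []
    methods = set(net.get("eap", "").upper().split())
    if not methods & TUNNELED_EAP:
        return findings  # not PEAP/TTLS, nothing to check here
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate will be accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the trusted CA is accepted")
    return findings


def audit_config(text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ssid}: {status}")
```

The two checks are deliberately separate: pinning a CA without a name check still lets any certificate issued by that CA impersonate the RADIUS server, which is the same trap the WZC prompt above sets when it shows only the signing authority's name.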

Deming's principles applied to IT security programs

The IPlocks blog has a very interesting article using the 14 points of Deming (Quality management) and applying them to risk management:

What struck me after a few months, having studied Kaizen and Deming and participated in a number of different Total Quality Management programs earlier in my career, was that there were tremendous similarities in the motivation and processes common to both Risk Management and these quality driven programs. Both security and quality are difficult to quantify and measure internally, but metrics need to be applied. Both are often treated as a ‘thing’ or a destination, when they are in fact a cyclic process. Both are as much about people and process as they are technology, but seldom treated that way. Both need to be systemic to an organization to be effective. Both need to be implemented across the entire process lifecycle. Both are focused on efficiency in their approach to solving problems.

Read more.

TrendMicro's report shows us black hat industry prices

Trend Micro has released its 2007 Annual Roundup and 2008 Forecast. The report contains a few interesting points that could be new compared to other reports.

The report talks about the growth of web threats, which increased yearly up to 2006 but seems to have slowed down over the last twelve months. They also notice a significant increase in the number of attacks on smart phones and other mobile gadgets. Take it with a grain of salt.

However, the most interesting part of the report is the pricing chart for black hat services:

  • adware from 2 to 20 cents per installation depending on location
  • exploit kit rental around $1 per hour
  • access to installed information stealing trojans around $80 each
  • DDoS around $100 per day
  • individual banking credentials from $50

Other notable findings from the report:

- The Windows Animated Cursor exploit (EXPL_ANICMOO) encompassed over 50 percent of all exploit codes to hit the Internet computing population. 74 percent of its infections this year came from Asia. The same holds true for TROJ_ANICMOO.AX, a related threat which embedded the exploit. 64 percent of computers infected with this were from China.
- The top malware finding was WORM_SPYBOT.IS and WORM_GAOBOT.DF. Both created botnets and worms that infected USB-connected devices.
- Nearly 50 percent of all threat infections come from North America, but Asian countries are also experiencing a growth -- 40 percent of infections stem from that region.
- Social networking communities and user-created content such as blog sites became infection vectors due to attacks on their underlying Web 2.0 technologies, particularly cross-site scripting and streaming technologies.
- Infection volumes nearly quadrupled between September and November 2007, indicating that malware authors took advantage of the holiday seasons as an opportunity to send spam or deploy spyware while users are shopping online.
- In 2007, the top online commerce site attacked by phishers was still global auction site eBay and sister company PayPal. Financial institutions, especially those based in North America, also experienced a high volume of phishing attacks.

2008 Forecast

Based on the emerging trends of this year, the following are Trend Micro’s forecasts for the 2008 threat landscape:
1. Legacy code used in operating systems and vulnerabilities in popular applications will continue to be attacked in the effort to inject in-process malicious code that criminals can exploit to run malware as they attempt to steal confidential and proprietary information.
2. High-profile Web sites that run the gamut of social networking, banking/financial, online gaming, search engine, travel, commercial ticketing, local government sectors, news, job, blogging, and e-commerce sites for auction and shopping will continue to be the most sought-after attack vectors by criminals to host links to phishing and identity theft code.
3. Unmanaged devices such as smart phones, mp3 players, digital frames, thumb drives and gaming stations will continue to provide opportunities for criminals and malware to infiltrate a company’s security borders due to their capabilities for storage, computing and Wi-Fi. Public access points such as those in coffee shops, bookstores, hotel lobbies, and airports will continue to be distribution points for malware or attack vectors used by malicious entities.
4. Communication services such as email, instant messaging, as well as file sharing will continue to be abused by content threats such as image spam, malicious URLs and attachments via targeted and localized social engineered themes.
5. Data protection and software security strategies will become standard in the commercial software lifecycle. This will also put a focus on data encryption technologies during storage and transit particularly in the vetting of data access in the information and distribution chain.
2007 Annual Roundup and 2008 Forecast (The Trend of Threats Today)


New release: ACCC "The little black book of scams"

I'm quite interested in the results that the ISSA-BE Cybercrime Survey will bring. In the meantime, the Australian Competition and Consumer Commission (ACCC) has released the latest edition of "The little black book of scams", a guide that draws attention to a wide variety of scams regularly targeting Australian consumers and businesses online, over the phone and door-to-door.
Appealing to a broad audience of business and families alike, the 46-page document includes case-by-case best practices for individual scenarios such as money transfer requests, banking, internet scams, Nigerian scams and lottery scams.

Google's CAPTCHA under fire by botnets

CAPTCHAs have been under fire before. After recent attempts at breaking Yahoo's systems, Google is the next target:

Websense believes that from the spammers’ perspective, there are four main advantages to this approach. First, signing up for an account with Google allows access to its wide portfolio of services. Second, Google’s domains are unlikely to be blacklisted. Third, they are free to sign up. And fourth, it may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis.

It is observed that at this stage bots (or bot-infected machines) are trying to sign up as many accounts as possible with Gmail mail services. One of the main concerns here is attacking CAPTCHA. Unfortunately, spammers seem to have success with it. The bot is signing up an account feeding all the prerequisites or input data that goes into the signup page and successfully creating a mail account.

On average, only 1 in every 5 CAPTCHA-breaking requests is successful, including both algorithms used by the bot, approximating a success rate of 20%. The second algorithm (segmentation) has very poor performance that sometimes totally fails and returns garbage or incorrect answers.

Read more (Websense)


Two Online information gathering tools

The tools aren't completely online but use information from search engines to find vulnerable applications or private information.

1. The "Cult of the Dead Cow" hacker group – cDc for short – has published a tool that searches for vulnerabilities and private information across the web. Using well-chosen Google search queries, Goolag Scan discovers links to vulnerable web applications, back doors, or documents inadvertently put on the internet that contain sensitive information.

This kind of "Google hacking" is already well known: a hacker using the pseudonym Johnny has already published quite a collection of these "Google Hacks" or "Google Dorks" on his web site ihackstuff. What cDc has done is create an automated tool that allows an unskilled hacker to use these same techniques. (Source: Heise)

2. The second tool is a reintroduction: Maltego can be used for the information gathering phase of penetration testing, making it possible for less experienced testers to work faster and more accurately.

It is a program that can be used to determine the relationships and real world links between:

  • People
  • Groups of people (social networks)
  • Companies
  • Organizations
  • Web sites
  • Internet infrastructure such as:
    • Domains
    • DNS names
    • Netblocks
    • IP addresses
  • Phrases
  • Affiliations
  • Documents and files

Beware of virtualization exploits

Since a lot of people are adopting virtualization, more and more people are wondering about the security risks. Since my last big post on virtualization security, it's time for some updates:

VMware has released a security alert in response to a vulnerability in Windows-hosted VMware Workstation, VMware Player, and VMware ACE. This vulnerability exists in the host-to-guest shared folders feature and allows applications running in the guest operating system to access the host operating system's file system. Exploitation of this vulnerability may allow an attacker to circumvent the controls on the guest system and gain read and write access to the host file system.

US-CERT encourages users to review VMware knowledge base article 1004034 and apply the workarounds. (Source: US-CERT)

Jon Oberheide, a researcher and PhD candidate at the University of Michigan, is releasing a proof-of-concept tool called Xensploit that lets an attacker take over the VM’s hypervisor and applications, and grab sensitive data from the live VMs.

Oberheide says organizations don’t typically realize or consider the risk of migrating live virtual machines. The last thing they want to do is take down the live system because that would defeat the purpose of the dynamic and high-availability features you get in a VM deployment.


McAfee's Magazine Sage 3 - The Globalization of Malware

McAfee released the third edition of their security journal - Sage:

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Harddisk encryption loophole found

From heise:

Scientists at Princeton University have demonstrated how encryption keys can be retrieved from memory if the attacker has physical access to a computer which is switched on or in standby, by making use of a well known phenomenon – the relatively slow decay of DRAM data when power is removed.

So, has hard disk encryption become obsolete? Against general data loss or the common thief, it's still an effective defense. Against a determined attacker with physical access, it's not a complete one. Use data classification and, for the people with access to the most confidential information, limit the use of standby and hibernate.

See also:

Suddenly, I remembered the possibility of doing memory forensics through the firewire interface:

The ability to read and write to another computer's physical memory through the FireWire interface was first exploited by Quinn "The Eskimo" in 2002. His program FireStarter allowed him to remotely manipulate the contents of a target Mac's display. For his hack Quinn was awarded the first prize at the MacHack Best Hack Contest 2002.

Michael Becher, Maximillian Dornseif and Christian N. Klein explained in their talk 0wn3d by an iPod at PacSec 2004 how FireWire could be used in a forensically sound memory acquisition procedure.

Adam Boileau (aka "Metlstorm") solved the problem of accessing a computer running Microsoft Windows in his presentation at RUXCON 2006. He also released some Python modules and memory acquisition tools.

Remember that you don't need onboard firewire ports but you can just use a PCI or PCMCIA card. Plug and play. :-)

Also have a look at this CCCamp presentation:

Update (25/02/2007): Microsoft responded (MSDN Blog) to the whole story. They take the same stance that encryption has not become useless. You can disable standby (or sleep as they call it) and use additional authentication coming back from hibernate. The risk of a targeted physical attack with these skills is rather low. Read more.

For example BitLocker provides several options that allow for a user (or more likely Administrator) to increase their security protections but at the cost of somewhat lowering ease-of-use. BitLocker supports options that will not allow a machine to boot – or resume from hibernate – until the user can:

  • Enter a PIN
  • Insert a USB stick that contains a secret Key
  • … and as of Windows Vista SP1 both enter a PIN and insert the USB stick!

We provide best practice guidance in the Data Encryption Toolkit that describes the various manners in which the above choices can be made and also provides advice to help improve security, such as disabling ‘sleep mode’ – forcing a user to hibernate and thus allowing memory to lose the ghost images discussed. These power management settings can all be configured centrally using Group Policy Objects.


2 SANS Papers: "Insider Espionage Techniques" and "Malware Analysis"

Some recent papers from the SANS Information Security Reading Room:

Malware Analysis: An Introduction
Dennis Distler
Category: Malicious Code
Posted: February 12, 2008

Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider
Ahmed Abdel-Aziz
Category: Incident Handling
Posted: February 11, 2008

and some more:

The Controlled Event Framework for Information Asset Security
Chris Cronin
Category: Security Awareness
Posted: February 20, 2008

802.11 Denial of Service Attacks and Mitigation
Stuart Compton
Category: Wireless Access
Posted: February 20, 2008

Covert Data Storage Channel Using IP Packet Headers
Jonathan Thyer
Category: Covert Channels
Posted: February 7, 2008

Catching Phishers with Honey-Mail
Dennis Dragos
Category: Case Studies
Posted: February 7, 2008


I have been in security for a few years now but I had never heard this term. The concept is anything but new, but when I heard this name, it made me laugh.

Podslurping is a term to describe where a portable storage device such as an iPod is used to illicitly download large quantities of data by directly plugging it in to a computer, where the data is held, or which is on the inside of a firewall where the data is held. As these storage devices get smaller and their storage capacity gets larger it is becoming an increasing security risk to companies and government agencies. Access is gained while the computer is unattended.

For the non-Apple fans, I can point out that the normal iPod classic now features 80GB and the second model 160GB. That's a lot of possible corporate data.


Info-Security Magazine Jan-Feb Released

Read it online here.

Brussels on 19-20 March

Together with Storage Expo and the LinuxWorld pavilion, it offers a unique ICT platform for exchanging knowledge with peers. Over two days, visitors can take part in an extensive seminar programme with keynote sessions, technical and management sessions on current storage and security topics, and several engaging customer testimonials. On the show floor, more than 120 leading exhibitors present their latest innovations in IT security, data storage and data management.

Business Continuity - The Risk Management Expo - 2 April London

Business Continuity Expo is the only event dedicated to managing operational risk, resilience and recovery. With a unique format combining a comprehensive exhibition, a highly popular free-to-attend seminar series and a stimulating and thought-provoking conference, the show brings together professionals spanning the growing Business Continuity and risk management industry. Business Continuity Expo is a unique opportunity to explore best practice, identify industry trends and cement vital relationships to help ensure operational continuity before, during and after an incident.
Whether developing your Business Impact Analysis or re-writing your Business Continuity plan; identifying key stakeholders or sharing a drink with BC industry peers, there is no other dedicated showcase for the diverse range of Business Continuity products, services, solutions and guides.

It's in London but I might consider visiting it if my busy schedule allows it.

Lock down ActiveX with Kill Bit

It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the first part of a three-part FAQ we have developed to answer some questions around the Kill-Bit and related functionality.

The Kill-Bit FAQ – Part 1 of 3

What is the Kill-Bit?

The Kill-Bit (a.k.a. “killbit”) is not actually a bit. The Kill-Bit is a registry entry for a particular CLSID that marks the COM object / ActiveX control referenced by that CLSID as non-loadable in the browser and other scriptable environments. Microsoft releases Kill-Bits in security updates to block vulnerable ActiveX controls and COM objects which are vulnerable to security flaws when hosted in the browser.

There were several buffer overflows (SANS ISC) earlier this month, so disabling ActiveX, or parts of it, might not be a bad idea.
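The FAQ above explains that a Kill-Bit is a per-CLSID registry entry, the KILLBIT value (0x400) in the "Compatibility Flags" DWORD under the Internet Explorer "ActiveX Compatibility" key, rather than a bit inside the control. The following is an added example, not code from the original post or from Microsoft, that reads an exported .reg file and reports which CLSIDs have that bit set, and that produces the .reg entry an administrator would merge to set it for a control (preserving any other flag bits already present). The CLSIDs in the sample export are constructed placeholders, not real controls.

```python
import re

# KILLBIT flag in the "Compatibility Flags" DWORD (Microsoft KB 240797).
KILLBIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample .reg export (placeholder CLSIDs): the first control is
# kill-bitted, the second has the key but no bit set, the third is unrelated.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated\{00000000-0000-0000-0000-000000000003}]
"SomeValue"=dword:00000400
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}$")


def compatibility_flags(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to its flags DWORD."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            path = sec.group(1)
            parent, _, leaf = path.rpartition("\\")
            # Only keys directly under the ActiveX Compatibility key count.
            current = leaf if parent.lower() == COMPAT_KEY.lower() and CLSID_RE.match(leaf) else None
            continue
        val = FLAGS_RE.match(line)
        if val and current:
            flags[current.upper()] = int(val.group(1), 16)
    return flags


def killbitted_clsids(reg_text):
    """Return the set of CLSIDs whose Compatibility Flags include KILLBIT."""
    return {clsid for clsid, f in compatibility_flags(reg_text).items() if f & KILLBIT}


def is_killbitted(reg_text, clsid):
    return clsid.upper() in killbitted_clsids(reg_text)


def killbit_reg_entry(clsid, existing_flags=0):
    """Build the .reg text that sets KILLBIT for clsid, keeping other flag bits."""
    new_flags = existing_flags | KILLBIT
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{COMPAT_KEY}\\{clsid.upper()}]\n"
        f'"Compatibility Flags"=dword:{new_flags:08x}\n'
    )


if __name__ == "__main__":
    for clsid in sorted(killbitted_clsids(SAMPLE_REG)):
        print("kill-bitted:", clsid)
    print(killbit_reg_entry("{00000000-0000-0000-0000-000000000002}"))
```

Checking the parsed flags with a bitwise test rather than comparing the DWORD to 0x400 matters: a security update can set KILLBIT alongside other compatibility bits, and an audit that looks for exactly `dword:00000400` would miss those controls.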


Patching, Damned if you do, Damned if you don't

The IBM ISS Blog released a preview on vulnerability trends and started a discussion:

For the first time, X-Force witnessed a reduction (-5.4 percent) in new vulnerability disclosures from the previous year. The drop could represent an anomaly, a statistical correction or a new trend in the amount of disclosures.

Although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds.

So were there fewer flaws in general, but are the flaws that remain more serious?

And you wouldn’t necessarily hear about a successful zero-day attack, anyway, Aitel says. “How do we know these ‘known vulnerabilities’ were not first widely used as zero-day? We don’t.”

Robert Graham, CEO of Errata Security, notes that zero-days aren’t typically used for everyday attacks. “The average user does not have to worry about an 'O-day,'” he says. “But if you’re a high-value target, [then you do]. The military gets hit a lot with zero-days.”

“There are people who discover O-days and then those who take any exploit and make it widespread -- these are different skills,” Graham notes. Once a zero-day gets discovered and everyone starts using it, then it becomes well-known, he says. (Source:

With all the different patches for all different vendors coming out, malware writers don't need 0-day exploits. People aren't patching them at all or not that fast.

When I was testing Secunia's Personal Software Inspector, I discovered that installing a new Java Runtime (JRE) does not block access to the old ones. *gasp*
A website can request a specific version and, if it is installed, that version will load. So uninstall all those other versions before upgrading.

Keeping the OS up to date is less of a problem today with Windows Update, but keeping third-party software and plugins up to date seems to be very hard for most people.

And even if you do patch, the latest Adobe PDF vulnerability seems to have been exploited three weeks before the patch. It's not the first vulnerability in Acrobat Reader. Replacing Acrobat Reader with an alternative like Foxit Reader seems like a good option.

Update: Other options besides Secunia PSI are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). (Thanks SANS ISC)


Dutch government wants fingerprints of every dutchman in national database

CCTV, government keyloggers, datamining, biometric passports, ... we have seen a lot of measures that are akin to a double-edged sword. I have been very wary of the use of biometrics in ePassports. The use of this information to build a national database is only one step further. I do think that biometrics can help and could be used to limit fraud. But iris scans have a lower chance of being misused compared to fingerprints. The Dutch government is the first to prove me right:

State secretary Ank Bijleveld of The ministry of the Interior and Kingdom Relations wants fingerprints of every Dutchman in a national database (eng) and make it available to the police and the justice department.

It's not this specific fingerprint database that scares me. What really scares me is: where will this end? In the first place, the fingerprints taken during passport application were supposed to be used only to prevent fraud with identity documents. Now, they want to make them available to the police and the justice department. The government has been busy with a public transport chipcard and a GPS system for vehicles for tax purposes. With those systems, the government can track the movement of every person. An interesting question is when they will.

What the government probably doesn't realize is that once a person has given his/her fingerprint to the government, he/she will be extra careful not to leave behind fingerprints while committing a crime. In other words, as soon as you start building a fingerprint database, it will become useless.

During World War II, the Dutch government had a database which contained information about every Jew in the Netherlands. They had no bad intention with it, but the Nazis gratefully used it for their own purpose. So, the question is not what the government will do with it, but what will other people, like criminals, do with it once they obtain it. And since the government is really good at losing laptops, USB sticks and CD-roms, that's probably only a matter of time. (Source:

Thank you Mr. Leisink, I couldn't have said it any better.

The Web Hacking Incidents Database Annual Report 2007


The WHID annual report for 2007 is here!
Breach Labs which sponsors WHID has issued an analysis of the Web Hacking landscape in 2007 based on the incidents recorded at WHID. It took some time as we added the new attributes introduced lately to all 2007 incidents and mined the data to find the juicy stuff:
  • The drivers, business or other, behind Web hacking.
  • The vulnerabilities hackers exploit.
  • The types of organizations attacked most often.
To be able to answer those questions, WHID tracks the following key attributes for each incident:
  • Attack Method - The technical vulnerability exploited by the attacker to perform the hack.
  • Outcome - the real-world result of the attack.
  • Country - the country in which the attacked web site (or owning organization) resides.
  • Origin - the country from which the attack was launched.
  • Vertical - the field of operation of the organization that was attacked.
Key findings were:
  • 67% of the attacks in 2007 were "for profit" motivated. Ideological hacking came second.
  • With 20%, good old SQL injection dominated as the most common technique used in the attacks. XSS finished 4th with 12 percent and the young and promising CSRF is still only seldom exploited out there and was included in the "others" group.
  • Over 44% of incidents were tied to non-commercial sites such as Government and Education. We assume that this is partially because incidents happen more in these organizations and partially because these organizations are more inclined to report attacks.
  • On the commercial side, internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers. It seems that these companies do not compensate for the higher exposure they incur, with proper security procedures.
  • In incidents where records leaked or were stolen the average number of records affected was 6,000.
The full report can be found at Breach Security Network.


Neuro-linguistic programming: The map is not the territory

Neuro-linguistic programming (usually shortened to NLP) is an interpersonal communication model and an alternative approach to psychotherapy based on the subjective study of language, communication and personal change. The first principle of NLP is, the map is not the territory.

I'm looking into NLP to get in the right state of mind and to help others get in the right state of mind. You could call it motivating yourself and others. I still have to read up more on NLP before giving my own insights but I wanted to share the following slides from the previous barcamp. The slides are very visual and not filled with loads of text. They tell a story and explain themselves. If you didn't see Monty Python and The Holy Grail, some of the visuals might not make sense. I did and it gave me a good laugh. A good example of a nice presentation.


The efficiency of anti-virus

The discussion about the efficiency of anti-virus is very much alive. I touched on the subject a few times before like here and here. Let's have another look at it with Google's latest security technical report: All Your iFrame Are Point to Us.

For this exercise, we are interested in chapter 7.1 Anti-virus engine detection rates:

We subject each binary for each of the anti-virus scanners using the latest virus definitions on that day. Then, for an anti-virus engine, the detection rate is simply the number of detected (flagged) samples divided by the total number of suspicious malware instances inspected on that day. Figure 15 illustrates the individual detection rates of each of the anti-virus engines. The graph reveals that the detection capability of the anti-virus engines is lacking, with an average detection rate of 70% for the best engine. These results are disturbing as they show that even the best anti-virus engines in the market (armed with their latest definitions) fail to cover a significant fraction of web malware.

I'm not telling you that anti-virus is useless, but it isn't as efficient as some people believe. Security is still about risk reduction. The only question you need to ask is whether the price of the software is justifiable for the amount of protection you are getting today. Here is an example of someone who thought they weren't getting their value: Staying safe without anti-virus (BBC)

One such is Brent Rickels, the one-man IT department for the First National Bank of Bosque County in Texas, who has thrown out his anti-virus software and has a much quieter life as a result.

"I just wanted to be able to sleep at night," he said explaining the decision to stop using anti-virus.
"There had to be something better by now," Mr Rickels told the BBC News website. "Anti-virus is such a reactive model."

"The bad guys out there have copies of Symantec and Trend Micro and all of the anti-virus software and are using it to develop their stuff on and get their stuff past it," he said.

As its front line of defence the bank uses a so-called whitelist system that only lets a few programs run on every PC that bank staff use. Everything else, including viruses or malicious programs that try to strike via websites, are shut down before they can get a hold.

The bank has also imposed a 20-minute-per-day limit on the time staff can spend looking at non-work related websites.

Don't forget, it isn't all about prevention. Detection and Response are often overlooked. No single prevention measure is bulletproof. I like the whitelisting idea but it's all about the type of environment you're in. Flexibility vs Security. They are just two opposites on the scale. Pick your poison.

Help us get statistics about cybercrime in Belgium

ISSA is holding a Belgian Cybercrime Survey and they need YOU!

Building upon the work of ISSA Ireland in 2007, the ISSA Brussels-European Chapter will be holding the first ISSA Belgian Cybercrime Survey. In a short anonymous survey, respondents will be asked questions about the experience, the impact and the detection of cybercrime incidents.
Respondents will have the choice of answering the questions in Dutch, French or English, on-line as well as off-line (paper survey that can be sent in).

The preliminary results will be presented on March 19th, 2008, in a free seminar taking place during (you can register for the trade fair + seminars here). The final analysis and results will be presented during an ISSA event in April 2008. This edition of the cybercrime survey will be using the same questions in Belgium as in Ireland, enabling a comparison of cybercrime taking place in two different, but to a certain degree similar, European countries.

Help ISSA with the survey.

Damn Vulnerable Linux 1.4 released

DVL 1.4 final is ready to go and is uploaded at the moment. We hit the 1.6 GB size, including all necessary to train software development, IT security and Reverse Code Engineering. During the next time the mirrors will be informed. After this we post the links. As well we do a short intro video to show all features and on how to use DVL.

Direct Download ( Computer Defense )

Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. It was initiated for training tasks during university lessons by the IITAC (International Institute for Training, Assessment, and Certification) and S²e - Secure Software Engineering in cooperation with the French Reverse Engineering Team. Visit their websites at, , and . Main authors are Univ.-Doz. Dr. Thorsten Schneider [IITAC, S²e] and Kryshaam [French Reverse Engineering Team].

Update on the Middle East undersea internet cable cuts

I have been following up on the undersea cable cuts. Previously, I mentioned three cuts. It seems to have been a lot more. The Submarine Cables - A Complete Guide to the 2008 Internet Outage ( is the most complete review of the events so far. It really describes the When & Where.

The site speculates on the possible suspects:

  • U.S. Government
  • Israeli Government
  • Aliens
  • Underwater Monsters
  • The Cloverfield Monster
  • Rudy Giuliani

However, this author actually dug a bit deeper and found a trail that leads from the owners of most of these internet cables all the way back to some very, very large companies in the U.S. and in the U.K. Which companies you ask? Who is behind this?

So the WHY remains: The Iranian Oil Bourse???

Some locations were too deep to be caused by anchors. Another review: Connecting The Many Undersea Cut Cable Dots by Richard Sauder

Bonus: There is a lot of discussion ongoing on Schneier's blog.

Here is a map of all major cables

Recent exploits in the wild

Hopefully, you deployed the necessary patches, because the Adobe exploits are in the wild and actually have been for weeks. If we have a look at the SANS ISC post, we see some more details about the discovery and the timing:

Vulnerability Timeline:

* Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)

* Virus Report (, Jan. 20, 2008)

* Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)

* Immunity POC Exploit (, Feb. 6, 2008)

* Adobe Reader Vulnerability Exploitation in the Wild (ID#467384, Feb. 8, 2008)

* Adobe Security Advisory APSA08-01 (, Feb. 7, 2008)

* iDefense Receives Hostile PDF Sample (Feb. 7, 2008)

* iDefense Customer Notification (ID#467398, Feb. 8, 2008)

That is quite some time between the iDefense discovery and the available patch. Zero-day exploitation began on 20 January and the patch was not available until the 7th of February.

Besides disclosed vulnerabilities, how many of them are discovered by blackhats and sold or traded in secret? Pete Lindstrom has made a nice calculation: 93.75% of vulnerabilities are undisclosed. Really makes you wonder.

How autocomplete can be very dangerous

I mentioned this whitepaper before: Whitepaper: Understanding and Selecting a DLP Solution.
A nice example of what DLP cannot cover: external parties possessing sensitive information from or about you. It might also be a good example of why to implement DLP, depending on your point of view. ;-)

E-mail gaffe leads to billion-dollar news leak
"A simple e-mail slip-up, the kind any one of us could make at any time:
A Philadelphia lawyer addresses his electronic missive to an Alex Berenson instead of Bradford Berenson.

But what happens next is anything but routine; it's front-page news in the New York Times.
That's because Alex Berenson happens to be a reporter for the New York Times...."

Full article at:
So watch carefully before sending your next email. Autocomplete might be handy but dangerous.

Bonus: Here is a Belgian example.


Podcast: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more...

The new episode is out:

Synopsis: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more...

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically.


Remote workers are behaving less responsibly

Despite widespread security awareness campaigns, many users believe that their company's security "messaging is mellowing," Gray says. The growing use of mobile devices and "Web 2.0" technologies such as social networking are driving users toward the Internet at a higher rate, but security policies and enforcement are perceived to be softer than they were a year ago, he suggests.

Perhaps even more importantly, the lines between home computing and work computing are beginning to blur, the study suggests. Nearly half (49 percent) of respondents now say they are using their own personal devices to access their work files, up from 45 percent a year ago. And some 48 percent of users now use their work computers to access personal files, up from 46 percent last year.

"It's not just PCs -- it's smartphones, it's wireless devices, it's PDAs," Gray says. "Do those devices belong to the company? To the individual? It's all over the map."

So what can enterprises do about these growing problems? An update of the corporate security awareness program might be one place to start. (Source:

I do agree that this is a growing trend and threat. Mobile devices are growing in functionality and storage size. GPS, Internet browser, PDA, iPod/MP3 player, mobile hard disk, photo camera, you can have it all in one. I see a lot of people bringing their personal 'gadgets' or devices to work. A lot of security policies don't have any updates for these devices or for home workers. Let alone any technological measures to secure these devices. Encryption can help but doesn't stop malware from copying live data. That is what I call defense in depth. Combine technology measures with policies and awareness efforts.

Gathering information about mobile security

For my postgraduate at Solvay Business School, I have to write a dissertation. I'm leaning towards mobile security and mobile devices as a subject matter. So I started collecting articles and the like. If you know of any articles or whitepapers on mobile devices, please contact me or leave a comment.

Some quotes:

1. Apple Grows More Powerful Apple will have doubled its computer market share by 2011, Gartner predicts. Contributing factors: Apple's software integration; frequent innovations; interoperability across multiple devices—and the failure of the rest of the industry to make similar innovations.
2. Pocketable Internet Takes Off By 2012, 50 percent of traveling workers will ditch notebooks for new products such as inexpensive new classes of Internet-centric pocketable devices, Gartner predicts. Users will demand the ability to create a preferred work environment across multiple locations.


After Yahoo, Windows Live Mail CAPTCHAs also seem to have been broken

Mid January, some researchers pointed out that Yahoo CAPTCHAs might be easily broken. Now Websense has a report about Windows Live Mail being actively targeted.

Websense believes that there are three main advantages to this approach for the spammers. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. And third, it may be hard to keep track of them as there are millions of users worldwide using the service.

With botnets sending increased amounts of spam, will this lead us to a critical mass?

Massive numbers of vulnerabilities are making a lot of PCs vulnerable

It's not just the upcoming Microsoft Black Tuesday with 7 critical and 5 important patches; other popular software companies have also released critical security patches.

How fast are users patching? It might not be a representative sample but Secunia features a free software inspector which they used to gather statistics:

Currently, the Secunia PSI has been installed on 282,726 computers.

Looking at how many computers that have one or more of the above applications installed we get 229,023 out of 282,726 computers, or: "81.01% of all computers connected to the Internet need to apply at least one security update to secure their computer, until updated, users risk falling victim of a hacker by simply: Visiting a website, opening a PDF file, viewing a movie, etc. - and this is just over a period of 24 hours"

If you will excuse me, I have some urgent patching to do.


Fun: How to measure a code review

Priceless!! (Source: Securitybuddha)

Results from my CISA exam

After 8 weeks of impatiently waiting, I got my results: PASSED. Now the administrative part.... I will post some study tips in the near future. Next in line should be my CISM exam.

Official Defcon 15 recordings online (updated)

When I linked to some Defcon 15 videos in September, they were unofficial recordings posted on Google Video. Now, after 6 months, Defcon has put the official recordings on their website.

There are 122 video and audio files in total. Have fun!


Update on Mega-D botnet and a new covert bot named MayDay

After our view on New kid on the block: Mega-D overtakes Storm Worm, Arbor Networks suspected that Mega-D was actually a partition of StormWorm. Afterwards, they seemed to confirm that Mega-D was indeed not related to StormWorm.

So, this makes a lot more sense to me. After a bit of prodding, it does appear to NOT be Storm, though Cutwail and some of the related malware may indeed be the source, as suggested here.
Also Damballa stated that they were unrelated:

Damballa says Storm and Mega-D are unrelated. "Our research indicates that it's distinct from Storm," Cox says. "Each compromised host can send thousands of [spam] email addresses with random subject lines. It's clearly capable of sending out huge amounts of spam."

Size doesn't always matter with botnets. MayDay is not nearly as large as Storm, but Damballa says it could potentially do more damage due to its more sophisticated and targeted approach. "MayDay is unique because it has the ability to communicate from within the inside of the enterprise," Cox says. "It's powerful in the damage it could do when orchestrated for a common purpose. It could potentially be more powerful because of the types of networks it's successfully compromised." (Source:

So much for the confusion about Mega-D. The last article also talks about another botnet called MayDay. It uses different techniques to try to bypass network security measures, such as using the browser proxy settings or tunneling through ICMP.

The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year. (See The World's Biggest Botnets .)

MayDay uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, says Tripp Cox, vice president of engineering for Damballa. He says, "It can communicate through an enterprise's secure Web proxy and conduct updates and attack activities" -- a unique method for a botnet.

The Web proxy approach also demonstrates that this is no random bot infection: "Designing bot malware to specifically use Web proxies is a clear indicator that it's targeting [specific] enterprise systems," Cox says. (Source:

Still not worried about targeted (enterprise) attacks?
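The two MayDay command-and-control channels named above (tunneling through ICMP and polling through the enterprise web proxy) each leave a measurable trace. The following is an added example of my own, not code from Damballa or the cited article, that runs two simple heuristics over constructed ICMP records and proxy log lines; the thresholds, hosts and addresses are assumptions.

```python
# Added example (not from the post or Damballa): heuristics for the two MayDay C2
# channels the post names, run over constructed sample records. Thresholds assumed.
from collections import defaultdict
from statistics import pstdev
from urllib.parse import urlsplit

# Constructed ICMP echo-request records: (src, dst, payload_len, payload_head).
# A stock Windows ping carries 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi".
ICMP = [
    ("10.0.0.5", "10.0.0.1", 32, b"abcdefghijklmnop"),
    ("10.0.0.5", "10.0.0.1", 32, b"abcdefghijklmnop"),
    ("10.0.0.7", "203.0.113.9", 512, b"\x1f\x8b\x08\x00\x12\x34\x56\x78"),
    ("10.0.0.9", "10.0.0.1", 32, b"Z8kq1x/2Lw=="),
]

# Constructed proxy log: epoch_seconds client method url status bytes.
PROXY_LOG = """\
1202400000 10.0.0.5 GET http://www.example.com/ 200 5120
1202400000 10.0.0.7 GET http://cdn.example.net/u.php 200 48
1202400017 10.0.0.5 GET http://www.example.com/news 200 8800
1202400300 10.0.0.7 GET http://cdn.example.net/u.php 200 48
1202400412 10.0.0.5 GET http://shop.example.org/ 200 12000
1202400600 10.0.0.7 GET http://cdn.example.net/u.php 200 48
1202400901 10.0.0.7 GET http://cdn.example.net/u.php 200 48
1202401200 10.0.0.7 GET http://cdn.example.net/u.php 200 48
1202401950 10.0.0.5 GET http://www.example.com/ 200 5120
"""

def icmp_tunnel_suspects(records, max_len=64):
    """Hosts sending echo requests that are oversized or lack the stock ping filler."""
    return {src for src, _dst, plen, head in records
            if plen > max_len or not head.startswith(b"abcdefgh")}

def beaconing_pairs(log, min_hits=4, max_jitter=2.0):
    """(client, host) pairs polled through the proxy at near-constant intervals."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, client, _method, url, _status, _size = line.split()
        times[(client, urlsplit(url).hostname)].append(int(ts))
    flagged = set()
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Short-circuit keeps pstdev() away from pairs with too few samples.
        if len(ts) >= min_hits and pstdev(gaps) <= max_jitter:
            flagged.add(pair)
    return flagged

if __name__ == "__main__":
    print("ICMP tunnel suspects:", sorted(icmp_tunnel_suspects(ICMP)))
    print("proxy beacons:", sorted(beaconing_pairs(PROXY_LOG)))
```

Real traffic needs tuning (legitimate update checkers also beacon), so treat hits as leads for the proxy and NetFlow data, not as verdicts.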

Europe has become spam king?

At least according to the latest Symantec State of Spam (February). Nothing to be proud of. Maybe ENISA can take some initiative?

The February State of Spam Report highlights an interesting trend in the shift of spam moving from North America to EMEA. The percentage of spam originating from EMEA has surpassed that of North America, which represents a significant shift in where the bulk of the world’s spam is “supposedly” sent from.

This trend has been observed for the past three months with a culmination in January of approximately 44% of all spam email now originating from Europe, versus 35.1% from North America. But is this spam mail really originating in Europe? Although it appears that way, the very nature of spam distribution makes it difficult to accurately pinpoint the true geographic origin of the sender. Spammers often take advantage of tricks that allow them to mask their real location and bypass DNS block lists.

Why the increase in spam originating from Europe? One theory points to increased broadband usage. The past few years have seen a massive growth in broadband users in Europe. As of June 2007, Europe had six of the top ten countries for broadband users in the world. This massive growth in broadband users does appear to correlate to the sizeable increase in spam originating from Europe.

More information regarding this trend as well as highlights on other recent trends can be found in the February State of Spam Report.

Update (06/02/2008): ENISA pointed me to some of their previous initiatives concerning spam.

(IN)SECURE Magazine Issue 15 released

DOWNLOAD ISSUE 15 HERE (February 2008)

  • Proactive analysis of malware genes holds the key to network security
  • Advanced social engineering and human exploitation
  • Free visualization tools for security analysis and network monitoring
  • Internet terrorist: does such a thing really exist?
  • Weaknesses and protection of your wireless network
  • Fraud mitigation and biometrics following Sarbanes-Oxley
  • Application security matters: deploying enterprise software securely
  • The insider threat: hype vs. reality
  • How B2B gateways affect corporate information security
  • Reputation attacks, a little known Internet threat
  • Data protection and identity management
  • The good, the bad and the ugly of protecting data in a retail environment
  • Malware experts speak: F-Secure, Sophos, Trend Micro

Video: Hak5 Episode 3×07 Released

Episode 7 is out.

In this episode Chris Gerling shows us a little reverse engineering with Crackmes, Darren unlocks OpenWRT on the Fon router, Will Coppola demonstrates inprotect, a nessus/nmap web frontend, and Matt fixes the Rock Band guitar once and for all. Plus HakSnacks including installation package building with Iexpress, a Rock Band drum kit for your PC, converting flash videos to mobile media formats, and browsing the Internets with calculator. Grab some pwnj00z, the next hour is designated for technolust!

Download xvid
Watch on youtube