9/1/08 - 10/1/08 | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

Tuesday

BCI's Continuity magazine - September Issue

The Business Continuity Institute publishes Continuity magazine six times a year which contains articles and papers on business continuity management. Continuity is circulated to all BCI members, BCI Partnership contacts and to other interested registered readers. A digital version of the latest issue can be accessed by clicking here (PDF) or here (ZIP).

Related posts:

New browser exploit: Clickjacking

Since no single browser and Adobe has a patch for this Clickjacking attack, Jeremiah Grossman and Robert Hansen refrained from giving details during the OWASP NYC 2008 Conference.

But there is a small overview and explanation of the issue:

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening. “A normal user wouldn’t have any idea of what is going on. People in this audience may see something a little different from what they would expect and you would definitely see the results in the page’s source code.” Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.(Source: webadminblog.com)

This seems a serious issue. The only way to protect yourself at this moment is to disable browser plugins and scripting. The exception would be the Firefox plugin Noscript, which actually protects you from most attack scenarios. If you want Noscript to provide 100% protection against this specific attack, you need to check the “Plugins|Forbid <iframe>” option.

For more information follow up the US CERT report.

UPDATE: Computerworld.com has a good detailed article on this issue. (hat tip to Jeremiah Grossman on Twitter)

Monday

RSA Europe 2008 soon to come

A security conference I wasn't that familiar with, was the RSA Security Conference. I did see it show up on some of the pages of fellow security bloggers or on twitter. There is an USA and an Europe edition.

RSA Europe was this year so kind to extend press entrance to security bloggers. Some minimum requirements apply like you have to be blogging about security for at least 6 months and on a weekly basis. Technorati rating and some other factors may also be factored in for acceptance. Check the website for more information.

I am glad to have been accepted and I'm looking forward to provide coverage on the event. As well as to meet up with several of the @Securitytwits and SecurityCatalyst people. If you are also going and want to meet us, drop a message.

(Photo under creative commons from ggee's photostream)

Upcoming Security Event: "A Day in the Life of the SANS Internet Storm Center"

The Belgian ISSA Chapter is organizing an event next Thursday: "A Day in the Life of the SANS Internet Storm Center".

Malicious trends are spotted due to people from all over the world sending in their anonymized firewall logs to Dshield, a SANS ISC distributed intrusion detection system for data collection and analysis. A truly international team of volunteers ("Handlers") from all over the world is using automated analysis and graphical visualization tools to search for activity that corresponds with broad based attacks. They report their findings to the Internet community
through the ISC main web site, directly to ISPs, and via general postings and emails to newsgroups or public information sharing forums. They also spread the news if important new vulnerabilities in common software applications are being discovered.

We as information security professionals benefit a lot from the efforts of those volunteers who are on top of what's happening in our field. They have interesting stories and insights to tell and that's why we as the ISSA Brussels-European Chapter are very happy to have found a possibility to have the two Belgian SANS ISC Handlers give a joint presentation about "A Day in the Life of the SANS Internet Storm Center"! They told me they would leave a lot of room for questions, so finally I will get to know how they manage to stay awake from 0000hrs to 2359hrs UTC!

For more information, visit the ISSA-BE Website. Unfortunately, since I'm following a course that day, I won't be able to join you. Too bad. I always wondered how the day of an ISC Handler looks like.

I also want to take this occasion to thank all the volunteers at the SANS ISC for all their time and effort. Thanks guys!

The security calendar (look on the right) has been updated together with the RSA Europe 2008 Conference.

Related posts:

(Photo under Creative Commons from David Wulff's photostream)

Sunday

New version of Helix Forensics LiveCD released

A new version of Helix 3 has been released. Mind you that 3 is not the version but it stands for 3: Incident Response, Electronic Discovery, and Forensics. The latest 'version' is 2.0 (or 2008R1). This forensics centric live CD is now Ubuntu based and includes updates to many of the host programs.

From the website:

"Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix wil not auto mount swap space, or auto mount any attached devices. Helix also has a special live side for Incident Response and Forensics."

The new version of Helix can be found at http://www.e-fense.com/helix/

Related posts:

Thursday

US Custom agents can now also seize hardcopy document

We know that digital 'searches' were possible at (US) border control. Now it seems that all documents, even hardcopy can be seized, read or copied at will. From SFGATE:

The Bush administration has overturned a 22-year-old policy and now allows customs agents to seize, read and copy documents from travelers at airports and borders without suspicion of wrongdoing, civil rights lawyers in San Francisco said Tuesday in releasing records obtained in a lawsuit.

Airport Security: All your data are belong to us

(Photo under creative commons from Mark Demeny's photostream)

(IN)SECURE Magazine Issue 18 released

Covered topics are:

Network and information security in Europe today
Browser security: bolt it on, then build it in
Passive network security analysis with NetworkMiner
Lynis - an introduction to UNIX system auditing
Windows driver vulnerabilities: the METHOD_NEITHER odyssey
Removing software armoring from executables
Insecurities in privacy protection software
Compliance does not equal security but it's a good start
Secure web application development
The insider threat
Web application security: risky business?
...

You can download the issue here.

Tuesday

The Ignite Presentation Method and Where the Hell is Matt

I talked about Pecha Kucha a few times before. The concept is simple, 20 slides 20 seconds per slide amounting to 6m 40s to deliver your message. Other concepts like elevator speech come to mind. There is a similar movement called ignite. With a bit simpler name, what is ignite?

If you had five minutes on stage what would you say? What if you only got 20 slides and they rotated automatically after 15 seconds? Around the world geeks have been putting together Ignite nights to show their answers.

Ignite was started in Seattle in 2006 by Brady Forrest and Bre Pettis. Since then 100s of 5 minute talks have been given across the world. There are thriving Ignite communities in Seattle, Portland, Paris, and NYC.

More information on http://ignite.oreilly.com/

I caught a discussion about this presentation style over at the presentationzen blog where they showed an example for ignite from Matt.

Matt is known from the 'Where the hell is Matt' website. Matt started a website showing videos of him dancing on locations all over the world. If you don't know him or his website, you should watch his latest video.

WASC Web Application Security Statistics Project 2007 published

This was released 2 weeks ago but it was still in my processing buffer. The Web Application Security Consortium (WASC) has published the WASC Web Application Security Statistics Project 2007. Besides the OWASP Top 10, it's a well known source of information about Web-based vulnerabilities and attacks.

An abstract:

Vulnerability frequency by types

The most prevalent vulnerabilities (BlackBox & WhiteBox)

Related posts:

.gov domains moving to DNSSEC and ENISA is looking into it

It seems after the DNS issues highlighted recently, some organizations are seriously looking into moving to DNSSEC:

That’s because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet’s DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. (Source: networkworld.com)

On our side of the pond, there are also ongoing discussions about implementing DNSSEC. To protect the public infrastructure, ENISA is even looking for a step further.

Recently a vulnerability of Domain Name System (DNS) caught a lot of media attention. A flaw in the DNS threatened to bring chaos to the Internet by poisoning the servers that translate domain names into Internet protocol addresses.
The European Network and Information Security Agency, ENISA, is stock taking the policies and regulations that exist across the EU Member States, the measures operators take and the technologies available to improve the resilience (availability and integrity) of public eCommunication Networks. This work is undertaken in close collaboration with regulators, policy makers, network operators, network equipment vendors and academia.

Three technologies, namely MPLS (Multiprotocol Label Switching), DNSSEC, IPv6, have been identified as promising to ensure this. To assess their effectiveness and identify potential problems or gaps that could compromise the availability of networks and services, the Agency is interviewing a number of network operators in the EU. The collected input will be analyzed, in direct consultation with all leading stakeholders, and lead to EU guidelines. The final results will be presented at an Agency workshop “Resilience of Public eCommunication Networks”, that will take place in Brussels, 12-13 November.(Source: ENISA)

While DNSSEC does solve a lot of the issues, it won't be easy to implement. Doxpara.com had the following comments:

The reality is there’s no harder task in all of IT than building a PKI, and the inescapable reality is that DNSSEC is a new identity infrastructure on the order of X.509. It does solve the problems though, at least for the authoritative servers that opt into it, and the side benefits of having the system fixed in this particular way are rather compelling. (Source: doxpara.com)

Read the rest of Dan's article, since it looks at alternatives and discusses a lot of issues of potential solutions. A very interesting read.

Related posts:

(Photo under creative commons from xeni's photostream)

Monday

iPhone Forensics video online and some recent iPhone Security Issues

For those who missed the Oreilly webcast on iPhone Forensics in April, the video has been posted on Youtube by them.

--
--

Speaking of the iPhone, the previous version (2.0.2) had a serious security flaw. Do the next trick:

Tap emergency call.
Double tap the home button.

You now have access to all the favorites. The first issue is that anyone can make a call to every number in your favorites. It doesn't stop here. If you tap on the blue arrows next to the names, it will give you full access to the private information in a favorite entry. It even gets worse:

If you click in a mail address, it will give you full access to the Mail application. All your mail will be exposed.
If there's a URL in your contact (or in a mail message) you can click on it and have full access to Safari.
If you click on send text message in a contact, it will give you full access to all your SMS.

This issue has been fixed in the latest version 2.1. For those who don't want to upgrade to 2.1, there is also a workaround:

In the iPhone home, go to Settings.
Click on General.
Click on Home Button.
Click on either "Home" or "iPod".

This will redirect the homebutton back to the locked screen. There is also another benefit in the iPhone firmware 2.1 One new features listed is the option to “wipe data after ten failed passcode attempts”.

Afraid that someone will wipe your information when you're not looking? Apple included staged throttles on the passcode screen. Adam O'Donnell did the test:

After 6 passcode failures, the user is required to wait 1 minute before attempting again. Failing 7 and 8 times in a row incurs 5 and 15 minute pauses. I didn’t want to see how long I would have to wait to use my phone after 9 failures. Collectively, the incorrect passcode throttles will generate at least 20 minutes of delay before someone can wipe your handset, more than enough time to intervene and stop someone from playing with your handset if it is still physically near you.

More software should do this.

UPDATE: Thnx for edsmiley for pointing me to a more recent Oreilly webcast featuring more on bypassing the iPhone passcode for forensics purposes.

(Photo under creative commons from Refracted Moments™'s photostream)

Social networks and webmail hacking

With all the public information online about us, the password recovery feature of some webmail providers might be a dangerous feature, as vice presidential candidate Sarah Palin found out the hard way. Secondly, you shouldn't use webmail accounts for work-related communication.

Here is a nice end-to-end coverage of the story by our friends at ZDnet.

Dan Kaminsky warned us before of the potential exploitation of the "Reset password" function, although it was in combination with DNS poisoning and MX records. Yesterday, he wrote a nice discussion about this incident (doxpara.com) and possible countermeasures. One potential option is to send a verification code by sms.

I found some interesting other remarks like using wrong answers to improve your security. Like answering "what is your favorite color" with "1992" if accepted by the website. Of course, use a system which makes it possible to remember. Maybe use HTML color codes (for the geeks?). Interesting to think about.

Last but not least, be careful what information you provide on social networks. Place and year of birth etc.... is not advised.

Related posts:

(Photo under creative commons from shaymus022's photostream)

Cisco running IOS on virtual switches in VmWare ESX. Some VMWorld 2008 coverage.

Today, VMWorld 2008 started and it will rock our ~~world~~ datacenters.

It's been some time since I used to manage LANs and Cisco switches myself. I remember when a former colleague used to bug me with virtual switch performance issues in the early days of our VMWare deployments. Since it was a piece of code and actually not a real switch, as a network engineer, I couldn't really help him. The definition of a vSwitch according to VMWare:

A virtual switch, vSwitch, works much like a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical Ethernet adapters, also referred to as uplink adapters, to join virtual networks with physical networks. This type of connection is similar to connecting physical switches together to create a larger network. Even though a vSwitch works much like a physical switch, it does not have some of the advanced functionality of a physical switch. For more information on vSwitches, see Virtual Switches.

But times are changing. Christofer Hoff was the first to point me to the opening of the developent of ESX virtual switches to third parties. So where vSwitches didn't have advanced capabilities like STP/PVST+/Private VLANs, HSRP, Multicast, etc., it's all about to change. During VMWorld, Cisco will unveal their Virtual Switch for VMware ESX.

vCompute, vStorage, vNetwork, Cloud vServices, it's all going to change the way we look at security. Especially the introduction of VMSafe in 2009:

VMware VMsafe provides x-ray visibility into virtual machine resources from the vantage point of the hypervisor, making it possible to monitor every aspect of the execution of the system and stop previously undetectable viruses, rootkits and malware before they can infect a system
Checkpoint, IBM, McAfee, Radware, TrendMicro and are announcing their plans to deliver VMSafe –integrated products in 2009 that provide superior protection to virtual machines than possible with physical machines or other virtualization solutions (Source: Vmware)

So keep tuned on VMWorld. Here are some interesting sites to keep an eye on:

http://www.yellow-bricks.com/
http://rationalsecurity.typepad.com/blog/
http://www.rtfm-ed.co.uk/
http://servervirtualization.blogs.techtarget.com/

You can also use Twitter for some more 'live' information:

http://search.twitter.com/search?q=vmworld

Related posts:

Video: Hak5 Episode 4×02: Spicy Reverse Engineering

Just on the heels of episode 1, is already the second one about reverse engineering.

In this episode of Hak5 Matt shows us how to map our networks with Spiceworks, an open source infrastructure mapping tool. Chris Gerling breaks down reverse engineering, Shannon talks about OpenDNS, and Christine has a Windows utility for everyone running multiple monitors.

LockCon, the hacker conference about locks

Well, if you are interested in the security of locks, this might be very interesting to you. But as you will read further, you need to be member of Toool.NL, Toool.US or SSDeV to be able to enter. Or you need someone to introduce you.

From http://www.toool.nl/LockCon:

What is LockCon?: LockCon is an international conference about ... locks. Although we are modest people (ahum), LockCon is hosting some pretty innovative and unique presentations. Besides these high quality presentations, there will be championships in lockpicking, safe combo-lock manipulation and impressioning. And LockCon is a place where creative energy flows and you can make friends for life (and an occasional enemy). It is the place where top lockpickers meet one another, and contacts are made between lockpickers and the lock industry. In other words: it is a unique event....

When will LockCon be held?: Real soon now! To be precise: October 9-12 2008.; Attendees are welcome from Thursday October 9 at 17:00, dinner will be served that day at 20:00 (because people will be arriving from the security show in Essen Germany). The official kick-off of the event is on Friday October 10 at 09:30 AM (the presentation of Peter Field).

Who are behind LockCon?: The event could not exist without the help of the attendees/volunteers, but the people responsible and in charge are the usual suspects of Toool.nl (Barry Wels and Han Fey).

Where will LockCon be held?: The location for this event is the StayOkay youth hostel in Sneek (Friesland) in the Netherlands.

How Much is the entrance fee for LockCon?: The 'full event' price is €150 for four days. This price includes four dinners, three breakfasts, three lunches and three overnights in the hostel. It also includes free beer and drinks (*), and a basic supply of snacks. People are encouraged to bring/donate snacks and drinks to support the event. Visitors who only visit one day will pay €75, or €125 if they stay two days (this includes meals, free drinks and a place to sleep). When you mail to registration@lockcon.com we will send you our bank details so you can transfer the money.

Who will attend LockCon?: A lot of interesting people. There will be lockpickers, safe technicians, locksmiths, 24-hour opening services, lock manufacturers, lock tool manufacturers, hackers, members of the law enforcement community, spies and an occasional beautiful girl. And a pretty big number of them will be overseas visitors.

Wow, where do I sign in?: Not so fast. LockCon is not an open event. This means you have to be a member of Toool.NL, Toool.US or SSDeV to be able to join. Or you need someone to introduce you and hope there is place left. We have set the maximum number of attendees to one hundred. For this event we have reserved 10 to 15 seats for 'new blood'. If you think you have something to contribute, but are not a Toool or SSDeV member, or do not have someone to introduce you, please mail us anyway. We are open to interesting people and might be able to work something out. Just give it a try, you might get lucky ;) If you want to attend, please send a mail to registration@lockcon.com. We will mail you our bank data so you can wire the money.

Sunday

Another look at harddisk encryption attack methods

We have seen 2 attacks in the last year that could circumvent harddisk encryption (in some cases):

One of the countermeasure to be used was a preboot password (read my previous posts for more info). Now, a presentation from Jonathan Brousard during the latest Defcon16 talks about abusing the BIOS keyboard buffer to attack preboot authentication mechanisms. Any software that doesn't clear this buffer is open to certain vulnerabilities.

Read the white paper at http://www.ivizsecurity.com/pdf/preboot_whitepaper.pdf for detailed information.

Abstract:

Pre-boot authentication software, in particular full harddisk encryption software, play a key role in preventing information theft. Because Pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interruptions responsible for handling keyboard input, they typically use the BIOS API without using or initializing the BIOS internal keyboard buffer. Therefore, any user input including plain text passwords remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academical research aiming at extracting information from the RAM our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work include information leakage from CPU caches, reading physical memory thanks to firewire and switching CPU modes.

Before you will reach the wrong conclusion, this doesn't make encryption software useless. It's all about not being the low hanging fruit and knowing your risks.

Previous posts:

(Photo under creative commons from john_a_ward's photostream)

Hacker media has found a new home.

In a previous post, we mentioned the hacker conference media archive maintained by darkoz was looking for a new home and luckily it has. Now everything from the previous blackhat and defcon conferences can be found at http://avondale.good.net/dl/bd/

(Hat tip to McGrew Security)

Related posts:

(Photo under creative commons from dullhunk's photostream)

Friday

One of those days. Murphy strikes. (updated)

Yesterday was not one of my best days. Since I wasn't able to go to Defcon, I decided to go to the debriefing by the DC4420 group in London. After making travel arrangements and changing my work schedule, everything was set to go.

But then it started, my afternoon meeting went over time. I had to (literally) run, trying to catch my first train towards Brussels, only to miss it in the end. The next train to Brussels (30 minutes later) had a 15 minutes delay, leaving me only 10 minutes to board the Eurostar. Of course I didn't make it. Luckily, the boardingdesk changed my boarding pass for the next train.

With one hour delay to London, I wouldn't miss too many presentations. If only that would have been all.

Through the speaker, the news that all trains were suspended due to a fire in the tunnel was announced. Great!!! I was forced to head back home, loosing half a day and being stressed out from all the running.

When I got home, I cancelled the hotel, paying some cancellation fees. After that, I tried to use the refund function on the Eurostar homepage and it threw me a Java.null.exception.pointer. I'll guess I'll have to make some phonecalls if I ever want to see my money back.

It was one of those days. If you'll excuse me, I'm looking up some yoga classes.

UPDATE (13/09/2008): After watching the news, it seems that this wasn't some small electrical fire. Luckily, no one was seriously injured. For more information, see tunnel fire 2008.

After contacting the service center, my ticket will be reimbursed within the next 5 days.

(Picture under creative commons from ambert's photostream)

Thursday

Google's new Browser Chrome: an overview of articles

Here is an overview of some of the information published about Google's own browser:

Bundesamt warnt vor Google Chrome (Spiegel.de) (Google Translate: German government warning for Google Chrome)
Chrome all polished up (Room362)
Google Goes Its Own Way (Darkreading)
Google Chrome vulnerabilities starting to pile up (Zdnet.com)
Google Mule (Aviv Raff)
Carpetbomb bug tarnishes Google Chrome (Register.co.uk)
Burned by Chrome - Fire put out (Register.co.uk)
Google Chrome (GNUCITIZEN)
Improving the Chrome browser (GNUCITIZEN)
Google’s Chrome is having a bad day, I am uninstalling. (i-hacked.com)
chrome plated security (anti-virus rants)
chrome follow-up (anti-virus rants)
Google Chrome first look (ts/sci security)

I kind of feel bad for Chrome because since it's release, it seemed people went at it like piranhas. Which is good. A good scrutiny during it's beta phase can help improve it.

It started with denial of service bugs, carpet bombing (the ability to drop files on the user's desktop), EULA discussions etc......

Although some of these issues have already been fixed. There are some things that I don't like at all.

It seems that even after an uninstall of the chrome browser, it leaves a scheduled task behind to run the googleupdate program and the googleupdate.exe itself is also left behind. An uninstall shouldn't leave binaries behind.
If the observation from Mubix is correct, (see Room362 article) Chrome updating itself without any user interaction is just evil. Even the Apple updater allows you to deselect items (like Safari which they seems to keep force feeding to the users.). I wonder if it's vulnerable to something like Evilgrade.

Summary: Wait until it's left the Beta phase for general use and Chrome gets some additional security improvements. Some of it's (security) concepts are good, but they are not there yet.

(Photo under creative commons from aacool's photostream)

Wednesday

Early release of some of the Defcon 16 videos

From Defcon.org:

We've decided to do an early release of a few of the news-making presentations from DEFCON 16 in video format! The following links are in two formats, the h.264 version is an iPod compatible version of the presenter's slides with audio of the speech, and the full .mov is quicktime with dual video of the speaker and the slides. Enjoy, and keep your eye out for all the videos and audio from DEFCON 16 to be released in the next couple months!

(Photo under creative commons from shootingsawk's photostream)

Monday

3 New SANS Whitepapers: DLP, Checkpoint firewalls cleanup/tuning and Mobile Device Forensics

The SANS Reading Room has been updated with 3 new interesting Papers.

Data Loss Prevention

Abstract:

Data breach has been one of the biggest fears that organizations face today. Quite a few organizations have been in the news for information disclosure and a popular recent case is that of T.J.Maxx. While DLP is not a panacea to such attacks, it should certainly be in the arsenal of tools to defend against such risks.

Check Point firewalls - rulebase cleanup and performance tuning

Abstract:

Firewall rulebases tend naturally toward disorder over time, and as the size of the ruleset grows, the performance of the firewall starts to suffer. In this paper, a simple procedure for culling unused rules and ordering the rulebase for performance will be presented. The procedure uses open-source software and purpose-built tools (which will be provided) and has been used to leanup the rulebase of large firewalls at a major financial institution. Anyone interested in mproving the performance of their Check Point firewall and/or improving their position come the next audit should read this paper.

Mobile Device Forensics

Abstract:

The world of mobile device forensics is a complicated one. There are countless manufacturers of mobile devices, unlike the PC world’s limited number of major operating system vendors. To complicate things further, each mobile device manufacturer may have their own proprietary technology and formats. Add to this the fact that new mobile devices such as cellular phones and personal digital assistants (PDAs) are released at a blistering pace and you have a challenging environment to work in.

This research paper will document in detail the methodology used to examine mobile electronic devices for the data critical to security investigations. The methodology encompasses the tools, techniques and procedures needed to gather data from a variety of common devices.

Related posts:

(Photo under creative commons from paulbence's photostream)

Video: Hak5 Episode 4×01 Released: Wi-Fi Pineapples

The fourth season of hak5 has begun.

In this season premiere episode of Hak5 Mubix joins us to talk about what’s new in Maltego, an open source forensics and intelligence gathering tool. Shannon rocks out with Audio surf, and Darren heads downtown to the coffee shop to own a wireless network with a pineapple. Grab some hax0rflakes ’cause the bricks are gone and we’re back!

For more information, visit the hak5 website.

You can also follow hak5 on twitter @hak5.

Belgian Information Security Professionals call for a Belgian Strategy on Information Security

A whitepaper “Towards a Belgian Strategy on Information Security” written by an initiative by private associations and academic institutions, has been published.

Intended towards government and public authorities in the first place, the paper describes 6 main areas of activities that the Belgian federal and regional governments urgently need to pay attention to.
The initiative was announced while focusing on the lack of a Belgian CERT, the call for a Belgian Information Security Body and the installation of a certification authority, three out of six recommendations for immediate improvement of the situation.

You may read the press release

- in Dutch : http://www.isaca.be/Documents/20080908%20BISI-NL.doc

- in French : http://www.isaca.be/Documents/20080908%20BISI-FR.doc

and/or the full report "Towards a Belgian Strategy on Information Security"

- in English : http://www.isaca.be/Documents/Belgian%20Information%20Security%20Strategy-ENG.pdf

- in Dutch : http://www.isaca.be/Documents/Belgian_Information_Security_Strategy-NL.pdf

- in French : http://www.isaca.be/Documents/Belgian%20Information%20Security%20Strategy%20V2FR.pdf

The organizations signing this document are:

Belgian experts involved in ISO/IEC JTC1 SC27, an international standards committee on information security techniques, including Information Security Management System (ISMS) aspects.
CETIC
INFOPOLE Cluster TIC
the Belgian Chapter of ISACA
the Brussels European Chapter of ISSA
K.U. Leuven, ESAT/COSIC
LSEC (Leaders in Security)
Solvay Business School

Conclusion:

The signing organisations call upon the Belgian government for urgent action to be taken by relevant stakeholders in order to achieve the above-mentioned strategic objectives. The signing organisations are prepared to get involved and assume responsibility in order to bring the Belgium information security environment to an adequate level. More information in relation to this document can be obtained from the following representatives of the signing organisations: Jean-Luc Allard (ISACA) and Bart Moerman (ISSA).

I can only say, bravo !!!!

Related posts:

(Photo under creative commons from Tōei's photostream)

Sunday

PortablePwnage Part 3: Installing an atheros wlan card in the Eee PC 901

Unlike all the previous generations, the Asus Eee PC 901 (or 1000) doesn't include atheros based wifi anymore. Which is kind of sad, since the new RaLink rt2860 doesn't support packet injection. Luckily, the onboard wifi of the Eee PC is a mini-PCI express which is easily accessible through the backpanel.

So I ordered a GIGABYTE Aircruiser GN-WI01GT from oxfordtec.com (UK) after checking the madwifi compatibility page. Here is a quick walkthrough of how I installed the card.

The wlan card is easily accessible though the panel on the backside (only 2 screw). Click on the pictures for more details.

Step 1. Remove the battery (just to make sure)
Step 2. Remove the 2 screws and open the back panel. The shiny card on the upper left is the RaLink rt2860 card which is going to be replaced.

Step 3. Gently push the antenna connectors up so they will come off and remove the 2 screws on the card. Calmly shift the card in the direction of the screws and you will be able to take it out.

Step 4. Reverse your steps. Take your new atheros card and slide it into place. Fix it with the screws and (gently) push the antennas in place until you hear a small 'pop'. You can close everything up and boot your system.

Step 5. Install the correct driver for XP/Vista or get the latest madwifi drivers for Linux and you're set to go.

I must say that I get better range/signal strength then with the previous Azurewave card. Now I can really start with the rest of my lab experimentations.

Upcoming tutorials:

Installing Ubuntu EEE for the eeePC 901 on a SD Flash Card
Installing Backtrack 3 for the eeePC 901 on a SD Flash Card
Installing OSWA for the eeePC 901 on a SD Flash Card
Installing and configuring OpenVAS for BT3
Installing and configuring Karmetasploit for the eeePC 901

Defcon 16 Media Coverage

Defcon's comprehensive list of all articles known to have been written about DEFCON has been updated to include the 16th edition. Some of the topics you will find are:

Badges
BGP Exploit
Captcha
iPhone
Lock Picking
MBTA vs. MIT
Social Networks
Warballooning

Have a look at the list of articles.

Related articles:

Saturday

Follow Hack.lu 2008 on Twitter or IRC (updated)

The hack.lu 2008 conference is nearing. There are several ways to follow or participate (remotely).

Twitter: You can follow the hack_lu twitter page or use the #hacklu hashtag.
Flickr: For participants, upload pictures to Flickr using the hacklu tag. I will bring a camera of my own this year for some atmosphere shots.
IRC: You can join the #hack.lu irc channel on irc.hack.lu.
Wiki: The wiki is now up and available at http://wiki.hack.lu.
LinkedIN: There is a LinkedIN group called hack.lu (LinkedIN groups have now the possibility to have discussion within the group)

Planned CTF competition for Hack.lu 2008

I read that there will be another CTF at Hack.lu just like last year. This years CTF will again be organised by Hackerjoe of the famous Kenshoto group.

For a view on last years CTF, read my post on 'Capture The Flag at Hack.lu 2007'.

I should have BackTrack 3 Final running by then on my Eee PC 901. I'm working on some tutorials. Soon to follow.

Related posts:

(Photo of Defcon's CTF under creative commons from inju's photostream)

Friday

Botnets sizes have skyrocketed

Recent statistics from Shadowserver.org are showing that the size of botnets have quadrupled. Possible causes are the latest malware email campaigns like the CNN spam, the infected pages through recent SQL injections and possibly the start of the new school year. This is an opinion, not proof of course.

So this translates into more infected PCs under control of the bad guys. More spam, more credit card theft, bigger DDoS, etc.... It doesn't look good.

Related posts:

Some recent statistics on web application vulnerabilities

Jeremiah Grossman released a report last month giving a statistical view on current website vulnerabilities, accompanied by some expert analysis and recommendations.

Some highlights:

67% of sites suffer from Cross site scripting
17% of sites suffer from SQL Injection

Listen to the Jeremiah Grossman's presentation (68 minutes)
Download a PDF of the presentation (849 KB PDF)
Download a PDF of the the report

Related articles:

Study on a more Western version of the Russian Business Network

Remember the Russian Business Network? Let's have a short look back:

The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."

Since all the publicity, their operations split up and went to several other parts of the world like China or Turkey. But apparently, this kind of hosting is also present in some more Western parts of the world. A research paper was released and describes some of the activities located at a California based ISP.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study although fully self contained is the first of a series of reports, on a monthly basis there will be a follow up to report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

The study is downloadable from hostexploit.com
Watch the Video of an Exploitation of a PC User on YouTube

Besides this paper, investigative reporter Brian Krebs also had a look for himself into this case.

The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

"While Intercage has legitimate clients and professes intolerance for abuse, it continues to turn a blind eye to massive amounts of cyber crime," iDefense analysts wrote. "Intercage Inc. previously operated as Atrivo Inc.; it was already infamous for abuse then and has not improved its reputation since changing names."

Read his entire analysis here.

These publications did have some effect. Arbornetworks noticed the following:

After the research article’s publication, Global Exchange de-peered with them after only a day or two (GLBX had been a BGP peer providing transit, one of two or three distinct ASNs doing so). It’s unknown what debates went on inside GLBX before this action, but the suggestion is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to changes. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) lead to the dissolution of RBN.

On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information. (Source: Arbor networks)

So it's not only the (now dispersed) RBN we have to keep an eye on. Be vigilant.

Related posts: