I went to my first HTCIA meeting last night and got to hear an interesting presentation on “The Importance of E-Mail Preservation in Litigation”. I’m not sure if I can post it or not but I’ll find out.
Here is today’s list:
Social Engineering Gets a Big Diamond Heist
It just goes to show, sometimes the simple things are the most effective. A box of chocolates can defeat all the most hi-tech security systems if you add a little charm.
Optical link hacking unsheathed – I guess my Windows NT 4 networking books were wrong 🙂
Instead of breaking a fibre and installing a device (splicing), an approach that might easily be detected, off-the-shelf equipment makes it possible to extract data from an optical link without breaking a connection.
MS’ New Malware Protection Center to Go Global with Fighting e-Threats – I’m interested to see how this turns out.
Microsoft has unveiled what it’s calling its Malware Protection Center: a new think tank comprising security and threat experts that will provide global malware research, response and protection capabilities in order to help protect customers from new or existing threats.
The Good, The Bad, And The Risk Assessment
RAs can be conducted internally; however, an RA conducted by an external third party typically carries more weight should the information within the RA be questioned. It’s that whole impartiality thing, ya know?
0wning Vista from the boot – Interesting interview with the guys who wrote the VBootkit.
Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the “features” of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1500 bytes), and the chance to use it to bypass Vista’s product activation or avoid DRM.
Analyzing Mac OS X Applications 101: CrashReporter and Malloc – Very good article from the guys at Matasano…but if you read it then they get to keep your laptop.
For the most part, these tips apply to both GUI and command line apps. This isn’t rocket science, but it is a good primer for people looking to dive into OSX vulnerability analysis. I am going to use Safari as an example, since it is somewhat topical. It isn’t the best example since enough of it is open source that you can gain a lot more insight via debug builds.
NSA Attacks Student Soldiers in … Cyber War!
The NSA held its annual Cyber Defense Exercise last week in Annapolis, pitting the agency’s elite Red Team against Air Force cadets and Navy midshipmen in an all-out simulated cyber war. Can the NSA’s crusty electronic warriors slip the bulwark of firewalls and anti-virus products erected by the fresh-faced, tech-savvy recruits, or will they be blockaded by the elite skills of the student defenders?
Companies Are Waking Up to the Reality of Data Theft
I was at my usual Starbucks this morning and saw a well-dressed guy using the Wi-Fi hotspot. For all I know he might have been a struggling author trying to write the next great novel. Or maybe not. Maybe he was a claims administrator for the hospital up the street—with a few thousand very personal records on his laptop, and with absolutely no idea that during his morning coffee he could end up having his most valuable data maliciously copied over the Wi-Fi network.
How can I change the default size of an inode when I create an ext2/ext3 filesystem? – Never hurts to have a refresher on some Linux commands
It is possible to define a non-standard sized inode by using the mke2fs tool with an undocumented option, -I. The size of the inode has to be a power of two and between the size of EXT2_GOOD_OLD_INODE_SIZE (128 bytes) and the size of blocks in bytes. One reason for doing this could be that the user is going to use extended attributes. Extended attributes are arbitrary name/value pairs used to store system objects like Access Control Lists (ACL). If the size of the inodes is larger than the default size, then sufficiently small attributes can be stored in the inode. However, use this option with caution because of compatibility issues. It may render the filesystem unusable on most systems.
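Since a non-default inode size is exactly the kind of thing that trips up other systems, it helps to be able to read the value straight out of the superblock before mounting. The following is an added example (my own, not from the linked article or from e2fsprogs): it parses the ext2 superblock fields that matter here (magic, log block size, revision level, inode size) from a raw image and applies the same validity rule the excerpt states: a power of two between 128 bytes and the block size. The build_superblock helper constructs a minimal superblock in memory so the check runs offline; the field offsets are the standard ext2 on-disk layout.

```python
import struct

SUPERBLOCK_OFFSET = 1024          # superblock always starts 1 KiB into the image
EXT2_SUPER_MAGIC = 0xEF53
EXT2_GOOD_OLD_INODE_SIZE = 128    # fixed inode size for revision-0 filesystems
EXT2_GOOD_OLD_REV = 0


def parse_superblock(image: bytes) -> dict:
    """Read the handful of superblock fields needed to reason about inode size.

    Offsets (little-endian, relative to the superblock start):
      0x18 s_log_block_size (u32)   block size = 1024 << value
      0x38 s_magic          (u16)   0xEF53
      0x4C s_rev_level      (u32)   0 = GOOD_OLD (128-byte inodes), 1 = DYNAMIC
      0x58 s_inode_size     (u16)   only meaningful when s_rev_level >= 1
    """
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to contain a superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("bad ext2 magic 0x%04x" % magic)
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)
    (rev_level,) = struct.unpack_from("<I", sb, 0x4C)
    block_size = 1024 << log_block_size
    if rev_level == EXT2_GOOD_OLD_REV:
        inode_size = EXT2_GOOD_OLD_INODE_SIZE   # revision 0 has no s_inode_size field in use
    else:
        (inode_size,) = struct.unpack_from("<H", sb, 0x58)
    return {"block_size": block_size, "rev_level": rev_level, "inode_size": inode_size}


def inode_size_is_valid(inode_size: int, block_size: int) -> bool:
    """The rule from the excerpt: power of two, 128 <= size <= block size."""
    is_power_of_two = inode_size > 0 and (inode_size & (inode_size - 1)) == 0
    return is_power_of_two and EXT2_GOOD_OLD_INODE_SIZE <= inode_size <= block_size


def check_image(image: bytes) -> dict:
    """Parse and annotate whether the inode size is non-default and whether it is sane."""
    info = parse_superblock(image)
    info["non_default_inode_size"] = info["inode_size"] != EXT2_GOOD_OLD_INODE_SIZE
    info["inode_size_valid"] = inode_size_is_valid(info["inode_size"], info["block_size"])
    return info


def build_superblock(inode_size: int, log_block_size: int, rev_level: int = 1) -> bytes:
    """Constructed test image: a 1 KiB boot block followed by a minimal superblock.

    Only the fields parse_superblock reads are populated; everything else is zero.
    """
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 0x4C, rev_level)
    struct.pack_into("<H", sb, 0x58, inode_size)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    # Constructed sample: 4 KiB blocks (log 2) with 256-byte inodes, as mke2fs -I 256 would leave them.
    print(check_image(build_superblock(256, 2)))
    # Constructed sample with an inode size that breaks the rule (192 is not a power of two).
    print(check_image(build_superblock(192, 2)))
```

To run this against a real image, replace the constructed bytes with the first few KiB of the block device or image file; only the first 2 KiB are ever read.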
Storm Worm vs. IDS – Do we really need a new Gartner category?
The technology is ready for 0day viruses; the problem is that the market still isn’t. The technology I describe above doesn’t fit within any easy market category; it’s neither precisely what people understand as “intrusion-prevention” nor “anti-virus”. It’s like a thousand other bits of technology that languish in our industry because there is no neat category for them. I created the first IPS (BlackICE Guard, aka Proventia), but it was just an IDS feature until Intruvert showered money on Gartner to create a new category for it.
Put your OpenSSH server in SSHjail – Lock it up for life (‘life’ being 2 years with good behavior in some States)
Jailing is a mechanism to virtually change a system’s root directory. By employing this method, administrators can isolate services so that they cannot access the real filesystem structure. You should run unsecured and sensitive network services in a chroot jail, because if a hacker can break into a vulnerable service he could exploit your whole system. If a service is jailed, the intruder will be able to see only what you want him to see — that is, nothing useful. Some of the most frequent targets of attack, which therefore should be jailed, are BIND, Apache, FTP, and SSH. SSHjail is a patch for the OpenSSH daemon. It modifies two OpenSSH files (session.c and version.h) and allows you to jail your SSH service without any need for SSH reconfiguration.
Building application firewall rule bases
During the past decade, most enterprises have made significant investments in network and perimeter security. Organizations have tightened their controls and moved toward a defense posture that dramatically limits the effectiveness of hackers’ network-scanning attacks. Unfortunately, while security professionals were busy building up network controls, attackers spent their time developing new techniques to strike at the next Achilles’ heel: the application layer.
Anti-debugging techniques of the past – Most of this stuff pre-dates me but it’s still a good history lesson 🙂
Most targeted anti-debugger techniques rely on exploiting shared resources. For example, a single interrupt vector cannot be used by both the application and the debugger at the same time. Reusing that resource as part of the protection scheme and for normal application operations forces the attacker to modify some other shared resource (perhaps by hooking the function prologue) instead.
Bastille for OS X? – Finally!
Apple customers ought to know that the OS is not secured as it is delivered to them, but is secureable (sounds like MS Windows). There is a great script to assist in securing OS X available as part of the Bastille project. This script is still in Beta, though I saw it demonstrated last year at DefCon and was very impressed. More can be found at: http://www.bastille-linux.org/running_bastille_on.htm#osx
Well my wife is heading to New York with work for 3 months so I guess I’ll have lots of time to read and blog. One of the downsides to her leaving for the next 3 months is that I won’t have a chance to head to a major city to sit for my CISSP exam until the fall. Perhaps this is a good thing as now I can enjoy my spring/summer and work on my horrible golf score 🙂
Here’s today’s list:
Vulnerabilities Are Not Marketing Fodder – I don’t agree with TippingPoint holding out but the funding for the prize had to come from somewhere…
I was a huge fan of the hack a mac (pwn to own) contest at CanSecWest last week. But I was only a fan because I, like many of us, wanted to see a point proven to the Apple Macintosh users that they suffer from the same security concerns that the rest of us do. I think that point has been proven.
U.S. Army team wants second chance at hacker contest – We’ll do better this time…..we promise…no foolin’
A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month, the conference organizer said Tuesday.
Techm4sters Releases ProTech Security Distribution – I’ll have to check this out.
– Is this like Nubuntu? It is similar, yes! But we wanted something friendlier to the end-user and so we tried a different approach and tested new tools. You’ll see that there are many differences amongst them. Many ideas have been taken from NUbuntu as well as other security distributions to try to make the most complete, reliable and easiest tool for your use. I hope you can appreciate our work.
XSS Attacks book – Congrats on the book Jeremiah! Hopefully he’ll let me review it 🙂
At long last, we put the finishing touches on our new book (XSS Attacks), the cover art, and sample chapter (including ToC). It’ll be sent to the printers May 5 and shipped a few days after. Woohoo!
Russinovich: Malware will thrive, even with Vista’s UAC – Wait…you mean a shiny new product won’t solve all of my problems?
Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system.
Follow the Bouncing Malware: Day of the Jackal – Funny story or scary story? You be the judge.
Otte Normalverbraucher leaned back in his chair, stretched and yawned. It was nearing midnight, and now that he stopped to think about it, he realized that he was going to be very tired when his alarm clock went off in the morning.
SMTP Authentication Update – You can invent all the technologies in the world but unless people use it it’s useless (remember Betamax?)
Opinion: It’s about 2 and a half years since the standards bodies threw up their hands and left SMTP authentication to the industry. Implementation progress has been slow but positive. And there have been some surprises.
I apologize for not having any weekend updates but the weather was far too nice to sit at my computer. Going forward I will probably not have an update on Saturday and may only post one on Sunday if there is some good quality news that can’t wait for Monday. Here is the list for Today (including some from Saturday and Sunday):
Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months as well: the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.
Apple Safari 0Day Demonstrated
According to the contest rules the OSX box was fully patched and the exploit had to require no user intervention. This first attack “owned” the OSX box with user privileges but under the contest rules that was all the exploit had to do. The second OSX box is still up for grabs and for that one a new exploit has to be used and the flaw must lead to a root level compromise.
LLTD – Link Layer Topology Discovery Protocol
Gomor released a LLTD (Link Layer Topology Discovery Protocol) implementation written in Perl (using Net::Frame framework).
It was a great week in Vancouver, Canada. It began with some really good instructional classes that the CanSecWest guys call Dojo Sessions then moved into some excellent and not so excellent presentations. Here is my breakdown of each day and what talks I thought were the best, the worst and why.
In a previous comment, Tim Newsham mentions reverse engineering an application by running it in a VM. As it so happened, I gave a talk on building and breaking systems using VMs a couple years ago. One very nice approach is ReVirt, which records the state of a VM, allowing debugging to go forwards or backwards. That is, you can actually rewind past interrupts, IO, and other system events to examine the state of the software at any arbitrary point. Obviously, this would be great for reverse engineering though, as Tim points out, there haven’t been many public instances of people doing this. (If there have, can you please point them out to me?)
Yesterday while I was helping Jeremiah with his forced basic auth cookie testing he asked a good question, which is how you can better de-anonymize users through alternative methods. Some of the initial thoughts he had wouldn’t work, but the first thing that popped into my head was FTP and Gopher. Using out-of-band methods to make TCP or UDP connections to a monitoring site are easy ways to correlate users (compared with time).
My initial idea is to have all my blog posts regarding usages of network security tools included and packaged into the book, but I realize that this won’t make it a good book for a Network Security Analyst. I have had more thoughts about the book lately, hence I can’t have it shipped sooner. There are four primary sections for the book which I think are very important for network security analyst wannabes.
Ever wondered whether Blue Pill really works or was just a PR stunt? Ever wanted to see how practical are various timing attacks against it? (And can even those “unpractical” be cheated?) Or how many Blue Pills inside each other can you run and still be able to play your favorite 3D game smoothly? Or how deep Alex can hook into Windows NDIS to bypass your personal firewall? Do you want to see Patch Guard from a “bird’s eye view” perspective? Or do you simply want to find out how well the latest Vista x64 kernel is protected? Ever wondered how rootkits like Deepdoor and Firewalk really worked? You can’t sleep, because you’re thinking constantly about how Blue Pill-like malware can be prevented? Does Northbridge hacking sound sexy to you? 🙂
David Naylor (a semi-reformed SEO Blackhat) has an interesting writeup on how to stop badly behaving robots from spidering your site. I would hardly call this technique new (I’ve seen these scripts in one form or another for nearly a decade). However, it’s a good primer for anyone who runs a big website and who is otherwise powerless to stop people from doing it.
what I learned a few weeks ago: http request smuggling
Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!
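The alert in question fires on the same thing a request-smuggling payload relies on: a request head whose message length can be read two different ways by two different HTTP parsers (the classic case being both Content-Length and Transfer-Encoding present). As an added example (my own code, not from the original post or from any IPS vendor), here is a small checker that parses a raw HTTP/1.1 request head and reports the ambiguities a front-end or a log-review script would want flagged: CL plus TE together, duplicate or non-numeric Content-Length values, a Transfer-Encoding list that does not end in chunked, and whitespace before the colon on either header name. The sample requests are constructed inline; the clean one shows what a normal POST looks like, which is also the sort of request that should not trip the check.

```python
from typing import List, Tuple

# Transfer-Encoding tokens defined by HTTP/1.1; anything else is worth a second look.
KNOWN_TE_TOKENS = {"chunked", "gzip", "compress", "deflate", "identity"}
LENGTH_HEADERS = ("content-length", "transfer-encoding")


def split_head(raw: bytes) -> Tuple[str, List[Tuple[str, str, bytes]]]:
    """Split a raw request into its request line and (normalized name, value, raw name) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        raw_name, _, value = line.partition(b":")
        name = raw_name.decode("latin-1", "replace").strip().lower()
        headers.append((name, value.decode("latin-1", "replace").strip(), raw_name))
    return request_line, headers


def smuggling_indicators(raw: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing ambiguous."""
    _, headers = split_head(raw)
    findings = []
    cl_values = [v for n, v, _ in headers if n == "content-length"]
    te_values = [v for n, v, _ in headers if n == "transfer-encoding"]

    # Two parsers may disagree on which header wins, which is the root of CL.TE / TE.CL attacks.
    if cl_values and te_values:
        findings.append("ambiguous framing: both Content-Length and Transfer-Encoding present")
    if len(cl_values) > 1:
        findings.append("duplicate Content-Length headers: %s" % ", ".join(cl_values))
    for v in cl_values:
        if not v.isdigit():
            findings.append("non-numeric Content-Length value %r" % v)
    for v in te_values:
        tokens = [t.strip().lower() for t in v.split(",") if t.strip()]
        if not tokens or tokens[-1] != "chunked" or any(t not in KNOWN_TE_TOKENS for t in tokens):
            findings.append("unusual Transfer-Encoding value %r" % v)
    # Leading/trailing whitespace in the header name is a common way to make one parser ignore it.
    for name, _, raw_name in headers:
        if name in LENGTH_HEADERS and raw_name != raw_name.strip():
            findings.append("whitespace-obfuscated header name %r" % raw_name)
    return findings


# Constructed samples (not captured traffic).
CLEAN_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"q=abc"
)

AMBIGUOUS_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding : chunked\r\n"   # space before the colon on purpose
    b"\r\n"
    b"0\r\n\r\n"
)


def scan(requests: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Run the check over a batch and return (index, findings) only for suspicious requests."""
    return [(i, f) for i, r in enumerate(requests) if (f := smuggling_indicators(r))]


if __name__ == "__main__":
    for idx, findings in scan([CLEAN_REQUEST, AMBIGUOUS_REQUEST]):
        print("request %d:" % idx)
        for f in findings:
            print("  -", f)
```

Run on its own, the script reports only the second request. In practice a front-end should normalize rather than merely flag (reject requests carrying both headers, or strip Content-Length when Transfer-Encoding is honoured), and the same check on the back-end side tells you whether the two tiers actually agree on framing, which is what a false positive like the one described above boils down to.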
PCI: Is Compliance Really the Goal?
I think that really is the goal for larger merchants, but I’m not so sure about the smaller ones. I can’t help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven’t done the serious research to determine whether that’s true, but given the implementation timelines referenced in the article, it seems plausible. It’s also possible that there aren’t outsourcing services that really meet the needs of smaller merchants.