Lots of news today, as well as some overflow from yesterday, but also lots of fluff and FUD. I’ve tried to weed through some of the clutter for you in today’s list:
Anatomy of a zero-day: Security researchers face hurdles
Cody Pierce knew right away what he had found, but he wasn’t exactly sure how serious it was. Pierce and his fellow researchers at TippingPoint had spent much of the early part of last year poking around in the ActiveX controls in Windows XP, looking for controls that might be vulnerable.
Alla Bezroutchko released a tool yesterday to do automated XSS testing against webmail clients. It is heavily based on the cross site scripting cheat sheet, but ties that in with a series of emails that attempt to override the built-in validation engines of various web-mail implementations. I am literally the first to admit that I have never looked at webmail in depth. The only time I did, in the case of Roundcube, I didn’t even have to go past the first page (it’s now been fixed).
At the Web 2.0 Expo in San Francisco this week, conference organizers attempted to apply the concepts of Web 2.0 to the conference itself. In addition to the expected sessions and BoF sessions, organizers introduced a concept they called “Web2Open”. Web2Open was to be a participatory, attendee directed and led set of sessions similar to BoF but organized completely by attendees. Like a real life forum, attendees would post ideas in open slots on the Web2Open board with descriptions of the topics they wanted to discuss in the session and other attendees could join in or not as was their wont.
Packet fragmentation versus the Intrusion Detection System (IDS) Part 2
Over the course of part one, we saw how to set up the various computers in our VMware lab. The setup was simple, and even the installation and use of fragrouter was fairly pain free. We ended part one with an attempt at packet fragmentation via fragrouter in an effort to evade Snort. That first attempt failed, for Snort did indeed pick up the attack. It had no problem in reassembling the fragmented packets and recognizing the attack for what it was: an RPC bind attempt via the MS03-026 exploit contained in the Metasploit Framework. Fragrouter has quite a few more tricks in its arsenal. If you enter the “./fragrouter --help” command as seen in the screenshot below, you will be shown all of the fragrouter options available to you.
Microsoft Office Space: A SQL With Flair
Hey, folks! It’s challenge-time. Tom Liston whipped up this one based on his real-world adventures in the deepest, darkest cubicle jungles of the mid-west. The name? Microsoft Office Space. The game? Figure out how they plan to fool “The Man”. I hope you enjoy this brief excursion into the mind of Tom Liston as much as I did.
New attack puts routers, cell phones at risk
In a demonstration set to take place at the CanSecWest security conference in Vancouver Thursday, Juniper’s Barnaby Jack says he will show how this technique could be used to take control of a router, and then inject malicious software on virtually every machine on the network.
Automating Signature Updates for Cisco IPS/IDS Sensors
Without management software, administrators supporting these sensors must manually retrieve signature updates. I support a small network for one of my customers, for which purchasing this software was not an option. So I developed my own Perl scripts that run on a Solaris box to (1) automate the update discovery and retrieval task, and (2) verify success and send an email notification following the actual update installation. In this article, I will describe the details of these processes, highlighting remote management of a Cisco IPS device via SSH and explaining the integration with the IPS automatic upgrade feature.
Apple Stitches Up 25 Holes in Mac OS X
This latest shipment of 25 security updates came on the same day that a “pwn-2-own” contest launched at the CanSecWest security conference here in Vancouver. Hackers clustered in hotel rooms were feverishly trying to exploit the two unpatched Macs downstairs in the main conference hall, but Apple hopped on the phone to inform the conference organizers of the security update release. The show’s organizers patched the Macs before they were hacked.
As an avid reader of this diary, you know of course that things are not always what they appear to be. As was the case with a user today, who after hitting a convoluted set of exploit files ended up where his browser tried to download files from us6-redhat520-com. No, this isn’t RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors even came up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hoster of the site has been informed; the owner of the domain and site seems to be located in China.
Effective Vulnerability Management (Part 2)
In this posting I wanted to focus on effectively responding to new threats and vulnerabilities. I am not talking about incident response, attack analysis, or forensics, as these are disciplines that are instantiated once something actually happens. I am referring to how an organization should respond to critical vulnerabilities; especially those with exploit code or attacks occurring in the wild, prior to an incident actually occurring.
Without having to have vendor X, Y, Z’s appliance or application on the network etc., you can simply install the PNLog Agent on your XP machine (sorry, no Vista; I’ve refrained for now, due to colleagues’ screams in the office), create the simple parser, and test the functionality.
Argus: Practical BotNet Detection
I use argus for my daily tasks. Like I mentioned, argus client tools are easy to use but hard to master; it is trivial to work with them sometimes. However, I believe experience may make you wiser when dealing with complex tools. I really appreciate Hanashi’s work on BIRT for sguil report generation. As Hanashi is working on sancp session data, I’m looking more into argus flow data. Here’s a very short paper that I have written on using argus client tools (ragrep and radump) to perform botnet detection.
Finally the sun is out! I’m looking forward to my weekend of warm weather, BBQ meat, and studying for my CISSP exam…
Well two out of three ain’t bad…
Here’s the list for today:
NAC all-in-one test on the horizon
We’ve provided comprehensive information on ways the available NAC architectures have been outfitted by a host of vendors to provide authorization tactics, end point security measures, enforcement points and management wares that tie all the necessary NAC pieces together.
Attackers improve on JavaScript trickery
As JavaScript becomes an increasingly key component of online attacks, attackers are investing more energy in obfuscation and other techniques to make defenders’ attempts at reverse engineering more difficult, a security researcher told attendees at the annual CanSecWest conference on Wednesday.
PRIAMOS – SQL Injection and Vulnerability Scanner
PRIAMOS is a powerful SQL Injector & Scanner; it allows you to search for SQL Injection vulnerabilities and execute the code injection using vulnerable strings to get all possible database, table and column data with the PRIAMOS SQL Injection Module.
Recently I wrote Taking the Fight to the Enemy Revisited that mentioned air power concepts as they relate to information warfare. The Air Force Association just published a story by Hampton Stephens titled War in the Third Domain. I found several points quoteworthy.
Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security
Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all; the implications of employees posting from the corporate network, using their corporate email address within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may have to ultimately end up paying for, and many assorted other issues.
One of the most often used, and later debated, analogies used for actions in the security/hacker industry is that of comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open services that your computer is offering other people on the network. There is no expectation of ‘services’ offered when walking down a neighborhood street, regardless of checking doors and windows. A slightly better analogy would be walking down a street full of shops that have no power (no lights, no neon open signs) checking doors to see which are open.
We know how many words a picture is worth. The figure above, from Boxed In by Information Security magazine, shows why Unified Threat Management appliances are going to replace all the middleboxes in the modern enterprise. At some point the UTM will be the firewall, so the gold UTM box above will also disappear. In some places even the firewall will disappear and all network security functions will collapse into switches and/or routers.
Hackers get free reign to develop techniques says Microsoft security chief
“Part of the picture is bleak. In the online world, cyber criminals can do their research for as long as they want in absolute security and secrecy then when they’re done they can take their exploit, find a way to automate it and post it on a Web site where thousands or millions of other criminals can download it,” said Scott Charney, vice president of Trustworthy Computing at Microsoft, in Redmond, Wash. “That doesn’t happen in the real world. One burglar, no matter how good he is, can’t breed hundreds or thousands of others just like him. The laws of physics kick in.”
Finally, Common Event Expression (CEE) is Out!!!
CEE standardizes the way computer events are described, logged, and exchanged. By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks. Tasks including log correlation and aggregation, enterprise-wide log management, auditing, and incident handling which once required expensive, specialized analysts or equipment can now be performed more efficiently and produce better results.
Andy Jaquith’s excellent new book, Security Metrics, is a must-read for anyone even slightly interested in getting more scientific about the Art of Security, or perhaps even looking to rise up in unison against subjective, biased, sometimes excellent, oft-times not, auditors and other security reviewers that second guess everything you do (no offense to you good auditors out there ;-)).
This release from EMC/RSA makes compelling reading, but needs some careful analysis. (Please bear in mind I am not knocking RSA here, some of my best friends are algorithms. I think that Messrs Rivest, Shamir and Adleman would want this to be analysed in a logical way however.)
Pitfalls of a Home Based Ethical Hacking Business
Self-employed security professionals, or those who are involved with small businesses, will invariably find themselves conducting security assessments and penetration tests of Internet facing systems and services. These activities will happen through resources that are generally not as robust as those supplied to security professionals in medium and large organizations. The following is a list of a few items that a security team should take into consideration before performing security related activities under these conditions.
Top 10 Internet Crimes of 2006
The Internet Crime Complaint Center filed its annual report last month, but didn’t get the attention it deserved. A look inside offers some revealing statistics on the darker side of the Web.
The decision on what method to use depends on a few factors, namely whether to install an agent on the host, the desired load on the MARS appliance, and how near real-time we want the event data that MARS will process.
In an interesting email that was sent to me I was asked to take a peek at a new software tool, not yet released to the public, called Vidoop (there is an interesting article on it here). While I was unable to actually take a look at the software, I’ve got a pretty good idea of how it works from the Wired article. After downloading a software certificate that allows you to use their software, basically you say, “I like animals” and it shows you pictures of horses and cats and dogs all mixed in with a bunch of non-animal photos. You choose the correct photos (a la kittenauth CAPTCHA) and you are granted access.
To be honest, many Sguil analysts feel the need for more sophisticated reporting. Paul Halliday’s excellent Squert package fills part of this void, providing a nice LAMP platform for interactive reports based on Sguil alert information. I use it, and it’s great for providing some on-the-fly exploration of my recent alerts.
A simple defense against Google hacking techniques
“If you have company secrets, you have to take steps to make sure it doesn’t get into the public domain,” said Daniel Pinto, a Stewartsville, N.J.-based security consultant whose company is called RAC Partners LLC. “Google isn’t reaching into your company, it’s just making available what’s already out there. Sensitive information gets out if someone inside a company or one of its partners makes it available.”
Is it a bot or a worm? Neither, it’s a BOTWORM!
This is the first I’ve heard someone mash bot and worm together and dub it ‘botworm.’ Computerworld.com dubbed the latest variant of Rinbot a botworm because a worm propagates a bot payload. Nothing new here except (I think) the term botworm.
Halfway to the weekend… here’s the list for today:
Digital forensics lack standards
Court cases involving digital evidence are at risk of collapsing because some police forces fail to check the security of computer forensics suppliers.
Tim Winters, software managing engineer with the University of New Hampshire Interoperability Lab, predicts that the move to secure granular bits of data will finally mean the emergence of IPv6.
Corporate data slips out via Google calendar
It’s not clear what gets discussed during McKinsey & Co.’s weekly internal communication meeting, but the dial-in number and passcode for the event can be easily found by searching with Google.
We are experiencing technical difficulties with BlackBerry services affecting sending and receiving of emails. You will also experience issues using the BlackBerry Browser and sending and receiving of PIN to PIN messages. We are taking all necessary actions to restore regular service levels.
Where Do You Get Your Security Policies From?
Is there a good outline for a security policy out on the web or that you have?
I am the Sys Admin for a company that designs communications solutions for government agencies. I started here 6 months ago and I have not found any security practices! There are no computer policies at all!
I have been trying to get some put in place but have been overruled until recently, so I am looking for a good baseline to start.
Microsoft Urges Workaround as Worm Hits Unpatched DNS Flaw
With a worm exploiting the unpatched zero-day vulnerability in Microsoft’s Domain Name System Service mere days after it was discovered, Microsoft on Monday urged customers to apply workarounds the company had provided in its earlier security advisory.
Free Information Security Training Workshops from FISSEA
I hope information security and privacy pros know about the U.S. Federal Information Systems Security Educators’ Association (FISSEA).
Information Security and SearchSecurity.com recognize the best security technology with the Readers’ Choice awards. Security products in 15 categories, including emerging technologies, were voted on by more than 800 Information Security readers.
The Evolution of Peacomm to “all-in-one” Trojan
What we saw in the first Trojan.Peacomm outbreak during January was only the beginning of the “storm-worm” war. The initial outbreak seemed to be an experiment in setting up a peer-to-peer (P2P) bot network, and to test the potential of the Trojan. The bad guys who were behind those criminal activities used the first variant of Peacomm to distribute a set of single-module Trojans that were programmed to send spam, perform DDoS attacks, gather mail addresses, and distribute new versions of the Trojan.
Jim Rapoza’s 12 Ways to Be A Security Idiot
Are you a security idiot? In a popular column from 2003, Jim Rapoza ranted about how most viruses and computer security problems are made possible by stupid people doing stupid things with their computers. Unfortunately, things haven’t changed much since then. So if you’re feeling left out, read Jim’s list of 12 ways to join the ranks of the attachment-opening, virus-downloading masses.
SSDL rides the unicycle so you don’t have to
Many ambitious moons ago, in a bygone life since relinquished, I was an analyst. On those days I reminisce and smile warmly with a pocket or three bulging with priceless war stories, an agenda of clearly expressed nuisances that “someone should fix else I wear my frowny face again,” and a clear reverence for the analyst in their daily adventures in the Wonderland of Surprises that is the Internet I’ve come to know… and begrudgingly adore. Resistance is futile, apparently.
103 Free Security Tools + a Few
Rich McIver sent over an article on itsecurity.com entitled 103 Free Security Tools. It’s actually a pretty thorough list. Of course it’s not everything, but it actually covered quite a few programs that I personally have used.
Security Remains a Challenge for Browser Developers
The panelists, who were tasked with addressing the topic titled “The Arrival of Web 2.0: The State of the Union on Browser Technology,” hailed from the open-source community all the way to the most proprietary of companies, Microsoft, and those in between.