Monday, May 12, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

links for 2008-05-12 [Srcasm]

Posted: 12 May 2008 12:37 AM CDT

Its Mothers Day, be thankful you have a mom to call - so do it. [StillSecure, After All These Years]

Posted: 11 May 2008 02:47 PM CDT

Mothers Day is always a tough one for me. My mom passed away 25 years ago and though time has passed to cover up a never healed wound, every Mothers Day the scab is torn off a bit and the regret and pain ooze through. Having our kids celebrate Mothers Day with my wife has made it better, but nothing takes the place of your own Mom. Fred Wilson reminded me of that today with this post about a Tom Friedman piece in the NY Times today.

Tom just lost his mom last year after a long bout with dementia it seems. She was 89. Tom reflects on her remarkable life and how she influenced him to be what he is. Can any of us say any differently? Weren't all of our Moms special to each of us. Isn't so much of the people we are today directly related to that woman who raised and nourished us? Of course. So on this day honoring Mothers everywhere, if you are lucky enough to have your Mom available to thank, do so and don't miss the chance because you never know when you might not be able to.

Happy Mothers Day Bonnie and to all of you mothers everywhere!

Happy 60 years of SPAM - a look into the future [Amir Harel]

Posted: 11 May 2008 02:40 PM CDT

In honor of the so called celebrating 30 years of spam, I thought it would be interesting to give you a pip into the future – 30 years from now – at how spam will affect our lives. So I used my time machine and brought you some spam headlines directly from 2038 news:

Another Spam Attack on VNYC (Virtual New-York City)
Last night an army of zombies had invaded New-York City in the virtual world SecondLife. According to local sources, the botnet attack included more than 100,000 zombies which approached avatars on the streets and offered them cheap Viagra and fake Rolex watches. It is still early to know for sure, but local authorities estimate that at least 50,000 people were infected in this horrible attack. City authorities are asking the entire city users to go and check themselves in the local security healthcare – the Check Point General Hospital – to make sure that they were not infected by any viruses. According to the Chief of Spam Police, this is the biggest attack in the last few years, and the Investigation about why the Intruder Prevention System had failed again will be starting immediately. Residences are complaining that unless new security will be implemented in the city they will be forced to move to more secure and peaceful countries.

Europe - Infected Refrigerators are at it again
Last night more than 50,000 infected refrigerators in Europe had made online purchases to their local supply vendors for thousands of canned meat - SPAM. Security experts tend to blame the GSPs (grocery service provider) for not installing proper Zombie Intelligence measurements. GSP officials had replied that since SPAM is their number one online product it's hard to know which orders comes from the good refrigerators and which come from the bad refrigerators.

Spam in the NBA final
In the half time of the NBA finals, IPTV broadcast were disrupted by spam commercials. Users who tried to switch channels found that the spammers have replaced all other channels by reruns of Seinfeld that forced them to watch the spam commercials. Most of the spam commercials were trying to push pink sheet stocks and useless products like Windows Vista.

I'm inviting you to share with me – what do you think will be the spam of the future?

Live Stream from my Office [Random Thoughts from Joel's World]

Posted: 11 May 2008 01:42 PM CDT

Just playing around with a live stream from my office on Stickam.  Feel free to pop in and say hello if you want, you'll know if I am in there, I'll be there, I'll have the audio off the majority of the time unless I'm in the office and someone asks me a question.  But I'll have the camera on.  I put the link over there on the right as well (Live stream from my office)  But here is the link as well.  This is the office where I record the Internet Storm Center Podcast as well, so soon, I might be able to get that going on there.

 Subscribe in a reader

Agile Hacking: a homegrown telnet-based portscanner [GNUCITIZEN Media Portfolio]

Posted: 11 May 2008 01:21 AM CDT

So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint.

Fixed Scanner

In my case, the reason why I had to come up with a solution to this problem is because I had to simulate an attack in which the attacker had gained access to a Internet-visible web server. In this case, I needed to perform a portscan of the backend database server and make sure that only required ports are visible (a customized mssql port in this case). For reasons that are irrelevant to this post, the customer could only give me restricted access (NOT root) to the web server via SSH.

I really didn’t want to download a tool such as nmap and then compile it. In theory, I wouldn’t be able to cause serious damage to the system since I was using a restricted user account. Even then, I always try to be as polite as possible with customers’ environments during security assessments, especially when it’s a production system.

Anyway, my solution to this problem was to write a simple TCP portscanner in bash which glues around the telnet command which is present on most Unix/Linux distributions. Literally, all I’m doing is looking for Connected to responses generated by telnet which tells us that a successful TCP connection was established (open port). Very vanilla and trivial stuff as you can see! Nevertheless, I accomplished what I wanted, which is to perform a portscan without having to download any tools and without requiring root privileges.

The following is the short version of our agile hacking TCP portscanner which you can literally copy and paste on your shell (just change the value of the HOST variable to the IP address of the system you want to scan):

HOST=;for((port=1;port<=65535;++port));do echo -en "$port ";if echo -en "open $HOST $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null;then echo -en "\n\nport $port/tcp is open\n\n";fi;done

The following is a more elaborate version of our portscanner which supports scanning for either common or all ports. The list of common ports is read from the ‘/etc/services’ file which is present on most Unix/Linux systems:

#!/bin/bash  # telnet-based TCP portscanner # By Adrian 'pagvac' Pastor |  # delay in seconds DELAY=0.001  if [[ $# -ne 2 ]] then 	echo "usage: $0 <mode> <host>" 	echo -e "modes:\t1 - common TCP ports only" 	echo -e "\t2 - all TCP ports" 	exit fi  if [[ $1 -eq 1 ]] then 	echo "scanning for the following common TCP ports on $2 ..." 	for port in `grep '/tcp' /etc/services | cut -d '/' -f 1 | cut -d ' ' -f 2 | grep -v '#' | awk '{print $2}' | sort | uniq` 	do 		echo -en "$port " 		if echo -en "open $2 $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null 		then	 			echo -en "\n\nport $port/tcp is open\n\n" 		fi 		sleep $DELAY 	done 	echo -en "\n" elif [[ $1 -eq 2 ]] then 	echo "scanning for all TCP ports on $2 ..." 	for((port=1;port<=65535;++port)) 	do 		echo -en "$port " 		if echo -en "open $2 $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null 		then	 			echo -en "\n\nport $port/tcp is open\n\n" 		fi 		sleep $DELAY 	done 	echo -en "\n" fi

Syntax follows:

gnucitizen $ ./ usage: ./  <mode> <host> modes:         1 - common TCP ports only         2 - all TCP ports 
I realize this is not a very elegant tool, but I hope you can see how it can be useful in certain scenarios!

iptables dynamic port script for NFS [Robert Penz Blog]

Posted: 10 May 2008 02:47 PM CDT

Some days ago I talked with a friend (here a link to his homepage) about firewalls and file servers and he told me he has a iptables script which adapts to the NFS ports automatically. I asked him for this script and here is it. Thx Hannes for the script.

# rpcinfo -p prints a list of all registered RPC programs
# sed -e '1D' removes the headline
# tr -s ' ' '\t' replaces repeated spaces with a single tab
# cut -f 4,5 we only need the protocol- and port-columns
# sort | uniq removes the duplicate lines
# now we have lines with the needed protocol and port but for splits
# this lines to single words so we have to store the protocol
for l in `rpcinfo -p | sed -e '1D' | tr -s ' ' '\t' | cut -f 4,5 | sort | uniq`
  case $l in
      iptables -A INPUT -p $PROTOCOL --dport $l $SYN -j ACCEPT

Online VM builder for VMware Player [Robert Penz Blog]

Posted: 10 May 2008 02:20 PM CDT

Every used VMware Player to “play” precreated VMs? I did, but I thought when I need to create VMs by my own I need VMware Workstation or Virtual PC if was running Windows and not Linux. Ok and there is now VirtualBox, but I never used it before, but as it comes now with Ubuntu 8.04 its changes are raising (no need to compile anything like kernel modules for every security update of the kernel). Anyway I found some thing that allows you to use Vmware Player with your own VMs. Following Websites allow you to create images for VMware Player:

VM Builder

I think the first is the best one. Maybe this info helps also others, as most of the time VMware Player is enough and someone does not need the Workstation version, and Virtual PC 2007 is bad product. Ever tried to run a current Linux kernel on it. It crashes the kernel. I learned that the hard way with Ubuntu 8.04 server within a Virtual PC 2007. Which was not easy to install in the first place, but booting the current kernel after the installation was the end point of the journey, no problem with VMware Player however.

Kubuntu 8.04 hardy addition packages install script [Robert Penz Blog]

Posted: 10 May 2008 10:05 AM CDT

This script is for my friends, who most know the previous versions already. It installs additional packages for kubuntu 8.04 hardy. I use it for the initial setup of a desktop system. First install Kubuntu from CD and than use this script to get the system which, has all codecs and commonly used programs (be it free or non free software) installed. So this blog entry is for my own reference and for my friends. Basically after running this script you’ll have a system which is ready for usage by a standard user.

Virtualization Vendors Are Not In The Security Business? [Security In The Virtual World]

Posted: 09 May 2008 12:46 PM CDT

Simon Crosby, CTO of Citrix/XenSource made a pretty bold statement yesterday that has some people agreeing with his position and others disagreeing.  In an interview with he publicy stated that virtualization vendors are not competent to try and secure virtual environments and therefore looks to 3rd party security companies to solve these concerns. 

Listen to the podcast here

Who are these 3rd party security companies?  Well, there are a number of startup companies such as Montego Networks, Blue Lane, Catbird, Altor Networks as well as some of the big guys that are working on helping the virtualization vendors with these security concerns.

I tend to agree with Simon that the virtualization vendors don't currently have the expertise to deliver appropriate security controls for virtual environments BUT should they?

Well, Chris Hoff who blogs on the topic of virtualization security a lot seems to think that they should deliver security tools and and by not delivering solutions to secure the environment they are doing their customers a disservice.

"Further, I don't expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical."  Said Chris Hoff in his blog on this topic

I've spoken with a number of research analysts, venture capitalists and customers on this topic over the last several months and whenever I tell them what Montego Networks is off building they ALL seem to ask the same questions.  One of those questions is:  Why isn't VMWare or Citrix/Xensource doing this?  My response has always been that "they have publicly stated they do not want to and plan on leveraging an eco-system of security vendors to provide this". 

Well, Simon's public statement is right in line with what I've been saying all along.  The other question I get when I describe how Montego has security built into a virtual switch we've created is; shouldn't this technology be in the VMWare Virtual Switch?  And my response is "absolutely!  But it isn't!  so, someones got to do it."

So, I agree with Chris Hoff and I also agree with Simon Crosby.  The virtualization vendors don't have the expertise BUT I feel they should provide SOME security tools to ensure the environment is safe. 

There are some virtualization vendors that I have spoken with that are planning on using security as a differentiator and its my prediction that one of them will acquire security technology to do this.   Its often easier to acquire vs. try and built it yourself given you don't currently have the expertise.

So who's problem is it to solve??  Virtualization Vendors or Security Vendors??

I see the finger pointing game starting!


-John Peterson

CTO / Montego Networks

A pair of podcast interviews [Jeremiah Grossman]

Posted: 09 May 2008 11:44 AM CDT

1) In the Security Bites podcast with Rob Vamosi (transcript) of C-Net I describe what's new and interesting about the recent malicious mass scale SQL Injection attack. This is where website DBs are loaded up with malicious JavaScript exploiting browser based vulnerabilities, the so-called drive-by-downloads. Reports are saying 600,000 or so pages are infected with several high provide targets (UN, DHS, USAToday, etc.) on the hit list.

2) During RSA I spent some time with Help Net Security guys answering question about my favorite infosec conferences and what they have to offer. Of course each has a different focus for the content and the audience, so it just depends on what you are into.

Cisco announces a Web Application Firewall [Jeremiah Grossman]

Posted: 09 May 2008 11:26 AM CDT

Cisco has jumped into the WAF game with their recently announced Cisco ACE Web Application Firewall. A full proxy device with HTTP(s) and XML policy enforcement, web-based/shell management interfaces, solid performance metrics, and support for both black and white list rules. Apparently Cisco sees a sizable market for WAFs and PCI 6.6 as a driver by reading their overview literature (video). So now most big players have a stake in webappsec. This should make things interesting. With Cisco's brand reputation and reach, people might be willing to get over their initial trust issues with WAFs and do quite well. Should customers demand, perhaps another device we can integrate Sentinel with for virtual patching purposes. The interest has been quite impressive.

Microsoft Security Patch Advance Notification - May 2008 [Sunnet Beskerming Security Advisories]

Posted: 09 May 2008 03:49 AM CDT

As the second Tuesday of the month will be with us next week, Microsoft have provided advance notice of the patches that they expect to release on that day.

This month there are four patches scheduled for release, three Critical patches, and one Moderate. The three Critical patches address remote code execution risks in Office (2) and Windows (1), with the Moderate patch addressing a Denial of Service vulnerability affecting Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft Forefront Security. It is important to note for OS X users that Microsoft will be issuing Critical updates for Office 2004 and 2008.

What is probably most surprising is the patch to be released for the Microsoft Jet Database Engine, a technology which was widely reported that it would not be receiving any further updates from Microsoft.

More on Application Security Metrics [Security Retentive]

Posted: 08 May 2008 11:57 PM CDT

Eric Bidstrup of Microsoft has a blog entry up titled "How Secure is Secure?" In it he makes a number of points related, essentially, to measuring the security of software and what the appropriate metrics might be.

I'd been asking the Microsoft guys for a while whether they had any decent metrics to break down the difference between:
  • Architectural/Design Defects
  • Implementation Defects
I hadn't gotten good answers up to this point because measuring those internally during the development process is a constantly moving target. If your testing methodology is always changing, then its hard to say whether you're seeing more or fewer defects of a given type than before, especially as a percentage. That is, if you weren't catching a certain class of issue with the previous version of a static analysis tool but now you are, its hard to correlate the results to previous versions of the software.

Eric says:
Microsoft has been releasing security bulletins since 1999. Based on some informal analysis that members of our organization have done, we believe well over 50% of *all* security bulletins have resulted from implementation vulnerabilities and by some estimates as high as 70-80%. (Some cases are questionable and we debate if they are truly "implementation issues" vs. "design issues" – hence this metric isn't precise, but still useful). I have also heard similar ratios described in casual discussions with other software developers.
In general I think you're likely to find this trend across the board. Part of the reason though is that in general implementation defects are easier to find and exploit. Exploiting input validation failures that result in buffer overflows is a lot easier than complicated business logic attacks, multi-step attacks against distributed systems, etc.

We haven't answered whether there are more Architectural/Design defects or Implementation defects, but from an exploitability standpoint, its fairly clear that implementation defects are probably the first issues we want to fix.

At the same time, we do need to balance that against the damage that can be done by an architectural flaw, and just how difficult they can be to fix, especially in deployed software. Take as an example Lanman authentication. Even if implemented without defects, the security design isn't nearly good enough to resist exploit. Completely removing Lanman authentication from Windows and getting everyone switched over to it has taken an extremely long time in most businesses because of legacy deployment, etc. So, as much as implementation defects are the ones generally exploited and that need patching, architectural defects can in some cases cause a lot more damage and be harder to address/remediate once discovered/exploited.

Another defect to throw into this category would be something like WEP. Standard WEP implementations aren't defect ridden. They don't suffer from buffer overflows, race conditions, etc. They suffer from fundamental design defects that can't be corrected without a fundamental rewrite. The number of attacks resulting from WEP probably isn't known. Even throwing out high profile cases such as TJ Maxx and Home Depot, I'm guessing the damage done is substantial.

So far then things aren't looking good for using implementation defects as a measuring stick of how secure a piece of software is. Especially for widely deployed products that have a long lifetime and complicated architecture.

Though I suppose I can come up counter-examples as well. SQL-Slammer after all was a worm that exploited a buffer overflow in MS-SQL Server via a function that was open by default to the world. It was one of the biggest worms ever (if not the biggest, I stopped paying attention years ago) and it exploited an implementation defect, though one that was exploitable because it was part of the unauthenticated attack surface of the application - a design defect.

All this really proves is that determining which of these types of defects to measure, prioritize, and fix is a tricky business and as always, you mileage may vary.

As Eric clearly points out the threat landscape isn't static either. So, what you think is a priority today might change tomorrow. And, its different for different types of software. The appropriate methodology for assessing and prioritizing defects for a desktop application is substantially different than that for a centrally hosted web application. Differences related to exploitability, time-to-fix, etc.

More on that in a post to follow.

File System Audit [Matt Flynn's Identity Management Blog]

Posted: 08 May 2008 09:57 PM CDT

Anton Chuvakin of LogLogic posted today on some of the intricacies of Windows native file system audit. If you have a need for monitoring access or changes to files, beware of the do-it-yourself method. Chuvakin provides insight on some of the challenges.

One of the things that NetVision engineers brought to market long before I joined is a very slick file system monitoring solution. Slick mostly because you have extreme control over which events you want to capture. You can filter on server, folder, file, person acting, event type (read, create, modify, delete, ACL or attribute changes) – you can even specify times of day to activate a particular policy. And you can have different policies for different files or folders. You can also choose what to do when an event occurs. For some events, write it to a database or file. For others, send an email too or kick off another process. None of it relies on system logs and the reports are delivered in a nice web UI running on Crystal Reports. So the business people get relevant results without having to understand the tech stuff.

Some of our customers even use our filtering to narrow down the events that are then fed into an enterprise security event management or log management system (like LogLogic). It's File System audit made easy.

Live Podcast [Random Thoughts from Joel's World]

Posted: 08 May 2008 07:43 PM CDT

Hey everyone, just to kinda tease you a bit, the Internet Storm Center is planning a live Podcast for SANSFIRE 2008. We are going to have a special event, with some surprise guest hosts and everything. We don't have dates nailed down yet, but if you are going to be at SANSFIRE 2008, please feel free to email me at my contact link, or follow me on Twitter (both links at the top of the blog). Of course I will be updating here as well, but we've got something special planned!

Hope to see you there, we hope to have a great turn out!

Subscribe in a reader

OWASP Toronto Presentation - Building A Web Spider [360 Security]

Posted: 08 May 2008 03:21 PM CDT

A couple of weeks ago I spoke at OWASP Toronto. My goal was to lead a discussion on building a web application spider... what you had to consider, pitfalls to avoid and so forth. I felt like it went fairly well, the discussion lasted about an hour and there was quite a bit of group interaction. I picked up some interesting things from the attendees and I'm hoping that they picked up some interesting ideas from me. At the end of the discussion, I was asked if I could make the slides and the sample source (for a very basic spider) available. So here they are.

PowerPoint Presentation
Simple Spider written in Python

No comments: