Spliced feed for Security Bloggers Network |
| China Denies Hacking US Gov Laptop [Liquidmatrix Security Digest] Posted: 06 Jun 2008 07:15 AM CDT “Wasn’t me. Didn’t see me do it” - Bart Simpson From the Associated Press:
OK, there was a point where I was willing to play along. I figured it was a Bush administration tactic to point at the Chinese and say, “there, baddies”. But, with France, Australia, India and others all singing the same tune one has to wonder. Especially when you take into account this interview by CNN with Chinese hackers in March. I don’t doubt that the Chinese have hackers all countries do. Is it all a media gambit or is there a clear and present danger? I know the Chinese government are no fans of mine. | ||
| Use your GFX Memory as Swap [/dev/random] [Belgian Security Blognetwork] Posted: 06 Jun 2008 06:58 AM CDT
Check out: http://gentoo-wiki.com/TIP_Use_memory_on_video_card_as_swap. | ||
| insert a poison in your site against spambots [belsec] [Belgian Security Blognetwork] Posted: 06 Jun 2008 02:00 AM CDT <a href="http://english-115136652766.spampoison.com"><img src="http://pics3.inxhost.com/images/sticker.gif" border="0" width="80" height="15"/></a> which will look like this WWW Robots (also called wanderers, spiders, crawlers, or bots) are programs that crawl the Web continually retrieving linked pages. When a spammer's bot visits your website, blog, forum, etc, all pages and sites linked to it will be searched looking for email addresses. All you have to do is link to this page so that whenever a spammer's robot scans your page, it will be sucked into this one. To link to this page, just use this simple code: | ||
| Stealing Password Hashes with Java and IE [aut disce, aut discede] Posted: 06 Jun 2008 12:04 AM CDT  Consider for a moment the state of client-side bugs 5 or 6 years ago. Attacks such as this, a multi-stage miscellany of IE and Mediaplayer bugs that resulted in the "silent delivery and installation of an executable on the target As a teaser for that, I'm going to revisit an old attack - pre-computed dictionary attacks on NTLM - and discuss how we can steal domain credentials from the Internet with a bit of help from Java. I'm going to split it into two posts. In this post we'll apply the attack to Windows XP (a fully patched SP3 with IE7). In my next post we'll consider its impact on Windows Vista. NTLM Fun and Games The weaknesses of NTLM have long been understood (and documented and presented) so I'm not going to cover them in detail here. For the interested reader I recommend this L0phtCrack Technical Rant and Jesse Burn's presentation from SyScan 2004, NTLM Authentication Unsafe. The pre-computed dictionary attack on NTLM that we are interested in has also already been implemented in tools such as PokeHashBall. In a nutshell, this attack works as follows:
A requirement of this attack is for the attacker to be located on the Intranet. There have been suggestions on how to remove this necessity; see this post for a discussion on DNS rebinding as a potential solution. Let's take a step back though and begin by reviewing IE's criteria for determining whether a site is located on the Intranet or the Internet:  By default, the Local Intranet zone contains all network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), as long as they are not assigned to either the Restricted Sites or Trusted Sites zone Let's focus on names that do not include periods. As Rob Carter has pointed out, there are more than a few home/corporate products that install web servers bound to localhost and since http://localhost meets the above criteria, XSS in these products let's us control content in the Local Intranet Zone. If we were therefore able to fully control a web server on the local machine, headers and all, and we were able to cause IE to connect to it, we could ask IE to authenticate allowing us to use a pre-selected challenge in order to carry out a pre-computed dictionary attack. But how does a malicious website run a web server on your machine? This is where the Java browser plugin comes into play... A Web Server in Java There is nothing to stop an unsigned Java applet from binding a port provided the port number is greater than 1024. The same origin policy, which I've discussed previously is enforced when the applets accepts() a connection from a client; only the host from which the applet was loaded is allowed to connect to the port. If a different host connects, a security exception is thrown, as shown below.  This means that if we can make the applet think it was loaded from localhost, we can bind a port and act as a web server, serving requests originating from localhost. I have previously covered two ways of manipulating the applet codebase (the verbatim protocol handler and defeating the same origin policy), but these flaws are now patched. We can accomplish the same effect on the most recent Java browser plugin by forcing content to be cached in a known location on the file system and by referencing it using the file:// protocol handler*. So if we know that our class was stored at c:\test.class for example, we could load it via the following APPLET tag (the default directory is the desktop hence the ..\..\..\): <APPLET code="test" codebase="file:..\..\..\"></APPLET> The result of loading content from the local machine is that a SocketPermission is added allowing the applet to bind a port and accept connections from localhost. So this attack effectively boils down to caching content in a known location. The Java applet caching mechanism stores content at %UserProfile%\Application Data\Sun\Java\Deployment\cache (or equivalent under Protected Mode on Vista). Class files and JARs are given randomly generated names (and that's SecureRandom before you ask). There are, however, multiple ways of silently getting content onto the local machine with a fixed name. And thats all I'm going to say for now; we'll be addressing this topic further in our Black Hat talk :) The Windows Firewall What about the Windows firewall you may ask. The trick is to make sure we bind to 127.0.0.1 only as doing so will not trigger a security dialog. This is accomplished in Java as follows: ServerSocket ss = new ServerSocket(port, 0, InetAddress.getByName("127.0.0.1"));Actually it turns out that on Vista in order for our web server applet to work at all, we must call the ServerSocket(int port, int backlog, InetAddress bindAddr) constructor anyway rather than simply ServerSocket(int port). Calling ServerSocket(int port) will bind using IPv6 as well as IPv4; when we then point IE to http://localhost, it will connect to the IPv6 endpoint and throw the following exception:  The reason for this is that the Java code adds a SocketPermission for 127.0.0.1 which is obviously IPv4 only. Putting it all together The code for the web server applet is very simple. We needn't implement a full, multi-threaded web server; all we really need to do is send an HTTP/1.1 401 return code with a WWW-Authenticate header of NTLM in response to IE's first request. This will trigger the NTLM exchange of base-64 encoded messages. Since NTLM authenticates connections we must remember to send a Content-Length header (even if there's no content, i.e. Content-Length: 0) to ensure the connection stays open. There are several resources out there that provide detailed NTLM specs and examples. I used this one. The HTML page that we use to tie the attack together consists of multiple hidden IFRAMEs: firstly to load the Java browser plugin and cache the content, then to launch the web server applet from file://, then to make a request to http://localhost. For my PoC I created a 2nd applet to display the progress of the attack and to allow me to easily copy and paste the hashes out of the browser; a sample capture is shown below. Obviously in a real attack we'd want to ship the hashes off the victim's box either via JavaScript or Java.  Once we have the hashes, we can use rainbow tables to crack the first 7 characters of the LM response or brute force via a password cracker that can handle captured NTLM exchanges, such as John the Ripper with this patch. We can then brute force the remainder of the password. For anyone interested in the approaches to cracking NTLM, I recommend warlord's Uninformed paper, Attacking NTLM with Precomputed Hashtables.  Summary So to summarise the above, if a user on a domain joined XP machine with the Java browser plugin visits a malicious website with IE, the malicious website can steal their username, domain name and a challenge response pair in order to carry out a pre-computed dictionary attack, likely revealing the user's password in a short time. Once again this is not a new attack - there are a good many tools that implement the well known NTLM attacks such as SMBRelay, ScoopLM and Cain & Abel. The delivery and execution of this attack, however, demonstrates that multi-stage client-side attacks are alive and well... That's it for now. Next time we'll consider how this attack applies to Vista, which enforces the more secure NTLMv2 by default. Cheers John *Note that unlike Flash, Java implements its own protocol handlers rather than relying on the browser's. | ||
| Chinese hacker instructional video of the Gray Pigeon trojan [The Dark Visitor] Posted: 05 Jun 2008 10:06 PM CDT One of the clearest instructional videos I have seen on how to use the Gray Pigeon trojan horse. I haven’t tried to translate the video but thought it might be of interest to some of our more technically inclinded audience. The first part describes how to use the program and the second part shows how the information is collected from an infected computer. | ||
| Tripwire Releases VMWare Security Tool [Liquidmatrix Security Digest] Posted: 05 Jun 2008 09:59 PM CDT I received an email from the folks over at Tripwire today. They have released a tool that can be used to check the security on VMWare configs. I haven’t got the time to review this one so I’ll leave to you the good readership to arrive at your own conclusions. From Tripwire:
And the best part? It’s free. Now it would be nice if more vendors would take a hint and release free tools from time to time to help us get our job done. It would leave us collectively better disposed to them and their product portfolios in the long run. | ||
| US-CERT Gets New Boss [Liquidmatrix Security Digest] Posted: 05 Jun 2008 09:51 PM CDT Former DOJ staffer Mischel Kwon to head up the US-CERT. From Network World:
Deducting 10 points for excessive use of the word “cyber”. | ||
| links for 2008-06-06 [Raffy's Computer Security Blog] Posted: 05 Jun 2008 09:32 PM CDT | ||
| Quoted in Network World: 6 burning questions about network security [Andrew Hay] Posted: 05 Jun 2008 06:25 PM CDT Hello All, To my surprise, a conversation that I had with Ellen Messmer, of Network World, evolved into an article entitled the 6 burning questions about network security. We talked for a good 30 minutes on virtualization, where it’s at, and where it’s going. From the article:
You can check out the full article here. | ||
| Liberated CCC terrorists arrested again in Belgium (videoà [belsec] [Belgian Security Blognetwork] Posted: 05 Jun 2008 05:27 PM CDT THe leader Carette is for reasons still unknown but his comrade in arms was a bit too close to the Italian terrorist movements to be let walk (and talk) free around in Brussels as this Video of a meeting on 28 april in Brussels shows. You can also read this interesting Europol report on Terrorism in Europe (2008) and by the way our OCAD counterterrorism intelligence service is at last getting the necessary people and funding. | ||
| gltail: cisco asa parser [Security Data Visualization] Posted: 05 Jun 2008 05:22 PM CDT worked up a cisco asa parser for gltail ( http://www.fudgie.org/ ) to do firewall movies specific to cisco. I'll submit to the ruby project for gltail, but if anyone wants it email me at jeff@jeffbryner.com. | ||
| How Great Britain got the atomic bomb (wikileaks) [belsec] [Belgian Security Blognetwork] Posted: 05 Jun 2008 04:40 PM CDT | ||
| Posted: 05 Jun 2008 04:29 PM CDT Somebody will have had access to his computer and network because they files are clearly taken from his computer and network. They are against the Belgian law that is already clear. Even the log files of their servers is published.
| ||
| Posted: 05 Jun 2008 03:22 PM CDT | ||
| Hack of the week : site of the Mars Mission [belsec] [Belgian Security Blognetwork] Posted: 05 Jun 2008 03:16 PM CDT source zone-H.org The Phoenix Mars Lander has finally landed on Mars' surface. The website of the project immediately grabbed attention of thousands of visitors looking for pictures from red planet and also defacers who defaced project's website on May 31st. The website hosted by Lunar and Planetary Laboratory of University of Arizona was defaced by sql loverz crew 2008 members. Three defacements were reported by Turkish defacers Cr@zy_King (defacement mirror of fawkes1.lpl.arizona.edu and defacement mirror of phoenix.lpl.arizona.edu ) and by BLaSTER (defacement mirror of fawkes3.lpl.arizona.edu).
| ||
| Site Security Policy – open for comments [Jeremiah Grossman] Posted: 05 Jun 2008 11:05 AM CDT OK gang, this is one of those rare moments where feedback from community will directly influence a security feature that'll make a real difference. First some background... About 6 months ago Brandon Sterne left a cushy infosec position at eBay for Mozilla to solve an extremely important Web security problem he couldn't while he was there. The same exact problem a lot of major website properties have including Google, Yahoo, MySpace, Microsoft, Facebook and so on. Where business requirements say that users must be able to upload dynamic content (HTML/JavaScript) where it'll interact with other users. The other being including CDN content (advertising) supplied by multiple unknown upstream providers. We all know the damage this stuff do when abused. Unfortunately browsers lack any mechanism to specify what the content on its website should be able to do and where its supposed to originate. When accepting user-supplied dynamic content on a website, it's all or nothing. Website owners need more granularity. This is where the idea of content-restrictions came from years ago, ironically by RSnake whom also worked for eBay years back. The idea never really got off the paper and into browser code despite a lot experts, including myself, pleading for even a limited implementation. This is where Brandon comes in and this presentation on "Web Application Security and the Browser" he recently gave during Yahoo Security Week. Brandon is in the process of creating Site Security Policy, a specification for people to comment on and proof-of-concept extension for people to play around with. He's got policy provisions worked in to help prevent XSS, CSRF, and even Intranet Hacking. Brandon even has some cool client-side IDS stuff worked in. The vision is to later formalize the specification through W3C and integrate the feature natively into the browser once trouble spots are ironed out. Comment away! | ||
| The Daily Incite - June 5, 2008 [Security Incite Rants] Posted: 05 Jun 2008 10:55 AM CDT  June 5, 2008 - Volume 3, #54 Good Morning:
Top Security News The enemy of your friend is what?
Top Blog Postings We can't write secure code - so let's give up! | ||
| DEMIDS and Database Misuse Detection [Information Centric Security] Posted: 05 Jun 2008 09:44 AM CDT DEMIDS is an early paper on how to detect errant use of a database. As an overview, the paper describes a system where misuse is 'detected' by the use of a distance function. It attributes a set of tables or database functions as the normal domain of a user, and everything that the user accesses outside of that specified domain has some distance factor associated with it. Tables in other schema's are viewed as being a certain distance outside of that domain, and tables in different database further still. The further away a resource is, the more likely there is misuse. It is a basic assumption that the users are sufficiently privileged to perform the access. And it is inherent with the methodology described that the system is closely coupled to the database itself, and it performs the work of detection locally. | ||
| One more reminder – BayouSec is tonight!!! [An Information Security Place] Posted: 05 Jun 2008 09:19 AM CDT It is at the Alert Logic facilities @ 1776 Yorktown, 7th floor, just south of the Marathon Oil tower on San Felipe. It will start at around 6:30pm. Below is the information on the talk and the speaker. I expect the talk to last about 25 minutes, and then it will be open to questions and comments. We can just let it grow from there. Thanks to Adam Pridgen for volunteering for this. In the future, if you have something you want to speak on, please let me know. Michael Farnum —————————- Speaker: Adam Pridgen Title: Reverse Engineering Software with Basic Protections Summary: The presentation will cover the basics of reverse engineering malware or any other software protected with basic protectors and packers using ImmDbg, IDA Pro, LordPE, ImpRefound, Wireshark, and an IRC server. The presentation will walk through dumping the malware to disk, and then cover the general process I used to identify the command structure, functionality, and required parameters to interact with the malware sample. —————————- | ||
| bpmtk: How About SRP Whitelists? [Didier Stevens] [Belgian Security Blognetwork] Posted: 05 Jun 2008 08:44 AM CDT After having showed you how my Basic Process Manipulation Tool Kit can be used to bypass Software Restriction Policies, I wanted to follow this with a post showing how SRP whitelisting can prevent this. However, while preparing this new post, I got an idea how I could bypass SRP whitelists (under certain conditions), but I’ve no idea how to prevent this. I finally decided to post this without a solution, maybe you’ll come up with one. With a SRP whitelist, starting a program is denied by default:
As an administrator, you’ve to explicitly specify the programs that are allowed to be executed by your users (if there are many programs, maintaining this whitelist becomes time consuming). Because of this whitelist, tools like gpdisable or bpmtk can’t be executed to disable SRP. However, if I can execute these tools without starting a new process, SRP will not block them … First, we adapt our C program from an EXE to a DLL (entrypoint DllMain in stead of main), because VBscript can load a DLL. We’ll use Excel’s scripting features. I’ve created an Excel spreadsheet that embeds a DLL that can be executed with a mouse-click:
The MyDLL dialog is displayed by the embedded DLL. The DoIt button starts this Sub: DoIt will create a temporary file (in the user’s temporary file folder), write the embedded DLL to it (DumpFile), and then load the DLL (LoadLibrary). Generating the temporary filename:
Writing the embedded DLL to the temporary file:
Each DumpFileX sub writes bytes to the temporary file (the DLL is embedded in these subs by including the hex dump in strings). It’s necessary to split this over several subs, because of the sub size limitation.
Once the DLL is stored in the temporary file, we call LoadLibrary to load our library in the Excel process. And this executes our code inside the Excel process. Because of this, SRP will not deny it, and our code can disable SRP.
Creating temporary files and loading libraries is normal behavior for programs, SRP will not block this. Even most HIPS will not block this, because loading a library is not the same as injecting a DLL (injecting a DLL is loading a library inside another process). The only thing that might be considered abnormal by the HIPS, is that a temporary file is mapped into memory, but there are also legitimate programs that do this. SRP has an option to whitelist DLLs, but then you’re facing the huge task of identifying and specifying all DLLs your programs use! If you implement a SRP whitelist because you absolutely want to control the programs executed by your users, take some time to reflect on your users and the scripting capabilities of your whitelisted applications. And if you really have to prevent the technique I show here, you’ll have to find another solution than SRP whitelists. Unfortunately, I’ve not found one yet… If you’ve an idea, post a comment (banning applications with embedded scripting or disabling scripting is not an option).         | ||
| Posted: 05 Jun 2008 01:10 AM CDT
Funny IBM typo typo. Can’t remember what page I saw this on but it was last week. | ||
| Accessing the Menu Bar in OS X [Jon's Network] Posted: 05 Jun 2008 12:52 AM CDT
Someone told me once that they didn’t like using a Mac because it doesn’t have enough keyboard shortcuts built in. For example, how do you access the menu bar without using your mouse? On Windows, you use the alt key to access any menu item. In OS X, you just need to turn on full keyboard access in system preferences (see image) and use ctrl-F2 to do the same thing. | ||
| Spend a month using OS X exclusively [Jon's Network] Posted: 04 Jun 2008 11:00 PM CDT Daniel challenges you to spend a month using OS X exclusively and see if it’s not much better than Windows. Too bad there isn’t a try-and-buy program to let people actually do this without risking any money. Absent of that, we are left to testimonials by current owners (fanboys) and marketing. In 2006, I read Lifehacker quite a bit trying to squeeze more productivity out of my PC. Someone in the comments always mentioned how Macs “didn’t have that problem” or that some feature was already built in to the OS (Apache web server or something). I switched because I could see that a Mac was going to give me much more value than a PC. I’m glad there were “fanboys” passionate enough to comment all over the internet to teach me this. |
Modern graphics cards are now today with plenty of RAM. This memory has a very high throughput. If you don’t run a big X11 environment, why not dedicate this memory to another purpose? Swap space by example!
| You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full?  Subscribe to the feed version of Black Hat Security Bloggers Network in a feed reader. | |
| If you prefer to unsubscribe via postal mail, write to: Black Hat Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 | |
No comments:
Post a Comment