Friday, June 20, 2008

Spliced feed for Security Bloggers Network


Survey: One In Three IT Staff Snoops [Liquidmatrix Security Digest]

Posted: 20 Jun 2008 07:29 AM CDT

Only one in three? I would hazard that is being conservative.

From MSNBC:

One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues’ salary details, personal e-mails or board-meeting minutes, according to a survey.

U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.

Ah, there it is. One-third admitted to it. OK, that is more what I would expect. Now for the other two thirds get the electric cattle prod and some thumb screws and I’m sure they’ll start singing.

hyuk.

Article Link

RBAC For More [BlogInfoSec.com]

Posted: 20 Jun 2008 06:00 AM CDT

Organizations that face significant regulatory scrutiny — or have large numbers of disparate systems containing highly sensitive data — are most likely to have, or at least to need, Roles-Based Access Controls (RBAC). These organizations are usually trying to accomplish two ends by having both transparency to and limitations on users' access profiles.

The first is separation of duties, ensuring that critical processes (often those affecting financial statements) are not subject to fraud. For example, an accounts manager who can modify a customer's account information and approve and release refund payments can direct those payments to their own account. The refund process needs to be broken down into discrete steps for which distinct employees are responsible. Those controls are much more easily enforced when each staff member is assigned a role granting privileges to only the limited steps for which they are responsible. Since many organizations do an abysmal job with ongoing access reviews, individual entitlements for staff in sensitive departments is a certain prescription for audit findings or regulatory breakdowns.
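The separation-of-duties point above, as an added example that is not part of the original post: a minimal role-to-permission model in Python with a toxic-combination check that an access review could run over the staff directory. The role names, permission names and the sample staff assignments are constructed for illustration and are not from any real organization.

```python
# Added example: role-based access control with a separation-of-duties
# (SoD) check for the refund scenario. All names are illustrative.

ROLE_PERMISSIONS = {
    "account_admin":   {"account.read", "account.modify"},
    "refund_approver": {"refund.read", "refund.approve"},
    "refund_releaser": {"refund.read", "refund.release"},
    "auditor":         {"account.read", "refund.read"},
}

# Permission pairs that must never be held by one person: whoever can
# change where a refund goes must not also approve or release it, and
# approving and releasing are split between two people as well.
TOXIC_COMBINATIONS = [
    ("account.modify", "refund.approve"),
    ("account.modify", "refund.release"),
    ("refund.approve", "refund.release"),
]

def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]   # unknown role -> KeyError, fail closed
    return perms

def is_permitted(roles, permission):
    return permission in effective_permissions(roles)

def sod_violations(roles):
    """Toxic pairs that a role assignment would grant (empty list = clean)."""
    perms = effective_permissions(roles)
    return [pair for pair in TOXIC_COMBINATIONS
            if pair[0] in perms and pair[1] in perms]

def review_assignments(assignments):
    """An access-review pass: user -> list of SoD violations."""
    return {user: sod_violations(roles) for user, roles in assignments.items()}

# Constructed staff directory; 'dave' is the fraud-capable profile.
ASSIGNMENTS = {
    "alice": ["account_admin"],
    "bob":   ["refund_approver"],
    "carol": ["refund_releaser"],
    "dave":  ["account_admin", "refund_approver", "refund_releaser"],
}

if __name__ == "__main__":
    for user, violations in review_assignments(ASSIGNMENTS).items():
        print(user, "OK" if not violations else violations)
```

The point of keeping the toxic pairs as data rather than scattered conditionals is that the same table drives both the provisioning check (refuse the assignment) and the periodic review (find what slipped through), which is exactly where the post says organizations fall down.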

The other control RBAC provides is when an organization wants to restrict what data each associate can access. For example, the various investment teams at a financial services firm where I formerly worked jealously guarded their respective research, investment decisions, portfolio weighting and trading activities. The segregation was further compounded by strong demarcation between equity, fixed income, high income and institutional groups. So roles were a business enabler that allowed these groups to compete



Las Vegas Hotel Security [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 20 Jun 2008 05:07 AM CDT

Las Vegas hotel security is apparently taking pointers from the TSA. You've all heard (or read) me rant about how the TSA is trying very hard to give the "perception" that commercial flight is more secure but the reality is much different... apparently the hotels here in Las Vegas are following suit.

On a recent business trip (still here as I write this) to Vegas I had occasion to stay at the Palazzo hotel, gorgeous in every way including their perception of security. As you walk towards the guest suites you're greeted and interrogated by "security guards" who ask you to show your room key - presumably to keep the hookers out, haha... The odd thing is just holding up a room key, or walking with someone who is, will get you in.

The other interesting thing is what happened to me as I walked out of my room to go down to the pool, realizing that I forgot my key in the room as it slammed behind me. In what I think is a rather disturbing story, here's what happened. I walked down to the registration desk, only to be asked for my photo ID (sound familiar yet?). Obviously I didn't have a wallet so I had no ID on me. The agent asked me for my room number, and my last name - then once I gave her that he told me to go up to my room and wait for security to come up. After about 2 minutes of waiting, security shows up, asks me my last name, which I give them, and lets me into my room. No need to watch me go in, no need for me to produce an ID from my room... nothing.

I am now officially worried as crap. I have a laptop, work stuff, and some rather expensive clothes in here, and if all it takes is to get security up to let you in - this is a problem. There is this illusion that there is high security in the hotel - but when it comes to practice, it's just all for show and the reality is security doesn't exist.

What a disappointment in the Palazzo, and what a scary situation to have to be in... yikes.

Fear [GNUCITIZEN Media Portfolio]

Posted: 20 Jun 2008 03:43 AM CDT

Here is a thought for you: The entire information security industry today is based on fear. The fear of getting hacked and your integrity and reputation being publicly jeopardized and challenged.

This is what gives security vendors the power to sell you useless products which you don’t really need.

Technitium FREE MAC Address Changer v5 Released [Darknet - The Darkside]

Posted: 20 Jun 2008 02:25 AM CDT

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit...

Read the full post at darknet.org.uk

Taking a second look at Rohati [StillSecure, After All These Years]

Posted: 19 Jun 2008 11:33 PM CDT

Last week, in response to Richard Stiennon's glowing write-up, I questioned what it is exactly that Rohati does. Well, someone from Rohati must have seen it: I was contacted by the Rohati team and offered a peek and a deep explanation of exactly what Rohati does. So today I had a chance to speak with Shane Buckley, CEO, Prashant Ghandi, VP of product management and strategy, and Steven Wastie, VP of marketing. I was impressed that such a triumvirate of power players from the Rohati team took the time to speak to me. But I guess after I wrote what I did, it was followed up by JJ writing her article on it and then Rothman piling on with his own two cents.

Give the Rohati team credit for recognizing the power of blogs to influence the influencer and reaching out to stem the tide. It just goes to show you how far blogging has come. But enough about the power of blogs, let's talk about Rohati.

The best way for me to describe Rohati is that it is layer 7 ACLs to control access to applications. Where we already have security at the perimeter and at the edge, Rohati is about controlling access at the server/application. The diagram on the left (click on it to get a bigger version) is a good illustration of how Rohati works. By integrating with LDAP, Rohati can assign you an access policy for any application. Based upon that, Rohati gives a very fine-grained level of access control at the application layer. It acts as a proxy to the app server for both regular and encrypted traffic. Because the ACLs are on the Rohati box itself, there really is not any integration with switches per se, and so no integration worries.

The only problem is that the Rohati box has to be able to handle the traffic flow.  Hence the box is a big honker.  The cheap one is about 20k list I believe and the industrial size version is 80k. This product is aimed squarely at the data center space and is sold through channels.

Will Rohati succeed? Yes, I think it will. I think they have taken a unique approach to a security issue that will continue to grow in years to come. Application access is an area that I think is still up and coming. In a period when nothing is ever new in security, the Rohati team seems to have found something that has not been done before in a packaged, dedicated way like this. If nothing else, with all of the ex-Cisco folks there, Cisco will eat its young and buy the technology back in.

We will watch Rohati's progress in the months to come.  At the very least, it seems they are blog savvy enough to navigate the waters of social media.  Maybe they will start their own blog soon.


Successful 802.1X Every Time [Security Uncorked]

Posted: 19 Jun 2008 11:18 PM CDT

It’s not rocket science, but any time we mingle and intertwine four or five different pieces of technology, there’s always the potential for a mess… or at least a misconfiguration or two along the way. Don’t know what 802.1X is? Check out the recent 802.1X technology primer.

If you’re planning to, or are implementing wired 802.1X, wireless security and/or NAC, the contents of this blog may save you hours of time and trouble.

Throughout the implementations I’ve done, for both wired and wireless 802.1X, I’ve developed a procedure for implementing and testing 802.1X each step of the way. Following these steps may seem tedious and unnecessarily time-consuming. But if you’re just starting with 802.1X, I’m offering a way to implement it in phased pieces that will give you the information to test, confirm and troubleshoot at each step.

To be honest, I frequently skip these steps, but I’ve done many 802.1X implementations and can usually hit the bullseye the first time (unless there’s buggy software or firmware- you guys know who you are). But, if something doesn’t work, I start right back at Number 1 here and I follow this procedure.

1) Configure wired 802.1X
First, set up the basic wired 802.1X. Ideally, start with a Windows test, using XP SP3 or a later server edition and PEAP. Provision RADIUS; I recommend Microsoft IAS because it’s well-documented and well supported. Even if you have other future plans, if you’re using Active Directory, start with IAS. You’ll need to set up a test RADIUS group and policy and link them to AD. Get a test switch, add it as a RADIUS client, and configure it to talk to your RADIUS server. Set up some ports for 1X and enable it on the switch. I recommend testing with PEAP as the authentication method and a Windows credential pass-thru. Note: you’ll need to create a server certificate to use PEAP; a self-signed Microsoft cert is fine.

If this simple configuration doesn’t work, you have some troubleshooting options. First, view the system event log on the RADIUS/AD server and look for informational events from IAS. If the authentication request is making it from the client -> switch -> RADIUS, you’ll see something here. What you see should tell you if the EAP method is mismatched, or if the credentials were wrong, etc. Your second line of troubleshooting comes if you don’t see any RADIUS log activity. If that happens, throw on a packet capture utility like Wireshark. You want to search for two things. First, look for conversations from your test switch to the RADIUS server (filter on IPs or MACs). If you see something here, see where the conversation drops off. If that comes up empty, it means the conversation is terminated between the test switch and test client. I have some neat tricks for troubleshooting I’ll share with you later.

2) Add in Wireless
If you’re planning to implement 802.1X for wireless, now is the time to throw 802.11 into the mix. It’s harder to sniff wireless traffic for troubleshooting, which is why I recommend starting with wired 1X. Keep it simple, and then start layering. Once you have the wired 1X configured, all you need to do is get your AP ready and configure it just as you did your switch: add it as a RADIUS client and configure it to talk to RADIUS. For wireless, you’ll need to configure encryption also. Note: for testing, I recommend beginning with your primary VLAN.

If your wireless 802.1X isn’t working, follow our troubleshooting above and re-check settings based on the RADIUS event log contents. If nothing is making it to RADIUS, then most likely something is misconfigured in your AP/Controller and the AP isn’t communicating with the RADIUS server. You know the rest of it’s working (RADIUS, AD, Client) so you can narrow your troubleshooting scope. Once that’s working you can stop if wireless is your goal, or keep going if you’re layering on more security.

3) Replace with Custom Pieces
If you’re planning to use a different RADIUS server or a different supplicant, now would be a good time to start swapping out our vanilla configuration with custom pieces. Replace 1 piece at a time and re-test.

4) Add in NAC or Endpoint Integrity
Most NAC or EI solutions will integrate with your 802.1X infrastructure (if you want them to) and can be ‘consulted’ prior to authenticating and opening the secured port. My suggestion is to always get 1X working 100% before you add any type of integrity or compliance testing.

If you follow these steps, you can turn a complex configuration into a set of simple baby-steps. It may sound stupid, but I promise it’ll work for you every time!
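The wired test in step 1 and its packet-capture troubleshooting, as an added example that is not from the original post: a small Python decoder for the RADIUS packets (RFC 2865) the test switch exchanges with the server, with the Response Authenticator check a NAS performs and a diagnosis routine that maps what a capture shows onto the branches described above. Every packet here is constructed; the NAS address 10.0.0.2, the user name CORP\jdoe and the shared secret are assumptions, not values from any deployment, and nothing in the code is specific to IAS.

```python
import hashlib
import struct

# Added example (not from the original post): decode the RADIUS packets
# (RFC 2865) a test switch exchanges with the server. All packets are constructed.

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 18: "Reply-Message", 61: "NAS-Port-Type",
         79: "EAP-Message", 80: "Message-Authenticator"}

def build_attrs(attrs):
    """Encode (type, value) pairs as TLVs; the length byte covers type, length and value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_packet(code, ident, authenticator, attrs):
    body = build_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def parse_packet(data):
    """Decode the header and attribute list, refusing inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, "code %d" % code),
            "id": ident, "authenticator": data[4:20], "attrs": attrs}

def summarize(pkt):
    """The attribute view you would check in the capture: who asked, from where, how."""
    out = {}
    for t, v in pkt["attrs"]:
        name = ATTRS.get(t, "attr %d" % t)
        if t == 4:
            val = ".".join(str(b) for b in v)
        elif t in (1, 18):
            val = v.decode("utf-8", "replace")
        elif t == 61:
            val = struct.unpack("!I", v)[0]
        else:
            val = v.hex()
        out.setdefault(name, []).append(val)
    return out

def verify_response(response, request_auth, secret):
    """Recompute the Response Authenticator as the switch does; a mismatch means
    the reply was not built with this shared secret (or the request was altered)."""
    pkt = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = response_authenticator(pkt["code"], pkt["id"], request_auth,
                                      response[20:length], secret)
    return pkt["authenticator"] == expected

def diagnose(packets):
    """Map what the capture shows onto the troubleshooting branches in the post."""
    codes = [parse_packet(p)["code"] for p in packets]
    if not codes:
        return "no RADIUS traffic: the switch is not sending (check its RADIUS client config)"
    if 1 in codes and not any(c in (2, 3, 11) for c in codes):
        return "request sent, no reply: server discarded it (unregistered client or secret mismatch)"
    if 3 in codes:
        return "Access-Reject: check EAP method and credentials in the server event log"
    if 2 in codes:
        return "Access-Accept: authentication succeeded"
    return "EAP exchange still in progress (only Access-Challenge seen)"

# Constructed conversation: switch 10.0.0.2 forwards an EAP Response/Identity
# for CORP\jdoe; the server answers with an Access-Reject.
SECRET = b"testing123"           # assumed shared secret
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator
IDENTITY = b"CORP\\jdoe"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE_REQUEST = build_packet(1, 7, REQUEST_AUTH, [
    (1, IDENTITY), (4, bytes([10, 0, 0, 2])),
    (61, struct.pack("!I", 15)),  # NAS-Port-Type 15 = Ethernet
    (79, EAP_IDENTITY)])
REJECT_ATTRS = [(18, b"Authentication failed (constructed message)")]
SAMPLE_REJECT = build_packet(3, 7, response_authenticator(
    3, 7, REQUEST_AUTH, build_attrs(REJECT_ATTRS), SECRET), REJECT_ATTRS)

if __name__ == "__main__":
    print(summarize(parse_packet(SAMPLE_REQUEST)))
    print(diagnose([SAMPLE_REQUEST, SAMPLE_REJECT]))
```

Wireshark will dissect these fields for you; what the script adds is the two things the dissector cannot tell you: whether a reply was actually produced with the secret configured on the switch, and which of the post's branches a given request/reply pattern lands you in (a server that sees an unregistered client or a bad authenticator discards the request silently, which is why "request but no reply" points at the RADIUS client registration rather than at the credentials).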

# # #

 

DLP moves slowly into data security... [IT Security: The view from here]

Posted: 19 Jun 2008 11:03 PM CDT

Today it seems to be big news that DLP deployments should include encryption. I'm amazed that it's taken this long for something purporting to be data centric security to have this included as a standard feature, but it's about time!

This report includes soundbites from an RSA marketing guy, which is all fine, they are the people to go to for encryption information after all, but I wonder how much of this will come back to bite them, or rather the hand that feeds them. I'm sure over time EMC will work out a clever strategy for commoditising their storage again, but data-centric security can only see storage getting cheaper and cheaper - the protection being in the data, not the hardware around it, or the applications it runs through. Centera and Celerra arrays are massively over-engineered blocks of expense, but they sell at the moment because there are few well-known alternatives.

What these big beasts don't do is allow you to move your data with any sort of security still attached. This is their big fault. Encrypted information with a master key available to decrypt at the endpoints for scanning purposes, or to make a decision on encrypting information as it is sent out - now that's more like it...

... and exactly what I was talking about yesterday. The trick is to get this all working without getting tied into one vendor, using a standard of some sort. Perhaps the ZIP standard would work? It is already installed for 25,000 corporate users, and those are just PKZIP and SecureZIP customers, not the free download users, or everyone on WinZIP, for whom half of the security is available, despite the lack of control.

I'm surprised DLP vendors have taken this long to come up with encryption, and I'm surprised they aren't already looking at compression and integrity on top of this. It would have been smarter to do this before now.

Security Circumvented: My Anti-Virus [Security Uncorked]

Posted: 19 Jun 2008 10:31 PM CDT

I recently needed to renew the anti-virus subscription on my tablet PC. Of course, Symantec popped up and let me know well in advance, and of course, I waited until the almost-last-day before I renewed.

When my renewal options appeared, there was a selection to upgrade to the shiny new Norton 360. Woo hoo! It listed all these great new security features… I don’t remember what they were… but, they sounded REALLY great (I promise).

So I went with the upgrade, instead of the anti-virus signature renewal. Okay.

It did seem like a good idea at the time. However, in addition to my overly-protective Vista popups eeeevvvvery time I want to run something, connect somewhere, or wipe my nose… Now, I have the Vista pop up AND the Norton 360 popup. Okay.

Except, the Norton pops up with flagrantly ambiguous information like “An application is trying to access your Internet.” Do I want to allow it? I don’t know. How am I supposed to know- which application wants to access my Internet? Oh, it’s not going to tell me. Okay.

Well, I guess I’ll click ‘Allow’ because I have no clue what is trying to access my Internet, but I’ll assume it’s something that I have somehow asked to access my Internet… and I’ll be quite upset if whatever I clicked on doesn’t work. So YES, ALLOW. Okay again.

And what was the point in that? One click has transformed to three, and I’m no more secure than I was before, I’m just being forced to make more clicks to earn my insecurity. So today I am the poster child of what NOT to do.

Security circumvented is quite possibly worse than no security at all. I see visions of ‘invalid browser certificate’ notices dancing in my head.

# # #

Securing Personal Data - Waste of Time? [CultSEC Blog]

Posted: 19 Jun 2008 08:27 PM CDT

I've often been asked by friends and relatives why they should ensure their own personal data is protected. After all, it is only their home computer. What could anyone possibly want from that?

I read this interesting article today on Darkreading.com. It begins with the usual issues about stolen credit card numbers. The twist comes when the investigation finds other personal information as well, such as healthcare data, airlines, financial data, and so on.

Information about ourselves may seem relatively benign. But consider what someone can do with it when they piece it together bit by bit, or when they hit the data load and find out all kinds of things about you. In effect, the more information there is on you, the easier it is to impersonate you, especially in the digital world. Bruce Schneier recently posted an article discussing LifeLock and identity theft. In fact, a search of his blog using the keyword "identity" shows he has covered the topic quite a bit.

At any rate, protecting information is not a new thing. Governments and corporations have been doing it for some time. You decide if they have been effective at it. Data protection as practised in the business or government sector is something each of us should learn and apply to our own lives. Really, each individual is a small business. Perhaps we should mind our own for a change.

Patching and updating [IT Security, Windows Scripting and other matters]

Posted: 19 Jun 2008 08:15 PM CDT

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics, but there was a bit of a shocking revelation for me. Some companies are still not actively patching their computers. There was a computer with no patches for an old operating system.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base-level activity; it needs to be done. You don't have to have a high-end software solution for all of your applications. You can even use the Windows Update website to keep you up to date (or patched with the last patches for the OS).

Be safe out there.
James

Interesting series of events [IT Security, Windows Scripting and other matters]

Posted: 19 Jun 2008 07:44 PM CDT

I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do?

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of their effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject, and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.
James

Myrcurial Selected To Speak At Last Hope [Liquidmatrix Security Digest]

Posted: 19 Jun 2008 05:26 PM CDT

I had a long crappy day as anyone who might follow my Twitter may have seen. I was wallowing in my own discontent when I met up with Myrcurial for lunch today. The Cheshire grin on his face was something to behold. As it turns out, the weasel had been sitting on a rather significant announcement (for the last month) that he alluded to in his earlier posting today.

Myrcurial will be speaking at Last Hope! Very cool brother! His talk entitled, “From a Black Hat to a Black Suit” will be a must see for any propeller heads that have aspirations for a corner office one day.

From the talk summary:

You want it all. You can see the brass ring and you want to jump for it. But you’re scared. You don’t want to put on a suit and watch your soul shrivel like the spot price on RAM. There is another way. In this session, you will learn: why you want to do this to yourself, how to get the first job (which will suck), how to turn the first job into the next job (while still having fun), how to get the top job (sooner than you thought you could), and how to do it all without feeling like a corporate whore. You want to hack the planet? You’ve got to start somewhere.

I’ll be the smart ass in the back crackin wise.

Article Link

Nortel launches Voice Security Technology Blog [Voice of VOIPSA]

Posted: 19 Jun 2008 04:02 PM CDT

I recently learned that Nortel has launched their “Voice Security Technology Blog”. Their initial post outlines their goals for the blog. They only have two posts up so far, but we’ll be interested to watch the blog and see what they do with it.


Bring it on, Cisco! [Napera Networks]

Posted: 19 Jun 2008 03:38 PM CDT

Some very interesting news for the NAC market this week with multiple analysts publishing predictions and market forecasts.

Patrik Bihammar at IDC talked up the threat landscape and says NAC has become a high priority because of the "everything, everywhere" network. IDC expects the NAC market to grow at 43 percent year on year to reach US$3.8 billion by 2011.

Infonetics also released its latest market forecast, appropriately titled, "Reports of NAC's death have been greatly exaggerated", showing market growth of 16% in 1Q08 and expected double digit growth for the next five years.

All of this good news was tempered by a warning to smaller NAC vendors in a Network World article this morning. In short, Gartner claims Cisco and Microsoft may marginalize NAC vendors by 2009 because of Cisco’s success in the enterprise switching market (and presumably Microsoft’s domination of desktops).

It’s great to see data from IDC and Infonetics, but I’ve heard the Gartner analysis before. In the late nineties it was enterprise vendors like Cisco and Check Point that were going to crush firewall appliance startups. In reality it took Cisco ten years to get their act together, and meanwhile companies like WatchGuard, Sonicwall and Netscreen grew and prospered in the mid and large enterprise markets. If that is the definition of getting crushed by Cisco, bring it on!

The Gartner hypothesis referenced in Network World doesn’t apply equally to all companies. The problems that large enterprises are solving with NAC technology are equally relevant to the small and medium enterprise customer: guest Internet and printer access, endpoint and identity enforcement, and overall visibility into the security state of computers on the network. But the SME market is very different from large enterprise. Cisco has been less than successful selling into the SME, and much of the Linksys SME product line is not interoperable with Cisco’s enterprise architecture. While SMEs have Microsoft NAP on their computers, few will build out an entire NAC/NAP infrastructure based on Cisco products.

Bihammar at IDC named cost and complexity as the prime barriers to NAC adoption, which gets to the heart of the issue. I’ve posted on this exact issue before. The vast majority of Napera customers haven't heard of NAC, haven't participated in these debates, and primarily care about the practical application of technology and risks in their company to solve a business problem, not the technology itself. They want a solution that helps them take back control of the computers accessing their network and that does so easily and affordably. That’s where the real opportunity is: how do you help those customers solve those problems without complex, expensive large-enterprise products? And that’s what Napera is all about.

HOW TO: Use Facebook for intelligence work, Part 1 [Roer.Com Information Security - Your source of Information Security]

Posted: 19 Jun 2008 02:43 PM CDT

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work!

In addition, this How-to will help you collect additional information about your target: like photo; full name; list of friends; and potentially also mail address; phone numbers and list their favourite books.

So let's get on with it!

 

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to; Yahoo Mail; Google Mail; or any other free web based e-mail services out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later on!

You do not want to use your own name, though, but you knew that, right?

 

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility.

TIP: You may consider using a western name, preferably a woman's name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

 

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this group. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

 

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Image: The teaser!

Yes, I noted more realistic above, I know… But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one counts as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

 

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do know that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other side, when you get the e-mail, you've got plenty of opportunity to ask for more later on too.

 

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voilà – now you've got a large amount of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!

 

6. Collect and use

Now you have a large amount of e-mails on your account, it is time to download and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourite), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool.

And as e-mails keeps coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrageous offers of pills, lottery winners and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!

MindshaRE: Searching in IDA [DVLabs: Blogs]

Posted: 19 Jun 2008 02:22 PM CDT

Posted by Cody Pierce
MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss everyday aspects of reversing. You can view previous entries by going through our blog history. In this week's installment of MindshaRE we will take a look at some fun uses for searching in IDA, even utilizing IDC/IDAPython to automate this.

IDA provides several different search options, ranging from immediate values to undefined functions. Right now we are going to touch only on the byte/text searching options, which include:
  1. Immediate value
  2. Text
  3. Sequence of bytes
  4. Regular expressions
As a security researcher, I use the built-in methods primarily to locate potential and common problems in assembly, parsing functions, and structure information. Some simple things I look for are improper sign extension, protocol switch statements, and packet structure offsets. Each of these can potentially be discovered using the search functionality. Let's take a look at each one.

Finding Improper Sign Extension Bugs

What I'm referring to here is the promotion of an integer to a larger size. In a nutshell, this promotion results in a security vulnerability when a sign extension occurs on user-controlled data: a length or index read as a signed byte or short becomes a large negative value after promotion, slips past a signed bounds check, and is then treated as a huge unsigned size by a copy or allocation routine. More detailed information regarding sign extension bugs can be found elsewhere, such as the excellent book by Mark Dowd et al., The Art of Software Security Assessment. A typical instance of this bug will stem at the assembly level from the instruction "movsx" (the sign-extending load; its zero-extending counterpart is "movzx"). Using the "Text" search (Alt+T) and entering "movsx" with "Find all occurrences" checked provides us with a neat little window of all sign-extended move operations. Each hit is only a lead: the ones worth auditing are those where the source operand comes from attacker-controlled input and the extended value reaches a length check, an allocation size, or an array index.

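To make the pattern concrete, here is an added C example (not part of the original post, and not taken from any real codebase) of the bug the "movsx" search is hunting for, beside its hardened form. It parses a constructed record whose first byte is a length; the record format, the names copy_len_vuln and copy_len_fixed, and the sample packets are all assumptions for illustration. The vulnerable version reads the length into a signed char, which the compiler loads with movsx; the fixed version reads it as unsigned (movzx) and checks it against the bytes actually present. Neither function performs the copy; each returns the size that would be handed to memcpy, so the effect can be observed without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 64   /* size of the destination buffer the caller would memcpy into */

/* Vulnerable: the length byte is read into a signed char. On x86 the compiler
 * promotes it with movsx, so 0xFF becomes -1. The bounds check compares signed
 * ints (-1 > 64 is false) and passes, and the value returned for use as a
 * memcpy size converts to SIZE_MAX. (The narrowing cast of 0xFF to signed char
 * is implementation-defined in C; mainstream compilers wrap it to -1.) */
size_t copy_len_vuln(const unsigned char *pkt, size_t pktlen, int *rejected)
{
    *rejected = 0;
    if (pktlen < 1) { *rejected = 1; return 0; }
    signed char len = (signed char)pkt[0];   /* sign-extended load: movsx */
    if (len > BUF_SIZE) { *rejected = 1; return 0; }
    return (size_t)len;                      /* -1 becomes SIZE_MAX here */
}

/* Hardened: read the length as unsigned (zero-extended load: movzx) and check
 * it against both the destination size and the bytes actually present. */
size_t copy_len_fixed(const unsigned char *pkt, size_t pktlen, int *rejected)
{
    *rejected = 0;
    if (pktlen < 1) { *rejected = 1; return 0; }
    size_t len = pkt[0];
    if (len > BUF_SIZE || len > pktlen - 1) { *rejected = 1; return 0; }
    return len;
}

int main(void)
{
    /* Constructed sample records: a benign one and one with a 0xFF length byte. */
    const unsigned char benign[]  = { 0x02, 'A', 'B' };
    const unsigned char hostile[] = { 0xFF, 'A', 'B' };
    int rej;
    size_t n;

    n = copy_len_vuln(benign, sizeof benign, &rej);
    printf("vuln  benign : rejected=%d len=%zu\n", rej, n);
    n = copy_len_vuln(hostile, sizeof hostile, &rej);
    printf("vuln  hostile: rejected=%d len=%zu\n", rej, n);   /* passes the check, len=SIZE_MAX */
    n = copy_len_fixed(hostile, sizeof hostile, &rej);
    printf("fixed hostile: rejected=%d len=%zu\n", rej, n);   /* rejected */
    return 0;
}
```

Compile the vulnerable function with optimisation and disassemble it: the load of pkt[0] is a movsx, which is exactly the instruction the text search flags. Compile the fixed one and the same load is a movzx, which the search skips.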
Locating Parsing Functions

If I'm analyzing an application that handles complex data, user input or configuration information, I will be sure to track down and audit the various routines responsible for parsing that inbound data into the data structures to which programmatic logic is applied. Many parsers are implemented with the help of "switch" statements. At the assembly level, a switch with a dense set of case values is implemented as a jump table: a bounds check on the selector followed by an indirect jump through a table of case addresses (a sparse switch is instead compiled to a chain of compares and branches, which this search will not find). IDA does a good job of automatically identifying jump-table switches. When a switch is identified it will be commented in a form such as:
2B0016DF    jmp    ds:off_2B001716[eax*4] ; switch jump
Utilizing the same search dialog as before (Alt+T), we can plug in "switch jump" with "Find all occurrences" enabled to produce a list of all switches within the binary. Taking it one step further, here is a simple IDAPython script that enumerates all switches and additionally each switch's number of cases and case addresses. It relies on the comments IDA places itself: "switch N cases" on the bounds check, "switch jump" on the indirect jump, and the repeatable "jumptable <address> case N" comment on each case target:
from idaapi import *
from idc import *

# Walk every function and collect the comments IDA attaches when it
# recognises a switch: "switch N cases" on the bounds check, "switch jump"
# on the indirect jmp, and the repeatable "jumptable XXXXXXXX case N"
# comment on each case target. Uses the idc API names of this era
# (Comment, RptCmt, NextHead, FindFuncEnd).
switches = []
for function_ea in Functions(MinEA(), MaxEA()):
    function_name = GetFunctionName(function_ea)
    end = FindFuncEnd(function_ea)
    curea = function_ea
    count = 0            # case count from the most recent "switch N cases" comment
    table = BADADDR      # address of the most recent "switch jump" instruction
    cases = []
    while curea <= end and curea != BADADDR:
        comment = Comment(curea)
        if comment:
            if 'switch' in comment and 'cases' in comment:
                count = int(comment.split(' ')[1])
            elif 'switch jump' in comment:
                table = curea
                cases = []   # the dict below keeps a reference; appends land in it
                switches.append({'name'  : function_name,
                                 'table' : table,
                                 'count' : count,
                                 'cases' : cases})
        else:
            comment = RptCmt(curea)
            if comment:
                if 'jumptable' in comment:
                    jt = int(comment.split(' ')[1], 16)
                    if jt == table:
                        cases.append({'loc' : curea,
                                      'tag' : "cases " + comment.split(' ')[3]})
        curea = NextHead(curea, end)

for sw in switches:
    print("%s: %x: %d cases" % (sw['name'], sw['table'], sw['count']))
    for case in sw['cases']:
        print("%s: %x: %s" % (sw['name'], case['loc'], case['tag']))
Running this IDAPython script produces the following sample output:
  ICMPv6Receive: 251e7: 10 cases
  ICMPv6Receive: 251ee: cases 128
Following the addresses takes you to the individual switch case:

  000251E7    jmp     ds:off_2523B[eax*4] ; switch jump
  000251EE
  000251EE loc_251EE:
  000251EE    push    esi                 ; jumptable 000251E7 case 128
  000251EF    call    ICMPv6SendEchoReply

This approach is especially effective when symbol information is present.

Searching for Structure References

This example is definitely gimmicky but worthwhile nonetheless. IDA does not provide structure cross references. Without proper symbolic information it is nearly impossible to tell whether an [ecx+4] in one function refers to the same structure as an [ecx+4] in another. Such is the nature of static reverse engineering. Sometimes, though, you have a pretty good idea of a structure's use in a binary. This occurs most often for me when looking at network code. Programmers usually create a structure for storing information about a request. This typically includes a socket descriptor, buffer size, buffer pointer, and any other information associated with that session.

Once again we can use the search functionality to find accesses to a structure. I know what you're thinking, "this will never work", but it will in lots of cases. Searching for the text "+28h" shows you every instruction operand with that displacement, which in practice includes the loads and stores to the structure you are concerned with. Expect noise: [ebp+28h] and [esp+28h] are stack-frame accesses, not structure fields, so either skip hits on those base registers or use the regular-expression search to restrict the base register. Once one hit is confirmed, the register it uses and the function that dereferences it are the thread to pull on. Try it, it might be handy.

So there we have it. We have really only covered one of the search mechanisms IDA provides to its user. Immediate value searching and Sequence of Bytes searching can be used in very similar cases as the Text search (the movsx instruction, for example, can also be found by searching for its opcode bytes, 0F BE for a byte source and 0F BF for a word source; a byte search also hits code IDA has not yet disassembled, which a text search misses). I hope this can come in handy at some point for someone out there. Feel free to leave a comment with some other fun ways of using IDA's searching capabilities.

See you next week,

Cody

I’m Not The Only Blogger Here! [securosis.com]

Posted: 19 Jun 2008 02:07 PM CDT

I’ve been absolutely flattered by some of the positive comments on our posts this week, especially the database posts. But as much as I enjoy the credit for someone else’s work, I’d like to remind everyone that I’m not the only blogger here at Securosis anymore.

Adrian Lane, our new Senior Security Strategist, has been putting up all the meat this week. Once I get back from this conference I’ll increase the font size on the writer tagline for the blog so it’s more obvious.

We also occasionally have contributions from David Mortman and Chris Pepper, both of whom wrote posts I got the credit for. These are all brilliant guys, and I’m honored they contribute here.

They’re probably smarter than I am…

… oh. Never mind. I write it all.

VIA ISN: Two More Soon To Be Disclosed Firefox 3 Vulnerabilities [Infosecurity.US]

Posted: 19 Jun 2008 01:55 PM CDT

ISN (actually SecurityCurmudgeon aka Jericho at attrition.org) is reporting at least two additional (soon-to-be-released pursuant to full disclosure customs) Mozilla Firefox related vulnerabilities, this time discovered by Neohapsis. Note the following announcements from Neohapsis: the first, an overflow, and the second, protocol related.

Help an analyst get some real data [StillSecure, After All These Years]

Posted: 19 Jun 2008 01:49 PM CDT

With all of my writing this week about the lack of truth in much of the data being put in front of the public, whether from vendors or analysts, I thought I would put my money where my mouth is. In order to get some real data to the analysts so that their reports are accurate, I am posting a note I received from Aberdeen Group about a new survey they are conducting in vulnerability management. If you have a few minutes, it is an excellent way to contribute. Remember, the truth shall set you free!

Would you like to learn how Best-in-Class companies successfully maximize their results in IT Security Patch and Vulnerability Management?

By participating in this brief survey, you will be able to see how your experiences in Patch and Vulnerability Management compare with those of your peers, benchmark your performance, and see how you can achieve Best-in-Class results.

My name is Saqib A. Khan, a Senior Research Analyst at Aberdeen Group, and I am conducting a survey that will help companies such as yours determine the Best-in-Class procedures for Vulnerability Management. Your participation is a vital part of the report development, and serves as the foundation of Aberdeen's research. If your company is planning on implementing Vulnerability Management solution, or is simply evaluating the potential benefits, we would appreciate your feedback in this brief, 10-minute survey.

In appreciation for sharing your time and thoughts with us, we will provide complimentary access for you to the full benchmark report as soon as it is published (a $399 value).

Individual responses will be kept strictly confidential, and data will only be used in aggregate.

We look forward to hearing from you, and greatly appreciate your time and participation.

Sincerely,

Saqib Khan


Orchestria revisited [IT Security: The view from here]

Posted: 19 Jun 2008 12:17 PM CDT

I'm used to seeing US businesses struggle in the UK market; I've helped a few now to recover after false starts, or to launch successfully in the first place. I'm currently working with PKWare on a long term contract, which I'm really very pleased about. I count myself extremely lucky that much of what I have blogged about as being necessary security over a number of months and years actually exists as a set of products.

I've commented an awful lot about the dynamics that make this possible over here, the fact that a market has to be built up from scratch, reputation not doing much for a company which is big in the States when it comes to these shores, how the American style of business differs from the slightly more staid version we have over here, etc.

Something I hadn't come across before is the reverse of this process, a company launching over here and trying to break the US. I covered Orchestria a few weeks back, talking about how they seemed to appear from nowhere in the DLP space, and yet kept hearing good things about them. I found it surprising then that I got a slightly different story from some friends the other side of the pond.

I have thoroughly researched Orchestria, spoken at length with their English CTO, Pete Malcolm, and gone into numerous demonstrations of their technology, proofs of their customer base, and have even, surprisingly, been shown a very impressive set of accounts. At this point an NDA prevents me from saying anything more. Needless to say, some of the negative comments that were made after my story last week now look pretty much like sour grapes.

I fear that Orchestria are suffering the reverse of what many small US tech companies experience when trying to enter the EMEA market. I fear that sales and marketing teams in the US are maybe not set up for this type of technology without having it on their doorstep, or a specialist from the industry on their team. I fear that only a handful of people in the country may understand this fully. I fear that analysts in the US have been in touch with the wrong people in the organisation - because this stuff is pretty damn good. I also fear that properly marketing it is going to be a mountain to climb, but whoever takes it on is going to do very well out of it.

I would urge anyone who is looking at DLP to look at Orchestria. If you are in the UK, it's a no-brainer: local support, local development, etc. If you are in the US, don't believe the poor marketing and doomsayers from the rest of the industry. If you are in Orchestria, get a good marketing team out there, and beef up the support you already have out there. I think we could see them coming out near the top of the pile in the DLP wars. However, this isn't just what Orchestria does, and here's the only 'issue' that I could find with them: the technology is way more than DLP. You could use a couple of Orchestria devices and some SecureZIP in your entire environment and dispense with 50% of your hardware... if you don't believe me, try it out.

This is in fact the reason that this reasonably large company (and expanding monthly) seemed to appear out of nowhere and hit the DLP market. They had a product in a different sector (compliance) which happened to cover DLP very well, and they decided to market it as such. Good idea, poor execution: to get into a security market you need people who know that market inside out, whether they are in the US, the UK, Norway or Timbuktu. This is unfortunate though, because it has given a good piece of technology a slightly false start in an industry where they could be a shining light.

I haven't been this excited by a product since, well PKWare actually, but before that, Njini with their data classification / de-duplication software (another British company, yeah!). What I'd really like to do is put them all together and make a demo. What makes me feel good about all of this is that this is how I predicted the future of security just a year ago. I just didn't expect it to come so fast.

Nepenthes log correlated with ClamAV and ip2country [Security Data Visualization]

Posted: 19 Jun 2008 12:15 PM CDT

This file is the result of correlating data from Nepenthes, ip2country and ClamAV; the process is described in the paper An approach to malware collection log visualization by Jaime Blasco.

Regards

New Paper - An approach to malware collection log visualization [Security Data Visualization]

Posted: 19 Jun 2008 12:13 PM CDT

I have just published an article related to malware collection log visualization.

The paper focuses on visualization of Nepenthes logs using AfterGlow. In the paper you can find information about correlating IPs with countries and binary files with ClamAV signatures, with the goal of generating interesting graphs.

You can get it at
An approach to malware collection log visualization

Regards

The Last HOPE List of Talks posted… [Liquidmatrix Security Digest]

Posted: 19 Jun 2008 11:10 AM CDT

The 1337 bastards at 2600 have posted the list of talks for The Last HOPE conference being held July 18-20 at the Hotel Pennsylvania in NYC.

List of Scheduled Talks Posted

Posted 18 Jun 2008 22:42:50 UTC

With a record number of 97 scheduled talks to be presented in three different areas, The Last HOPE has posted a list of talks with time and room assignments forthcoming.
We do plan on having an additional track for unscheduled talks so if you missed this deadline, you still have a shot in the somewhat smaller unscheduled track room. Look for the unscheduled track sign up sheet at the conference.

Of course you’ll be able to find Dave and me there. Wouldn’t miss it for the world.

Oh - and you might want to scroll that list of talks down… maybe just to the Featured Speakers section… or maybe just below that.

See you in NYC.


Interesting Information Security Bits for June 19th, 2008 [Infosec Ramblings]

Posted: 19 Jun 2008 10:22 AM CDT


Good day all. Got a pretty good bunch o bits to take a look at today. So, without further ado, here we go!

From the Blogosphere.

The Sunbelt blog warns us about some CareerBuilder jobs being emailed out which are scams. Be careful out there. They will get you any way they can.

Finjan came across over half a gigabyte of stolen US healthcare and airline data. Ouch.

Adam writes that Identity Theft is more than Fraud By Impersonation. He points out that in many cases the real pain of identity theft is not monetary, but dealing with the tarnishing of your good name as you try to clean things up. He has a good suggestion for trying to help with this issue. Go read about it.

Security4all points us to a couple of white papers that are worth a gander: The Extended HTML Form Attack Revisited by Sandro and EnableSecurity, and Defeating the Network Security Infrastructure by Philippe at Radarhack.com. They are both on my reading list now.

Irongeek has released a little tool called DecaffeinatID that

“DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of “reindeer games”…”

Looks pretty nifty.

Rich has another missive that deserves to be read more than once. He talks about Database connections and Trust. I am not going to attempt to summarize what he puts forth. Go read it.

You may have already heard about this, but a vulnerability exploit has been found in FF 3.0. It was reported to Tipping Point and passed on to Mozilla. They are working on a fix.

Amrit and Hoff are both talking about whether virtualization security is a technical problem or an operational problem. Both are good reads. I won’t spoil it for you by giving away their conclusions.

F-Secure has released version 3.0 of their Rescue CD. Could come in handy.

From the Newsosphere.

Via cjonline.com, some Kansas state equipment that was to be sold to the public contained confidential information. People, please make sure you have data retention, handling and destruction policies and procedures and that they are adhered to.

From Dark Reading, ICSA Labs Forum has advanced a security standard for IPv6.

Pointed to by Hack in the box and reported by Computer World UK, two laptops without encryption have been lost. This time by the HNS trust in the U.K.

Again via Hack in the Box and reported by Wired, it looks like Citibank had an intrusion that allowed a couple of men to grab at least $750,000 from ATMs in New York City. Oops.

That’s it for today. Have a good one.

Kevin


Your coffee maker wants identity management [LiveBolt Identity Blog]

Posted: 19 Jun 2008 10:10 AM CDT

Consumer electronics: the next market for Identity and Access Management software?  We just took a giant leap towards that reality with the availability of an “Internet connectivity kit” for the Jura F90 coffee maker.

We take an even larger step towards needing IdM at home when said “Internet connectivity kit” doesn’t require a username or password for remote logins.  Nor does it perform input validation when changing factory parameters.  We even have Bugtraq and Security Focus vuln posts.

To be fair, we are talking about a coffee machine here, so IdM might be overkill.  But if I paid Amazon $1800 for a coffee machine, I wouldn’t want some script kiddie shooting coffee beans at me from across the room, or worse yet — giving me a flat white, when I clearly pressed long black.

I can hear it now…

“Yes, IBM?  Can I get a Tivoli Access Manager license for 2 users?  My wife and I are going to use TAMeb for our coffee machine…”

Source: CrunchGear

New Documents for PIX and ASA on cisco.com [varie // eventuali // sicurezza informatica]

Posted: 19 Jun 2008 08:14 AM CDT

New Firefox 3.0 Vulnerability Discovered [Infosecurity.US]

Posted: 19 Jun 2008 08:03 AM CDT

A new, currently unpatched, vulnerability has been discovered in the recently released Mozilla browser, Firefox 3.0 (apparently, this issue also affects the previous 2.x series releases as well). The vulnerability, announced by the ZDI (the Zero Day Initiative at TippingPoint), is still confidential in scope, while Mozilla continues the work to mitigate the issue. [...]
