Posted: 29 Aug 2008 07:44 AM CDT
Posted: 29 Aug 2008 07:27 AM CDT
Posted: 29 Aug 2008 05:00 AM CDT
Reverse engineering techniques to find security bugs: A case study of the ANI - 61 min - 22 May 2007
Google Tech Talks May 21, 2007 ABSTRACT Alex Sotirov is a vulnerability engineer at Determina. He will discuss some latest techniques in reverse engineering software to find vulnerabilities. Particularly, he'll discuss his technique that led him to find the ANI bug (a critical new bug in WinXP and Vista). Alex will describe the tools he uses for reverse engineering and show how he reverse engineered ANI Bug. He will continue to discuss Windows security mechanisms (ASLR, /GS) and describe how ANI exploit bypasses them.
Posted: 29 Aug 2008 04:00 AM CDT
well if there is no reason for this, then you should clean your reputation, especially if you say that your clients do not need the in the law foreseen free antivirus because you protect them enough on your network and servers;
It is not because you are not on any blacklists (yet) that you are safe and clean and secure (and responsible)
Posted: 29 Aug 2008 03:43 AM CDT
the ads don't bring in any money (you don't click)
the books don't sell (maybe on christmas or maybe if you are a school or enterprise, buy them through me, thanx)
the free magz and whitepapers aren't read (too boring ?)
so why do you do it ?
To serve my public
which I thank because being among the 30th popular blogs (the 13th last week 8th yesterday) between hundreds of other blogs that write about so many other popular things that is just feeling so good. Makes you feel good.
First in September a few things will change around here, maybe some big things but that I can't tell you right now. For the readers here a few new things will be added.
Tips and information can still be sent to my mail address.
We are looking here for project sponsors, to sponsor some projects and ideas we have. It isn't that much so if you are interested as a project sponsor, you can contact me.
If you are interested to write - effectively write on some regular basis here - you can contact me also. There are also some stupid but interesting things to do and if you would like to take those on your shoulders, you are welcome (the weekly update freeware list for example or the belsectv section or any other interesting daily or weekly segment..... ). There are also other things you can do - correct my english :) or get a weekly summary out. You are welcome.
We are soon to be one year, on November the 11th. And we have passed 100.000 pageviews for this blog and more than 300.00 on the blogfeed of the Belgian Security Bloggers of which we are part. If you have a security blog in Belgium contact us and maybe you can become part of our family. Our family is meeting soon around a big meal, contact us if you would like to be invited.
And if you have a site or a blog you can use our feed and some parts of our articles if you respect the copyright and aren't just a made for adsense site.
Posted: 29 Aug 2008 03:15 AM CDT
Posted: 29 Aug 2008 02:39 AM CDT
Posted: 29 Aug 2008 02:33 AM CDT
So here the hacker changed the page to which an external link would lead. It doesn't lead to the external site but to his page. Well this is quite interesting because imagine if you could do this with a phished page on the website for paypal for example. I am sure that it would be even more effective than all those mails and that few people would even notice it (and I am sure many admins would have no clue whatsoever).
This is what the hacker did in his defacements, he changed the link to an external site with his own page. But that proof of concept could be used for anything. Who said that hackers weren't dangerous ? That defacement is just kiddie game ?
HACKED BY AdReNaLin ...
www.belgian-international.be/index. php?option=com_banners&task=click&bid=12 - 2k - Cached - Similar pages - Note this
Posted: 29 Aug 2008 12:11 AM CDT
From the initial reports, more than 8 million Best Western customers may have had their details captured following unauthorised system access. Best Western's assertions that only one hotel and 13 records being affected didn't attract many supporters, and their assertion that their adherence to PCI DSS requirements ensured customer safety was even less well received.
At the moment all that is happening is that the Glasgow Sunday Herald (and their source at Prevx) and Best Western have made contrasting claims on the incident and neither has provided much more by way of evidence of their claims. Claims that it is the World's biggest cyber heist, when it isn't by a long way, would put the burden of proof on the Sunday Herald.
The difference between 13 records and 8 million is significant, but it does raise the question as to how Best Western knew that it was only those few records that had been accessed. 13 just isn't the sort of number that people tend to make up when they are making vague claims about quantities. As reported by Best Western, it was antivirus software that managed to identify the trojan horse that had been installed to try and capture credentials at a single European Best Western hotel.
There are questions being asked about Best Western's claims that recorded credit card details are destroyed after a period of time and whether this claimed breach indicates a failure to adhere to Level One PCI DSS requirements (assuming they are top level PCI DSS), particularly the requirements for a Data Security Assessment and Quarterly Network Scan. Perhaps the rapid discovery of the breach and limited account access claimed by Best Western was achieved through adherence to this requirement, but there are not many who place much faith in this idea, or in the PCI DSS auditing requirements.
There is also the possibility that any breach was targeted at Identity Theft first, financial theft second, so the PCI DSS requirements aren't going to do much to stop that from happening.
How can Best Western ease a lot of concerned observers' fears? If they re-issued their press release (or even a new one) identifying when and how the compromised system was identified and taken offline, and then acknowledged that the PCI DSS is only one means to protect sensitive data and forms part of a layered defence strategy then it would go a long way to achieving this goal.
It isn't often that the benefit of the doubt is given to a company involved in a data breach, but in this case it is leaning slightly towards Best Western. At the end of the day, Best Western has been tarnished by their response to this issue and if they can not adequately address the concerns identified above, then there is little else to do but assume that the worst outcome reported by the Sunday Herald is what happened. Of course, if the evidence of the attack is released by other means, then that, too, would validate the claims of one side.
Posted: 28 Aug 2008 10:50 PM CDT
RFC 1918 is a best-current-practices RFC that describes network address ranges that we all agree we won't use globally. They get used for private networks, NAT ranges and so on. There are three ranges:
10.0.0.0 to 10.255.255.255
They are thus the Internet equivalent of the American phone system not using the exchange 555, only more useful. If you need to give an example IP address, you can use one of those without causing anyone consternation or irritation.
An example of why you want to use one of these addresses can be found (at least for the next few minutes) at Microsoft's site for the IE 8 beta. One of the IE 8 features is the "SmartScreen Filter" which can tell you IP addresses you're best not going to. An example is the picture accompanying my post.
If you check out that address, 188.8.131.52, at ARIN Whois, you find out that it's owned by Microsoft themselves.
I suppose that using one of your own addresses as a hazardous address is better than using someone else's, but immature people like Your Friendly Author will titter over it and point it out to other people as well.
There's a reason RFC 1918 exists, and this is one of them. Oh, by the way, be sure to look at RFC 2606, which reserves the domains example.com, example.net, and example.org. It also reserves the top-level domains .test, .example, .invalid, and .localhost. Remember them.
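An added example, not part of the original post: a small Python linter that flags example IP addresses and URL hosts in documentation text when they fall outside the RFC 1918 ranges and the RFC 2606 names described above. The sample text is constructed (apart from the address quoted in the post), the function names are this example's own, and the RFC 5737 documentation ranges are an addition the post does not mention.

```python
import ipaddress
import re

# Address ranges that are safe to print as examples.
SAFE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # RFC 5737 (not in the post)
)]
# RFC 2606 reserved second-level domains and top-level domains.
RESERVED_DOMAINS = ("example.com", "example.net", "example.org")
RESERVED_TLDS = ("test", "example", "invalid", "localhost")

# Dotted quad that is not part of a longer dotted number (e.g. a version string).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.I)


def parse_ip(text):
    """Return an IPv4Address, or None if text is not a valid IPv4 address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def ip_is_safe(ip):
    """True if ip lies in one of the reserved example/private ranges."""
    return any(ip in net for net in SAFE_NETS)


def host_is_reserved(host):
    """True if host is under an RFC 2606 reserved domain or TLD."""
    host = host.lower().rstrip(".")
    if host.split(".")[-1] in RESERVED_TLDS:
        return True
    return any(host == d or host.endswith("." + d) for d in RESERVED_DOMAINS)


def lint(text):
    """Return (line number, kind, value) for every non-reserved IP or URL host."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IPV4_RE.finditer(line):
            ip = parse_ip(m.group())
            if ip is not None and not ip_is_safe(ip):
                findings.append((lineno, "ip", m.group()))
        for m in URL_HOST_RE.finditer(line):
            host = m.group(1)
            # IP-literal hosts were already handled by the IPv4 scan above.
            if parse_ip(host) is None and not host_is_reserved(host):
                findings.append((lineno, "host", host.lower()))
    return findings


# Constructed documentation snippet; line 2 uses the address quoted in the post.
SAMPLE_DOC = """\
Send logs to http://collector.example.com:8080/ingest from 10.20.30.40.
SmartScreen demo screenshot shows 188.8.131.52 as the unsafe site.
Phishing drill landing page: http://login.phish.invalid/ on 172.31.255.254
Billing portal: https://billing.notreserved-sample.com/pay (172.32.0.1)
Firmware 1.2.3.4.5 and 192.168.1.300 are not addresses.
"""

if __name__ == "__main__":
    for lineno, kind, value in lint(SAMPLE_DOC):
        print(f"line {lineno}: {kind} {value} is not a reserved example value")
```

Note that 172.32.0.1 is flagged while 172.31.255.254 is not: the second RFC 1918 block ends at 172.31.255.255.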
Posted: 28 Aug 2008 05:26 PM CDT
UPDATE: 6:30PM, Dale
PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like to. The venue and schedule helped maximize opportunities for these discussions.
The program was mixed. I was not a big fan of the all day plenary session on Tuesday. Some of the panels had format challenges. The quality of the sessions may have been down slightly, but that is subjective. There were some very strong sessions, and I even missed some of the more highly reviewed sessions, and the days when there were 3 or 4 tracks usually meant something interesting was going on. There may be a need to spice up the next events, more shorter presentations, perhaps PCSF classic presentations for newcomers, livelier debate and discussion sessions, etc.
I believe it is essential that PCSF continue and grow mainly because there isn’t a good alternative and starting over would be difficult. The information exchange and education at PCSF is needed. 200 people from 17 countries with little notice the week before Labor Day is impressive. Four tracks on Wednesday; three tracks on Thursday that were easily filled as submissions exceeded time. Hopefully whatever issue prevented DHS from attending will be resolved, and whatever format PCSF ends up in the future can focus on how to make this annual event and other events even stronger.
The Vulnerability Disclosure Workshop followed up the panel. There is never a shortage of opinions on this subject. Not sure we made any progress. It was interesting that Daniel and I from Digital Bond were the only ones in the room that would disclose a vuln to anyone besides the vendor [we disclose to US-CERT and Core had left].
Back to the Plenary to wrap up. A report by PCSF Brazil - - not directly affiliated with PCSF, but there have been interesting discussions about PCSF Europe and other international locations.
Jason Holcomb, Bandolier
I started the morning going to Jason’s Bandolier presentation at 8AM for support. Nice job and the presentation will be posted on our site shortly.
Included in the presentation is the updated list of planned Bandolier security audit files. It is great that we were able to add Areva, Emerson Ovation and others to the list. We will update the SCADApedia page shortly.
I moved over to the vendor panel in progress, interesting group with smart guys and gals from ABB, Emerson, Honeywell, Invensys, Siemens, Telvent, and Yokogawa. Doing a little liveblogging during the Q&A
- Love the point of needing to move by Secure by Default from the ABB rep
Posted: 28 Aug 2008 04:47 PM CDT
As a flurry of emails (about an as of yet not officially released control system vulnerability) show this morning, once a document goes online the damage is done. It is eternal, and it is virtually impossible to stop the dissemination of the document, or put the genie back into the bottle. This applies to any critical document be it vulnerability disclosures, network topologies, control system diagrams etc.
Google hacking is a powerful tool. Some interesting results:
FOUO filetype:pdf shows the number of FOUO documents (pdf only try it on doc and see what you find) available via google.
scada filetype:doc shows just how easy it is to find critical control system information. Such a document can be seen at:
And don’t even get me started on what you can find when you start drilling down into a specific asset owner via google.
Why do I bring this up? Well, it serves as a reminder that we need to exercise discretion in who we share documents with, and how we make them available. Share a document with someone who is not as responsible as they ought to be and you might as well put it up on the internet yourself. Even if there isn’t a direct link to a document it still may be available to the world if the web server’s directory permissions are permissive.
The sheer amount of information available succinctly defining and diagramming critical infrastructure both here in the US and abroad is staggering. I have seen entire power distributions and generation systems’ scada, and topology diagrams available online.
Posted: 28 Aug 2008 11:49 AM CDT
There are a couple of blog posts that I've read lately that link together for me, and I'm still working through the reasons why. I'd love your feedback or thoughts.
I think the futility of these systems involves a poor understanding of how people interact. The systems I like and use (LinkedIn, Dopplr) are very purpose specific. I really like how Dopplr doesn't even bother with a friend concept--feel free to tell me where you're going, I don't have to reciprocate. It's useful because it doesn't try to replace a real, complex relationship ("friendship") with a narrowly defined shadow of the world. (In this vein, Austin Hill links a great video in his Facebook in Reality post.)
In information technology, we often replace these rich, nuanced concepts with much more narrow, focused replacements which serve some business purpose. Credit granting has gone from an assessment of the person to an assessment of data about the person to an assessment of the person's data shadow. There are some benefits to this: race is less of a factor than it was. There are also downsides, as data shadows, blurry things, get confused after fraud. (Speaking of credit scoring, BusinessWeek's "Your lifestyle may hurt credit score" is not to be missed.)
We've replaced the idea of 'identity' with 'account.' (I'll once again plug Gelfman's Presentation of Self for one understanding of how people fluidly and easily manage their personas, and why federated identity will never take off.) Cryptographers model people as Alice and Bob, universal Turing machines. But as Adi Shamir says, "If there's one thing Alice and Bob are not, it's universal Turing machines." Many people have stopped Understanding Privacy and talk only about identity theft, or, if we're lucky, about fair information practices.
So the key lesson is that the world is a complex, confusing, emergent and chaotic system. Simplifications all come at a cost. Without an understanding of those costs, we risk creating more security systems as frustrating as those "social networks."
[Update: It turns out Bruce Schneier has a closely related essay in today's LA Times, "The TSA's useless photo ID rules" in which he talks about the dangers of simplifying identity into intent. Had I seen it earlier, I'd have integrated it in.]
Posted: 28 Aug 2008 11:00 AM CDT
UPDATE: Next day, Dale Peterson
I missed the Waterfall Solutions Unidirectional Connectivity presentation but caught up with them at the evening exhibit. They have a product that through hardware, I heard the term diode and optical communications, only allows one way communication. Hence they use the term unidirectional. It is an interesting concept that could be useful if you are pushing data from a more secure zone to a less secure zone, such as control center to DMZ. It is purely one way, so there are no acks, resend, recovery, etc. Where is this a good option?
UPDATE: 4PM, Dale Peterson
I also attended the RISI / incident database talk. I’m convinced it can work, because it has worked. The question is whether there is enough interest to do this pro bono or receive funding. Interestingly, I was thinking why would a business want to go through the effort to collect and maintain this database. Maybe one with a portal strategy??? Maybe we should talk to Mark Fabro and Eric Byres.
Bryan Singer of Wurldtech had the long slot after lunch to talk about Achilles inside. [Full disclosure: Wurldtech is a past client and current advertiser]. Actually have a few comments about this. After the 1:30 presentation I still can’t tell you what Achilles Inside is. I asked a few others, and they couldn’t either. Perhaps it was to avoid commercialism, and it could be the greatest thing ever, but the message needs some work.
There were some interesting parts of the presentation such as “Safety does not deal with intentional actions” and the impact of bridging the traffic for monitoring. Wurldtech had to specify their own hardware to minimize the impact of monitoring during testing.
A bit of discussion on vulnerability disclosure as well. Wurldtech will not release vulnerability information and is very sympathetic to the problems of patching.
UPDATE : Morning Recap, Jason Holcomb
Several good presentations and side conversations so far today.
I attended the first one “Are You Compliant or Liable? Industrial Security and Compliance Using the Holistic Lifecycle Model” with a bit of a personal agenda. I assumed those attending might also be interested in our Bandolier project so I wanted to listen for any issues that may be relevant.
(Side Note: This was presented by Clint Bodungen of CIDG, Chris Paul of Joyce and Paul, and Jeff Whitney of Berkana Resources Corporation). I do appreciate the holistic approach to compliance (CIDG’s model). In fact, I have worked on something very similar for another organization only we called it the “security framework”.
Not sure if I’m convinced on all the legal arguments made by attorney Chris Paul but IANAL, as they say. He talked a lot about potential criminal or civil liabilities based on security negligence. I’m just not sure if avoiding a lawsuit is the right motivation for control system security but I suppose it can help get the attention of some.
Next up for me was Eric Byres’ and Mark Fabro’s presentation about the Repository for Industrial Security Incidents (RISI). This is a spinoff of the work Eric did at BCIT with ISID (Industrial Security Incident Database). Here’s the overview:
They are actively gathering input on if and how to carry out this project so I’m sure they would love to hear from you if you have an opinion. There will be some challenges for them but I am definitely curious to see what this looks like in final form.
I rounded out the morning with “Control Systems Threat Awareness” by Robert Huber and Sean McBride of INL. These guys have used various data collection points to help understand the current threat and trends over time. It was a good follow-up to yesterday’s presentation by Stephen Gill of Team Cymru. It was a well-organized compilation of threat data. They’ve taken many of the things you’ve heard, such as control system presentations at hacker conferences, and plotted them in a measurable way that illustrates an increasing “adversary interest”.
One of the really interesting slides did a comparison of how control system application vendors make their security contact information available versus that of the big traditional IT software companies. It measured the percentage of the two groups that had a /security web page and a dedicated e-mail address for security issues, a standard of sorts for interfacing with the security research community. As you might imagine, the results showed that only a very small minority of the control system application vendors followed the practice.
Thinking back on day one, the highlights for me were Phyllis Schneck’s keynote and Mark Fabro’s closed to press presentation. Plenary sessions are tough because it is hard to calibrate the presentation to a large audience with very different experience and interest levels.
Day two is called solution day. There are four tracks going on and then an exhibit tonight. I find these sessions more interesting than the plenary event. There are more details and more focused.
When Good Traffic Goes Bad: When is Application Traffic Too Much?
Daniel Peck from Digital Bond joined Tom Maufer of Mu Dynamics and Kevin McGrath of ABB in this presentation. Interesting denial of service examples from Brown’s Ferry Unit 3 Scram [too much traffic to a PLC], Amazon S3 [too many logins], and Ralph Langner’s OPC DoS paper from S4. Ralph showed how very long group names and too many client connections could exhaust all resources and cause a DoS. The OPC applications did not have any limits.
Vendors can improve the situation through rate limiting, syn cookies and source filtering, as well as beefing up their logging. Asset owners should consider quality of service measures, and maybe there is a case for looking at load balancing rather than purely redundancy?
Lots of good talk on the importance and methods for vendor testing, followed now by Mu doing a demo of some testing options with their product.
Guess what - - the demo didn’t work - - may have been for the best as the Q&A was more interesting.
Posted: 28 Aug 2008 10:47 AM CDT
Knujon has released a report detailing the illicit activities of a rogue internet domain registrar (sanctioned by ICANN no less) that is apparently responsible for a statistically significant amount of illicit internet traffic. The registrar in question is monikered Directi Group.
Posted: 28 Aug 2008 10:00 AM CDT
ICSA Labs Network IPS testing is not a once-and-done test. Instead products must maintain their certification once attained. There is an annual test as well as testing after the vulnerability set is updated. Fortinet's annual testing recently completed and they retained their certification for their FortiGate models. They are now in the midst of testing against the latest vulnerability set. See the report from annual testing.
Posted: 28 Aug 2008 09:41 AM CDT
So yet again we have a round of press concern about the security of the Internet infrastructure. This time the concern is BGP.
Posted: 28 Aug 2008 09:06 AM CDT
After my two posts on Tuesday explaining how Aircell was probably blocking VoIP and then why the Phweet/Tringme worked (temporarily), there have been a number of other posts that should be mentioned here:
Speaking of Aircell’s position, I did receive a nice note from someone with Aircell’s PR firm that stated this:
To a certain degree, this statement reminds you that at the end of the day Aircell is simply the service provider implementing the policy of the customer. So it’s really the American Airlines policy that has the VoIP prohibition….. but….
I could go along with that except for one minor little detail. The
If it was only created for American Airlines and will only be used by American flights, then sure, the Gogo ToS line up with the customer’s policy. If this is intended to be a generic service and American just happens to be the first customer then I think it’s a bit unfair for Aircell only to be pointing to American. It is, after all, Aircell’s ToS.
But perhaps that’s getting too far down in the semantic weeds…
Posted: 28 Aug 2008 09:03 AM CDT
Posted: 28 Aug 2008 08:17 AM CDT
After a long hiatus, I’m finally starting to get Blue Box episodes flowing again. I’ve just put up two in the past two days:
And I have some more special editions I’m looking to put out soon. This summer was a bit chaotic for me with a physical move from Vermont to New Hampshire, but I’m hoping things are now settled down enough that I can get back into regular production of these episodes….
Posted: 27 Aug 2008 10:45 PM CDT
Well that didn’t take long…
Enabling your passcode lock and setting up a certain home key shortcut could expose your iPhone if you’ve upgraded to version 2.0.2
Posted: 27 Aug 2008 06:14 PM CDT