Saturday, October 11, 2008

Spliced feed for Security Bloggers Network

NoScript ClearClick Warning (aka Clickjacking) [Nicholson Security]

Posted: 11 Oct 2008 01:04 AM CDT

I was on Google Video just now checking out the OWASP.TV videos from the conference in NYC, when I got a “ClearClick Warning” from NoScript. I know that NoScript added Clickjacking support, but this was the first time I had seen a warning. I checked the page with Firebug and didn’t see anything wrong. I am guessing it was a false positive, but now I’m just curious. Has anyone else seen the “ClearClick Warning” and, if so, was it correct or a false positive? Post your feedback in the comments.


Grecs’s Infosec Ramblings for 2008-10-10 [NovaInfosecPortal.com]

Posted: 10 Oct 2008 11:59 PM CDT

Say It Ain’t So Sarah! “People Who Live In Glass Houses Shouldn’t Throw Stones, You Betcha” [Vincent Arnold]

Posted: 10 Oct 2008 10:08 PM CDT

Panel: Palin abused power in trooper case

ANCHORAGE, Alaska (CNN) — Republican vice presidential nominee Sarah Palin abused her power as Alaska’s governor and violated state ethics law by trying to get her ex-brother-in-law fired from the state police, a state investigator’s report concluded Friday.

“Gov. Palin knowingly permitted a situation to continue where impermissible pressure was placed on several subordinates in order to advance a personal agenda,” the report states.

Public Safety Commissioner Walt Monegan’s refusal to fire State Trooper Mike Wooten from the state police force was “likely a contributing factor” to Monegan’s July dismissal, but Palin had the authority as governor to fire him, the report by former Anchorage prosecutor Stephen Branchflower states.

Source

VMware Acquires BlueLane: Further Differentiation Through Security [Rational Survivability]

Posted: 10 Oct 2008 05:00 PM CDT

From Virtualization.com comes the news that VMware has acquired BlueLane Technologies.

BlueLane is the maker of solutions that protect both physical and logical infrastructure, which includes ServerShield and VirtualShield. The company has of late focused wisely on the latter, which provides application-aware firewalling, inter-VM flow visibility and analytics, application policy control, and intrusion prevention capabilities.

Coupled with the introspection capabilities provided natively by VMware's vNetwork/VMsafe APIs, the integration of BlueLane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments.

The notion of enabling in-line patch-proxying as well as the "IPS-like" in-line vulnerability mitigation capabilities for VMs and additional VMM protection make this very interesting indeed. You can read more about BlueLane's approach on their website. I also interviewed Allwyn Sequeira on my blog.

VMware's acquisition of Blue Lane comes as no surprise. Earlier this month, before other bloggers reported rumors of Blue Lane's acquisition, I wrote that in order to continue to strengthen the underlying platform of the hypervisor itself, and as part of a successful differentiation strategy:

    VMware will make additional acquisitions in the security space.  Yes, I know this sounds
    heretical given the delicate balance most "platform" providers keep with their ecosystem
    partners, but VMware have already shown that they are ready to buy as well as build and
    ally with prior acquisitions and security will continue to be a key differentiator for them.
    They've done it once already with Determina, they'll do it again.


I think it's actually an excellent move, as it continues on the path of helping to ensure not only that the underlying virtualization platform is more secure, but that the elements that ride atop it are equally "security enabled" as well.

This point was at the heart of my debate with Simon Crosby, Citrix Systems' CTO (see here and here); focusing solely on VMM resilience and leaving the ISVs to sort out security was a bad idea. It leads to more silos, less integration, more complexity and overall a less secure environment.

We need a unified secure ecosystem to start with instead of worrying about securing the ecosystem's products.

From a business perspective it takes a mixture of resolve, market dominance, and confidence to cannibalize a section of your ecosystem, but it's the right thing to do in this case in order to offset competitive forces and help customers solve some really nasty issues.

I made mention of this point with emerging security ISVs at VMworld, and was asked several times whether I really thought VMware would do this. The odd question that inevitably came next was "where does that leave security ISVs like us?" You can guess my answer. Honestly, I'm sure most of them were hoping to be bought for the same reason.

So, will this cause a run on alignment to support Hyper-V over VMware? I don't think so. ISVs who were hinging their hopes for success solely on VMware understand this risk. Microsoft has no API facility like vNetwork/VMsafe, so the options for reasonable and rational installation of their products are limited. Citrix is in the same boat.

This is the reason my next set of VirtSec presentations will focus on Hyper-V.

On a side note, I was one of Blue Lane's first customers for their patch proxy product and have been an ardent supporter of their approach for many years, despite taking quite a bit of crap for it from purists and pundits who had difficulty rectifying the approach in comparison to traditional IPS products.

This is a good thing for VMware, VMware's customers and Blue Lane. Congratulations to the BlueLane team.

Chinese hackers gain access to World Bank [The Dark Visitor]

Posted: 10 Oct 2008 04:53 PM CDT

At least there seems to be evidence that two of the six major attacks originated from IP addresses inside of China:

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.


Closing thoughts for a Friday [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Oct 2008 04:47 PM CDT

Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.
  1. Has anyone paid attention to the sheer stupidity of public services lately with regard to data loss/theft? I mean, seriously! I have a Google Alerts "as it happens" notification set up for "security breach" +data, and if you haven't paid attention, there has been an absolutely stupefyingly overwhelming number of data breaches that involve our government or its entities in some way. Foreign governments, schools, social services - all losing laptops, getting hacked, and the toll is mounting. Last count we're somewhere in the 2MM+ records lost in the past few weeks. When will the carnage stop? (More on this in a future post as I have some serious research to do. If you'd like to help, ping me directly.)
  2. Cloud computing... so I was talking to a colleague and friend over at PureWire, and he is absolutely religiously convinced that in a short period of time (and I quote) ... "Everyone will be doing it [in-the-cloud security], it's inevitable". I tend to disagree; in fact, I think "In the Cloud" security is a bit of a scary proposition - but I'm hoping to have a 20-questions type of interview posted here on this blog with the folks that are running the gears over at PureWire.
  3. I'm finally going to get around to posting that interview I did with a "semi-ethical-DarkSEO dude" in the next few weeks when things settle down at the ranch a little. It's been sitting on my desktop, and everyone's been killing me to publish it - problem is - it's huge (10+ pages of good info, I think). Does anyone know where I can post it? I'll post part of the interview to the blog here as a teaser, and the rest to a site somewhere, as a PDF/paper. Your suggestions are welcome.

What the hell?!? [The Dark Visitor]

Posted: 10 Oct 2008 04:15 PM CDT

Dr. Antonio Nucci, Chief Technology Officer at Narus writes:

Last April, a politically motivated Chinese blog called "The Dark Visitor” rallied hackers to launch a DDoS attack on CNN.com for its coverage of the relationship between China and Tibet.

Just CRAP!!!

Filed under: Evil and/or Stupid (for the latter)


Interesting Information Security Bits for 10/10/2008 [Infosec Ramblings]

Posted: 10 Oct 2008 03:03 PM CDT


Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. The Ethical Hacker Network - Scooby Doo and the Crypto Caper
    Ed Skoudis has another hacker challenge up.
  2. Frame Injection Fun | GNUCITIZEN
    Interesting article about frame injection along with some toys to play with.
  3. Event Registration (EVENT: 115053)
    The next Blackhat Webinar is next week. Sign up now.
  4. Turbo-charged wireless hacks threaten networks * The Register
    It’s getting easier and cheaper to build machines that can more quickly break Wi-Fi encryption.
  5. Metasploit Hacking Tool Now Open for Licensing - Desktop Security News Analysis - Dark Reading
    Metasploit is now as open source as it can be.

That’s it for today. Have fun!
Kevin

Posted in Interesting Bits

Twibble — The holy grail of Twitter mobile [Srcasm]

Posted: 10 Oct 2008 01:12 PM CDT

If you’ve known me for more than about, oh, 5 minutes, you’ll know that I’m always connected to the internet. I live, breathe and eat bits (not my cat) and bytes for breakfast and I love to chew on the latest and greatest Web 2.0 awesome-taffy that I find every day. That’s why I was so excited when I found the greatest Twitter app for Blackberry (or Nokia, Sony Ericsson or any Java-capable mobile device) AND a great Twitter desktop app to boot.

Twibble (by spider labs GmbH in Hamburg, Germany) brings simplicity, convenience, power and control all into one tiny mobile application.  Not only does it work properly (auto updates, vibrate/alert on direct messages and @replies) but it also provides some pretty awesome additional features that I haven’t seen in the mobile Twitter application realm (at least not for Blackberry):

  1. Send a tweet via your data plan or SMS! — Why is this important?  Well, sending a tweet takes data.  For many people, they don’t have unlimited data plans so being able to send via SMS could save some moolah.
  2. GPS/Location awareness — Twibble can not only update your status or your location based on your GPS coordinates, but it also has built-in support to map where your Twitter friends are. Simply click on a user and choose to locate them on a map and off it goes.
  3. Auto-refresh — This feature sounds simple but I have yet to find a Blackberry Twitter app that properly refreshed both tweets, DMs and @replies automatically in the background.
  4. Hotkey support — While using Twibble, you could navigate the large and comprehensive menu structure or you could use some of their hot keys.  Press 2 or “R” and you’ll form an @reply to the person, 3 or “D” will direct message the current user you’re highlighting and 1 or “T” starts a brand new tweet (which can then be sent via SMS or data)!
  5. Data savings — Not only does Twibble help to save data by Tweeting via SMS, it also only retrieves the latest tweets.  Some applications refresh all three timelines (making 3 API calls) to get your DMs, @replies and latest updates.  Twibble doesn’t.
  6. Integrated twitpic support — While posting a tweet, you can select an image off of your phone and upload/reference it automatically in your tweet. Nice for the on-the-go web reporter.

There are a bunch of other neat features that Twibble mobile provides and you can check them out on the product page.  What I was surprised to learn was that Twibble also made a desktop Adobe AIR client as well.  This client is cleanly designed, supports multiple accounts and follows some of the same shortcuts and features that Twibble mobile has.  This makes the transition from desktop easy and fun.

Personally, I would pay for this app (maybe $10-$20) because it’s that good. What do you think of Twibble? What are some other clients that you have used?

Why MSSPs are going to rule the SMB/SME roost [StillSecure, After All These Years]

Posted: 10 Oct 2008 11:54 AM CDT

I don't think there are too many people who disagree that the MSSP model of providing security is a valid and growing segment of the security business. Recently, I have been giving a lot of thought as to whether this is just a pendulum type of swing that will soon swing the other way or if it is more fundamental. I am coming to the conclusion that it is more fundamental. To be clear, I am not talking about SaaS. I think there is a big difference between what a company like Qualys does in SaaS and what a true MSSP does. When I say MSSP, I mean actively managing the security, not just providing software over the web.

Here is a great illustration of why I think the MSSP model is fundamentally here to stay and right for certain segments of the market. Last night we went over to a friend's house for a social gathering. I was speaking to one of the guys there who I see maybe once or twice a year. He again asked me what it is I do for a living (how many security people get that question often). That brought up the whole topic of computer security.

This gentleman runs a business that signs up people for satellite TV services, among other things, and then is a certified installer for these services. Some of us, I am sure, have received spam from some of the less scrupulous in that field. This guy has been at it for many years and has a very successful business. He told me because he "takes credit cards and all that" he was told he needed to have security. "You know, firewall and intrusion prevention and all that", was what he told me. He looked into using open source security tools that were "free". His tech people couldn't make that work. He looked at commercial products too. Besides the cost of buying the product, the time and expertise needed to make them run was beyond his IT people and not really what he wanted them working on. Through the data center where he hosted his web servers, he was turned on to an MSSP. For between 500 and 1000 dollars a month "they protect him 24/7 and he doesn't have to worry about it". For this businessman, it was a no-brainer. You know what, given this set of facts, it is a no-brainer. Unless or until something fundamental changes in that equation, the MSSP model is here to stay.


Appearance on Bill Brenner's CSO Online Podcast [StillSecure, After All These Years]

Posted: 10 Oct 2008 09:44 AM CDT

As you may know Bill Brenner, senior editor for CSO Online was our guest on a recent StillSecure, after all these years podcast.  I also recorded a podcast with Bill for CSO Online on P2P, LimeWire, Facebook, etc.   It was posted this week on CSO Online and you can listen to it here.

Bill is a guy who, besides reporting and writing on security, actually lives it. Always good to speak with him!

A comment on the Google energy plan worthy of your time [StillSecure, After All These Years]

Posted: 10 Oct 2008 09:16 AM CDT

One of the best things about blogging is the feedback I receive from people who comment. For those of you reading this, reading blogs without commenting deprives the blog of a vital piece of the equation it needs to be robust. I try to answer most comments to continue the dialogue. Every once in a while, a comment is, I think, so important that I will give it its own post. Such is the case with a comment that fellow security blogger Bill Gross made on my post around Google's energy plan.

So without further ado, here is Bill's comment:

This is a perspective piece -

Though I'm all for green electricity, I think that we need to put production in perspective.

Coal currently produces something like 45% of our electricity, and according to the IAEA, by 2050 it's targeted to produce close to 60%.
We can change this, but the role of wind and solar will take a great deal of careful reworking of our "energy system".

Background:

Bulk Energy Production falls into two categories:
1) Base load energy - this is the minimum amount of energy needed on the grid over a period of time. If you charted a day's energy consumption, you will see peaks and valleys. Anything below the valleys is generally produced by bulk-load generators - nuclear, large scale coal, etc.

2) Peak load energy - provides the energy needed to meet the fluctuating demand on the grid. When someone turns on a light, there is a plant someplace generating 60 watts more electricity.

Base load plants generally cannot be peak load. It's hard to quickly change the power output of large facilities. Base load plants also produce the bulk of power, and hence tend to be plants with the lowest fuel costs. Base load plants operate at very high "capacity factors" - they run as hard as they can, for as long as they can - hence the desire to use low-cost fuel.
Peak load is generally provided by plants with higher fuel costs. They run at fairly low capacity factors - and hence they are not as hurt by high fuel costs.

That's all well and good, but how do wind and solar fit into the mix?

Good question. Both "fuel sources" are "intermittent" and cannot be relied on to provide a reliable source of energy. This is a byproduct of the fuel source reliability and the demand curve. Is the fuel source available when the demand is there?
Since we currently have no way to store bulk electricity, wind and solar cannot replace our current energy production capacity, per se. I.e., if you build 1MW of wind, you need to build 1MW of reliable production - because - what happens if the wind ain't blowing?

That said, most peak load in the US is produced by high carbon emitting production. To the extent that wind and solar can reduce the power requirements on these plants, we can reduce CO2 emissions, but we cannot eliminate the production capacity.
The last issue that needs to be addressed with wind and solar - moving the electricity from production to consumption - building high voltage is a tough problem, and very expensive. We'd need to solve that problem.

In general, wind is more reliable at night. What would be cool - charge your hybrids at night - we can increase the capacity factors of wind by using it while it's most abundant.


If, like me, you are interested in the energy problems we face as a country and "drill, baby, drill" is not a sound enough policy for you, Bill recommends this blog: neinuclearnotes.blogspot.com from the folks over at the Nuclear Energy Institute.

Apple Security Update 2008-007 [Random Thoughts from Joel's World]

Posted: 10 Oct 2008 08:40 AM CDT

I wish my 1000th post on the blog was way more insightful than this, but it's not going to be. I'll have to write something that really reflects a 1000th post. But it will be 1001.


Introducing Apple Security Update 2008-007. Just released last night:

Security Update 2008-007
  • Apache

CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Apache 2.2.8

Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/

  • Certificates

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Root certificates have been updated

Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • ClamAV

CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in ClamAV 0.93.3

Description: Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems. Further information is available via the ClamAV website at http://www.clamav.net/

  • ColorSync

CVE-ID: CVE-2008-3642

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. Credit: Apple.

  • CUPS

CVE-ID: CVE-2008-3641

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user

Description: A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges. This update addresses the issue by performing additional bounds checking. Credit to regenrecht working with TippingPoint's Zero Day Initiative for reporting this issue.

  • Finder

CVE-ID: CVE-2008-3643

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A file on the Desktop may lead to a denial of service

Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

  • launchd

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Applications may fail to enter a sandbox when requested

Description: This update addresses an issue introduced in Mac OS X v10.5.5. An implementation issue in launchd may cause an application's request to enter a sandbox to fail. This issue does not affect programs that use the documented sandbox_init API. This update addresses the issue by providing an updated version of launchd. This issue does not affect systems prior to Mac OS X v10.5.5.

  • libxslt

CVE-ID: CVE-2008-1767

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.

  • MySQL Server

CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in MySQL 5.0.45

Description: MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html

  • Networking

CVE-ID: CVE-2008-3645

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may obtain system privileges

Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.

  • PHP

CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in PHP 4.4.8

Description: PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.

  • Postfix

CVE-ID: CVE-2008-3646

Available for: Mac OS X v10.5.5

Impact: A remote attacker may be able to send mail directly to local users

Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.

  • PSNormalizer

CVE-ID: CVE-2008-3647

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PostScript files. Credit: Apple.

  • QuickLook

CVE-ID: CVE-2008-4211

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution

Description: A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files, which may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Microsoft Excel files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

  • rlogin

CVE-ID: CVE-2008-4212

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Systems that have been manually configured to use rlogin and host.equiv may unexpectedly permit root login

Description: The manpage for the configuration file hosts.equiv indicates that entries do not apply to root. However, an implementation issue in rlogind causes these entries to also apply to root. This update addresses the issue by properly disallowing rlogin from the root user if the remote system is in hosts.equiv. The rlogin service is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. Credit to Ralf Meyer for reporting this issue.

  • Script Editor

CVE-ID: CVE-2008-4214

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may gain the privileges of another user that is using Script Editor

Description: An insecure file operation issue exists in the Script Editor application when opening application scripting dictionaries. A local user can cause the scripting dictionary to be written to an arbitrary path accessible by the user that is running the application. This update addresses the issue by creating the temporary file in a secure location. Credit: Apple.

  • Single Sign-On

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: The sso_util command now accepts passwords from a file

Description: The sso_util command now accepts passwords from a file named in the SSO_PASSWD_PATH environment variable. This enables automated scripts to use sso_util more securely.

  • Tomcat

CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Tomcat 6.0.14

Description: Tomcat on Mac OS X v10.5 systems is updated to version 6.0.18 to address several vulnerabilities, the most serious of which may lead to a cross site scripting attack. These issues only affect Mac OS X Server systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

  • vim

CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-2712, CVE-2008-3432, CVE-2008-3294

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in vim 7.0

Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/

  • Weblog

CVE-ID: CVE-2008-4215

Available for: Mac OS X Server v10.4.11

Impact: Access control on weblog postings may not be enforced

Description: An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X Server v10.4. Credit: Apple.
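The Finder entry above describes a crash-loop denial of service that Apple mitigated by generating icons in a separate process. As an added illustration (not Apple's code and not from this post), here is a hypothetical Python supervisor that applies the same pattern: a stand-in icon generator runs in a child process, and a file that crashes the child is quarantined so the host never re-enters the crash loop. The names `generate_icon`, `IconService` and the constructed "BAD" payload are assumptions made for the example.

```python
import multiprocessing as mp
import os


# Hypothetical stand-in for the icon generator; the "file" is just bytes.
# A constructed crafted input (any payload starting with b"BAD") aborts the
# process, mimicking a native crash inside a thumbnail/icon parser.
def generate_icon(data: bytes) -> int:
    if data.startswith(b"BAD"):
        os.abort()          # SIGABRT, like a crash in unsafe parsing code
    return len(data) % 256  # some "icon" result derived from the file


def _worker(data: bytes, conn) -> None:
    # Runs inside the child; a crash here kills only the child.
    conn.send(generate_icon(data))
    conn.close()


class IconService:
    """Supervisor mirroring the Finder fix: every icon is generated in a
    separate process, and a file that crashes the worker is quarantined so
    the host process is not dragged into an endless terminate/restart loop."""

    def __init__(self, timeout: float = 5.0) -> None:
        self.timeout = timeout
        self.quarantined = set()   # names of files that took a worker down
        self.crashes = 0           # how many worker crashes were observed

    def icon_for(self, name: str, data: bytes):
        # Never retry a file that already crashed a worker.
        if name in self.quarantined:
            return None
        recv_end, send_end = mp.Pipe(duplex=False)
        child = mp.Process(target=_worker, args=(data, send_end))
        child.start()
        send_end.close()            # parent keeps only the read end
        result = None
        try:
            # If the child dies before sending, the pipe hits EOF and
            # recv() raises EOFError instead of blocking forever.
            if recv_end.poll(self.timeout):
                result = recv_end.recv()
        except EOFError:
            result = None
        child.join(self.timeout)
        if child.is_alive():        # hung worker: kill it and treat as failure
            child.kill()
            child.join()
        if child.exitcode != 0:
            self.crashes += 1
            self.quarantined.add(name)
            return None
        return result


if __name__ == "__main__":
    svc = IconService()
    print(svc.icon_for("notes.txt", b"hello"))        # 5
    print(svc.icon_for("evil.bin", b"BAD\x00\x01"))   # None: worker crashed
    print(svc.icon_for("evil.bin", b"BAD\x00\x01"))   # None: skipped, no new crash
    print(sorted(svc.quarantined), svc.crashes)       # ['evil.bin'] 1
```

The host keeps serving icons for other files after the crash, which is exactly the property the pre-fix Finder lacked.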


The psychology of access control [Kees Leune]

Posted: 10 Oct 2008 08:37 AM CDT

Most businesses that are serious about identity management and logical access control have adopted Role-Based Access Control (RBAC) as a model to govern who has access to what.

In its simplest form, RBAC is straightforward: an individual should be assigned permissions not based on who he is, but based on which role he plays. The role-based access control model has been extensively researched (including by me) and the mechanics of the approach are fairly well understood.

However, paying attention to how a technology is used is just as important as having that same technology available in the first place. In other words, the psychological factors surrounding the adoption and use of an access control model deserve as much attention as the model itself. I wish I had realized this when I was doing my PhD research.

Shrdlu wrote a post that reveals that she "gets it":

"When you assume a role, you're putting in a layer of separation between yourself as an individual and the entity you're interacting with."

This observation is extremely true.

As soon as that separation between "Jane" and "Receptionist at my doctor's office" is made explicit, Jane (who is normally presumed to be a very friendly lady) may turn into someone on wheels.

The ability to hide behind a facade is well-known: judges do it by robing and/or wigging, military and police do it by donning uniforms, and there are many more examples of separating person from role.

RBAC, or any other access control model for that matter, does not explicitly acknowledge that.

"So as the use of roles increases, and as the distance increases between you and your user (geographically, organizationally and sociologically), the less likely it becomes that your system security will rest in the hands of individuals.  The perimeter isn't just wider; it's diffused to the point where it really is gone."

Go read the post. Even better, subscribe to the rss feed.

WiFi is no longer a viable secure connection [Vincent Arnold]

Posted: 10 Oct 2008 08:31 AM CDT

Dan Raywood
October 10, 2008

Metasploit 3.2 drops commercial license restriction [Nicholson Security]

Posted: 10 Oct 2008 01:58 AM CDT

It seems that Metasploit 3.2 will be sporting a BSD 3-Clause license.  That basically means that MSF can be forked or modified and repackaged and sold by commercial entities.  The 3-Clause license basically means that the source code and binaries keep the copyright but they can’t say the mutant product is endorsed by HD.

DarkReading has an article about it and one of the ideas tossed around is Core Impact integrating MSF into their tool.  Aside from the thousands of dollars that Core costs, the lack of reporting functionality is one of the reasons MSF is kept in the shadows with researchers and pen-testers.  MSF is awesome and I’m a big fan of it and look forward to all its bastard children.  But, if someone can take MSF and create some awesome reporting tools, that would rock.  I have always thought someone should build some reporting plug-ins for MSF; maybe someone will now.

I would like to know what you think about the MSF license change in the comments.


Data Security in Financial Crisis [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Oct 2008 12:40 AM CDT

If you've not looked up from your screen in a while - there is a major world-wide recession underway. When you look around and see a company like Lehman Brothers basically out of business, the first instinct is to panic because the financial markets are clearly crumbling.

Rich Mogull's write up on securosis.com entitled "Impact of the Economic Crisis on Security" was definitely worth a read, if you've not gotten a chance to read it yet. After you read Rich's blog entry... think about this: what's happening with all the data that's being "liquidated"? Scary isn't it. Those behemoths of Wall Street hold terabytes of information - PII (personally identifiable information) of all types.

Once again I think we're right to rant and rave about how those CEOs should be behind bars, or worse - but let's consider the data. The data, or what's happening (or going to happen) to it, is what's scaring me to death. I actually have data, my personal information, at some of those failed firms all over the place. When they're liquidated, or parted off and sold... is there a governing body somewhere that's keeping track and making sure disks are wiped clean, digitally shredded so they can't be used in fraud or identity thefts? All the government oversight we're proposing today, and the $700Bn (that number boggles my mind) "bailout" and not a single mention of information management anywhere in there.

I think there is a much deeper crisis here than just collapsing financials - because like it or not that ship will list and right itself, eventually (likely at the expense of you and me, the taxpayers) but the data that's mis-handled, lost, stolen and forgotten about... who's going to bail ME out when my identity is stolen as a result?

Anyway... thought I'd just share what's on my mind. Feel free to reply, comment and rant with me.

Grecs’s Infosec Ramblings for 2008-10-09 [NovaInfosecPortal.com]

Posted: 09 Oct 2008 11:59 PM CDT

Interesting Information Security Bits for 10/09/2008 [Infosec Ramblings]

Posted: 09 Oct 2008 07:16 PM CDT


Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Network Security Blog >> Step by step guide to the DNS vulnerability
    Martin points us to a good walk-through of the DNS vulnerability that Dan Kaminsky discovered. As he says, it is very complete.
  2. Matasano Chargen >> Blog Archive >> I broke Opera
    Looks like it’s time to patch Opera.
  3. Firefox add-on blocks ‘clickjacking’ attacks
    The latest version of Noscript protects against at least some clickjacking attacks.
  4. How botnets use ‘bullet-proof’ domains | News - Security - CNET News
    Article pointing to a new study that digs into why it is getting harder and harder to shut down botnets.

That’s it for today. Have fun!
Kevin


BA-Con and Ekoparty 2008 [DVLabs: Blogs]

Posted: 09 Oct 2008 01:43 PM CDT

Posted by Aaron Portnoy

Having sufficiently recovered from my week-long trip to Buenos Aires, it's time to spread the word about some of the innovative research presented at Argentina's two most prominent security conferences. My coworker Ali and I first attended BA-Con, the newest conference venture from Dragos Ruiu (of CanSecWest, PacSec, and EUSecWest fame). Some of the highlights included an entertaining (and at the same time depressing) talk from Harri Hursti regarding the current and past state of eVoting procedures and architecture. Harri described such design flaws as global master keys, poor encryption, default passwords, methods by which one can simply obtain administrative access to some of the machines, and even what he referred to as--if memory serves--101 class bugs in the software.

We also attended an informative talk by Hendrik Scholz entitled "All the Crap Aircrafts Receive and Send". Hendrik's presentation discussed the structure of the plaintext protocol airplanes use to communicate with ground crew and airports. From the audience Cedric Blanchard voiced a hilarious example of how this could be abused by spoofing a request for 20 new seats for the incoming airplane, the result being a ground crew with the necessary equipment awaiting the plane's arrival on the tarmac.

Following this talk was Jose Orlicki with his presentation about social networks. Jose implemented a library that enables one to scrape social networking sites and search engines to profile individuals and map out their relationships with others. You may remember Maltego which does similar data gathering. Jose showcased his implementation by demonstrating a chat bot that impersonated one of his target individuals by utilizing vocabulary similar to their own using his gathered data. His entertaining case example was an Ivan Arce bot chatting with characters from the Matrix movie.

I wasn't able to attend Julien Vanegue's talk, "Hacking PXE without reboot (using the BIOS network stack for other purposes)", as I was preparing for our talk that immediately followed it. I was told the slides will be available on the BA-Con website some time soon.

Following BA-Con was ekoparty which is now in its 2nd (public) year. Ekoparty talks were hosted on a theater stage and were packed with somewhere around 300 attendees. The conference also ran a wargame called Packetwars and a lockpicking competition which was won by Hugo Fortier, one of the organizers of Recon.

We originally had trouble locating the conference so we missed out on some of the talks we would have liked to have seen. One such talk was Julien Vanegue's presentation on Evarista, a piece of software based on the ERESI framework. The ERESI framework implements an intermediate representation that enables one to more easily perform runtime and static analysis. Julien's Evarista is focused on static analysis and is the same research as documented in Phrack issue 64, article 8.

We did catch some good presentations on day two, including a talk from Nelson Murilo and Luiz Eduardo on a new wifi monitoring tool dubbed Beholder. Following their talk was Hugo Scolnik, a mathematics professor, who talked about a possible new method of factoring numbers in an attempt to attack RSA encryption. His talk was in Spanish but math is universal and so his slides conveyed some aspects of his approach. However, I'll wait until someone translates his work before attempting to comment on its validity.

Following the conference lightning talks were given at a local pub. Most were in Spanish and I am far from fluent. However, Andrew Cushman from Microsoft's Research Center did give a quick rundown of some of the new Microsoft initiatives first announced at Blackhat this year.

Both events had a great turnout and interesting presentations. The security community in Argentina is definitely thriving with such companies as Core and Cybsec headquartered there. Hopefully these conferences will continue to put the spotlight on the region and we personally look forward to attending both conferences next year.

Passpack and Twitter at last. Rejoice! [Srcasm]

Posted: 09 Oct 2008 01:21 PM CDT

Passpack rolled out with a great new feature…  Now everyone with a Twitter (or FriendFeed) account can log right into Passpack in under 25 seconds!  (Check out the nifty 24 second screen cast.)  How awesome is that?  Today seems like a great day to start securing your online accounts with stronger, longer and better passwords with Passpack’s help.

MindshaRE: First Things First [DVLabs: Blogs]

Posted: 09 Oct 2008 12:59 PM CDT

Posted by Cody Pierce
This week on MindshaRE we want to share some of the things we do when beginning a reversing project. Some of these are obvious, and some may be new. It all serves the purpose of creating a solid foundation for the hard work to follow.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history.

It is important to know as much about your target as humanly possible before you start reverse engineering anything. By doing this we have a better understanding of how things "probably" work. Getting insight through available documentation on the net or included with the product is our first stop.

We often scour the vendor's site, focusing on any technical documents available. This can give us solid ideas about what we are attempting to reverse. Especially when doing vulnerability analysis it is imperative to dig into the setup and use of a product, also keeping in mind support forums and general problems people may have. If bugs exist in normal day to day operation, exploitable security bugs may not be too far behind.

We must also first understand how all the components work together before we can break down a single binary. This again can be gleaned from installation or operation documentation. More often than not a vendor will have an "Administration Guide" or "Installation Guide" that will help us get a feeling for the larger picture.

Once we have established a good understanding of how the binary works in its respective environment we open the binary in IDA and take a deep breath. After letting IDA do its auto-analysis we begin to navigate the binary. During this time we are not trying to read any of the assembly, but instead make sure IDA did its job well by looking for unidentified functions, ambiguous blocks of unidentified data, and various other common analysis mistakes.

Spending some time making sure IDA has done its job again gives us a solid foundation to work from. If we are trying to actually reverse a binary, and have to stop every ten seconds to fix a function, or cross reference, it tends to slow us down more than investing the time in an initial fix-up stage.

Once we feel comfortable with the disassembly we check out each section, looking to see how much code exists, how much data exists, what the read only section looks like, and most importantly the import section.

The import section is often the first time we really pay attention to the information in the binary, and not just the disassembly. By looking at the library calls that occur in the binary you can get a great idea of what the binary does. For instance seeing the library call InternetOpenUrl tells us in an instant that at some point this binary will access an outside resource (most likely an HTTP URL). Some of the interesting family of imports we tend to look out for are sockets, files, windowing, debugging, and often misused string libraries.

After we get a feel for the libraries being used we'll typically jump over to IDA's strings window. Like the imported libraries, the strings being referenced can tell a story about the binary's inner workings. It's prudent to always keep an eye out for descriptive strings like debugging messages or verbose logging options. Finding strings like this, as we have discussed in previous MindshaRE articles, can be a boon for a reverse engineer. The idea is to constantly be getting a feel for the binary as a whole, and how it works on a level just above the actual assembly code.

Next, we typically quickly move through the data section looking for vtables or other important data structures that may catch our eye. For instance, if we see a vtable with a large number of code cross references we can make a mental note for when we encounter these while reversing their use. We also spend some time fixing up the data types. IDA tries to correctly identify type information in the data section, but it always errs on the side of caution. We will create dwords where seen fit, and define any other obvious structures, always making mental notes.

Now that we have gained a little understanding from a higher level we will dig into the actual assembly. It is of the utmost importance that we set a goal, or a set of questions we want to answer, before really diving into the assembly. Our goal must be well defined and outlined. Sticking to this goal will always keep us moving forward and not get distracted. Here are some of the common goals our team is specifically interested in when performing binary audits:
  • How does this process receive network data?
  • How does this process parse network data?
  • How does this process interact with the user?
  • Does this process use a database?
  • Does this process use RPC or any other remoting method?
  • Does this process contain encryption routines?
Some of these goals can be easily answered. The point is to make sure you know why we are reverse engineering this particular piece of code. It will help us locate the interesting functions, and drive us towards that answer.

With that said, one of the first things we do is look at the most cross referenced functions. By doing so, our efforts will always help future endeavors. Let's say we have a function that is called 4000 times throughout the binary. If we identify that it is a memory allocation routine, we have just made those other 4000 functions that much easier to understand. These common functions are the building blocks for more complex code we may encounter later.

So we are finally at our "starting" point. This is where a generic approach can no longer be described. Each goal, or question we try and answer will need special attention and may rely on varying techniques. For things like auditing network protocols we like to start at the reception of a packet. For RPC functions we begin by identifying the registration of client and server interfaces. It really depends on what we are trying to achieve, but the idea is to use the information we spent time in the beginning gathering. Hopefully by now you have a good understanding of the playing field.

If you notice, we tend to work from the top down: high level documentation all the way down to the actual assembly code being executed by the processor. In our experience this is the best way for the human mind to actually understand what we are looking at. It also has proved the easiest, and most rewarding for us. As reverse engineers we take all the information we can get. This lessens our need to extract each and every clue from the assembly level, which is often very time consuming.

To summarize it all, learn everything you can about the process before you start. Make sure you have a solid base to work from. And finally, outline a goal so that you can stay focused and make progress.

Leave a comment with some additional ideas. We would love to add to our repertoire.

-Cody
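A first-pass triage script in the spirit of the steps above (the strings window and the most cross-referenced functions), added here as an example and not DVLabs' own code. The byte blob and the xref pairs are constructed sample input; the string tags are this example's own heuristics, and `hot_functions` takes the (caller, callee) pairs you would otherwise pull out of IDA's cross references.

```python
"""First-pass triage helpers for a reversing project: a strings-window style
extractor that flags descriptive strings, plus a fan-in ranking of callees.
Added example; not DVLabs code."""
import re
from collections import Counter

MIN_LEN = 5  # shortest run worth listing

# Printable-ASCII runs, and UTF-16LE runs of printable ASCII (what IDA lists as
# unicode strings). The lookbehind keeps a UTF-16 match from swallowing the last
# byte of an ASCII string that ends right before it (e.g. "...%s\0C\0:\0").
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# printf-style conversion specifiers: a string carrying these is usually a
# log/debug message and points at the code that formats user-controlled data.
FORMAT_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcsp]")
DEBUG_HINTS = ("debug", "verbose", "trace", "assert", "warning", "error")


def extract_strings(data):
    """Return (offset, encoding, text) tuples, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def tag_string(text):
    """Heuristic tags for the 'descriptive' strings the post says to watch for."""
    tags = []
    low = text.lower()
    if re.match(r"^[a-z][a-z0-9+.-]*://", low):
        tags.append("url")
    if re.match(r"^(?:[a-zA-Z]:\\|/)", text):
        tags.append("path")
    if FORMAT_RE.search(text):
        tags.append("format")
    if any(h in low for h in DEBUG_HINTS):
        tags.append("debug")
    return tags


def triage_strings(data):
    """Strings worth a first look: those that picked up at least one tag."""
    out = []
    for off, enc, text in extract_strings(data):
        tags = tag_string(text)
        if tags:
            out.append((off, enc, text, tags))
    return out


def hot_functions(xrefs, top=3):
    """Rank callees by fan-in, given (caller, callee) pairs from the xref data."""
    return Counter(callee for _, callee in xrefs).most_common(top)


# Constructed sample "binary" slice: an import name, a debug message, a UTF-16
# path, some junk bytes and a URL (.invalid is a reserved placeholder TLD).
SAMPLE = (
    b"\x90\x90\x00MZ\x00\x00"
    b"InternetOpenUrlA\x00"
    b"[DEBUG] recv() returned %d bytes from %s\x00"
    + "C:\\Logs\\server.log".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ab\x00"
    + b"http://update.example.invalid/check\x00"
)

# Constructed xref pairs in the shape IDA would give: sub_405000 is the kind
# of helper (called from everywhere) worth identifying first.
SAMPLE_XREFS = [
    ("sub_401000", "sub_405000"), ("sub_401020", "sub_405000"),
    ("sub_4010a0", "sub_405000"), ("sub_401000", "recv"),
    ("sub_401020", "recv"), ("sub_4010a0", "strcpy"),
]

if __name__ == "__main__":
    for off, enc, text, tags in triage_strings(SAMPLE):
        print(f"{off:#06x} {enc:8} {','.join(tags):14} {text}")
    for name, n in hot_functions(SAMPLE_XREFS):
        print(f"{name}: {n} xrefs")
```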

Social Engineering Challenges Back [Room362.com]

Posted: 09 Oct 2008 12:34 PM CDT

I got an overwhelming response to me stopping the social engineering challenges, which far out-shadows the large response I got against the challenges. In other words, the “AYE”s have it. As soon as my Maltego series comes to a close I will be starting the challenges back up again. Thank you for your support and I look forward to the continuation of the challenges, I really had fun with the first one.

Also, if you have ideas for scenarios, please email me or hit me up on twitter. Include as much detail as possible, especially with the answer. Or, if you want to, leave the answer out, and we’ll see what we come up with.

Thanks again,
mubix

Jasager - Past - Present and Future [Room362.com]

Posted: 09 Oct 2008 10:32 AM CDT

If you haven’t heard already about Jasager.. well you probably don’t read this blog, but for those who want to know a bit more about the history of Jasager - Karma on the Fon, where the project is now, and where it’s headed, then buckle up, and hang on while we first travel down memory lane.

History:
The time was ShmooCon 2006. It was my very first “HACKER” convention. I was there with my buddies from Hak5 and SploitCast. I just so happened to sit in a talk by Dino (A. Dai Zovi). He was talking about Karma, his project that basically sat in the middle of wireless connections and instead of picking out the special bits directed his way, Karma accepted and responded to them all. I was in love, no not with Dino, but the project. I wrote theta44.org in my notebook (the site Dino noted to find out more) and continued on with the craziness that is any con. Having no money to invest in a wireless card that could handle Karma that page with theta44.org kept hounding me.

In early 2007, boxgamex (a gentleman from the Hak5 community) sold me a little Fonera router. What’s the first thing I did? Hack it, put OpenWRT and DD-WRT on it. But one day that page in my notebook showed up again and reminded me of Karma. I looked on Dino’s page and was appalled to find that the project hadn’t gone anywhere. Did no one see the potential that this project had? Putting 2 + 2 (=5) I decided to put Karma on the Fon for an ultra portable wifi attack tool. Well, I am by no means the Killer Coding Ninja Monkey that either Dino or Robin Wood are. I scripted my way into it working for one target at a time. The problem? I did all the work on the Fon. You can see where this is going. At DEFCON 15, I brought my scripted up Fon to test it out in the shark infested waters (Wall of Sheep addition?). Got excited to be there, booted the Fon up in my room, connected to the Fon and changed a setting. The Fon bricked. No proof that I had done anything, didn’t even get the chance to test it out.

I explained what had happened to my friend Darren Kitchen, and the project really sparked in him. He talked to the Killer Coding Ninja Monkey that I mentioned before, Robin Wood, and before you know it, the project was renewed under a new name “Jasager”, and this time with a better hand at the wheel.

What was the point of this history lesson? If you have an idea, and someone else has done it, take it to the next level, and if you don’t have the time, find a partner who does. Enough history, let’s get some information.

Here is the home page of Jasager: http://www.digininja.org/jasager/index.php
HINT: Robin Wood’s main site, while lacking style has some things that you also want to check out. (digininja.org)

If you like reading, here is Darren’s blog post on how to get Jasager going
If you are more of a visual person, check out episode 405 of Hak5

And if you have problems or want to discuss options and configurations with other Jasager users, check out the Jasager Forum

Back to the Future:
MITM (Man-In-The-Middle) attacks on computer systems have been around since the dawn of time. The natural (rapid) progression of security attacks made it guaranteed that MITM would hit Wireless just as hard.  If you have ever talked on a CB Radio, you know the frustration when the kids with the high powered antenna start playing the Mortal Kombat soundtrack over the CB without letting up the talk button. This is a simple example of how Jasager works. It gets in the middle of wireless communications. How do you protect against something like that? I don’t know. I don’t believe that there is a protection for Jasager or Karma (again, released in 2006). Where is Jasager heading? I think that adding the functionality of Karmetasploit (H.D. Moore’s project) to a portable device and then maybe shipping that device like the guys over at Errata Security did with an iPhone, would be one dangerous route. Or putting it in a box like Richard Mogull did. Or in a wall like Larry Pesce did.

To the future? What if I could put this whole project on a USB stick that didn’t do anything but draw power so it could run Jasager + Karmetasploit? Maybe running it on the NeoPwn? The possibilities are endless with this project. For all those feed readers out there, you can keep up with the latest and greatest from Robin Wood and the Jasager project via their RSS feed.

You’ve organized your passwords, now on to your projects [Srcasm]

Posted: 09 Oct 2008 10:31 AM CDT


Time - Project management

I was talking with a friend the other day about his current dilemma.  He’s trying to roll out a difficult project with multiple people interacting and he has a very short time line.  His question to me was simple, “How would you organize the project?”  I had to take a minute to think about this as it’s not as simple as I had originally thought.


On one hand, the ‘ol pencil and paper method (or the digital form of it) could be a great solution.  Draw out the designs, flows and write out the text on a digital whiteboard of sorts.  Everyone can put their hand into the virtual jar and pull out a piece to work on and update that central repository when they get through their step.  The one major flaw in this model that I see is that there is no organization of ideas.  It’s too easy to flip from one piece to another without ever actually completing any of the steps properly.  The advantage to this method is it’s visually appealing and it allows for people to get the whole picture of what the project contains.

On the other hand, a tool like Google Spreadsheets or Basecamp could come in handy.  It’s organized by project, then to-dos and finally has milestones and whiteboards to keep even more info on the project.  This is great but also has its ups and downs.  The disadvantage is this format can be too structured.  Some people can’t comprehend the number of levels of information that are available in a site like Basecamp.  Combine this listing of info with the whiteboards, attachments and even multiple projects and you could be in over your head in stuff.  The advantage to this method is its pure organizational structure.  Everything can be nested, linked and individually displayed.  This means that if I assign task A to you and task B to me, we won’t be drawn away by the shiny pieces of task C as easily.

Both of these methods make for great solutions to project management but I’m sure that there are a million and one ways out there to accomplish this.  How would you do it?  What do you see as some of the pitfalls to tools like Basecamp or things like pencil and paper?

China Internet Security Forum 2008 [Telecom,Security & P2P]

Posted: 09 Oct 2008 08:55 AM CDT

The debut of the China Internet Security Forum was made in Shanghai on September 20, 2008. It was a two-day workshop, hosted by CISRG (China Information Security Research Group) and Antiy Labs. CISRG is an active China-based security organization. It has a very lovely logo - a little footprint. Antiy Labs is famous for its virus research capability and anti-virus products.

Unlike most other security conferences and forums, which are organized by the government or its agencies, ISF 2008 is mostly a workshop of security practitioners and advocates. So the air and topics are very fresh and technological.

It’s a pity that I didn’t find an opportunity to attend this workshop. However, fortunately, Billy shared with me his vivid and absorbing whole-view report about this event. Here it is.

This workshop had a wide range of topics, ranging from Vista security, wireless security and antivirus to security operations, security penetration testing, etc.

It’s great that CISRG shared out the presentation of this forum. The documents are downloadable at this link.

STOCK MARKET TERMS [Telecom,Security & P2P]

Posted: 09 Oct 2008 08:10 AM CDT

The below terms are from my friend - Jason. Very funny. Enjoy…

BULL MARKET — A random market movement causing an investor to mistake himself for a financial genius.
BEAR MARKET — A 6 to 18 month period when the kids get no allowance, the wife gets no jewelry, and the husband gets no sex.
VALUE INVESTING — The art of buying low and selling lower.
P/E RATIO — The percentage of investors wetting their pants as the market keeps crashing.
BROKER — What my broker has made me.
STANDARD & POOR — Your life in a nutshell.
STOCK ANALYST — Idiot who just downgraded your stock.
STOCK SPLIT — When your ex-wife and her lawyer split your assets equally between themselves.
FINANCIAL PLANNER — A guy whose phone has been disconnected.
MARKET CORRECTION — The day after you buy stocks.
CASH FLOW — The movement your money makes as it disappears down the toilet.
YAHOO — What you yell after selling it to some poor sucker for $240 per share.
WINDOWS — What you jump out of when you’re the sucker who bought Yahoo @ $240 per share.
INSTITUTIONAL INVESTOR — Past year investor who’s now locked up in a nuthouse.
PROFIT — An archaic word no longer in use.

Book Review: Fuzzing | Brute Force Vulnerability Discovery [Nicholson Security]

Posted: 09 Oct 2008 01:24 AM CDT

I really enjoyed reading Fuzzing. The book has a ton of really great information.  The majority of the content I was interested in pertained to the application and web application fuzzing.  The book starts with a background on vulnerability discovery methods.  It then covers the different methods and types of fuzzers.

The good stuff starts in the second part of the book on, “targets and automation.”  The chapter on “web application and server fuzzing automation” has some interesting ideas I hadn't considered.  I also liked the chapters on network protocol fuzzing on Windows and UNIX.

Throughout the book it shares tools, code and examples available for download from the fuzzing.org website.  I have been working a lot recently with the Samurai Web Testing Framework Live-CD creating some video tutorials, that I hope to release soon, and I used some of the examples in the book.  I also played with a little C# and created the generic fuzzing tool that was given in the book.  I am adding some features to work in a few class activities I would like to implement.

Overall I think the book is great for anyone that is in development, system administration or pen-testing.  I learned a lot and I think others would too, but be warned this book is intense.  I spent about 8 or 9 weeks with this book because every time I learned something new I wanted to try it out.

If you have read this book or others like it I would like to read your comments.
