Spliced feed for Security Bloggers Network |
NoScript ClearClick Warning (aka Clickjacking) [Nicholson Security] Posted: 11 Oct 2008 01:04 AM CDT I was on Google Video just now checking out the OWASP.TV videos from the conference in NYC, when I got a “ClearClick Warning” from NoScript. I know that NoScript added Clickjacking support but this was the first time I had seen a warning. I checked the page with Firebug and didn’t see anything wrong. I am guessing it was a false positive but now I’m just curious. Has anyone else seen the “ClearClick Warning” and if so was it a correct or a false positive? Post your feedback in the comments. |
Grecs’s Infosec Ramblings for 2008-10-10 [NovaInfosecPortal.com] Posted: 10 Oct 2008 11:59 PM CDT
|
Posted: 10 Oct 2008 10:08 PM CDT Panel: Palin abused power in trooper case ANCHORAGE, Alaska (CNN) — Republican vice presidential nominee Sarah Palin abused her power as Alaska’s governor and violated state ethics law by trying to get her ex-brother-in-law fired from the state police, a state investigator’s report concluded Friday. “Gov. Palin knowingly permitted a situation to continue where impermissible pressure was placed on several subordinates in order to advance a personal agenda,” the report states. Public Safety Commissioner Walt Monegan’s refusal to fire State Trooper Mike Wooten from the state police force was “likely a contributing factor” to Monegan’s July dismissal, but Palin had the authority as governor to fire him, the report by former Anchorage prosecutor Stephen Branchflower states. |
VMware Acquires BlueLane: Further Differentiation Through Security [Rational Survivability] Posted: 10 Oct 2008 05:00 PM CDT From Virtualization.com comes the news that VMware has acquired BlueLane Technologies. BlueLane is the maker of solutions that protect both physical and logical infrastructure, which includes ServerShield and VirtualShield. The company has of late focused wisely on Coupled with the introspection capabilities provided by VMware's vNetwork/VMsafe APIs natively, the integration of BlueLane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments. The notion of enabling in-line patch-proxying as well as the "IPS-like" in-line vulnerability mitigation capabilities for VMs and additional VMM protection make this very interesting indeed. You can read more about BlueLane's approach on their website. I also interviewed Allwyn Sequeira on my blog. VMware's acquisition of Blue Lane comes as no surprise, as it became clear to me that VMware needed to continue to strengthen the underlying platform of the hypervisor itself. I wrote earlier this month, prior to rumors of Blue Lane's acquisition by other bloggers, that as part of a successful differentiation strategy: VMware will make additional acquisitions in the security space. Yes, I know this sounds heretical given the delicate balance most "platform" providers keep with their ecosystem partners, but VMware have already shown that they are ready to buy as well as build and ally with prior acquisitions, and security will continue to be a key differentiator for them. They've done it once already with Determina, they'll do it again.
This point was at the heart of my debate with Simon Crosby, Citrix Systems' CTO (see here and here); we need a unified secure ecosystem to start with instead of worrying about securing the ecosystem's products. From a business perspective it takes a mixture of resolve, market dominance, and confidence to cannibalize a section of your ecosystem, but it's the right thing to do in this case in order to offset competitive forces and help customers solve some really nasty issues. I made mention of this point with emerging security ISVs at VMworld, and was asked several times whether I really thought VMware would do this. The odd question that inevitably came next was "where does that leave security ISVs like us?" You can guess my answer. Honestly, I'm sure most of them were hoping to be bought for the same reason. So, will this cause a run on alignment to support Hyper-V over VMware? I don't think so. ISVs who were hinging their hopes for success solely on VMware understand this risk. Microsoft has no API facility like vNetwork/VMsafe, so the options for reasonable and rational installation of their products are limited. Citrix is in the same boat. This is the reason my next set of VirtSec presentations will focus on Hyper-V. On a side note, I was one of Blue Lane's first customers for their patch proxy product and have been an ardent supporter of their approach for many years, despite taking quite a bit of crap for it from purists and pundits who had difficulty rectifying the approach in comparison to traditional IPS. This is a good thing for VMware, VMware's customers and Blue Lane. Congratulations to the BlueLane team. |
Chinese hackers gain access to World Bank [The Dark Visitor] Posted: 10 Oct 2008 04:53 PM CDT At least there seems to be evidence that two of the six major attacks originated from IP addresses inside of China:
|
Closing thoughts for a Friday [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 10 Oct 2008 04:47 PM CDT Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.
|
What the hell?!? [The Dark Visitor] Posted: 10 Oct 2008 04:15 PM CDT Dr. Antonio Nucci, Chief Technology Officer at Narus writes:
Just CRAP!!! Filed under: Evil and/or Stupid (for the latter) |
Interesting Information Security Bits for 10/10/2008 [Infosec Ramblings] Posted: 10 Oct 2008 03:03 PM CDT Good afternoon everybody! I hope your day is going well.
That’s it for today. Have fun! |
Twibble — The holy grail of Twitter mobile [Srcasm] Posted: 10 Oct 2008 01:12 PM CDT If you’ve known me for more than about, oh, 5 minutes, you’ll know that I’m always connected to the internet. I live, breathe and eat bits (not my cat) and bytes for breakfast and I love to chew on the latest and greatest Web 2.0 awesome-taffy that I find every day. That’s why I was so excited when I found the greatest Twitter app for Blackberry (or Nokia, Sony Ericsson or any Java-capable mobile device) AND a great Twitter desktop app to boot. Twibble (by spider labs GmbH in Hamburg, Germany) brings simplicity, convenience, power and control all into one tiny mobile application. Not only does it work properly (auto updates, vibrate/alert on direct messages and @replies) but it also provides some pretty awesome additional features that I haven’t seen in the mobile Twitter application realm (at least not for Blackberry):
There are a bunch of other neat features that Twibble mobile provides and you can check them out on the product page. What I was surprised to learn was that Twibble also made a desktop Adobe AIR client as well. This client is cleanly designed, supports multiple accounts and follows some of the same shortcuts and features that Twibble mobile has. This makes the transition from desktop easy and fun. Personally, I would pay for this app (maybe $10-$20) because it’s that good. What do you think of Twibble? What are some other clients that you have used? |
Why MSSPs are going to rule the SMB/SME roost [StillSecure, After All These Years] Posted: 10 Oct 2008 11:54 AM CDT I don't think there are too many people who disagree that the MSSP model of providing security is a valid and growing segment of the security business. Recently, I have been giving a lot of thought as to whether this is just a pendulum type of swing that will soon swing the other way or if it is more fundamental. I am coming to the conclusion that it is more fundamental. To be clear I am not talking about SaaS. I think there is a big difference between what a company like Qualys does in SaaS and what a true MSSP does. When I say MSSP, I mean actively managing the security, not just providing software over the web. Here is a great illustration of why I think the MSSP model is fundamentally here to stay and right for certain segments of the market. Last night we went over to a friend's house for a social gathering. I was speaking to one of the guys there who I see maybe once or twice a year. He again asked me what it is I do for a living (how many security people get that question often). That brought up the whole topic of computer security. This gentleman runs a business that signs up people for satellite TV services among other things and then is a certified installer for these services. Some of us I am sure have received spam from some of the less scrupulous in that field. This guy has been at it for many years and has a very successful business. He told me because he "takes credit cards and all that" he was told he needed to have security. "You know firewall and intrusion prevention and all that", was what he told me. He looked into using open source security tools that were "free". His tech people couldn't make that work. He looked at commercial products too. Besides the cost of buying the product, the time and expertise needed to make them run was beyond his IT people and not really what he wanted them working on.
Through the data center where he hosted his web servers he was turned onto an MSSP. For between 500 and 1000 dollars a month "they protect him 24/7 and he doesn't have to worry about it". For this businessman, it was a no brainer. You know what, given this set of facts, it is a no-brainer. Unless or until something fundamental changes in that equation, the MSSP model is here to stay. |
Appearance on Bill Brenner's CSO Online Podcast [StillSecure, After All These Years] Posted: 10 Oct 2008 09:44 AM CDT As you may know, Bill Brenner, senior editor for CSO Online, was our guest on a recent StillSecure, after all these years podcast. I also recorded a podcast with Bill for CSO Online on P2P, LimeWire, Facebook, etc. It was posted this week on CSO Online and you can listen to it here. Bill is a guy who, besides reporting and writing on security, actually lives it. Always good to speak with him! |
A comment on the Google energy plan worthy of your time [StillSecure, After All These Years] Posted: 10 Oct 2008 09:16 AM CDT One of the best things about blogging is the feedback I receive from people who comment. For those of you reading this, reading blogs without commenting deprives the blog of a vital piece of the equation it needs to be robust. I try to answer most comments to continue the dialogue. Every once in a while a comment is, I think, so important that I will give it its own post. Such is the case with a comment that fellow security blogger Bill Gross made on my post around Google's energy plan. So without further ado, here is Bill's comment:
If like me you are interested in the energy problems we face as a country and "drill, baby, drill" is not a sound enough policy for you, Bill recommends this blog: neinuclearnotes.blogspot.com from the folks over at Nuclear Energy Institute. |
Apple Security Update 2008-007 [Random Thoughts from Joel's World] Posted: 10 Oct 2008 08:40 AM CDT I wish my 1000th post on the blog was way more insightful than this, but it's not going to be. I'll have to write something that really reflects a 1000th post. But it will be 1001. Introducing Apple Security Update 2008-007. Just released last night: Security Update 2008-007
CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364 Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in Apache 2.2.8 Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Root certificates have been updated Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914 Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in ClamAV 0.93.3 Description: Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems. Further information is available via the ClamAV website at http://www.clamav.net/
CVE-ID: CVE-2008-3642 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. Credit: Apple.
CVE-ID: CVE-2008-3641 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user Description: A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges. This update addresses the issue by performing additional bounds checking. Credit to regenrecht working with TippingPoint's Zero Day Initiative for reporting this issue.
CVE-ID: CVE-2008-3643 Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: A file on the Desktop may lead to a denial of service Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.
Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Applications may fail to enter a sandbox when requested Description: This update addresses an issue introduced in Mac OS X v10.5.5. An implementation issue in launchd may cause an application's request to enter a sandbox to fail. This issue does not affect programs that use the documented sandbox_init API. This update addresses the issue by providing an updated version of launchd. This issue does not affect systems prior to Mac OS X v10.5.5.
CVE-ID: CVE-2008-1767 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.
CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079 Available for: Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in MySQL 5.0.45 Description: MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html
CVE-ID: CVE-2008-3645 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: A local user may obtain system privileges Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.
CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in PHP 4.4.8 Description: PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.
CVE-ID: CVE-2008-3646 Available for: Mac OS X v10.5.5 Impact: A remote attacker may be able to send mail directly to local users Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.
CVE-ID: CVE-2008-3647 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PostScript files. Credit: Apple.
CVE-ID: CVE-2008-4211 Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files, which may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Microsoft Excel files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.
CVE-ID: CVE-2008-4212 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Systems that have been manually configured to use rlogin and host.equiv may unexpectedly permit root login Description: The manpage for the configuration file hosts.equiv indicates that entries do not apply to root. However, an implementation issue in rlogind causes these entries to also apply to root. This update addresses the issue by properly disallowing rlogin from the root user if the remote system is in hosts.equiv. The rlogin service is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. Credit to Ralf Meyer for reporting this issue.
CVE-ID: CVE-2008-4214 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: A local user may gain the privileges of another user that is using Script Editor Description: An insecure file operation issue exists in the Script Editor application when opening application scripting dictionaries. A local user can cause the scripting dictionary to be written to an arbitrary path accessible by the user that is running the application. This update addresses the issue by creating the temporary file in a secure location. Credit: Apple.
Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: The sso_util command now accepts passwords from a file Description: The sso_util command now accepts passwords from a file named in the SSO_PASSWD_PATH environment variable. This enables automated scripts to use sso_util more securely.
CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461 Available for: Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in Tomcat 6.0.14 Description: Tomcat on Mac OS X v10.5 systems is updated to version 6.0.18 to address several vulnerabilities, the most serious of which may lead to a cross site scripting attack. These issues only affect Mac OS X Server systems. Further information is available via the Tomcat site at http://tomcat.apache.org/
CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-2712, CVE-2008-3432, CVE-2008-3294 Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5 Impact: Multiple vulnerabilities in vim 7.0 Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/
CVE-ID: CVE-2008-4215 Available for: Mac OS X Server v10.4.11 Impact: Access control on weblog postings may not be enforced Description: An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X Server v10.4. Credit: Apple. |
The psychology of access control [Kees Leune] Posted: 10 Oct 2008 08:37 AM CDT Most businesses that are serious about identity management and logical access control have adopted Role-Based Access Control (RBAC) as a model to govern who has access to what. In its most simple form, RBAC is extremely simple: an individual should be assigned permissions not based on who he is, but based on which role he plays. The role-based access control model has been extensively researched (including by me) and the mechanics of the approach are fairly well understood. However, paying attention to how a technology is used is just as important as having that same technology available in the first place. In other words, the psychological factors surrounding the adoption and use of an access control model deserve as much attention as the model itself. I wish I had realized this when I was doing my PhD research. Shrdlu wrote a post that reveals that she "gets it": "When you assume a role, you're putting in a layer of separation between yourself as an individual and the entity you're interacting with." This observation is extremely true. As soon as that separation between "Jane" and "Receptionist at my doctor's office" is made explicit, Jane (who is normally presumed to be a very friendly lady) may turn into someone on wheels. The ability to hide behind a facade is well-known: judges do it by robing and/or wigging, military and police do it by donning uniforms, and there are many more examples of separating person from role. RBAC, or any other access control model for that matter, does not explicitly acknowledge that. "So as the use of roles increases, and as the distance increases between you and your user (geographically, organizationally and sociologically), the less likely it becomes that your system security will rest in the hands of individuals. The perimeter isn't just wider; it's diffused to the point where it really is gone." Go read the post.
Even better, subscribe to the rss feed. |
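The separation the access-control post above describes, shown as an added example (not Kees Leune's or Shrdlu's code): a minimal core RBAC model in which a session activates one role and the authorization decision consults only that role, never the individual, while an audit trail keeps the link back to the person so accountability does not diffuse along with the perimeter. Users, roles and permissions are constructed sample data built on the post's "Jane the receptionist" illustration.

```python
"""Minimal core RBAC with role activation and a per-session audit trail.

Added example for the access-control post above; not the blog's own code.
Roles, users and permissions below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> set of permissions
    user_roles: dict = field(default_factory=dict)  # user -> set of assignable roles
    audit: list = field(default_factory=list)       # (user, role, perm, allowed)

    def grant(self, role, *perms):
        """Attach permissions to a role, never to a person."""
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, *roles):
        """Make roles available to a user; nothing is active until a session opens."""
        self.user_roles.setdefault(user, set()).update(roles)

    def open_session(self, user, role):
        """A session activates exactly one of the user's assigned roles."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role!r}")
        return Session(self, user, role)


class Session:
    def __init__(self, rbac, user, role):
        self._rbac, self.user, self.role = rbac, user, role

    def check(self, perm):
        """The decision depends only on the active role.

        The individual behind the role is recorded for accountability but is
        never consulted for the authorization decision itself: that is the
        layer of separation between "Jane" and "Receptionist".
        """
        allowed = perm in self._rbac.role_perms.get(self.role, set())
        self._rbac.audit.append((self.user, self.role, perm, allowed))
        return allowed


def who_did_what(rbac, perm):
    """Resolve a role-based action back to the individuals who performed it."""
    return sorted({u for (u, r, p, ok) in rbac.audit if p == perm and ok})


def demo():
    rbac = RBAC()
    rbac.grant("receptionist", "view_schedule", "book_appointment")
    rbac.grant("physician", "view_schedule", "read_chart", "write_chart")
    rbac.assign("jane", "receptionist")
    rbac.assign("dr_lee", "physician", "receptionist")

    front_desk = rbac.open_session("jane", "receptionist")
    results = {
        "jane_books": front_desk.check("book_appointment"),
        "jane_reads_chart": front_desk.check("read_chart"),
    }
    # A physician covering the front desk holds only the receptionist's
    # rights in that session, even though a physician role is assigned too.
    covering = rbac.open_session("dr_lee", "receptionist")
    results["lee_as_receptionist_reads_chart"] = covering.check("read_chart")
    results["bookers"] = who_did_what(rbac, "book_appointment")
    return results


if __name__ == "__main__":
    print(demo())
```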
WiFi is no longer a viable secure connection [Vincent Arnold] Posted: 10 Oct 2008 08:31 AM CDT Dan Raywood WiFi is no longer secure enough to protect wireless data. Global Secure Systems has said that a Russian’s firm’s use of the latest NVidia graphics cards to accelerate WiFi 'password recovery’ times by up to an astonishing 10,000 per cent proves that WiFi’s WPA and WPA2 encryption systems are no longer enough to protect wireless data. David Hobson, managing director of GSS, claimed that companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity. He also said that the use of VPNs is arguably now mandatory for companies wanting to comply with the Data Protection Act. He said: "This breakthrough in brute force decryption of WiFi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data. As a result, we now advise clients using WiFi in their offices to move on up to a VPN encryption system as well. "Brute force decryption of the WPA and WPA2 systems using parallel processing has been on the theoretical possibilities horizon for some time - and presumably employed by relevant government agencies in extreme situations - but the use of the latest NVidia cards to speedup decryption on a standard PC is extremely worrying. "The $64,000 question, of course, is what happens when hackers secure a pecuniary advantage by gaining access to company data flowing across a WPA or WPA2-encrypted wireless connection. Will the Information Commissioner take action against the company concerned for an effective breach of the Data Protection Act." |
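The cost model behind the claim in the GSS/Elcomsoft item above, as an added example that is not part of the original post: WPA/WPA2-PSK derives the pairwise master key from the passphrase with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations, 256-bit output, per IEEE 802.11i), so the per-guess cost is fixed and the only variable a defender controls is passphrase entropy. The functions below derive the key the standard way and show what a "10,000 per cent" (taken here as roughly 100x) speedup buys against passphrases of different entropy; the guess rates are constructed illustrative numbers, not measured figures.

```python
"""WPA/WPA2-PSK passphrase cost model (added example, not the post's code).

The guess rates passed to the estimate functions are constructed for
illustration; the derivation itself follows IEEE 802.11i.
"""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PSK_LEN = 32               # 256-bit pairwise master key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 PMK from an ASCII passphrase and the network SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PSK_LEN)


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase: half the keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def speedup_effect(entropy_bits: float, base_rate: float, speedup_factor: float):
    """(seconds at base_rate, seconds at base_rate * speedup_factor).

    The speedup shifts the line, it does not change its slope: each extra bit
    of passphrase entropy still doubles the attacker's expected work.
    """
    return (expected_crack_seconds(entropy_bits, base_rate),
            expected_crack_seconds(entropy_bits, base_rate * speedup_factor))


def compare_policies(base_rate: float = 1000.0, speedup_factor: float = 100.0):
    """Years of expected work for a few passphrase policies, before and after a speedup.

    base_rate is a constructed figure (guesses per second), not a measurement.
    """
    year = 365 * 24 * 3600
    policies = {
        "8 lowercase letters": passphrase_entropy_bits(8, 26),
        "10 mixed-case alphanumerics": passphrase_entropy_bits(10, 62),
        "20 printable ASCII": passphrase_entropy_bits(20, 95),
    }
    return {name: tuple(s / year for s in speedup_effect(bits, base_rate, speedup_factor))
            for name, bits in policies.items()}


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    for name, (before, after) in compare_policies().items():
        print(f"{name:30s} {before:12.3g} years -> {after:12.3g} years")
```

The entropy is the defender's lever: an 8-character lowercase passphrase falls in hours at these rates, while a 20-character random one stays out of reach even after a 100x speedup, which is why the post's advice to add a VPN layer applies to networks whose passphrase cannot be made long and random.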
Metasploit 3.2 drops commercial license restriction [Nicholson Security] Posted: 10 Oct 2008 01:58 AM CDT It seems that Metasploit 3.2 will be sporting a BSD 3-Clause license. That basically means that MSF can be forked or modified and repackaged and sold by commercial entities. The 3-Clause license basically means that the source code and binaries keep the copyright but they can’t say the mutant product is endorsed by HD. DarkReading has an article about it and one of the ideas tossed around is Core Impact integrating MSF into their tool. Aside from the thousands of dollars that Core costs, the lack of reporting functionality is one of the reasons MSF is kept in the shadows with researchers and pen-testers. MSF is awesome and I’m a big fan of it and look forward to all its bastard children. But, if someone can take MSF and create some awesome reporting tools, that would rock. I have always thought someone should build some reporting plug-ins for MSF; maybe someone will now. I would like to know what you think about the MSF license change in the comments. |
Data Security in Financial Crisis [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 10 Oct 2008 12:40 AM CDT If you've not looked up from your screen in a while - there is a major world-wide recession underway. When you look around and see a company like Lehman Brothers basically out of business, the first instinct is to panic because the financial markets are clearly crumbling. Rich Mogull's write up on securosis.com entitled "Impact of the Economic Crisis on Security" was definitely worth a read, if you've not gotten a chance to read it yet. After you read Rich's blog entry... think about this: what's happening with all the data that's being "liquidated"? Scary isn't it. Those behemoths of Wall Street hold terabytes of information - PII (personally identifiable information) of all types. Once again I think we're right to rant and rave about how those CEOs should be behind bars, or worse - but let's consider the data. The data, or what's happening (or going to happen) to it, is what's scaring me to death. I actually have data, my personal information, at some of those failed firms all over the place. When they're liquidated, or parted off and sold... is there a governing body somewhere that's keeping track and making sure disks are wiped clean, digitally shredded so they can't be used in fraud or identity thefts? All the government oversight we're proposing today, and the $700Bn (that number boggles my mind) "bailout" and not a single mention of information management anywhere in there. I think there is a much deeper crisis here than just collapsing financials - because like it or not that ship will list and right itself, eventually (likely at the expense of you and me, the taxpayers) but the data that's mis-handled, lost, stolen and forgotten about... who's going to bail ME out when my identity is stolen as a result? Anyway... thought I'd just share what's on my mind. Feel free to reply, comment and rant with me. |
Grecs’s Infosec Ramblings for 2008-10-09 [NovaInfosecPortal.com] Posted: 09 Oct 2008 11:59 PM CDT
|
Interesting Information Security Bits for 10/09/2008 [Infosec Ramblings] Posted: 09 Oct 2008 07:16 PM CDT Good afternoon everybody! I hope your day is going well.
That’s it for today. Have fun! |
BA-Con and Ekoparty 2008 [DVLabs: Blogs] Posted: 09 Oct 2008 01:43 PM CDT Posted by Aaron Portnoy Having sufficiently recovered from my week-long trip to Buenos Aires, it's time to spread the word about some of the innovative research presented at Argentina's two most prominent security conferences. My coworker Ali and I first attended BA-Con, the newest conference venture from Dragos Ruiu (of CanSecWest, PacSec, and EUSecWest fame). Some of the highlights included an entertaining (and at the same time depressing) talk from Harri Hursti regarding the current and past state of eVoting procedures and architecture. Harri described such design flaws as global master keys, poor encryption, default passwords, methods by which one can simply obtain administrative access to some of the machines, and even what he referred to as--if memory serves--101 class bugs in the software. We also attended an informative talk by Hendrik Scholz entitled "All the Crap Aircrafts Receive and Send". Hendrik's presentation discussed the structure of the plaintext protocol airplanes use to communicate to ground crew and airports. From the audience Cedric Blanchard voiced a hilarious example of how this could be abused by spoofing a request for 20 new seats for the incoming airplane, the result being a ground crew with the necessary equipment awaiting the plane's arrival on the tarmac. Following this talk was Jose Orlicki with his presentation about social networks. Jose implemented a library that enables one to scrape social networking sites and search engines to profile individuals and map out their relationships with others. You may remember Maltego which does similar data gathering. Jose showcased his implementation by demonstrating a chat bot that impersonated one of his target individuals by utilizing vocabulary similar to their own using his gathered data. His entertaining case example was an Ivan Arce bot chatting with characters from the Matrix movie.
I wasn't able to attend Julien Vanegue's talk, "Hacking PXE without reboot (using the BIOS network stack for other purposes)", as I was preparing for our talk that immediately followed it. I was told the slides will be available on the BA-Con website some time soon. Following BA-Con was ekoparty, which is now in its 2nd (public) year. Ekoparty talks were hosted on a theater stage and were packed with somewhere around 300 attendees. The conference also ran a wargame called Packetwars and a lockpicking competition which was won by Hugo Fortier, one of the organizers of Recon. We originally had trouble locating the conference so we missed out on some of the talks we would have liked to have seen. One such talk was Julien Vanegue's presentation on Evarista, a piece of software based on the ERESI framework. The ERESI framework implements an intermediate representation that enables one to more easily perform runtime and static analysis. Julien's Evarista is focused on static analysis and is the same research as documented in Phrack issue 64, article 8. We did catch some good presentations on day two, including a talk from Nelson Murilo and Luiz Eduardo on a new wifi monitoring tool dubbed Beholder. Following their talk was Hugo Scolnik, a mathematics professor who talked about a possible new method of factoring numbers in an attempt to attack RSA encryption. His talk was in Spanish but math is universal and so his slides conveyed some aspects of his approach. However, I'll wait until someone translates his work before attempting to comment on its validity. Following the conference, lightning talks were given at a local pub. Most were in Spanish and I am far from fluent. However, Andrew Cushman from Microsoft's Research Center did give a quick rundown of some of the new Microsoft initiatives first announced at Blackhat this year. Both events had a great turnout and interesting presentations.
The security community in Argentina is definitely thriving with such companies as Core and Cybsec headquartered there. Hopefully these conferences will continue to put the spotlight on the region and we personally look forward to attending both conferences next year. |
Passpack and Twitter at last. Rejoice! [Srcasm] Posted: 09 Oct 2008 01:21 PM CDT Passpack rolled out with a great new feature… Now everyone with a Twitter (or FriendFeed) account can log right into Passpack in under 25 seconds! (Check out the nifty 24 second screen cast.) How awesome is that? Today seems like a great day to start securing your online accounts with stronger, longer and better passwords with Passpack’s help. |
MindshaRE: First Things First [DVLabs: Blogs] Posted: 09 Oct 2008 12:59 PM CDT Posted by Cody Pierce This week on MindshaRE we want to share some of the things we do when beginning a reversing project. Some of these are obvious, and some may be new. It all serves the purpose of creating a solid foundation for the hard work to follow. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss everyday aspects of reversing. You can view previous entries by going through our blog history. It is important to know as much about your target as humanly possible before you start reverse engineering anything. By doing this we have a better understanding of how things "probably" work. Getting insight through available documentation on the net or included with the product is our first stop. We often scour the vendor's site, focusing on any technical documents available. This can give us solid ideas about what we are attempting to reverse. Especially when doing vulnerability analysis, it is imperative to dig into the setup and use of a product. We also keep in mind support forums and the general problems people may have. If bugs exist in normal day-to-day operation, exploitable security bugs may not be too far behind. We must also first understand how all the components work together before we can break down a single binary. This again can be gleaned from installation or operation documentation. More often than not a vendor will have an "Administration Guide" or "Installation Guide" that will help us get a feeling for the larger picture. Once we have established a good understanding of how the binary works in its respective environment, we open the binary in IDA and take a deep breath. After letting IDA do its auto-analysis we begin to navigate the binary. 
During this time we are not trying to read any of the assembly, but instead make sure IDA did its job well by looking for unidentified functions, ambiguous blocks of unidentified data, and various other common analysis mistakes. Spending some time making sure IDA has done its job again gives us a solid foundation to work from. If we are trying to actually reverse a binary and have to stop every ten seconds to fix a function or cross reference, it tends to slow us down more than investing the time in an initial fix-up stage. Once we feel comfortable with the disassembly we check out each section, looking to see how much code exists, how much data exists, what the read-only section looks like, and most importantly the import section. The import section is often the first time we really pay attention to the information in the binary, and not just the disassembly. By looking at the library calls that occur in the binary you can get a great idea of what the binary does. For instance, seeing the library call InternetOpenUrl tells us in an instant that at some point this binary will access an outside resource (most likely an HTTP URL). Some of the interesting families of imports we tend to look out for are sockets, files, windowing, debugging, and often-misused string libraries. After we get a feel for the libraries being used we'll typically jump over to IDA's strings window. Like the imported libraries, the strings being referenced can tell a story about the binary's inner workings. It's prudent to always keep an eye out for descriptive strings like debugging messages or verbose logging options. Finding strings like this, as we have discussed in previous MindshaRE articles, can be a boon for a reverse engineer. The idea is to constantly be getting a feel for the binary as a whole, and how it works on a level just above the actual assembly code. 
Next, we typically quickly move through the data section looking for vtables or other important data structures that may catch our eye. For instance, if we see a vtable with a large number of code cross references we can make a mental note for when we encounter these while reversing their use. We also spend some time fixing up the data types. IDA tries to correctly identify type information in the data section, but it always errs on the side of caution. We will create dwords where seen fit, and define any other obvious structures, always making mental notes. Now that we have gained a little understanding from a higher level we will dig into the actual assembly. It is of the utmost importance that we set a goal, or a set of questions we want to answer, before really diving into the assembly. Our goal must be well defined and outlined. Sticking to this goal will always keep us moving forward and not get distracted. Here are some of the common goals our team is specifically interested in when performing binary audits:
With that said, one of the first things we do is look at the most cross-referenced functions. By doing so, our efforts will always help future endeavors. Let's say we have a function that is called 4000 times throughout the binary. If we identify that it is a memory allocation routine, we have just made those other 4000 functions that much easier to understand. These common functions are the building blocks for more complex code we may encounter later. So we are finally at our "starting" point. This is where a generic approach can no longer be described. Each goal or question we try to answer will need special attention and may rely on varying techniques. For things like auditing network protocols we like to start at the reception of a packet. For RPC functions we begin by identifying the registration of client and server interfaces. It really depends on what we are trying to achieve, but the idea is to use the information we spent time gathering in the beginning. Hopefully by now you have a good understanding of the playing field. If you notice, we tend to work from the top down: high-level documentation all the way down to the actual assembly code being executed by the processor. In our experience this is the best way for the human mind to actually understand what we are looking at. It has also proved the easiest, and most rewarding, for us. As reverse engineers we take all the information we can get. This lessens our need to extract each and every clue from the assembly level, which is often very time consuming. To summarize it all, learn everything you can about the process before you start. Make sure you have a solid base to work from. And finally, outline a goal so that you can stay focused and make progress. Leave a comment with some additional ideas. We would love to add to our repertoire. -Cody |
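The import, string and cross-reference triage the post describes, as an added Python example (not DVLabs code): the plain helper functions run anywhere, while collect_from_ida() assumes the IDAPython API (idaapi, idautils, idc) and only works inside IDA; the import family lists are constructed, illustrative subsets.

```python
# Triage helpers for the top-down workflow above: bucket the import table,
# pull out verbose strings, and rank the most cross-referenced functions.
# Added example, not DVLabs code. The plain-Python helpers run anywhere;
# collect_from_ida() uses IDAPython and only works inside IDA.
import re
from collections import defaultdict

# Import families the post says to watch for. The member names are a
# constructed, illustrative subset of Win32/CRT exports, not a full catalogue.
IMPORT_FAMILIES = {
    "network": {"socket", "connect", "recv", "send", "WSAStartup",
                "InternetOpenUrlA", "InternetOpenUrlW"},
    "file": {"CreateFileA", "CreateFileW", "ReadFile", "WriteFile", "fopen"},
    "debug": {"IsDebuggerPresent", "OutputDebugStringA", "OutputDebugStringW"},
    "unsafe_string": {"strcpy", "strcat", "sprintf", "lstrcpyA", "lstrcpyW",
                      "wsprintfA", "wsprintfW"},
}

def classify_imports(names):
    """Map family -> sorted imports seen in it; families with no hits are omitted."""
    hits = {fam: sorted(set(names) & members)
            for fam, members in IMPORT_FAMILIES.items()}
    return {fam: found for fam, found in hits.items() if found}

# Format specifiers and diagnostic vocabulary mark the descriptive strings
# (debug messages, verbose logging) the post recommends looking at first.
_VERBOSE = re.compile(r"%[sdxp]|debug|trace|assert|failed|error", re.I)

def verbose_strings(strings, min_len=8):
    return [s for s in strings if len(s) >= min_len and _VERBOSE.search(s)]

def rank_by_xrefs(call_edges, top=5):
    """(caller, callee) pairs -> [(callee, distinct callers)], most-referenced first, ties by name."""
    callers = defaultdict(set)
    for caller, callee in call_edges:
        callers[callee].add(caller)
    ranked = sorted(callers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(callee, len(c)) for callee, c in ranked[:top]]

def collect_from_ida():
    """Gather (imports, strings, call_edges) from the open IDB via IDAPython."""
    import idaapi, idautils, idc
    imports = []
    for i in range(idaapi.get_import_module_qty()):
        # Ordinal-only imports have no name; the callback returns True to keep enumerating.
        idaapi.enum_import_names(i, lambda ea, name, ordinal: (imports.append(name) if name else None) or True)
    strings = [str(s) for s in idautils.Strings()]
    edges = []
    for callee in idautils.Functions():
        for ref in idautils.CodeRefsTo(callee, 0):
            caller = idaapi.get_func(ref)
            if caller:
                edges.append((idc.get_func_name(caller.start_ea), idc.get_func_name(callee)))
    return imports, strings, edges
```

Inside IDA, `imports, strings, edges = collect_from_ida()` followed by the three helpers gives the first-pass picture the post describes before any assembly is read.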
Social Engineering Challenges Back [Room362.com] Posted: 09 Oct 2008 12:34 PM CDT I got an overwhelming response to me stopping the social engineering challenges, which far out-shadows the large response I got against the challenges. In other words, the “AYE”s have it. As soon as my Maltego series comes to a close I will be starting the challenges back up again. Thank you for your support and I look forward to the continuation of the challenges, I really had fun with the first one. |
Jasager - Past - Present and Future [Room362.com] Posted: 09 Oct 2008 10:32 AM CDT If you haven’t heard already about Jasager... well, you probably don’t read this blog, but for those who want to know a bit more about the history of Jasager - Karma on the Fon, where the project is now, and where it’s headed, then buckle up and hang on while we first travel down memory lane. What was the point of this history lesson? If you have an idea, and someone else has done it, take it to the next level, and if you don’t have the time, find a partner who does. Enough history, let’s get some information. |
You’ve organized your passwords, now on to your projects [Srcasm] Posted: 09 Oct 2008 10:31 AM CDT
I was talking with a friend the other day about his current dilemma. He’s trying to roll out a difficult project with multiple people interacting and he has a very short timeline. His question to me was simple: “How would you organize the project?” I had to take a minute to think about this as it’s not as simple as I had originally thought.
On one hand, the ol’ pencil and paper method (or the digital form of it) could be a great solution. Draw out the designs and flows and write out the text on a digital whiteboard of sorts. Everyone can put their hand into the virtual jar and pull out a piece to work on and update that central repository when they get through their step. The one major flaw in this model that I see is that there is no organization of ideas. It’s too easy to flip from one piece to another without ever actually completing any of the steps properly. The advantage to this method is that it’s visually appealing and it allows people to get the whole picture of what the project contains. On the other hand, a tool like Google Spreadsheets or Basecamp could come in handy. It’s organized by project, then to-dos, and finally has milestones and whiteboards to keep even more info on the project. This is great but also has its ups and downs. The disadvantage is that this format can be too structured. Some people can’t comprehend the number of levels of information that are available in a site like Basecamp. Combine this listing of info with the whiteboards, attachments and even multiple projects and you could be in over your head in stuff. The advantage to this method is its pure organizational structure. Everything can be nested, linked and individually displayed. This means that if I assign task A to you and task B to me, we won’t be drawn away by the shiny pieces of task C as easily. Both of these methods make for great solutions to project management, but I’m sure that there are a million and one ways out there to accomplish this. How would you do it? What do you see as some of the pitfalls to tools like Basecamp or things like pencil and paper? |
China Internet Security Forum 2008 [Telecom,Security & P2P] Posted: 09 Oct 2008 08:55 AM CDT The debut of the China Internet Security Forum was made in Shanghai on September 20, 2008. It was a two-day workshop, hosted by CISRG (China Information Security Research Group) and Antiy Labs. CISRG is an active China-based security organization. It has a very lovely logo - a little footprint. Antiy Labs is famous for its capability in virus research and anti-virus products. Unlike most other security conferences and forums, which are organized by governments or their agencies, ISF 2008 is mostly a workshop of security practitioners and advocates. So the air and topics are very fresh and technological. It’s a pity that I didn’t find an opportunity to attend this workshop. However, fortunately, Billy shared with me his vivid and absorbing whole-view report about this event. Here it is. This workshop had a wide range of topics, covering Vista security, wireless security, antivirus, security operations, security penetration testing, etc. It’s great that CISRG shared the presentations of this forum. The documents are downloadable at this link. |
STOCK MARKET TERMS [Telecom,Security & P2P] Posted: 09 Oct 2008 08:10 AM CDT The below terms are from my friend - Jason. Very funny. Enjoy… BULL MARKET — A random market movement causing an investor to mistake himself for a financial genius. |
Book Review: Fuzzing | Brute Force Vulnerability Discovery [Nicholson Security] Posted: 09 Oct 2008 01:24 AM CDT I really enjoyed reading Fuzzing. The book has a ton of really great information. The majority of the content I was interested in pertained to application and web application fuzzing. The book starts with a background on vulnerability discovery methods. It then covers the different methods and types of fuzzers. The good stuff starts in the second part of the book, on “targets and automation.” The chapter on “web application and server fuzzing automation” has some interesting ideas I hadn't considered. I also liked the chapters on network protocol fuzzing on Windows and UNIX. Throughout the book it shares tools, code and examples available for download from the fuzzing.org website. I have been working a lot recently with the Samurai Web Testing Framework Live-CD creating some video tutorials, which I hope to release soon, and I used some of the examples in the book. I also played with a little C# and created the generic fuzzing tool that was given in the book. I am adding some features to work in a few class activities I would like to implement. Overall I think the book is great for anyone that is in development, system administration or pen-testing. I learned a lot and I think others would too, but be warned: this book is intense. I spent about 8 or 9 weeks with this book because every time I learned something new I wanted to try it out. If you have read this book or others like it I would like to read your comments. |