Monday, October 13, 2008

Spliced feed for Security Bloggers Network

Joomla hacking still goes on and on [belsec] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 04:57 AM CDT

and on and on and on, until the latest unpatched Joomla server is found and hacked. Something professional, I suppose :)


Nice Hack [belsec] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 04:55 AM CDT

Their server needs some more analysis :)

Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/4.4.4-8+etch4 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at Port 80


the effects of anonymization on log usability when looking for attacks [belsec] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 04:50 AM CDT

Evaluating the Utility of Anonymized Network Traces for Intrusion Detection
Kiran Lakkaraju and Adam Slagell

We have provided a thorough evaluation of single field anonymization polices upon pcap formatted network traces.
We found that the primary impact on the utility of a log is not the particular anonymization algorithm, but rather the field that was anonymized.
In addition, we were able to empirically show a range of utilities for a log based on the field that was anonymized.
The loss of utility was largest for ports and IP addresses.
There was some loss of utility for the fields of ID, sequence number, flags, timestamp, and ACK number. However, for many of the fields there was no change in utility when
This empirical evaluation provides the basis for further work on studying the impact of more complex anonymization schemes on the utility of a log.


This means that to keep some utility, log anonymization has to preserve the IP address and the port. This poses a problem with dynamic addresses, but it keeps the possibility of tracing attacks back to networks and fixed servers (with some exceptions, I know). It also means that Non-Disclosure Agreements and privacy guarantees have to be built in for whoever is working with these logs.
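As an added illustration of the paper's finding (example code, written for this page, not from Lakkaraju and Slagell or from belsec), the following runs one simple port-scan detector over a constructed flow trace, then over the same trace with a single field anonymized at a time. The flow records, the four policies and the detector threshold are all constructed here; shifting timestamps leaves the detection intact, black-marking ports destroys it, and the two IP policies keep the alert firing but lose the ability to trace it back to one host.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key for the pseudonymization policy; in practice it is kept
# separate from the anonymized trace.
SECRET = b"constructed-example-key"

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, tcp_flags).
# Host 10.0.0.9 probes 30 ports on the server; five other hosts just talk HTTP.
FLOWS = [(1000 + i, "10.0.0.9", "192.168.1.5", 20 + i, "S") for i in range(30)]
FLOWS += [(2000 + i, "10.0.0.%d" % (20 + i % 5), "192.168.1.5", 80, "SA")
          for i in range(20)]


def detect_scanners(flows, threshold=10):
    """Vertical port-scan heuristic: flag a source that touches more than
    `threshold` distinct destination ports on a single destination host."""
    ports_seen = defaultdict(set)
    for _ts, src, dst, dport, _flags in flows:
        ports_seen[(src, dst)].add(dport)
    return sorted(src for (src, _dst), ports in ports_seen.items()
                  if len(ports) > threshold)


def pseudonymize_ip(ip):
    """Keyed, consistent one-way mapping: equal inputs give equal tokens, so
    per-source counting still works, but the token names no real network."""
    digest = hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:8]


def anonymize(flows, field, method):
    """Apply one single-field policy to every record and return the new trace."""
    out = []
    for ts, src, dst, dport, flags in flows:
        if (field, method) == ("timestamp", "shift"):
            ts += 86400                          # constant offset keeps ordering and gaps
        elif (field, method) == ("dst_port", "black_marker"):
            dport = 0                            # every port collapses to one value
        elif (field, method) == ("src_ip", "truncate"):
            src = src.rsplit(".", 1)[0] + ".0"   # keep the /24, drop the host bits
        elif (field, method) == ("src_ip", "pseudonym"):
            src = pseudonymize_ip(src)
        else:
            raise ValueError("unsupported policy %s/%s" % (field, method))
        out.append((ts, src, dst, dport, flags))
    return out


POLICIES = [("timestamp", "shift"), ("dst_port", "black_marker"),
            ("src_ip", "truncate"), ("src_ip", "pseudonym")]


def utility_report(flows=FLOWS):
    """Run the same detector on the raw trace and on each anonymized variant.
    Returns {policy_name: list_of_flagged_sources}."""
    report = {"none": detect_scanners(flows)}
    for field, method in POLICIES:
        name = "%s/%s" % (field, method)
        report[name] = detect_scanners(anonymize(flows, field, method))
    return report


if __name__ == "__main__":
    for policy, flagged in utility_report().items():
        print("%-22s -> %s" % (policy, flagged or "scan no longer detected"))
```

The truncated variant still raises an alert, but it now points at the whole 10.0.0.0/24, which contains the five benign hosts as well as the scanner.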

Security and IT mailing lists: some are spam havens [belsec] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 04:01 AM CDT

It is a pity to see mailing lists that were used by security specialists being abused by spammers because nobody cared to clean them out or filter them. Security is a permanent job.



Belgian Bank with bad SSL certificates (Antwerps beroepskrediet) [belsec] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 03:12 AM CDT

another way to trust your banker ..... not

No regulation without independent outside controls. No controls without punishment.



Security ideas for your mom revisited [Security For All]

Posted: 13 Oct 2008 12:39 AM CDT

Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled "Day in the Life of A Web 2.0 Hacker." Because many of my days consist of repairing damage done by viruses and hackers to people's computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid at our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don't feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don't use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference. In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom - Revisited

  1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors - transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPNP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet. 
In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall, eliminates most of the need for anti-virus software (more heresy, I know). But I like the idea of cutting off the malware at the pass, as it were.
  2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors through the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the investment. The most widely known full disk encryption package is Microsoft Bitlocker, which is available with Vista Ultimate. For most average users, it’s probably not worth the $300 upgrade to Vista Ultimate, but for business users that may be running Vista Ultimate on their mobile workstations, you should definitely contact the IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to Bitlocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. The point is that when you lose your portable computer when the disk is encrypted, all that is really lost is the hardware (assuming you have backups) which is by far less valuable than your data and personal information.
  3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords - i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often.
  4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or a social networking like facebook or MySpace you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email to address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality is crucial then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure email environment. For everyday it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
  5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand tend to favor Firefox or Webkit (Safari and Chrome) browsers. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a account. With your public email from #4.
  6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply turns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Trust me, this will save your bacon.
  7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t play games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Actually, ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hotty you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note - blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.


Security Bloggers meeting at 2008 (#hacklu) [Security4all] [Belgian Security Blognetwork]

Posted: 12 Oct 2008 07:10 PM CDT

Well, all good things come threefold. After a recent security bloggers meeting in Belgium and an upcoming one in London, I'm trying to organize one at So all security bloggers and securitytwits are welcome to join me Wednesday 22.10.2008 at 18u in the bar of Parc Hotel (the location of the conference) and we'll see where we go from there.

If you are coming, drop me a note (email or tweet) so I'll more or less have a view on the number of people that will come and I can provide you further updates directly.

Apocalyptic Vulnerability Percentages - FUD 101 [Kees Leune]

Posted: 12 Oct 2008 07:06 PM CDT

While reading RSnake's latest post, I cannot escape the feeling that he's in a very gloomy mood today. His advice:

"The truth is, if you have something interactive connected to the Internet, it's probably exploitable in some way, and really, it's not that terrible of a thought considering it's pretty much always been that way."

As gloomy as that may sound, it is something that I run into regularly.

Too many people assume that the next new (web) app that is getting deployed 1) is absolutely essential for the continuity of the company and 2) must run on an internet-facing web server.

Air-gapping  a system is probably not that feasible in this day and age (although I still see self-contained networks with only a dial-out modem that gets unplugged when not in use), but using common sense when deciding on the visibility of a system can never hurt!

Security Bloggers Meeting at RSA Europe 2008 [Security4all] [Belgian Security Blognetwork]

Posted: 12 Oct 2008 06:33 PM CDT

Kevin Riggins from Infosecramblings proposed a Security Bloggers/Twits meeting during the RSA Europe 2008 conference on Tuesday the 28th of October at 8 PM.

The location hasn't been set yet. If you are interested in joining us, drop a message with Kevin (email/twitter) or alternatively with me. If you know a good location to meet, ditto.

Updates on the meeting as well as coverage of the event will follow soon.

Belgian Security Bloggers Meeting 1st Edition [Security4all] [Belgian Security Blognetwork]

Posted: 12 Oct 2008 06:18 PM CDT

Last Saturday, the Belgian Security Bloggers organized a small get together. It was really fun and interesting to meet some of the other bloggers in real life.

No presentations, no workshops, just something nice to eat with a good Leffe and some interesting conversations. It was a more relaxed atmosphere than a security conference.

Although not all of the Belgian bloggers were present, the first edition was a success. Something tells me that there will be another edition in the future.

Bank of America SafePass Authorization [Last In - First Out]

Posted: 12 Oct 2008 05:28 PM CDT

Unlike American Express, Bank of America seems to have pretty decent account claiming, user id and password requirements. Additionally, BofA allows account holders to set up SMS alerts on various types of account activity.

The login process can be tied to SafePass® SMS based authentication. To complete the login process, BofA sends a six digit code to your cell phone. The code and your normal password are both required for access to your on line account.

Additionally, BofA automatically uses the SMS based SafePass® for changes to the account, including alerts, e-mail address changes, account claiming etc. You also can set up your account to send SMS alerts on significant account activity and any/all changes to account profiles, including on line charges, charges greater than a specific amount and international charges.

The user id and password are also allowed to be significantly more complex than at American Express, allowing more than 8 characters and permitting various non-alphanumeric characters.

Your Online ID:

  • Must be 6 to 32 characters.
  • Can also contain these characters: @ # % * ( ) + = { } / ? ~ ; , . – _
  • Can contain all letters, otherwise must be a combination of 2 character types (Alpha, numeric & special)
  • Cannot contain spaces.
  • Cannot be the same or contain your Social Security number or Check Card number.

Your Passcode:

  • Must be between 8 - 20 characters
  • Must include at least 1 number and 1 letter
  • Can include uppercase and lowercase letters
  • Can contain the following characters: @ # % * ( ) + = { } /\ ? ~ ; : " ' , . - _ |
  • Cannot contain any spaces
  • Cannot contain the following characters: $ < > & ^ ! [ ]
  • Cannot be the same as your Online ID
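An added example (written for this page, not Bank of America's code) that turns the two rule sets above into checks returning the list of violated rules; the en dash shown in the Online ID character list is read as a plain hyphen, which is an assumption, and the sample IDs and passcodes in the tests are constructed.

```python
import re

# Special characters permitted in each field, as listed in the post. The
# Online ID list shows an en dash; it is read here as a plain hyphen (assumption).
ID_SPECIALS = set("@#%*()+={}/?~;,.-_")
PASSCODE_SPECIALS = set("@#%*()+={}/\\?~;:\"',.-_|")
PASSCODE_FORBIDDEN = set("$<>&^![]")


def _char_types(text):
    """Return the set of character classes present: alpha, numeric, special."""
    types = set()
    for ch in text:
        if ch.isalpha():
            types.add("alpha")
        elif ch.isdigit():
            types.add("numeric")
        else:
            types.add("special")
    return types


def validate_online_id(online_id, ssn=None, check_card=None):
    """Return the Online ID rules that `online_id` violates (empty list if OK).
    `ssn` and `check_card` may contain separators; only their digits are compared."""
    errors = []
    if not 6 <= len(online_id) <= 32:
        errors.append("must be 6 to 32 characters")
    if " " in online_id:
        errors.append("cannot contain spaces")
    body = online_id.replace(" ", "")
    disallowed = {c for c in body if not (c.isalnum() or c in ID_SPECIALS)}
    if disallowed:
        errors.append("contains disallowed characters: " + "".join(sorted(disallowed)))
    types = _char_types(body)
    # All letters is fine on its own; anything else needs at least two classes.
    if types != {"alpha"} and len(types) < 2:
        errors.append("must be all letters or combine at least 2 character types")
    for label, number in (("Social Security number", ssn), ("Check Card number", check_card)):
        digits = re.sub(r"\D", "", number or "")
        if digits and digits in online_id:
            errors.append("cannot be the same as or contain your " + label)
    return errors


def validate_passcode(passcode, online_id):
    """Return the Passcode rules that `passcode` violates (empty list if OK)."""
    errors = []
    if not 8 <= len(passcode) <= 20:
        errors.append("must be between 8 and 20 characters")
    if not (any(c.isdigit() for c in passcode) and any(c.isalpha() for c in passcode)):
        errors.append("must include at least 1 number and 1 letter")
    if " " in passcode:
        errors.append("cannot contain spaces")
    forbidden = {c for c in passcode if c in PASSCODE_FORBIDDEN}
    if forbidden:
        errors.append("contains forbidden characters: " + "".join(sorted(forbidden)))
    # Characters the post neither allows nor explicitly forbids are reported separately.
    unknown = {c for c in passcode
               if not (c.isalnum() or c == " " or c in PASSCODE_SPECIALS
                       or c in PASSCODE_FORBIDDEN)}
    if unknown:
        errors.append("contains characters outside the allowed set: " + "".join(sorted(unknown)))
    if passcode == online_id:
        errors.append("cannot be the same as your Online ID")
    return errors
```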

These features, plus the availability of merchant-specific temporary credit card numbers (ShopSafe®), make the banking experience appear much closer to what one would think is needed for 21st century banking.

7 Information Security Lessons You Can Learn By Watching The Movie JAWS [Writing Secure Software]

Posted: 12 Oct 2008 02:59 PM CDT

If you are a security practitioner involved in risk analysis and incident response processes, I strongly recommend watching the movie Jaws, since this movie has all the elements to understand how human behaviour and business factors play into information security risk management and incident response decision making. One thing you realize is that risk awareness never comes first. We are humans, and as humans we respond to risk in stages: (1) denial, (2) awareness, (3) responsibility, (4) action. Risk denial probably comes from the fact that until we (as people or as a business) are impacted directly, or until we have witnessed that we could be impacted, we most likely minimize risks. Awareness is probably driven by the fact that we have directly experienced a loss before, which raised our level of attention to new and incoming risks. Responsibility comes from feelings (fear) or from duty (role). As humans we feel responsible for reacting to protect our assets, such as people, business or family. The action is triggered by the need to react to the risk to prevent further sure loss and damage. If you watch the movie from the perspective of a risk manager you can see all these elements; in particular, the major information security lessons that I think can be learned from the movie are:
Lesson #1: The first approach toward risk is to either ignore it or minimize it. For example, the movie Jaws is about the risk of being killed by a shark attack. So there is a shark out there in the ocean and it has already claimed a victim (a girl student during a skinny-dipping swim after a college party). This is the opening scene of the movie. The police find the remains of the girl's body. The remains are a clear indication of a shark attack. The policeman knows for sure it is a shark attack, but while filing the report on the incident he is advised by the mayor of the city not to report the shark as the cause of the incident but rather something else. This is required so as not to scare off coming tourists from the town beaches. How does this lesson apply to IS risk? A company had a security incident and corporate customer data was compromised as a result. The attack indicates that a fraudster got customer data by breaking into the database through a web application. The business decides to file a defect report that the web site application has some functional defects that need to be fixed. The customers are notified that customer data was compromised but that this was a functional problem that is now under control.
Lesson #2: When security vulnerabilities are found and fixed you also gain a false sense of security. The shark attacks again and makes another victim: a young kid swimming. The incident cannot be ignored since it happens in broad daylight with a lot of witnesses. The mother of the kid is devastated and demands an investigation. In the meantime a shark is caught by fishermen. The shark is shown to the public as proof that the beaches are no longer at risk of shark attacks. How does this apply to IS risk? The company did not fix the web application vulnerability that is the cause of the exploit, so there was another attack. Since now the information about the vulnerability is public, the company needs to do something. The company releases information to the public that the publicly disclosed vulnerability has been fixed and customers can come to the site securely, business as usual.
Lesson #3: When internal security solutions do not mitigate the risks, you most likely ask for help from outside, such as by hiring a security expert or consulting company. This might point to solutions that you are hesitant to implement since they can be very costly. The policeman of the city where the shark attack takes place asks a researcher of the US Oceanic Institute for help. The researcher comes to town and starts the investigation into the shark attack. He soon realizes that this is a case of a white-giant tiger shark attack. The shark that was believed to be the one killing the two swimmers and shown to the public is identified as not being the one that made the killings. This is based upon the fact that the teeth marks of the caught shark's jaw differ from the ones in the victims' bodies. The researcher explains the results of his analysis to the policeman and recommends an action for fishing the killer tiger shark. After meeting with the policeman and the mayor it is still decided not to. How does this apply to IS risk? The company declares that it knows what the security holes are; a security consulting company is asked to identify the web application vulnerabilities and run some security tests. Security researchers look at the web application scan reports and the results of the security tests and conclude that even if some of the identified vulnerabilities can be exploited for the attacks, other potential security flaws can be exploitable too. Fixing these security flaws might actually require re-engineering the application. The business is still undecided whether to pursue these recommendations since they require very expensive changes.
Lesson #4: When the security problem gets bigger and is noticed by senior management, it cannot be ignored and it is decided to act. The shark attacks again, and this time even more deadly; the people are now scared and demand prompt action from the mayor of the city and the policeman to kill the shark. After the mayor of the city and the policeman hear complaints at a public hearing, they decide to finance a mission to kill the shark. How does this apply to IS risk? Fraudsters break into the site again and this time the losses get noticed by senior management. The company now decides to put in resources and spend money to identify the root cause of these attacks and asks engineering to provide proven risk mitigation solutions.
Lesson #5: The first approach to dealing with information security attacks from the defensive perspective is to detect the intrusions and pinpoint the threat sources. The policeman, the shark hunter and the researcher use different techniques to locate the shark, such as hooking it with floating devices. For a moment the shark is located and traced and is within reach of being killed. How does this apply to IS risk? The company installs intrusion detection systems and intrusion prevention systems. Once an alert from the IDS is triggered, it is decided to block the IP address of the source.
Lesson #6: If you deal only with the symptoms instead of the root causes, the risk is not mitigated. The shark outsmarts the fisherman, the oceanographer and the policeman by breaking the hooks where the floating devices were attached and attacking the boat unnoticed. The shark attacks the boat directly, causing it to sink. How does this apply to IS risk? The fraudster bypasses the IDS with signature evasion techniques and continues the attack undetected; a device that pinpoints the IP address in order to block it does not stop the attack, since the attacker uses fast-flux botnet techniques where the source IP is dynamically changed in real time.
Lesson #7: By tackling the attack root causes, the risk is finally mitigated. During the wrestling with the shark, the policeman is able to throw a gas tank into the shark's jaw and, by shooting it with a rifle, finally causes the tank to explode and kills the shark. How does this apply to IS risk? Finally it is decided to go after the root causes of the attack, identified with an attack tree analysis where all probable attack patterns are simulated. By threat modeling the application, the attack surface of the application is identified as well as the entry points. Access to the entry point most likely used by the fraudster is blocked and the possible transactions that can be performed through this entry point are disabled. Web application logging and tracing are enabled to detect, trace and correlate possible threat events. These web application changes finally prevent the attack from occurring. The logs collected during the attacks are provided to law enforcement. These logs provide enough information to catch the fraudster.

IDApython - Sort imported functions by xrefs count [Francois Ropert weblog]

Posted: 12 Oct 2008 10:24 AM CDT

A good understanding of a binary starts with reconnaissance. The goal of this article is to help the binary reverser during his first analysis. I haven’t found an IDA function or script which can tell “the most used imported function is blabla”. That’s why I wrote an IDAPython snippet that browses the IAT through the .idata section and sorts imported functions by cross-reference count.

Let’s take an example by running the script over omg.exe. We get a grasp (after auto-analysis) of which imported functions the binary calls the most and the least:

printf => 15
Sleep => 8
IsDebuggerPresent => 5

_encode_pointer => 4
_decode_pointer => 3
SetUnhandledExceptionFilter => 2
scanf => 2
__p__fmode => 1
QueryPerformanceCounter => 1
GetTickCount => 1
_getch => 1
_cexit => 1
GetCurrentProcess => 1
GetCurrentProcessId => 1
_onexit => 1
UnhandledExceptionFilter => 1
sprintf => 1
exit => 1
__setusermatherr => 1
__p__commode => 1
InterlockedExchange => 1
GetSystemTimeAsFileTime => 1
__getmainargs => 1
GetCurrentThreadId => 1
TerminateProcess => 1
InterlockedCompareExchange => 1
_configthreadlocale => 1
_exit => 1
__set_app_type => 1
Job done.

The analysis informs the reverser that printf, Sleep and IsDebuggerPresent are the most used imported functions.

Lots of printf() and Sleep() for user interaction. IsDebuggerPresent speaks for itself :-)

Here’s the IDApython script:

# Sort imported functions by cross references count
# Francois Ropert
from idautils import *
from idc import *
from operator import *

def find_xrefs(name, address):
    # Count the code cross-references that point at this import's IAT slot.
    count = 0
    for ref in CodeRefsTo(address, 1):
        count += 1
    return count

def find_imports(start_address, end_address):
    imports_list = {}
    import_ea = start_address

    while import_ea < end_address:
        import_name = Name(import_ea)

        # Unnamed slots (padding, terminators) come back as an empty name.
        if len(import_name) > 1:
            occurence = find_xrefs(import_name, import_ea)
            if occurence >= 1:
                imports_list[import_name] = occurence

        # Each IAT entry is a 4-byte pointer in a 32-bit PE.
        import_ea += 4

    return imports_list

seg_start = SegByName(".idata")
seg_end = SegEnd(seg_start)
imported = find_imports(seg_start, seg_end)
imported = sorted(imported.items(), key=itemgetter(1), reverse=True)

for name, occurence in imported:
    print "%s => %d" % (name, occurence)
print "Job done."

Copy-paste it, save it under "%IDADIR%\python", then execute it with ALT-9. Enjoy!
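The same idea can be checked outside IDA. The following script is an added example, not part of Francois Ropert's post: it scans a blob of 32-bit code for `call dword ptr [abs]` (FF 15) and `jmp dword ptr [abs]` (FF 25) instructions whose operand falls on an IAT slot, tallies them per import and ranks them the way the IDAPython script does. The IAT layout and the code bytes are constructed for the example; in a real PE you would take the slot addresses and names from the import directory. It is a byte scan rather than a disassembly, so it can miscount an FF 15 that sits inside an immediate or in data, and it does not handle 64-bit RIP-relative operands, which need the instruction's own address.

```python
import struct
from collections import Counter

# Constructed 32-bit IAT: slot virtual address -> imported function name.
# In a real PE these come from the import directory (IDA's .idata names).
IAT = {
    0x00402000: "printf",
    0x00402004: "Sleep",
    0x00402008: "IsDebuggerPresent",
}

def _call_slot(va):
    # FF 15 disp32: call dword ptr [va]
    return b"\xff\x15" + struct.pack("<I", va)

def _jmp_slot(va):
    # FF 25 disp32: jmp dword ptr [va] (import thunk)
    return b"\xff\x25" + struct.pack("<I", va)

# Constructed code bytes standing in for a .text section.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                   # push ebp; mov ebp, esp
    + _call_slot(0x00402008)          # call [IsDebuggerPresent]
    + b"\x85\xc0"                     # test eax, eax
    + _call_slot(0x00402000) * 4      # four printf calls
    + _call_slot(0x00402004) * 2      # two Sleep calls
    + _call_slot(0x00403000)          # indirect call through a non-IAT address: ignored
    + b"\x5d\xc3"                     # pop ebp; ret
    + _jmp_slot(0x00402004)           # jmp [Sleep] thunk, counted like a call
)

def count_iat_refs(code: bytes, iat: dict) -> Counter:
    """Count FF 15 / FF 25 instructions whose absolute operand is an IAT slot.

    Byte scan, not disassembly: an FF 15 inside an immediate or in data
    would be miscounted, and 64-bit code uses RIP-relative operands that
    need the instruction's own address to resolve.
    """
    counts = Counter()
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            target = struct.unpack_from("<I", code, i + 2)[0]
            name = iat.get(target)
            if name is not None:
                counts[name] += 1
                i += 6          # skip the operand bytes we just consumed
                continue
        i += 1
    return counts

def rank_imports(counts: Counter):
    """Most-referenced import first; ties broken by name for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, n in rank_imports(count_iat_refs(SAMPLE_CODE, IAT)):
        print("%s => %d" % (name, n))
    print("Job done.")
```

Run as-is it prints printf => 4, Sleep => 3, IsDebuggerPresent => 1 in the same "name => count" format as the IDA script; swap SAMPLE_CODE and IAT for a real .text section and import table to triage a sample without opening IDA.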

New Features in User Provisioning Products [The IT Security Guy]

Posted: 12 Oct 2008 12:19 AM CDT

My article on TechTarget's SearchSecurity web site about new features in user provisioning products came out this week.

User provisioning is a pretty basic technology but expect advances in the future with the growth of technologies like virtualization and Software as a Service (SaaS). Both of these present challenges to traditional identity and access management systems overall but to user provisioning, in particular.

WPA Enterprise made easy with the Napera N24 [Napera Networks]

Posted: 11 Oct 2008 07:19 PM CDT

Wi-Fi security has been a challenge since the technology first came on the market. In 2001 the WEP protocol was shown to be fatally flawed, and was replaced by WPA in 2003. In 2004 the 802.11i standard for WPA2 became available and WEP was officially laid to rest.

With revelations this week of a Russian firm selling a GPU accelerated key cracker for WPA Pre-shared key mode (WPA-PSK, also known as personal mode) Wi-Fi security is in the headlines again. Brute force cracking is not new, but the speed of this attack, checking candidate passphrases at a rate far beyond what a CPU can manage, combined with the typical simplicity of shared WPA-PSK passwords supports the argument that WPA-PSK is now insufficient to protect commercial wireless networks.
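To see why the cracker's speed matters, here is the computation it repeats for every candidate. This is an added example, not code from Napera: WPA/WPA2-PSK derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so each guess costs 4096 HMAC rounds and a GPU simply runs thousands of guesses in parallel. For the demonstration the target PMK is taken from the published IEEE 802.11i Annex H PBKDF2 test vector (passphrase "password", SSID "IEEE"), and the wordlist is constructed; a real attack would instead verify each candidate against the MIC of a captured four-way handshake, at the same per-candidate cost.

```python
import hashlib
import time

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) as in WPA/WPA2-PSK.
    The SSID acts as the salt, so a precomputed table only covers one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Return the first candidate whose PMK equals target_pmk, or None.
    Against a real capture the comparison would be against the handshake MIC
    rather than a known PMK; the PBKDF2 work per guess is identical."""
    for candidate in wordlist:
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None

def rate_per_second(ssid: str, samples: int = 50) -> float:
    """Rough single-core CPU guess rate, for comparison with GPU figures."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk("candidate%d" % i, ssid)
    return samples / (time.perf_counter() - start)

# Constructed inputs: IEEE 802.11i Annex H.4 PBKDF2 test vector and a small wordlist.
TEST_SSID = "IEEE"
TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
WORDLIST = ["letmein", "welcome1", "password", "Tr0ub4dor&3"]

if __name__ == "__main__":
    hit = dictionary_attack(bytes.fromhex(TEST_PMK_HEX), TEST_SSID, WORDLIST)
    print("recovered passphrase:", hit)
    print("single-core CPU rate: %.0f candidates/s" % rate_per_second(TEST_SSID))
```

The CPU rate printed at the end is what the attacker has to beat; because the SSID salts the derivation, choosing an unusual SSID defeats precomputed tables but does nothing against an online dictionary run, and only a long random passphrase or a move to WPA Enterprise takes the offline attack off the table.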

Results of the Napera Network Test showed nearly half the respondents still relying on weak WEP or WPA-PSK security. Poor wireless security was one of the root causes of the TJX hack which remains the largest security breach in the United States, and wireless flaws are an easy way for hackers to gain access to a target network. An IT manager using WPA-PSK to protect a wireless network would have to be lucky to detect such an intrusion.

With our recent 1.2 release for the Napera N24, we’ve enabled IT managers to easily deploy the most robust Wi-Fi security by using WPA Enterprise authentication with their existing Active Directory installation. The advantages of using WPA Enterprise with the Napera N24 are as follows.

(i) Wireless users provide their Active Directory username and password to log on to the network. No shared passwords are used, and when a user is removed from Active Directory, their wireless network access is automatically revoked.

(ii) Wireless network logins can be tracked to each user, which removes the need for shared passwords common to WPA-PSK.

(iii) Guest usernames can be created on the Napera N24 and are automatically granted wireless access to the Internet while protecting the rest of your network.

(iv) WPA Enterprise provides far more robust security than WPA-PSK. Because each user authenticates over 802.1X with individual credentials instead of a shared passphrase, there is no pre-shared key for the brute force cracking tools released this week to recover.

(v) The Napera N24 uses NAP to check the health of each device when it connects, ensuring vulnerable laptops are current with operating system, antivirus and antispyware updates before connecting to the corporate network.

Using the Napera N24 to deploy WPA Enterprise doesn't require knowledge of RADIUS, EAP, 802.1X or self-signed certificates. Previously WPA Enterprise deployments included all of these components plus the need to deploy certificates to end user PCs. The Napera N24 was designed with a RADIUS server and a valid certificate built in, so the pain involved with deploying new servers and home-grown certificates can be bypassed entirely.

Once your Napera N24 is installed with a static IP and joined to your Active Directory domain, configuring WPA Enterprise is as simple as the following four steps.

1. Plug your wireless access point into a switched Ethernet port on the Napera N24. We've successfully deployed Cisco, HP, D-Link, Linksys and Netgear WAPs with the Napera N24. Any WAP that was Wi-Fi certified after March 2006 will support WPA Enterprise.

2. Log in to the Napera N24 and select the Configuration panel. Under the Authentication tab, enable the Wi-Fi RADIUS authentication option and enter a shared secret, which can be a password of your choice.

3. Log into your wireless access point’s administration page and enable WPA Enterprise. Enter the static IP address of the Napera N24, and the shared secret you defined in step 2. Any additional options such as timeouts and port selections can usually be left as the defaults.

4. You are ready to connect! Most operating systems support WPA Enterprise automatically, including Windows XP SP2 or later, all flavors of Vista, and Mac OS X 10.3 or later. The iPhone and BlackBerry also support WPA Enterprise with recent firmware. On each client, make sure the supplicant is set to validate the RADIUS server's certificate; without that check a client will offer its credentials to any access point that announces the same SSID.

Anyone connecting to the wireless network will now be prompted for a username and password. Employees with Active Directory credentials will be granted full access to the network. Guest users created on the Napera N24 will automatically be recognized. The dashboard displays a summary of recent authentications, and provides a full audit trail of users and devices.

Now that WPA-PSK has finally been put out to pasture, WPA Enterprise provides the most robust security for wireless networks. The Napera N24 enables you to deploy WPA Enterprise painlessly with your existing access points, enjoying the best possible security and unmatched visibility across your wireless network.


belsec in top 10 most popular skynetblogs [belsec] [Belgian Security Blognetwork]

Posted: 11 Oct 2008 06:42 PM CDT

Late 2008: ICANN Still Broken [Infosecurity.US]

Posted: 11 Oct 2008 03:41 PM CDT

Further proof that ICANN is broken comes from The Industry Standard’s Cyndy Aleo-Carreira insightful write-up of a recent ICANN wrist slap (…don’t forget the ICANN ‘At-Large Members’ that contribute to the incompetence exhibited by the organization). From the post: “In what KnujOn claims is a “victory,” ICANN sent two breach notices to domain registrars and [...]

GNUCITIZEN - Advanced Clickjacking Explained [Infosecurity.US]

Posted: 11 Oct 2008 03:40 PM CDT

As usual, GNUCITIZEN, a Security Bloggers Network member, posts a superb analysis of advanced clickjacking. The GNUCITIZEN blog is today's Infosecurity.US MustRead!

Security week reading [Francois Ropert weblog]

Posted: 11 Oct 2008 03:55 AM CDT

This past week I felt the need to learn other stuff than networking related topics. As you may know (or not), I'm not only a TCP/IP fanatic. You can also talk to me about everything tricky and hacky: reverse engineering, operating systems internals or all sorts of stuff including MicroVAX exploit development and shellcodes :-)

If I had to make a mix of my week's reading, here it is:

Those books come from No Starch Press. Not very surprisingly for humans like you, like me :)

For the web exploration, Google Chrome helps me building this “classic” list:

- My FON wireless access has been disabled for three weeks because of no signal. Since yesterday, beacons are being sent over the air again.
- In discussions with peers over the past weeks, I have tried to understand SDR (Software Defined Radio) but I lack the fundamentals.

Holiday Weekend Off… [Infosecurity.US]

Posted: 10 Oct 2008 07:18 PM CDT

Time to enjoy a holiday weekend with the family. Celebrate Columbus Day and Canadian Thanksgiving Day…WooHoo! Posting will resume on Tuesday morning. Enjoy your weekend!

World Bank Denies Fox News Reports of Multiple Breaches [Infosecurity.US]

Posted: 10 Oct 2008 07:17 PM CDT

UPDATE: InformationWeek's Thomas Claburn reports the World Bank's apparent denial of all allegations and reports of penetrations of their secured infrastructure. Download further supporting documents from the Infosecurity.US Public Documents Repository via the links after the jump. From the post: "The World Bank's computer network has been repeatedly raided by hackers for over a year, according to [...]

Happy Columbus Day 2008 [Infosecurity.US]

Posted: 10 Oct 2008 07:14 PM CDT

Happy Columbus Day. Hopefully you have a long weekend planned. Be safe and enjoy!

Maui Vacation 2008 [Jeremiah Grossman]

Posted: 10 Oct 2008 07:02 PM CDT

Some people are busy and then some people have my schedule. Typically my time is spent in thirds -- a third public facing (conferences, presentations, writing, media, etc.), a third speaking with customers, and the remaining third performing R&D. Oh, and a whole lot of time is spent in the air, check out the wall of fame. ;) Fortunately now that the whole clickjacking craziness has died down a bit and the quarter is over, it's time for a much needed break. Starting this weekend I'll be heading back home to Maui for a couple of weeks of R&R. Beach, surfing, BJJ, playing with the kids, sleeping, checking out my dad's home built hydrogen powered jeep and whatever else I can fit in. From there I'll be off to Malaysia for a couple of days attending Hack in the Box Malaysia and delivering a keynote speech. Emails and blog comments are unlikely to be answered during that time. Unplug and unwind. See you all in November.

A great weekend for Napera at SMB Nation [Napera Networks]

Posted: 10 Oct 2008 04:06 PM CDT

Last weekend was the annual West Coast conference for SMB Nation. We were excited to get out there and talk to people about the Napera approach to solving security challenges in SMB and SME networks. Our ideas resonated well with SMB Nation attendees, and well known SMB security blogger and speaker Amy Babinchak thought Napera was best of show, which was very gratifying.

This was my second SMB Nation, and there was a great mix of people from around the US and around the world. One of the things I love about SMB Nation is that it’s a very friendly show. Pretty much everyone has a down to earth approach to solving IT challenges that you don’t always see at larger conferences. Attendees also appreciate the difference between a product like ours that was designed to work in smaller networks and products from large enterprise vendors that are shoehorned into the SMB and SME market.

Thanks to Harry Brelsford and Chris Bangs for a successful conference and thanks to everyone who stopped by the Napera booth. See you next year!

Bryan, Harry and Liz with Dean Wake of Gaeltek Technology Solutions who won our iPod raffle

links for 2008-10-10 [Andrew Hay]

Posted: 10 Oct 2008 04:02 PM CDT

Happy Thanksgiving To Our Canadian Friends and Relatives [Infosecurity.US]

Posted: 10 Oct 2008 03:59 PM CDT

Happy Thanksgiving to our Canadian Friends, Families and Relatives. Have a Safe, Healthy and Peaceful Thanksgiving! Links: Canadian Thanksgiving (EN); Globe and Mail Vegan Recipes for a Canadian Thanksgiving!

Security Provoked (Episode 12) [Security Provoked]

Posted: 10 Oct 2008 03:25 PM CDT

Part 2 of a conversation with Dr. Peter Tippett of Verizon Business.

….ah, well, seems someone’s reconfigured the blog so that the old approach to embedding isn’t working. While we get that figured out, you can link to the episode here.


World Bank Network Penetrated [Infosecurity.US]

Posted: 10 Oct 2008 12:12 PM CDT

Fox News’ Richard Behar reports significant exploits perpetrated against the World Bank have come to light (issues have been evident since 2007). Via an email from a senior information technology resource at the bank (View the email image after the jump or download it from the Infosecurity.US Public Documents Repository). Report excerpts follow, after the jump. [...]
