Friday, October 24, 2008

Spliced feed for Security Bloggers Network

Critical Out-of-Cycle Patch from Microsoft (MS08-067) [Sunnet Beskerming Security Advisories]

Posted: 24 Oct 2008 03:17 AM CDT

From first alert on Tuesday, to patch release on Thursday, Microsoft has rushed an out-of-cycle patch out to Windows users, acting on a privately reported problem affecting the core Windows kernel.

In some detail, the vulnerability is a problem with the way that Windows handles Remote Procedure Calls (RPC) and can result in a remote unauthenticated user (i.e. anyone on the Internet) being able to take complete control over your system.

Microsoft acknowledges that the issue is being actively targeted by malicious code, though code samples have yet to appear publicly. It has been reported that Gimmiv.A is a worm which is using this particular vulnerability to attack vulnerable systems, though Microsoft's initial guidance was that it was only being used in targeted attacks.

Already different groups have claimed to have reverse engineered the patch and there are fears that this vulnerability could lead to something like the Blaster worm from 2003, where a patch was available but attacks took down a significant number of systems anyway.

In some of the open analysis that has taken place, there is enough information to point to the NetPathCanonicalize call as the weakness currently being exploited. The available information also shows a fairly straightforward buffer overflow.

Users who have enabled the built-in Windows firewall (on by default since XP SP2) will be protected by default against this issue, though it is still urgent to apply the patch. However, if print or file sharing is enabled the system is vulnerable again. This means that many systems that would otherwise be secure are not going to be.

Windows Vista and 2008 systems are vulnerable if the file / print sharing has been enabled for networks of type 'Public'.

According to the Security Vulnerability Research & Defense team at Microsoft, ASLR and DEP should provide some added protection to Windows Vista and Windows 2008, though it is still considered possible that arbitrary code execution could take place. The UAC feature of Vista and 2008 will also limit anonymous attacks, however if "Password Protected Sharing" is disabled, anonymous attacks will be successful. If TCP ports 139 and 445 are blocked at the network perimeter it will mitigate against external attacks, however internal networked systems will remain vulnerable and some services might no longer work as expected, including:

  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (File and Print Sharing)
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal Server Licensing
  • Print Spooler
  • Computer Browser
  • Remote Procedure Call Locator
  • Fax Service
  • Indexing Service
  • Performance Logs and Alerts
  • Systems Management Server
  • License Logging Service
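The advisory's perimeter advice (block TCP 139 and 445) only covers attacks from outside; SMB flows between internal hosts are untouched. As an added example that is not part of the advisory, this Python script walks a small set of constructed flow records (hypothetical "src,dst,dport,proto" format) and shows, per destination host, how many SMB connections a perimeter block would actually stop and which hosts stay reachable over SMB from inside. The RFC 1918 ranges used to define "internal" are an assumption.

```python
import ipaddress
from collections import defaultdict

# Ports the advisory says to block at the perimeter (TCP only).
SMB_TCP_PORTS = {139, 445}

# Assumption: RFC 1918 ranges stand in for "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a hypothetical "src,dst,dport,proto" format:
# two external sources, two internal workstations, one non-SMB flow, one UDP flow.
SAMPLE_FLOWS = """\
198.51.100.7,10.0.1.20,445,tcp
198.51.100.7,10.0.1.21,139,tcp
10.0.2.15,10.0.1.20,445,tcp
10.0.2.15,10.0.1.22,445,tcp
10.0.2.16,10.0.1.20,80,tcp
203.0.113.9,10.0.1.20,445,udp
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Turn the CSV-style records into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def smb_exposure(flows):
    """Count TCP 139/445 flows per destination, split by where they came from."""
    counts = defaultdict(lambda: {"external": 0, "internal": 0})
    for src, dst, dport, proto in flows:
        # Only TCP to the SMB/NetBIOS ports matters for this vulnerability.
        if proto != "tcp" or dport not in SMB_TCP_PORTS:
            continue
        origin = "internal" if is_internal(src) else "external"
        counts[dst][origin] += 1
    return dict(counts)


def still_reachable_after_perimeter_block(exposure):
    """Hosts for which a perimeter block on 139/445 changes nothing."""
    return sorted(h for h, c in exposure.items() if c["internal"] > 0)


if __name__ == "__main__":
    exposure = smb_exposure(parse_flows(SAMPLE_FLOWS))
    for host, c in sorted(exposure.items()):
        print(f"{host}: {c['external']} external, {c['internal']} internal SMB flows")
    print("still reachable over SMB from inside:",
          still_reachable_after_perimeter_block(exposure))
```

Hosts listed by the last function need the patch or host firewall regardless of what the perimeter does.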

Despite Microsoft providing non-patch mitigation options, the criticality of this particular vulnerability, and the fact that it is being targeted in the wild means that users and administrators should apply the patch as soon as possible.

For Windows 2000, XP, and 2003, the vulnerability has been rated as Critical, with Windows Vista and 2008 attracting Important ratings. Microsoft have even acknowledged that the pre-beta versions of Windows 7 are also affected by this particular vulnerability. The ISC has set its threat indicator to Yellow, as has Symantec.

You can get MS08-067 direct from Microsoft, here.

Analysis of a VoIP Attack [SIPVicious]

Posted: 24 Oct 2008 02:11 AM CDT

Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate. I suggest that you read this one. Looks like attacks are becoming more and more widespread / mainstream.

Grecs’s Infosec Ramblings for 2008-10-23 []

Posted: 23 Oct 2008 11:59 PM CDT

  • MICROSOFT EMERGENCY WORM PATCH: Probably seen this but thought I would get it out there given amount of coverage. #

Cisco's reseller contract is not the only one unconscionable [StillSecure, After All These Years]

Posted: 23 Oct 2008 11:15 PM CDT

I first came across this story on Michael Farnum's blog. Michael is talking about a story in CRN detailing a court's ruling that parts of Cisco's reseller agreement are unconscionable and should be struck down. I must say I am not surprised. But surprisingly I am not bashing Cisco on this. I don't think they are any different than many other vendor contracts. That includes EULA contracts as well. The fact is most of the contracts are written by lawyers for companies and they try to carve out as one-sided and advantageous a relationship as possible for their clients. There is no sense of fair play or win-win. It is usually just a lawyer trying to show how much he can get for his client. Sooner or later a court looks at this and the greedy drafting lawyer is rewarded by having his client's agreement thrown out.

Take a look at some of the agreements you are clicking or signing. I am sure you will be amazed at some of the warranties that come with your software and hardware.  This is really something that if people spent more time with it would force some of these greedy lawyers to think twice and make fairer contracts.

Microsoft Releases Out-Of-Band Security Bulletin [Infosecurity.US]

Posted: 23 Oct 2008 07:13 PM CDT

Microsoft Corporation (NasdaqGS: MSFT) has released an out-of-band security bulletin detailing significant vulnerabilities with the software giant’s operating systems ranging from Windows 2000 to Windows Server 2008 (and apparently, everything in-between). The full bulletin appears after the break. UPDATE: Microsoft has released additional webcasts focused on the issues related to this critical, out-of-band update, further information [...]

Why Microsoft's SDL Missed MS08-067 in their own words [CGISecurity - Website and Application Security News]

Posted: 23 Oct 2008 06:20 PM CDT

"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some...

Credit Crunch causing CyberCrime Shift [IT Security Expert]

Posted: 23 Oct 2008 05:29 PM CDT

The "Credit Crunch" is not only fuelling more cyber crime and online fraud, but the latest malware, phishing and fraud trends show the credit crunch is having an effect within the sinister cyber criminal underworld. It seems the bad guys are having trouble opening new fake accounts, obtaining credit cards with stolen identities, and are even having trouble getting store credit using fake identities.

Why? Well it is because the financial industry have been cracking down and fully vetting credit applications (about time). You really have to ask why it has taken the near collapse of the world's financial system to kick financial institutions into properly checking just who they are actually going to provide credit to, after all that's what caused all this credit crunch mess in the first place, right?

So this is good news on the identity theft front, but as always in cyber fraud the bad guys just move onto the next lowest hanging fruit, and so are increasingly going after active bank accounts and active credit cards. Which in itself is kind of interesting due to the consumer credit crunch factor, as I guess everyone will generally be a lot more careful with their money, and therefore will be checking through their bank and credit card statements more often. A lot of fraud simply goes undetected due to a particular technique employed by the bad guys, where they embezzle small amounts of cash on a monthly basis directly from people's accounts. This goes unnoticed by the victims, simply because the victim isn't scrutinising their statements. According to "ID Theft Protect (Aug07)", 90% of people never check all their transactions on their bank or credit card statements, which underlines why these types of fraud are so successful and can really add up over a long time period.

I mean there are even some legal companies which dupe people into adding small monthly standing orders on their accounts and credit cards, usually within the small print, or even by illegal means! I had a very popular UK motoring recovery organisation charge a renewal against my credit card without any prior notification recently, even though the account they charged for was my wife's! I actually had a completely separate account set up with them; they linked the payment details from my account to the other.

So be extra vigilant with those statements, you never know what you might find and save!

Sour Travels with SugarTrip [Security Provoked]

Posted: 23 Oct 2008 04:18 PM CDT

As Web browsers are becoming more like operating systems, and phones are becoming more like computers, there are a host of new web applications that are supposed to enhance our lives, making them more fun and functional. However, there are also a host of security and privacy concerns that come along with these applications. For instance, SugarTrip is an application available through Google's Android platform used with the iPhone. SugarTrip utilizes the GPS units that are integrated into most Android phones to measure street traffic. As users drive their cars, SugarTrip measures how quickly they are traveling and reports their speeds back to a central server. The application will also allow users to view routes taken by other drivers to plan the fastest route. It can also pinpoint cars on a map so when a person parks, it is easy to find the car later.

SugarTrip is being marketed as a green application as it should help drivers plan better driving routes and prevent cars from sitting in traffic. However, it seems to me one should be aware of SugarTrip's privacy concerns before everyone goes out to download the free app.

I mention this because of my recent trip to Connecticut. I found myself stuck at the E-ZPass toll with an increasingly long line of angry New Yorkers just as anxious as me to flee the city for the weekend. Being that the E-ZPass lane is supposed to be faster than cash, and my E-ZPass failed to pay my toll, they expressed their feelings with angry honking and loud expletives in my direction. After being told by a cop to wait in the E-ZPass help lane, (who knew there was such a thing?) and with passing cars showing their appreciation with friendly one-fingered waves, my E-ZPass was revoked.

Revoked? I hadn't the faintest clue as to why. Once safely out of NY, I was told my E-ZPass had been revoked thanks to another driver on my account who sped through an E-ZPass toll at 35 mph instead of the requested 10 mph.

And with that tidbit, I realized the significance of my technological conveniences working against me. My E-ZPass was tracking my every trip, measuring the time it takes me to go from one toll booth to the next, recording how many times I travel to Connecticut or Manhattan or who knows where else.

With the SugarTrip application sending our traveling speeds and locations back to some unknown central server, I would suggest you take a lesson from my E-ZPass experience and ask yourself whether the convenience is worth the trouble.

The October Alert is Now Online [Security Provoked]

Posted: 23 Oct 2008 03:30 PM CDT

CSI members can follow the links below or read the PDF of the October Secure Web Browsing Alert:

If you are not yet a member and would like access to these articles, visit our CSI membership page to become a member and receive discounts on conferences, access to the Alert and invitations to our members-only security calls.

Is Secure Browsing in Web 2.0 a Myth?
What should we ask of next-gen browsers, and will it be enough?

Clickjacking, A New Class of Attack, Not Fully Addressed by Next-Gen Browsers
Several attacks mitigated in new Adobe Flash Player 10

Who is Google Chrome's Competition, Really?
Do browsers or operating systems have more to fear?

Should Chrome Users Be Concerned About Privacy?
Chrome may not be an issue, but Google’s ownership of DoubleClick is

Consider Instituting Corporate Use Policies for Web 2.0 Applications and Services

New HP PCs Run Firefox in Virtual Layer

Content Security Policy Gives Developers a Security Boost

Long Ago, in a Company Far, Far Away…Browser Wars

Information gathering with Kismet - Hacker on a plane! [PaulDotCom]

Posted: 23 Oct 2008 02:45 PM CDT

I recently was able to meet up with Bob while he was on the run. He told me that he was on a long flight recently headed in to Boston several weeks back (he's gotta keep on the move!), and he decided to fire up Kismet for some passive captures while on the plane. He let it run for an hour or so, and passed the captures to me for analysis. I trimmed them down to just spit out some interesting stuff that we can use for this example.

We'll replay them with tcpdump:

 $ tcpdump -r bobs_intersting_packets 

...and we get a bunch of probe requests. We've talked about this ad nauseam before. This is why we love Karma (and Karmetasploit). Windows (and other OSes, even some gaming consoles) automatically tries to connect to wireless networks in the preferred network list. Kismet can then see those connect requests as the OS cycles through the list.

So, here's the first list from the first capture from the same MAC address:

16:32:04.483854 Probe Request (Free Public WiFi) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:06.763062 Beacon (Free Public WiFi) [1.0* 2.0* 5.5 11.0 Mbit] IBSS CH: 11
16:32:11.977047 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:13.978262 Probe Request (fcc) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:16.071853 Probe Request (Lake) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:18.130698 Probe Request (public1) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:20.099906 Probe Request (The Point) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:22.069924 Probe Request (REDZONE) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:24.085280 Probe Request (belkin54g) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:26.115367 Probe Request (hhonors) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:28.146203 Probe Request (GlobalSuiteWireless) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:30.084600 Probe Request (1811) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:32.092157 Probe Request (Wayport_Access) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:34.118208 Probe Request (guestnet) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:36.123724 Probe Request (FourSeasons) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:38.138125 Probe Request (killington) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:42.153053 Probe Request (Hotel Griffon) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:46.160227 Probe Request (RGPublic) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:50.115316 Probe Request (oakbluffs) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:52.122565 Probe Request (Cuttyhunk) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:54.175486 Probe Request (MARYA) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:56.131065 Probe Request (mattapoisett) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:58.131358 Probe Request (linksys) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:33:00.137978 Probe Request (HBS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

Now, go log in to and search for some of the more unusual SSIDs. What do you want to bet we can figure out where this particular person lives/works/plays based on where they show up on the map? Then add the more common names to the list, and you can bet that they show up in those same two neighborhoods as well. Yes, several of them show up in very close proximity, spread out over two distinct neighborhoods.

The second capture Bob provided also had more interesting SSIDs, just in case we REALLY wanted to triangulate:

16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:57.259488 Probe Request (JFKRL) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:03.281251 Probe Request (needadog) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:05.260271 Probe Request (guest_ssid) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:09.408208 Probe Request (NUwave) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:11.080215 Probe Request (SpotOn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:13.233782 Probe Request (holden) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:17.131279 Probe Request (Wayport_Access) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:19.183281 Probe Request (Seaport) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:23.146459 Probe Request (iscguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:25.096483 Probe Request (LawLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:27.095193 Probe Request (roofnet) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:29.176267 Probe Request (in4net) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:33.146455 Probe Request (Harvard University) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:37.613369 Probe Request (Back Bay Events Center) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:39.170252 Probe Request (Algonquin Club WiFi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:43.587718 Probe Request (BostonPublicLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:47.388067 Probe Request (CRS WAP) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:49.336783 Probe Request (HCBostonMember) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:53.285419 Probe Request (Warehouse) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
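The same probe-request lines tell you what your own laptop announces every time its radio is on, which is the defender's use of this data: audit the preferred network list and prune it. As an added example (not part of Larry's post), this Python parser reads the tcpdump 802.11 text format shown in the two captures above, separates probe requests from beacons, flags ad-hoc (IBSS) beacons, and splits the SSIDs into vendor-default or ubiquitous names versus distinctive ones. The sample lines are a constructed subset of the first capture plus one repeated probe, and the GENERIC_SSIDS list is an assumption.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample in the tcpdump 802.11 text format shown above: a few of the
# first capture's lines, plus one repeated probe to show de-duplication.
SAMPLE_CAPTURE = """\
16:32:04.483854 Probe Request (Free Public WiFi) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:06.763062 Beacon (Free Public WiFi) [1.0* 2.0* 5.5 11.0 Mbit] IBSS CH: 11
16:32:11.977047 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:24.085280 Probe Request (belkin54g) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:58.131358 Probe Request (linksys) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:34.118208 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
"""

# Assumed list of vendor-default or ubiquitous names; they appear in so many
# places that they say little on their own. Everything else is "distinctive".
GENERIC_SSIDS = {"linksys", "default", "belkin54g", "SMC", "Free Public WiFi"}

# timestamp, frame type, SSID in parentheses, supported rates in brackets, rest of line
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<kind>Probe Request|Beacon) "
    r"\((?P<ssid>.*)\) "
    r"\[(?P<rates>[^\]]*)\]"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return one record for a probe-request or beacon line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    # A trailing '*' on a rate marks it as a basic rate; keep the raw tokens.
    rec["rates"] = rec["rates"].replace("Mbit", "").split()
    rec["adhoc"] = "IBSS" in rec["rest"]  # beacon from an ad-hoc network
    return rec


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """What one client leaked: which SSIDs it probed for, and over what time span."""
    probes = [r for r in records if r["kind"] == "Probe Request"]
    ssids = list(OrderedDict.fromkeys(r["ssid"] for r in probes))  # first-seen order
    times = [r["ts"] for r in records]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "probe_count": len(probes),
        "unique_ssids": ssids,
        "generic": [s for s in ssids if s in GENERIC_SSIDS],
        "distinctive": [s for s in ssids if s not in GENERIC_SSIDS],
        "adhoc_beacons": sorted({r["ssid"] for r in records
                                 if r["kind"] == "Beacon" and r["adhoc"]}),
        "span_seconds": span,
    }


if __name__ == "__main__":
    summary = summarize(parse_capture(SAMPLE_CAPTURE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against your own capture and every name under "distinctive" is a candidate for removal from the preferred network list.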

From Bob's capture, and again from the same MAC address, we also are able to capture some interesting network traffic. We can use this information in conjunction with the wireless info to create an even more detailed picture about the individual:

16:36:08.526921 IP > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300
16:36:10.307924 IP > igmp v2 report
16:36:12.949124 IP > 0*- [0q] 1/0/0 (Cache flush) A (40)
16:36:37.923110 arp who-has tell
16:36:43.001662 IP > NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:36:49.532485 IP > NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:46:53.719602 IP > NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:47:21.229266 IP > NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

For some reason, Wireshark displayed some interesting domain information in the NetBIOS requests. I suspect that I exported the packets wrong, so the info isn't shown with the tcpdump output, but here they are in Wireshark:

Now, what else can we assume about the individual, and potential network/desktop policies in play?

You know what else I found frightening? While looking for images to be included in this posting, I stumbled across an interesting device from Teledyne Controls: an Aircraft Wireless LAN Unit (AWLU), which the vendor touts as providing wireless for the cockpit as well as the cabin, all in one unit. There is also the ability to utilize the unit to upload FMS navigation databases for loading into a Flight Management Computer! While it doesn't state that you can do this over the 802.11 protocol, it also doesn't say you can't. Interesting.

- Larry "haxorthematrix" Pesce

Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more [Blue Box: The VoIP Security Podcast]

Posted: 23 Oct 2008 02:42 PM CDT

Synopsis: Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #85, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 15 MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to '' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

This posting includes an audio/video/photo media file: Download Now

Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild [CGISecurity - Website and Application Security News]

Posted: 23 Oct 2008 12:57 PM CDT

The Patch: Microsoft has released the patch to windows update. Details: "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems,...

Finnigan: Oracle APEX Security Advisory [Infosecurity.US]

Posted: 23 Oct 2008 11:59 AM CDT

Noted Oracle Security Researcher Pete Finnigan has announced a significant, easily exploitable, vulnerability resident within Oracle Corporation’s (NasdaqGS: ORCL) APEX product. The announcement simultaneously appeared on FullDisclosure, and The APEX development environment is specifically engineered to develop interweb interfaces and applications that utilize Oracle databases to store data, execute stored procedures, DBMS packages and [...]

StillSecure, After all these years, Podcast 60 - Sam Van Ryder [StillSecure, After All These Years]

Posted: 23 Oct 2008 10:06 AM CDT

Mitchell and I get together in person at Scott Converse's Medioh! Studios again. In addition to Scott, we are joined by long time friend Sam Van Ryder of Alert Logic. We have a great time talking about "NAC of the living dead", the Alert Logic business model, TSA security and Brazilian steakhouses of all things! Be warned the boys get a little bit out of control and I am labeling this episode with a MA rating!

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at Music transitions between segments are by our own Mitchell Ashley! 

Enjoy the podcast!

This posting includes an audio/video/photo media file: Download Now

Recording & Stream Notice - Episode 127 - The "Chris" Interview [PaulDotCom]

Posted: 23 Oct 2008 08:45 AM CDT

The live stream should be active about 6:30 EDT, Thursday, October 23rd. We should begin recording the live show at about 7:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

We have several special guests this week:

Chris Rioux (aka Dildog) - Veracode Co-Founder and Chief Scientist, an MIT graduate, was one of the original L0pht members and responsible for projects such as BUTTsniffer and Back Orifice.

Chris Wysopal (aka Weldpond) - Veracode Co-Founder and Chief Technology Officer, Chris was the co-author of the L0phtcrack application, and other such notable projects that I'm sure many of us have used once or twice, such as netcat.

Chris Eng - Veracode Senior Director, Security Research, Chris was a Principal Consultant and then Technical Director of @stake, Inc. He led the development of WebProxy, a proprietary web application testing tool, in 2002, pre-dating other modern proxy-based web security tools.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at #pauldotcom.

When active, the live stream(s) can be found at:



Please join us, and thanks for listening!


- Larry & Paul

Malware targeting industrial control software(?) [Carnal0wnage Blog]

Posted: 23 Oct 2008 08:10 AM CDT

So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.


In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:


The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or its function.

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.


The Daily Incite - 10/23/08 - Ops as a career [Security Incite Rants]

Posted: 23 Oct 2008 06:31 AM CDT

Today's Daily Incite

October 23, 2008 - Volume 3, #85

Good Morning:
One of the most important skills for anyone is the ability to adapt. Basically you have to understand what is happening around you, figure out the trends and position yourselves for success. The days of loyalty to one company and having the "company" manage your career are over. I get a lot of questions from folks (especially young folks) about what they should focus on. As with everything else, I have some opinions on where they should specialize in order to position for a great career.

For the past 18 months I've been pretty consistent in telling folks to learn as much about applications as they can. We are undergoing a huge shift in how applications are built (with SOA-based modular apps) and the ability to protect those apps is an absolutely critical skill. And there is a real gap between the number of folks that know how to do app security and the demand.

I still think app security is a huge growth market over the next 5-7 years and we certainly can't plan for anything past that kind of time horizon. But I'm adding another discipline to my standard response, and that is OPERATIONS. That's right, the data center is becoming much more important in this age of *aaS (everything as a service) and companies both big and small are going to need experts to both build, manage, maintain and protect their data centers. 

As most of the first few waves of the Internet build-out were focused on racking and stacking servers, there wasn't a lot of opportunity to specialize. But now that Google has shown that managing huge data farms with proprietary technical goodies can provide competitive advantage, a lot of other companies will be looking to innovate in not just what they offer, but also how they offer it.

So take that for what it's worth, a longer term trend idea. Part of what I like to do is read between the lines and figure out the longer term impact on what we do and how we do it. It seems to me that most companies will be offering something to their customers as a technology enabled service and that means good operations people and folks that understand how to protect information in this kind of distributed computing-based world will be in high demand.

Have a great day. 

Photo: "Data Center" originally uploaded by Stan

The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

Incite 4U


  1. According to the Big G (that's Gartner for those of you not familiar with my lingo), there is little change in the top 10 "strategic technologies" for the next year. This is more of an analysis of the most common buzzwords over the next year, and as Bill Gates said many years ago, we overestimate the [buzzword] change over the short term, but underestimate the [buzzword] change over the long term. And this just proves it.
  2. Can DLP work? That's the question that Patrick Foley asks on his BlogInfoSec blog and it's a legitimate one. I think it depends on your definition of success. I know of plenty of companies that do some level of egress filtering of content to REDUCE leaks. I think totally preventing leaks (and managing expectations that is what you can do) is not reasonable. But reducing the low hanging fruit like obvious stuff (SS#, account numbers, etc.) is possible. Patrick also makes the point that it may not require a 6 or 7 figure investment either, but there are some simple blocking and tackling things that can be done to address the issue.
  3. In the better late than never camp, Aladdin uses its second wish on launching a new research team and website to better track "eCrime," whatever that means. Vendors that are in the content business need to have a research team because the types of attacks are very dynamic and without having a dedicated set of folks that are looking at what's going on, it's hard to stay even close to the rate of innovation from the bad guys. So if your vendors for email or web content security don't have a research team, they aren't going to be able to get it done.
  4. Those pesky internal Government auditors run the risk of tax audits for the next 100 years by pointing out that the IRS launched a bunch of new applications that weren't exactly secure. Or even close to being secure. Security folks know they have sufficient pull in the organization if they can stop deployment of an application because of undue risks. Clearly the IRS security team has some work to do in that respect.
  5. Metasploit swings the pendulum back towards openness with its new licensing approach. First it was open, then it was less open, now it is more open - as they adopt the 3 clause BSD license. I understand the initial reasons for tightening the licensing of the 3.0 version, but can really respect the fact that HD and team now think the project is strong enough to withstand a truly open model. And since testing is one of my critical keys to success for any security team, having a more open platform to use is a good thing.
  6. Gunnar once again beats the drum for integrating security into applications and other processes and he's exactly right. We do spend a lot of time playing defense, but must start devoting some serious cycles to "offense" or really evangelizing the need to consider security as a key part of any initiative. There really shouldn't be a "security" team, per se in the long run - but that kind of evolution will take many years. So in the meantime all we can do is continue to beat the drum for everyone to stay focused on thinking about data protection as early in any project as possible.
  7. Secure Computing figures they have another lucky seven to roll after getting the McAfee deal. Their new roll is "seven technologies for advanced mail protection" or STAMP. That's pretty catchy marketing, no? Though then the discussion descends into "next-generation" mail security something or other. Customers don't really care how you do it, but they want the bad mail to stop showing up. If a STAMP works, great.
  8. McAfee is once again on the reinvention trail or at least trying to position their me-too NAC announcement as something that is novel. The idea of integrating an endpoint agent and a network device is not novel. Pretty much every other NAC vendor has done this (as Alan so kindly points out). Evidently the technology is the remains of Lockdown. Good luck with that. Little Red needs to go into the penalty box for offensive marketing. Basically they figure if they say reinvent enough times, maybe you'll even believe they are innovative.

Microsoft Out-of-Band Bulletin [.:Computer Defense:.]

Posted: 23 Oct 2008 12:55 AM CDT

So, for anyone who didn't get the email, or hasn't heard yet... it looks like Microsoft is releasing an Out-of-Band Bulletin tomorrow. I'm excited to find out why there was cause for an emergency patch release.

Side Note: Possibly the shortest blog post ever.

Grecs’s Infosec Ramblings for 2008-10-22 []

Posted: 22 Oct 2008 11:59 PM CDT

"Secure Flight" now part of the Bush Administrations Legacy [Emergent Chaos]

Posted: 22 Oct 2008 11:29 PM CDT

We welcome the Bush administration's continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying:
In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the notice).

The essence of the Secure Flight final rule would be to (1) impose a new, two-stage, requirement for all would-be air travelers to obtain government permission to fly, first in the form of a discretionary government decision to issue an acceptable form of identification credential and second in the form of a discretionary decision to send the airline a “cleared” message authorizing a specific person to board a specific flight, and (2) require all would-be air travelers to provide identifying information to the airline and the government prior to each flight.

We applaud the government's long-lasting impact on Americans. The Bush presidency, from the price of gasoline to the permission to fly system announced today, to license plate scanners on the Seattle ferries, has left a mark on the Republic like few presidencies in history.

US-CERT: Trend Micro OfficeScan Critical Patch [Infosecurity.US]

Posted: 22 Oct 2008 06:27 PM CDT

US-CERT reports Trend Micro’s release of a Critical Patch to address a serious and easily exploitable vulnerability in OfficeScan, an anti-virus product. More information appears after the break. From US-CERT: “This vulnerability is due to a stack-based buffer overflow condition. By sending a specially crafted HTTP request containing form data to the server CGI module, an [...]

Center for Internet Security Releases Oracle Database 11g Security Benchmark [Infosecurity.US]

Posted: 22 Oct 2008 04:28 PM CDT

The Center for Internet Security (CIS) has released a new security benchmark focused on Oracle Corporation’s (NasdaqGS: ORCL) flagship database product - Oracle Database 11g. The benchmark, along with many Operating System, Network and other Database Engine benchmarks, is available for download at no cost. Links appear after the break. Hat Tip to DarkReading. Center [...]

What videogames teach us about security [CGISecurity - Website and Application Security News]

Posted: 22 Oct 2008 03:16 PM CDT

Forbes has an interesting interview with Gary McGraw on how computer games provide insight into the motives and mindset of an attacker. "What problem do these trust boundaries pose? In this case, the gamer is the attacker and what they're doing is cheating in the virtual world to generate wealth that...

MCSF talk [IT Security, Windows Scripting and other matters]

Posted: 22 Oct 2008 11:39 AM CDT

I found out on Monday afternoon that a late submission talk for the Midwest Consolidated Security Forum was accepted. Tickets are no longer available, but hopefully some of you are in attendance.
Michael Santarcangelo and I will be talking on podcasting and pop culture and how to use them in your security awareness programs. Our talk will be at 2:45 to 3:30.
If you are attending, stop by and say hi.

Be safe out there.

Cowtown Computer Congress get together [IT Security, Windows Scripting and other matters]

Posted: 22 Oct 2008 11:36 AM CDT

Any of my readers who are in Kansas City are invited to join Michael Santarcangelo and myself at the next Cowtown Computer Congress get together on Thursday October 23rd, 2008 around 7PM at the JavaNaut - 1615 W. 39th St., Kansas City, MO.
Michael has been invited to give a brief talk.
I apologize for the somewhat late notice, I meant to post this last week when I found out about it.

Be safe out there,

XKCD [Infosecurity.US]

Posted: 22 Oct 2008 10:54 AM CDT

ISOC: Ten Year Tribute To Jon Postel, Ph.D. [Infosecurity.US]

Posted: 22 Oct 2008 10:50 AM CDT

The Internet Society has announced a Ten Year Tribute to Jon Postel, a true Internet Visionary and a Humble Genius. During his lifetime, he was Chief of IANA; his genius can be seen and experienced daily by everyone that utilizes the internet to communicate, work and play. More about Dr. Postel, after the jump. He [...]
