Posted: 24 Oct 2008 03:17 AM CDT
In some detail: the vulnerability is in the way the Windows Server service handles Remote Procedure Call (RPC) requests, and it can result in a remote, unauthenticated user (i.e. anyone on the Internet) taking complete control of the system.
Microsoft acknowledges that the issue is being actively targeted by malicious code, though code samples have yet to appear publicly. Gimmiv.A has been reported as a worm using this particular vulnerability to attack vulnerable systems, though Microsoft's initial guidance was that it was only being used in targeted attacks.
Several groups have already claimed to have reverse engineered the patch, and there are fears that this vulnerability could lead to something like the Blaster worm of 2003, where a patch was available but attacks took down a significant number of systems anyway.
The open analysis that has taken place points to the NetPathCanonicalize call as the weak point currently being exploited, and the available information shows a fairly straightforward buffer overflow.
Users who have enabled the built-in Windows Firewall (on by default since XP SP2) are protected by default against this issue, though it is still urgent to apply the patch. However, if file or print sharing is enabled, the firewall exception opens the ports the Server service listens on and the system is vulnerable again. This means that many systems that would otherwise be protected are not going to be.
Windows Vista and Server 2008 systems are vulnerable if file and print sharing has been enabled for networks of type 'Public'.
According to the Security Vulnerability Research & Defense team at Microsoft, ASLR and DEP should provide some added protection on Windows Vista and Windows Server 2008, though arbitrary code execution is still considered possible. The UAC feature of Vista and 2008 will also limit anonymous attacks; however, if "Password Protected Sharing" is disabled, anonymous attacks will succeed. Blocking TCP ports 139 and 445 at the network perimeter will mitigate external attacks, but internally networked systems will remain vulnerable and some services might no longer work as expected, including:
Despite Microsoft providing non-patch mitigation options, the criticality of this particular vulnerability and the fact that it is being targeted in the wild mean that users and administrators should apply the patch as soon as possible.
For Windows 2000, XP, and Server 2003 the vulnerability has been rated Critical, with Windows Vista and Server 2008 attracting Important ratings. Microsoft has even acknowledged that the pre-beta versions of Windows 7 are also affected by this particular vulnerability. The ISC have raised their threat indicator to Yellow, as have Symantec.
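The mitigation advice above comes down to one question per host: are TCP 445 and 139 actually reachable, or is the Windows Firewall (or the perimeter) dropping the SYN? The checker below is an added example, not code from the post or from Microsoft. It separates a port that answers (exposed: the sharing exception or an open perimeter let the connection through), one that is refused (host reachable, nothing listening) and one that times out (filtered by a firewall). The loopback stand-in listener used when no hosts are given on the command line is an assumption made so the example runs offline.

```python
import socket
import sys

# Ports the Server service is reached on: SMB over TCP and NetBIOS session.
SMB_PORTS = (445, 139)

def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port from the client's point of view.

    'open'        a listener completed the handshake: the service is reachable
    'closed'      the host answered with RST: reachable, nothing listening
    'filtered'    no answer before the timeout: a host or perimeter firewall
                  is dropping the SYN (the Windows Firewall case above)
    'unreachable' the local stack could not route to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def smb_exposure(host, ports=SMB_PORTS, timeout=1.0):
    """Per-port state for the SMB ports on one host."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def is_exposed(report):
    """True if any SMB port completed a handshake, i.e. the firewall
    mitigation is not in effect for this host."""
    return any(state == "open" for state in report.values())

def demo_listener():
    """Throwaway TCP listener on 127.0.0.1 (assumption: stands in for an
    exposed SMB service so the checker can be exercised without a network)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        srv = demo_listener()
        port = srv.getsockname()[1]
        report = smb_exposure("127.0.0.1", ports=(port,))
        print("stand-in listener:", report, "exposed =", is_exposed(report))
        srv.close()
        report = smb_exposure("127.0.0.1", ports=(port,))
        print("listener closed:  ", report, "exposed =", is_exposed(report))
    for host in hosts:
        report = smb_exposure(host)
        print(host, report, "exposed =", is_exposed(report))
```

Run it with a list of hosts (`python check_smb.py 10.0.0.5 10.0.0.6`) from outside the perimeter and again from inside: a host that reads "filtered" from outside but "open" from inside is exactly the internally-vulnerable case the post describes.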
Posted: 24 Oct 2008 02:11 AM CDT
Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate it. I suggest that you read this one. It looks like attacks are becoming more and more widespread and mainstream.
Posted: 23 Oct 2008 11:59 PM CDT
Posted: 23 Oct 2008 11:15 PM CDT
I first came across this story on Michael Farnum's blog. Michael is talking about a story in CRN detailing a court's ruling that parts of Cisco's reseller agreement are unconscionable and should be struck down. I must say I am not surprised. But surprisingly I am not bashing Cisco on this. I don't think they are any different from many other vendor contracts, and that includes EULAs as well. The fact is most of these contracts are written by lawyers for companies, and they try to carve out as one-sided and advantageous a relationship as possible for their clients. There is no sense of fair play or win-win; it is usually just a lawyer trying to show how much he can get for his client. Sooner or later a court looks at this and the greedy drafting lawyer is rewarded by having his client's agreement thrown out.
Take a look at some of the agreements you are clicking through or signing. I am sure you will be amazed at some of the warranties that come with your software and hardware. If people spent more time on this, it would force some of these greedy lawyers to think twice and draft fairer contracts.
Posted: 23 Oct 2008 07:13 PM CDT
Posted: 23 Oct 2008 06:20 PM CDT
"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some...
Posted: 23 Oct 2008 05:29 PM CDT
The "Credit Crunch" is not only fuelling more cyber crime and online fraud; the latest malware, phishing and fraud trends show the credit crunch is having an effect within the sinister cyber criminal underworld. It seems the bad guys are having trouble opening new fake accounts, obtaining credit cards with stolen identities, and are even having trouble getting store credit using fake identities.
Why? Well, it is because the financial industry has been cracking down and fully vetting credit applications (about time). You really have to ask why it has taken the near collapse of the world's financial system to kick financial institutions into properly checking just who they are actually going to provide credit to; after all, that's what caused all this credit crunch mess in the first place, right?
So this is good news on the identity theft front, but as always in cyber fraud the bad guys just move on to the next lowest-hanging fruit, and so are increasingly going after active bank accounts and active credit cards. Which in itself is kind of interesting given the consumer credit crunch factor, as I guess everyone will generally be a lot more careful with their money, and therefore will be checking their bank and credit card statements more often. A lot of fraud simply goes undetected due to a particular technique employed by the bad guys, where they skim small amounts of cash on a monthly basis directly from people's accounts. This goes unnoticed by the victims simply because the victim isn't scrutinising their statements. According to "ID Theft Protect (Aug07)", 90% of people never check all the transactions on their bank or credit card statements, which underlines why these types of fraud are so successful and can really add up over a long time period.
There are even some legitimate companies which dupe people into adding a small monthly standing order to their accounts and credit cards, usually via the small print, or even by illegal means! I recently had a very popular UK motoring recovery organisation charge a renewal against my credit card without any prior notification, even though the account they charged for was my wife's! I actually had a completely separate account set up with them; they linked the payment details from my account to the other.
So be extra vigilant with those statements, you never know what you might find and save!
Posted: 23 Oct 2008 04:18 PM CDT
As Web browsers become more like operating systems, and phones become more like computers, there is a host of new web applications that are supposed to enhance our lives, making them more fun and functional. However, there is also a host of security and privacy concerns that come along with these applications. For instance, SugarTrip is an application for Google's Android platform. SugarTrip uses the GPS units integrated into most Android phones to measure street traffic. As users drive, SugarTrip measures how quickly they are travelling and reports their speeds back to a central server. The application also lets users view routes taken by other drivers to plan the fastest route, and it can pinpoint cars on a map so that when a person parks, the car is easy to find later.
SugarTrip is being marketed as a green application, since it should help drivers plan better routes and keep cars from sitting in traffic. However, it seems to me one should be aware of SugarTrip's privacy implications before everyone goes out to download the free app.
I mention this because of my recent trip to Connecticut. I found myself stuck at the E-ZPass toll with an increasingly long line of angry New Yorkers just as anxious as me to flee the city for the weekend. Being that the E-ZPass lane is supposed to be faster than cash, and my E-ZPass failed to pay my toll, they expressed their feelings with angry honking and loud expletives in my direction. After being told by a cop to wait in the E-ZPass help lane, (who knew there was such a thing?) and with passing cars showing their appreciation with friendly one-fingered waves, my E-ZPass was revoked.
Revoked? I hadn't the faintest clue as to why. Once safely out of NY, I was told my E-ZPass had been revoked thanks to another driver on my account who sped through an E-ZPass toll at 35 mph instead of the requested 10 mph.
And with that tidbit, I realized the significance of my technological conveniences working against me. My E-ZPass was tracking my every trip, measuring the time it takes me to go from one toll booth to the next, recording how many times I travel to Connecticut or Manhattan or who knows where else.
With the SugarTrip application sending our travelling speeds and locations back to some unknown central server, I would take a lesson from my E-ZPass experience and ask whether the convenience is worth the trouble.
Posted: 23 Oct 2008 03:30 PM CDT
CSI members can follow the links below or read the PDF of the October Secure Web Browsing Alert: http://gocsi.com/membersonly/showArticle.jhtml?articleID=211600271&catID=14144
If you are not yet a member and would like access to these articles, visit our CSI membership page to become a member and receive discounts on conferences, access to the Alert and invitations to our members-only security calls.
Is Secure Browsing in Web 2.0 a Myth?
Clickjacking, A New Class of Attack, Not Fully Addressed by Next-Gen Browsers
Who is Google Chrome's Competition, Really?
Should Chrome Users Be Concerned About Privacy?
Posted: 23 Oct 2008 02:45 PM CDT
I recently was able to meet up with Bob while he was on the run. He told me that he was on a long flight recently headed into Boston
We'll replay them with tcpdump:
$ tcpdump -r bobs_intersting_packets
...and we get a bunch of probe requests. We've talked about this ad nauseam before. This is why we love Karma (and Karmetasploit). Windows (and other OSes, even some gaming consoles) automatically try to connect to the wireless networks in their preferred network lists. Kismet can then see those probe requests as the OS cycles through the list.
So, here's the first list from the first capture from the same MAC address:
Now, log in to wigle.net and search for some of the more unusual SSIDs. What do you want to bet we can figure out where this particular person lives, works and plays based on where they show up on the map? Then add the more common names to the list, and you can bet that they show up in those same two neighborhoods as well. Yes, several of them show up in very close proximity, spread over two distinct neighborhoods.
The second capture Bob provided also had more interesting SSIDs, just in case we REALLY wanted to triangulate:
16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:57.259488 Probe Request (JFKRL) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:03.281251 Probe Request (needadog) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:05.260271 Probe Request (guest_ssid) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:09.408208 Probe Request (NUwave) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:11.080215 Probe Request (SpotOn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:13.233782 Probe Request (holden) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:17.131279 Probe Request (Wayport_Access) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:19.183281 Probe Request (Seaport) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:23.146459 Probe Request (iscguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:25.096483 Probe Request (LawLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:27.095193 Probe Request (roofnet) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:29.176267 Probe Request (in4net) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:33.146455 Probe Request (Harvard University) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:37.613369 Probe Request (Back Bay Events Center) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:39.170252 Probe Request (Algonquin Club WiFi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:43.587718 Probe Request (BostonPublicLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:47.388067 Probe Request (CRS WAP) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:49.336783 Probe Request (HCBostonMember) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:53.285419 Probe Request (Warehouse) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
From Bob's capture, and again from the same MAC address, we also are able to capture some interesting network traffic. We can use this information in conjunction with the wireless info to create an even more detailed picture about the individual:
16:36:08.526921 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300
16:36:10.307924 IP 169.254.140.137 > 188.8.131.52: igmp v2 report 184.108.40.206
16:36:12.949124 IP 169.254.140.137.mdns > 220.127.116.11.mdns: 0*- [0q] 1/0/0 (Cache flush) A 169.254.140.137 (40)
16:36:37.923110 arp who-has 10.71.0.123 tell 10.71.0.123
16:36:43.001662 IP 10.71.0.123.netbios-ns > 10.71.15.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:36:49.532485 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:46:53.719602 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:47:21.229266 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
For some reason, Wireshark displayed some interesting domain information in the NetBIOS requests. I suspect that I exported the packets wrong, so the info isn't shown in the tcpdump output, but here it is in Wireshark:
Now, what else can we assume about the individual, and potential network/desktop policies in play?
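Doing the profiling above by hand works for one capture; for a tray full of them you want the profile pulled out automatically. The script below is an added example, not part of Larry's post or of any tool he names. It reads tcpdump text in exactly the format of the two dumps above, recovers the preferred network list in the order the client cycled through it, drops the vendor-default and hotspot names that say nothing about a person (that list is an assumption; extend it), records the DHCP client MAC, and infers each NetBIOS sender's subnet from the broadcast address it used (10.71.0.123 talking to 10.71.15.255 can only be a /20) while flagging 169.254.x.x hosts as having had no DHCP lease at all. The sample is a subset of the lines shown above, with one repeated probe added to show de-duplication.

```python
import re
from ipaddress import ip_address, ip_network

# Sample input: lines copied from the two dumps above, plus one repeated
# "ibahn" probe (constructed) to show that the list is de-duplicated.
SAMPLE = """\
16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:53.285419 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:36:08.526921 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300
16:36:37.923110 arp who-has 10.71.0.123 tell 10.71.0.123
16:36:43.001662 IP 10.71.0.123.netbios-ns > 10.71.15.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:36:49.532485 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""

PROBE_RE = re.compile(r"^\S+ Probe Request \((.*?)\) \[")
DHCP_RE = re.compile(r"BOOTP/DHCP, Request from ([0-9a-f:]{17})")
NBT_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.netbios-ns > (\d+\.\d+\.\d+\.\d+)\.netbios-ns:")
GARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)$")

# Names that identify a vendor or a hotspot chain rather than a person.
# Assumption: a starter list, compared case-insensitively.
GENERIC = {"default", "linksys", "linksys secure", "smc", "netgear", "dlink",
           "guest", "guest_ssid", "free public wifi", "hpsetup"}

def probed_ssids(text):
    """SSIDs from Probe Request lines, first-seen order, de-duplicated:
    the client's preferred network list as it cycled through it."""
    seen = []
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def distinctive(ssids):
    """The names worth searching on wigle.net."""
    return [s for s in ssids if s.lower() not in GENERIC]

def dhcp_clients(text):
    """Client MACs seen requesting a lease (ties the probes to a host)."""
    return sorted({m.group(1) for m in DHCP_RE.finditer(text)})

def gratuitous_arp(text):
    """Hosts announcing their own address: an interface just came up."""
    return [m.group(1) for m in map(GARP_RE.search, text.splitlines())
            if m and m.group(1) == m.group(2)]

def infer_subnets(text):
    """For each NetBIOS name-service sender, the smallest network containing
    the host whose broadcast address equals the packet's destination."""
    nets = {}
    for line in text.splitlines():
        m = NBT_RE.match(line)
        if not m:
            continue
        host, bcast = ip_address(m.group(1)), ip_address(m.group(2))
        if host.is_link_local:
            nets[str(host)] = "link-local (APIPA): no DHCP lease obtained"
            continue
        for prefix in range(32, 0, -1):
            net = ip_network(f"{host}/{prefix}", strict=False)
            if net.broadcast_address == bcast:
                nets[str(host)] = str(net)
                break
    return nets

def profile(text):
    ssids = probed_ssids(text)
    return {"pnl": ssids, "lookup": distinctive(ssids),
            "macs": dhcp_clients(text), "garp": gratuitous_arp(text),
            "subnets": infer_subnets(text)}

if __name__ == "__main__":
    for key, value in profile(SAMPLE).items():
        print(f"{key:8} {value}")
```

The "lookup" list is what goes into wigle.net; the "subnets" entry is the part that speaks to desktop policy, since a corporate /20 with NetBIOS registration broadcasts and a second, lease-less link-local interface is a different picture from a home /24.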
You know what else I found frightening? While looking for images to be included in this posting, I stumbled across an interesting device from Teledyne Controls; An Aircraft Wireless LAN Unit (AWLU), which the vendor touts as being wireless for the cockpit, as well as the cabin all in one unit. There is also the ability to utilize the unit to upload FMS navigation databases for loading into a Flight Management Computer! While it doesn't state that you can do this over the 802.11 protocol, it also doesn't say you can't. Interesting.
- Larry "haxorthematrix" Pesce
Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more [Blue Box: The VoIP Security Podcast]
Posted: 23 Oct 2008 02:42 PM CDT
Synopsis: Blue Box #85: Internet phone calls and terrorism, Georgia Tech report on Emerging Cyber Security Threats, phone jamming, 802.1X-REV, 802.1AE, VoIP security news and more
Welcome to Blue Box: The VoIP Security Podcast #85, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.
Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to firstname.lastname@example.org. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'email@example.com' to leave a comment there.
Thank you for listening and please do let us know what you think of the show.
This posting includes an audio/video/photo media file: Download Now
Posted: 23 Oct 2008 12:57 PM CDT
The Patch: Microsoft has released the patch to Windows Update. Details: "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems,...
Posted: 23 Oct 2008 11:59 AM CDT
Posted: 23 Oct 2008 10:06 AM CDT
Mitchell and I get together in person at Scott Converse's Medioh! Studios again. In addition to Scott, we are joined by long-time friend Sam Van Ryder of Alert Logic. We have a great time talking about "NAC of the living dead", the Alert Logic business model, TSA security and Brazilian steakhouses, of all things! Be warned: the boys get a little bit out of control, and I am labeling this episode with an MA rating!
Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!
Enjoy the podcast!
Posted: 23 Oct 2008 08:45 AM CDT
The live stream should be active about 6:30 EDT, Thursday, October 23rd. We should begin recording the live show at about 7:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.
We have several special guests this week:
Chris Rioux (aka Dildog) - Veracode Co-Founder and Chief Scientist, an MIT graduate, was one of the original L0pht members and responsible for projects such as BUTTsniffer and Back Orifice.
Chris Wysopal (aka Weldpond) - Veracode Co-Founder and Chief Technology Officer, Chris was the co-author of the L0phtCrack application and of other notable projects that I'm sure many of us have used once or twice, such as netcat.
Chris Eng - Veracode Senior Director, Security Research, Chris was a Principal Consultant and then Technical Director at @stake, Inc. He led the development of WebProxy, a proprietary web application testing tool, in 2002, pre-dating other modern proxy-based web security tools.
Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Please join us, and thanks for listening!
Posted: 23 Oct 2008 08:10 AM CDT
So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.
Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...
Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.
In August a stack overflow exploit for the Iconics Vessel ActiveX control was released. The vulnerability is in dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].
Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?
A quick decode of the ucs2 encoded payload reveals:
The exploit downloads taskmgr.exe, a dropper that installs a second-stage piece of malware. I've not downloaded that as yet, so I don't know the actual payload or its function.
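The "quick decode" step above is worth showing, because it is the same step for every browser exploit page that ships its shellcode as a UCS-2 string. The decoder below is an added example, not the post's own tooling, and it assumes the payload is the argument of a JavaScript unescape() call (the usual form: a run of %uXXXX escapes). Each token becomes one 16-bit code unit, little-endian in memory, so a pair of ASCII bytes travels as %u<second><first> and a URL is only readable once the bytes are reordered. The sample string is constructed for the example (a four-byte NOP sled, a download URL and a terminator) and is not the payload from the page.

```python
import re

# Constructed sample, not the page's payload: the argument of an unescape()
# call encoding 0x90 x4, "http://www.example.invalid/taskmgr.exe" and \x00\x00.
SAMPLE = ("%u9090%u9090"
          "%u7468%u7074%u2f3a%u772f%u7777%u652e%u6178%u706d%u656c%u692e"
          "%u766e%u6c61%u6469%u742f%u7361%u6d6b%u7267%u652e%u6578"
          "%u0000")

# unescape() tokens: %uXXXX (one UTF-16 code unit), %XX (one unit < 256),
# or a literal character, which is also one unit.
TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)

def js_unescape_bytes(s):
    """Bytes the browser holds in memory after unescape(): every token is
    one 16-bit code unit written little-endian."""
    out = bytearray()
    for u4, x2, ch in TOKEN.findall(s):
        unit = int(u4, 16) if u4 else int(x2, 16) if x2 else ord(ch) & 0xFFFF
        out += unit.to_bytes(2, "little")
    return bytes(out)

def leading_nops(data, nop=0x90):
    """Length of the sled in front of the shellcode proper."""
    n = 0
    while n < len(data) and data[n] == nop:
        n += 1
    return n

def printable_strings(data, minlen=6):
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)

def urls(data):
    """Download locations embedded in the decoded payload (the dropper URL
    is usually the first thing worth pulling out)."""
    return re.findall(rb"https?://[\x21-\x7e]+", data)

def hexdump(data, width=16):
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)

if __name__ == "__main__":
    data = js_unescape_bytes(SAMPLE)
    print(hexdump(data))
    print("leading NOPs:", leading_nops(data))
    print("strings:", printable_strings(data))
    print("URLs:", urls(data))
```

Feed it the string lifted from the page's script block and read the hexdump for the sled, the decoder stub and the URL; the URL is what you hand to the sandbox, not the browser.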
I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.
Posted: 23 Oct 2008 06:31 AM CDT
October 23, 2008 - Volume 3, #85
For the past 18 months I've been pretty consistent in telling folks to learn as much about applications as they can. We are undergoing a huge shift in how applications are built (with SOA-based modular apps) and the ability to protect those apps is an absolutely critical skill. And there is a real gap between the number of folks that know how to do app security and the demand.
Posted: 23 Oct 2008 12:55 AM CDT
So, for anyone who didn't get the email, or hasn't heard yet... it looks like Microsoft is releasing an Out-of-Band Bulletin tomorrow. I'm excited to find out why there was cause for an emergency patch release.
Side Note: Possibly the shortest blog post ever.
Posted: 22 Oct 2008 11:59 PM CDT
Posted: 22 Oct 2008 11:29 PM CDT
We welcome the Bush administration's continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying:
In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the notice).
We applaud the government's long-lasting impact on Americans. The Bush presidency, from the price of gasoline to the permission-to-fly system announced today, to license plate scanners on the Seattle ferries, has left a mark on the Republic like few presidencies in history.
Posted: 22 Oct 2008 06:27 PM CDT
Posted: 22 Oct 2008 04:28 PM CDT
Posted: 22 Oct 2008 03:16 PM CDT
Forbes has an interesting interview with Gary McGraw on how computer games provide insight into the motives and mindset of an attacker. "What problem do these trust boundaries pose? In this case, the gamer is the attacker and what they're doing is cheating in the virtual world to generate wealth that...
Posted: 22 Oct 2008 11:39 AM CDT
I found out on Monday afternoon that a late submission talk for the Midwest Consolidated Security Forum was accepted. Tickets are no longer available, but hopefully some of you are in attendance.
Michael Santarcangelo and I will be talking on podcasting and pop culture and how to use them in your security awareness programs. Our talk will be at 2:45 to 3:30
If you are attending, stop by and say hi
Be safe out there.
Posted: 22 Oct 2008 11:36 AM CDT
Any of my readers who are in Kansas City are invited to join Michael Santarcangelo and me at the next Cowtown Computer Congress get-together on Thursday, October 23rd, 2008 around 7PM at the JavaNaut, 1615 W. 39th St., Kansas City, MO.
Michael has been invited to give a brief talk.
I apologize for the somewhat late notice, I meant to post this last week when I found out about it.
Be safe out there,
Posted: 22 Oct 2008 10:54 AM CDT
Posted: 22 Oct 2008 10:50 AM CDT
You are subscribed to email updates from Security Bloggers Network.