Sunday, November 2, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Stuck Payment Terminal [/dev/random] [Belgian Security Blognetwork]

Posted: 02 Nov 2008 04:42 AM CST

I’ll not trust this terminal anymore! (Picture taken in the Louvain-La-Neuve shopping center last Friday) Fail!

Stuck Payment Terminal

Stuck Payment Terminal

Some random hackers @hack.lu [Flickr] [Security4all] [Belgian Security Blognetwork]

Posted: 02 Nov 2008 01:09 AM CDT

Security4all posted a photo:

Some random hackers @hack.lu

These people looked very suspicious as they didn't wanted to have their picture taken.

*just kidding* These were some fellow Belgian security professionals who were attending the conference. I had a great time with them.

More about the event on security4all.blogspot.com/2008/10/coverage-of-hacklu-2008...

Quickpost: “An Old IE Trick” Revisited [Didier Stevens] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 05:30 PM CDT


One year ago I blogged about an old IE trick still being used by malware. What can be said now that I resubmitted my test files to Virustotal (VT)? Not much, because VT is not an anti-virus test tool (it’s a virus test tool).

More AV products detect my test files now; and test files with longer zero byte sequences, that weren’t detected a year ago, are getting detected now. So I’m not really going out on a limb here when I say that the detection has improved. But there’s no way to quantify this improvement with VT results alone.

My test file with 255 contiguous zero bytes, which wasn’t detected by VT one year ago, is being detected by 6 AV products now. But it must be clear that I can’t conclude from this that only 6 AV products have been improved in the past year.

First of all, we can’t know if all AV products that have been improved in the past year, have been upgraded on the VT site. It’s very likely that some new engines have not been installed on VT yet.

Second, this improvement might not come to expression on VT. VT uses command-line scanners, and many AV protection features are not present in the command-line versions.

Third, the improved detection could just be the result of new signatures for the very same test files I submitted. Just out of curiosity, I created a new file with 543 contiguous zero bytes. It gets detected by some AV products.

If you’re interested in the detailed detections, here are the links to the VT results:


Quickpost info
      

Don't Stay at the Renaissance Amsterdam Hotel [Emergent Chaos]

Posted: 01 Nov 2008 05:17 PM CDT

Renaissance Amsterdam.jpg

The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn't block out the sound. The second, well, I woke up at 7.30 AM from construction noise inside the hotel.

I want to be clear: this was not construction near the hotel, this was work being done on the hotel itself. In other words, management had made the call that starting construction at 7.30 in the morning was ok.

After 4 emails, first to my travel agency, then to the Marriott guest experience manager, then twice with Horst Wittrich, the hotel manager, they have failed to satisfy my request to have my bill cancelled, much like my sleep was cancelled.

Over those 4 emails, they offered me 30,000 Marriott points (roughly a one night stay at one of their hotels) and a 50% reduction in the billed rate for the room. They apparently didn't care about my satisfaction when they decided to have construction come in at 7.30 AM, and they have failed to ask once "would this satisfy you?" when emailing back and forth.

I suppose I could continue to state and re-state my request, but it is obvious that their management doesn't care about customer satisfaction.

So do yourself a favor: stay anywhere else. And while we're being all consumerist: read Halvar's story before buying a Volkswagen.

Photo: earplugs provided by the management of the Renaissance Amsterdam hotel. (I'd meant to post this a few weeks ago.)

Implementing NAP and NAC Security Technologies Book Review [Carnal0wnage Blog]

Posted: 01 Nov 2008 04:46 PM CDT

Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control

Dan Hoffman

4 stars

Witty Title for Amazon: Clear and Actionable Advice on Choosing the Right NAC Solution

Disclaimer:
I was asked to read a pre-release copy of the book, my quote made it onto the book, and I was given a review copy.

I found myself in a position to learn about the different types of NAC appliances as well as Mobile NAC. The problem is that I don't work for a NAC vendor or install NACs for a living. Googling left me with tons of vendor hype on NAC but not a lot of good information to help me understand the different type of NACs, how they work, and why I would would choose one type over the other. Dan Hoffman's book is the only NAC book I know of that is (mostly) vendor neutral. The only other NAC/NAP books I know of are Cisco Press book which obviously tout Cisco products as the best way to go. Dan Hoffman breaks down the functionality of NAC and they different types of NAC solutions into simple easy to understand language, just like he did for Blackjacking on mobile threats. He has a great knack for explaining technical systems and topics in an easy to understand way.

Here is a list of what he covers in the book:

CH1 Understanding Terms and Technologies
CH2 The Technical Components of NAC Solutions
CH3 What Are You Trying to Protect?
CH4 Understanding the Need for LAN-Based NAC/NAP
CH5 Understanding the Need for Mobile NAC
CH6 Understanding Cisco Clean Access
CH7 Understanding Cisco Network Admission Control Framework
CH8 Understanding Fiberlink Mobile NAC
CH9 Understanding Microsoft NAP Solutions
CH10 Understanding NAC and NAP in Other Products

My favorite chapters are CH3 "What Are You Trying to Protect?", CH4 "Understanding the Need for LAN-Based NAC/NAP", and CH5 "Understanding the Need for Mobile NAC."

By far the most important chapter is chapter three where Dan walks through the questions an organization needs to ask itself before it purchases a NAC solution. The company needs to know if they are trying to protect LAN based or Mobile assets and they need to know exactly what they are trying to protect the answer from the first question against. Dan discusses the various scenarios that come about from those two questions and the two follow on chapters provide even more detail on how the two types of solutions (LAN based and Mobile NAC) work and how they differ from one another. Chapter two covers the details of the different parts of NAC and Chapters 6-10 give some of the specifics about different NAC vendor's solutions (not a complete list).

The only thing I didn't like about the book was that it really didn't cover bypassing NAC. It would have been nice to see some content on how NAC is currently being bypassed or what NAC doesn't protect against and how to mitigate against it.



Browser Security – bolt it on, then build it in [Jeremiah Grossman]

Posted: 01 Nov 2008 12:46 PM CDT

Originally published in (in)-secure magazine #18.

Whether improving ease-of-use, adding new developer APIs, or enhancing security – Web browser features are driven by market share. That's all there is to it. Product managers perform a delicate balancing act of attracting new users while trying not to "break the Web" or negatively impact their experience. Some vendors attempt an ├╝ber secure design - Opus Palladianum as an example, but few use it. Others opt for usability over security, such as Internet Explorer 6, which almost everyone used and was exploited as a result. Then, somewhere in the middle, is fan-favorite Firefox. The bottom line is that any highly necessary and desirable security feature that inhibits market adoption likely won't go into a release candidate of a major vendor. Better to be insecure and adopted instead of secure and obscure.

Fortunately, the major browser vendors have had security on the brain lately, which is a welcome change. Their new attitude might reflect the realization that a more secure product could in fact increase market share. The online environment is clearly more hostile than ever, as attackers mercilessly target browsers with exploits requiring no user intervention. One need only to look at this year's massive SQL Injection attacks that infected more than one million Web pages, including those belonging to DHS, U.N., Sony, and others. The drive-by-download malware had just one goal - compromise the browser - with no interest in looting the potentially valuable data on the sites. Of course, we still have the garden-variety phishing sites out there. This leads to questions regarding the benefits of end-user education. Users are fed up. So let's analyze what the Mozilla and Microsoft camps have done in response.

Buffer overflows and other memory corruption issues in the most recent browsers are declining, plus the disclosure-to-patch timeline is trending properly. Firefox 3 and Internet Explorer 7 now offer URL blacklists that block phishing sites and other pages known to be delivering malware. These features are reportedly a little shaky, but it's clearly better considering there was nothing in place before. Firefox 3 provides additional visibility into the owners of SSL certificates and make it more challenging to blindly accept those that are invalid or self-signed. IE 7 offers a nice red/green anti-phishing toolbar that works with EV-SSL to help users steer clear of dangerous websites. Overall, excellent progress has been made from where we were just a couple years ago, but before the vendors start patting themselves on the back, there's also some bad news.

If you ask the average Web security expert if they think the typical user is able to protect themselves online and avoid getting hacked, the answer will be an unqualified "no". While browser vendors are addressing a small slice of a long-standing problem, most people are not aware of the remaining risks of a default install of the latest version of Firefox or Internet Explorer. When visiting any Web page, the site owner is easily able to ascertain what websites you've visited (CSS color hacks) or places you're logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that's not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF). The list goes on, but DNS-rebinding attacks get a little scary even for me, and it's not like we haven't known of these issues for years.

The browser security oxymoron hasn't escaped the watchful eyes of the media's Dan Goodin (The Register) and Brian Krebs (Washington Post), who figured out that something isn't quite right. Nor Robert "RSnake" Hansen (CEO, SecTheory), who is a little confused as to why organizations such as OWASP don't pay closer attention to browser security (recent events have shows signs of change). According to sources, only about half of IE users are running the latest, most secure and stable version of the browser. And again, if you ask the experts how they protect themselves, you'll receive a laundry list of security add-ons, including NoScript, Flashblock, SafeHistory, Adblock Plus, LocalRodeo and CustomizeGoogle. Even with these installed, which relatively few people do, openings still exist resulting in an increasing number of people virtualizing their browsers or running them in pairs. Talk about extreme measures, but this is what it takes to protect yourself online.

Today, my philosophy about browser security and the responsibility of the vendors has changed. In my opinion, the last security-mile won't and can't be solved efficiently by the browser vendors, nor should we expect it to. I fully appreciate that their interests in building market share conflicts with those security features experts request, which by the way never ship fast enough. To be fair, there really is no way for browser vendors to make the appropriate amount of security for you, me, or everyone in the world while at the same time defending against all of the known cutting-edge attack techniques. Everyone's tolerance for risk is different. I need a high-level of browser security and I'm OK if that means limiting my online experience; but, for others that could be a non- starter. So, this leaves the door open for open source or commercial developers to fill in the gaps.

I was recently talking with RSnake about this and he said "I think the browser guys will kill any third party add-ons by implementing their own technology solution, but only when the problem becomes large enough." I think he's exactly right! In fact, this has already happened and will only continue. The anti-phishing toolbars were inspired directly from those previously offered by Netcraft and eBay. The much welcome XSSFilter built into the upcoming Internet Explorer 8 is strikingly reminiscent of the Firefox NoScript add-on. Mozilla is already adopting the model themselves by building their experimental Content Security Policy add-on, which may one day work itself into a release candidate.

At the end of the day, the bad guys are going to continue winning the Web browser war until things get so bad that adding security add-ons will be the norm rather than the exception. Frankly, Web browsers aren't safe now, because they don't need to be. So, until things change, they won't be… secure.

All Yesterday's Parties [Emergent Chaos]

Posted: 01 Nov 2008 12:27 PM CDT

hung over pumpkins.jpg

From Dissent. Click for full size.

Lockpicking workshop @hack.lu [Flickr] [Security4all] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 10:39 AM CDT

Security4all posted a photo:

Lockpicking workshop @hack.lu

For the first time, there was a lockpicking workshop @hack.lu. It was a great experience.

More about the event on security4all.blogspot.com/2008/10/coverage-of-hacklu-2008...

Lighting talks @hack.lu [Flickr] [Security4all] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 10:38 AM CDT

Security4all posted a photo:

Lighting talks @hack.lu

Lightning talks in a little corner of the Parc Hotel during Hack.lu 2008

More about the event on security4all.blogspot.com/2008/10/coverage-of-hacklu-2008...

Home router security project @hack.lu [Flickr] [Security4all] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 10:38 AM CDT

Security4all posted a photo:

Home router security project @hack.lu

A speaker from hack.lu did an assessment of the security of SOHO routers. It was scary and not good news.

More about the event on security4all.blogspot.com/2008/10/coverage-of-hacklu-2008...

More information about the project at this website.

Lockpicking @hack.lu [Flickr] [Security4all] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 10:36 AM CDT

Security4all posted a photo:

Lockpicking @hack.lu

The guys from TOOOL.nl were so friendly to give a presentation about the security of physical locks.

More about the event on security4all.blogspot.com/2008/10/coverage-of-hacklu-2008...

The difference between blogging and writing [StillSecure, After All These Years]

Posted: 01 Nov 2008 07:31 AM CDT

Illustration of a scribe writing

Image via Wikipedia

Blogging has certainly helped me to become better at expressing myself and sharpened my written communication skills.  Every once in a while I fool myself into thinking that it makes me a writer.  I was reminded of the difference this week when I read a manuscript from Rick Clyne. Ricky is part of the StillSecure marketing team. He is responsible for much of the content on our web site, collateral and messaging.  Rick also writes a very funny, tongue-in-cheek blog called Ricky's Lunch Blog, where he asserts his thought leadership on all things related to lunch. Last year Rick took about 6 months off to work on his life long dream of writing a novel. I admire Rick for that. If I had the gumption, I would like to try the same thing.

Anyway, Rick gave me the manuscript to read this week.  It is called Point of Presence.  It is a Ludlum-Crichton type of thriller.  It is an Internet thriller that deals with information security (of course), terrorists and more.  I really liked the story and the book.  I have a great amount of admiration for what Rick has created.

Now comes the hard part.  Getting an agent and publisher.  Rick does not know where to go on that one. I don't have much advice, but wanted to ask you my blog reading public for help and advice.  Do any of you have any advice for Rick or know anyone who might be able to help get this great book published?  If so either leave a comment or write to me at podcast@stillsecure.com

You would be doing a great service and just maybe turning the world on to a great new author!

Reblog this post [with Zemanta]

Quickpost: Fingerprinting PDF Files [Didier Stevens] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 06:57 AM CDT


Per request, a more detailed post on how I use my pdf-parser stats option.

I have two malicious PDF files with a different title, different size (100K and 700K) and different content. But they share an identical internal PDF structure, because they have exactly the same number and type of fundamental elements:

These statistics were generated with the following command:

pdf-parser.py --stats malware.pdf

As both malicious PDF files produce identical stats (or fingerprint), I can assume they share the same origin.


Quickpost info
      

ALERT about 4000 sites hacked today/yesterday night [belsec] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 06:52 AM CDT

http://www.zone-h.org/component/option,com_attacks/Itemid,45/page,1

This is an enormous number for one day and you have to understand that these are only the websites that have been sent by the defacers themselves - or members of their groups or clans - to zone-h.org the number may actually be much higher.

Zone-h.org proves with this 'honeypot' function its utility. It is however clear that they need some support to be able to continue this. SANS maybe ?

Belgian hacked websites for today [belsec] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 06:46 AM CDT

bad dns server of the day ns.rtbf.be (main public french radio/tv) [belsec] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 03:16 AM CDT

bit-axx is another belgian domainspeculator [belsec] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 03:12 AM CDT

Technical info

First Name: bIT-axx
Last Name: DNSTECH
Company Name: bIT-axx bvba
Language: en
Street: Provinciebaan 48
Location: 2230 Herselt
Country: BE
Email: dns@bit-axx.com

when you google them than you see with "this domain may be for sale" site:be that there are about 400+ domainnames for sale

I have nothing against trying to sell generic domainnames but there is a difference with domainextorsion - buying up private specific domainnames in the hope that the rightful owner will be forced to buy them back

This could be the case for the following domainnames

www.tongerlopharma.be/?q=/node/39

www.derijck.be/?q=/node/39

www.uyterhoeven.be/

www.wynantsdavid.be/

www.gevelrestauratie-gt.be/node/48

www.fruitvandijck.be/node/48

www.rijschool-kta-stio.be/node/48

NIST: Guidelines on Cell Phone and PDA Security [/dev/random] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 03:10 AM CDT

NIST released a new document: Guidelines on Cell Phone and
PDA Security
.

New cell phone provides more and more functions and are able to handle lot of data types. They are also widely open to the world (Infrared, Bluetooth, Wi-Fi, 3G, …). It’s important to have a clear view of the security policy regarding the mobile devices inside the company.

.CZ implements DNSSEC [belsec] [Belgian Security Blognetwork]

Posted: 01 Nov 2008 02:50 AM CDT

This makes them the fifth national TLD to implement support for DNSSEC. Full list of supporting TLDs as of 2008-09-02: .PR, .SE, .BR, .BG, .CZ.

So when .be that is sitting on lots of cash without doing something useful with it. This would be something we would thank them for. It would be one of the essential steps of not only securing the Belgian DNS infrastructure (even if it is not a total solution) but also of our .be domain (and maybe all new domains have to be set up from the beginning in dnssec ?). It would off course have a good impact on the security of the rest of our national infrastructure.

Government computers used to find information on Joe the Plumber [CultSEC Blog]

Posted: 01 Nov 2008 02:24 AM CDT

If you haven't heard of Joe the Plumber by now, then you've been unplugged and off the grid, in your own world. This report in the Columbus Dispatch talks about Joe and what investigators are trying to uncover. It would seem some people didn't like dissenting opinions so they decided to see what they could dig up on good ole'Joe.

This story is an excellent example showing a complete breakdown in security processes and procedures caused by people. Remember, I believe we can have the best technology in place to protect our information, but it will only be as good as our people and/or the training they have. In the case of "Joe the Plumber" the human element was corrupt and his private information was accessed.

I sure hope this isn't a glimpse of things to come with the election of a new president.

Labs Feature in Google Apps [.:Computer Defense:.]

Posted: 01 Nov 2008 01:33 AM CDT

This is a "wish post". I'm a huge fan of Google Apps, I love using my @computerdefense.org email address with everything Google and having it inside of GMail is great. However there are a number of labs features that I would love to have access to and don't get because I use Google Apps intead of GMail. So this is a request that Google make the Labs feature of GMail available to Google Apps users.

Cheetah Delays Luggage [Emergent Chaos]

Posted: 31 Oct 2008 08:27 PM CDT

A cheetah traveling from Oregon to Memphis Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worked got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed.

I would like to be able to link to the full story, but given as how it is an AP story and they sue people who do that, you're just going to have to google it.

I'd also love to give a good TSA joke here, but I can't think of one.

Studs Terkel, 1912-2008 [Emergent Chaos]

Posted: 31 Oct 2008 06:44 PM CDT

No Chicagoan stood up for the common man like Studs Terkel, although Nelson Algren was probably in the running.

A security-related anecdote, courtesy of the Chicago Tribune:

In 1997 he went to the White House to receive the National Humanities Medal and the National Medal of Arts with a group including Jason Robards, Angela Lansbury, conductor James Levine, Chicago religion scholar Martin Marty and Chicago arts patron Richard Franke. He was stopped at the White House gate and asked for identification. Studs, who had never driven a car, did not have a driver's license. The only thing he could come up with to appease the White House guards was his CTA seniors pass. They let him in.


Friday News and Notes [Digital Bond]

Posted: 31 Oct 2008 05:10 PM CDT

I got rused by a fake phish [360 Security]

Posted: 31 Oct 2008 02:03 PM CDT

I got rused by a fake phish

I hadn't thought this story was so funny, until yesterday when I told it to Mike and Melina Murray. That in it self says something about me that you will understand at the conclusion of my tale. Me, Mike and Melina were laughing so hard at my expense. He looked at me and said "you have to blog that" and well, I hadn't realized it until then, but yes, its worthy of a blog post.

Two weeks ago I received an email. The subject was simply "You are invited to our Halloween Party". Obviously spam, I was thinking, but just perhaps maybe it's a real party from someone that hadn't told me they were having a party. Upon opening the email, I discovered it to be an Evite to a party. Or rather so it looked like an Evite to a party.

Immediately, without conscious thought, I was hovering my mouse over the links looking for anything strange. No odd links could be found. Yet, that did not stop my process. Next, a look at the email headers resulted in what appeared to be a legitimate email. "This simply has to be the best malware email delivery I've seen in a long while" was the exact thought I had formulated.

Quickly, I grabbed the entire email contents and HTML source. Then I opened up vi and pasted it all in there. Line by line I examined the contents. Every X header, every mimetype, every HTML tag was scrutinized. A few minutes later, I leaned back in my chair and asked out loud, "Where is the misspelling? Where is the remedial English?".

Still, having not fallen for this malware, this well designed phish; I decided to just see what happens upon clicking on these links. I grabbed a VM and put it on the guest network. I was bold, I was so intrigued to see what Trojan was going to get downloaded. I clicked that link with gusto. A few seconds later, an Evite loaded up in my browser. I checked the URL. I checked DNS. I examined the HTML source. I reviewed any chance of XSS. It was an honest to gosh Evite.

I had come to learn that Suzy and Jeff must had accidentally mistyped their friend's email and as a result, I got invited to their Halloween bash. Yup, Carrie was bringing her two kids and a bunch of Apples for dunking. Sarah and Doug were attending as well, they would be toting their daughter and some guacamole.

By this time, me, Mike and Melina are laughing so hard that other people in Starbucks are looking at us strange. Through Mike's tears of laughter, he asks, "Did you let them know they got their friends email wrong?"

I respond, "No way, maybe its actually a spam troll looking for valid email addresses!"

No comments: