Thursday, July 8, 2010
SmartPhone Malware
In 2009 at the CanSecWest conference in Vancouver, mainstream media reported that because no hackers were able to exploit vulnerabilities on the common smartphone platforms, those platforms were secure. Now NetQin has shown that they have identified a new set of malware targeting the Symbian platform. Just more confirmation that any platform is susceptible to malware if it is an attractive enough target.
Monday, June 28, 2010
TDL3 - Decomposed by F-Secure
F-Secure's team of researchers does a great job of dissecting yet another piece of malware. This time it's TDL3, an example of increasingly complex and carefully architected software. F-Secure's analysis of this bot shows some interesting trends:
- The code uses low-level disk access to prevent its detection by file-scanning tools and to provide itself with full disk access
- The implementation of an encrypted file system within a protected area of the infected machine's disk
- The hooking of browser processes and the forwarding of search terms to the bot's C&C servers
Interesting read.
Monday, June 21, 2010
New NSS Labs End-point Security Report
In a new report released by NSS Labs, 10 anti-malware vendors are described as taking anywhere between 4 and 90 hours to protect their customers from new threats. The report also mentions up to 50,000 new threats each day that entice users to click malicious links within compromised web pages.
The vendors covered by the report include AVG, Norman, ESET, Panda, F-Secure, Sophos, Kaspersky, Symantec, McAfee and Trend Micro. A sample of the report is available here, but the full version with all the juicy details is $495.00 USD.
Monday, June 7, 2010
OSX Exploitation Step-by-Step
For non-programmers/hackers it might be a little difficult to understand, but D1DN0T has written an excellent walk-through of a penetration test against a service running on OSX. The write-up is good because it shows some of the common problems that occur during debugging and some of the methods for investigating ways around them. This seems like a trivial exploit to create, although I'm sure that much more time and effort went into putting the exploit together than is explained in the text.
Wednesday, May 5, 2010
Google's Web Application Security Training Resource - Jarlsberg.appspot.com
"Do no evil". No really. The Google software team is really firing on all cylinders lately: first it was the passive web application security tool ratproxy, then the active web application security assessment tool skipfish, and now the people at Google Code University have released a training framework for web developers, security analysts, and anyone else interested in some of the most prevalent web application security threats.
Google Code University has released a distributable web application named jarlsberg, coded in Python, which provides excellent examples of vulnerable application issues. This includes some common and less-than-common tests (reflected XSS via AJAX!), covering XSS, XSRF, DoS, code execution, SQLi, and various others.
Before this, people used WebGoat and other vulnerable applications that came packaged in some of the more popular security live CDs. This makes all of those obsolete, as it is simple to set up and use, and to reset back to its original state.
Although this application isn't as complex as many real web applications, its explanations of the issues and its exploitation hints make it the perfect test-bed for a simple introductory course (and self-study material) in web application security testing (more to come on this soon!).
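Two of the issue classes listed above (SQLi and reflected XSS) in the vulnerable-beside-fixed form that such a training app teaches, as an added example that is not part of the original post and not Jarlsberg's own code. The table, rows and functions are constructed for illustration; the fixes are the standard ones, a parameterised query and contextual HTML escaping.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not Jarlsberg's data model)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snippets (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO snippets VALUES (?, ?)",
                     [("alice", "public note"), ("bob", "private note")])
    return conn


def search_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """SQLi: the user-supplied owner is spliced into the SQL text, so a quote
    in the input changes the query's structure."""
    return conn.execute(
        f"SELECT body FROM snippets WHERE owner = '{owner}'").fetchall()


def search_fixed(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query: the driver binds the value as data, so it can never
    become part of the SQL statement."""
    return conn.execute(
        "SELECT body FROM snippets WHERE owner = ?", (owner,)).fetchall()


def render_vulnerable(query: str) -> str:
    """Reflected XSS: the search term is echoed unescaped into the HTML page."""
    return f"<p>Results for {query}</p>"


def render_fixed(query: str) -> str:
    """Output encoding for an HTML text-node context; markup in the input is
    rendered as literal text rather than interpreted by the browser."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    db = setup_db()
    probe = "alice' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, probe))  # both rows leak
    print("fixed:     ", search_fixed(db, probe))       # no owner has that literal name
    print(render_vulnerable("<b>x</b>"))
    print(render_fixed("<b>x</b>"))
```

The same input reaches both versions of each function, which is the point of a side-by-side exercise: the bug is in how the input is combined with the query or the page, not in the input itself.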
Thursday, April 29, 2010
Cinco DNSSEC Mayo
For many, the switch on May 5th to the new DNSSEC support in the root server pool is long overdue; for others the switch has people jumpy, dreaming up reasons why this will "kill your internet". Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, says "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that it," of the Register story. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell.
As defined by DNSSEC.net "it was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence."
This is intended to protect people from far worse things (phishing, DNS poisoning, rewriting, etc.) than having to resolve names through alternate servers. For an easier description, Wikipedia as always has us covered.
Happy Cinco DNSSEC Mayo!
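The "alternative paths" Mitchell mentions are easy to see at the wire level. A DNSSEC-aware client adds an EDNS0 OPT record with the DO bit set, which makes signed answers large; if a middlebox blocks or mangles the larger UDP replies, the client sees a truncated or failed response and must retry over TCP or fail closed. The following is an added example, not code from the post, DNSSEC.net or ISC: it builds such a query with the standard library only and classifies constructed response headers. The response bytes are constructed for the three cases and only the 12-byte header is parsed; the `next_step` labels are my own naming, not protocol terms.

```python
import struct

# Header flag bits (RFC 1035 header, RFC 4035 AD bit, RFC 6891 EDNS0 DO bit)
FLAG_TC = 0x0200   # truncated: the answer did not fit the offered UDP payload size
FLAG_AD = 0x0020   # authenticated data: the resolver validated the DNSSEC chain
FLAG_DO = 0x8000   # DNSSEC OK, carried in the TTL field of the EDNS0 OPT record
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234,
                dnssec_ok: bool = True, udp_size: int = 4096) -> bytes:
    """Build an A query (qtype 1); with dnssec_ok, append an OPT record with DO set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    if not dnssec_ok:
        return header + question
    # OPT RR: empty root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, FLAG_DO, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the fixed 12-byte header of a response."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txn_id,
        "truncated": bool(flags & FLAG_TC),
        "authenticated": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def next_step(resp: bytes) -> str:
    """What a validating client does next (labels are this example's own)."""
    h = parse_header(resp)
    if h["truncated"]:
        return "retry-over-tcp"          # large signed answer did not fit in UDP
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"                # validation failed or the path is broken
    return "validated" if h["authenticated"] else "unvalidated"


# Constructed 12-byte response headers (no question or answer sections included)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR RD RA TC
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)  # QR RD RA AD
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA rcode=2

if __name__ == "__main__":
    print(build_query("example.com.").hex())
    for label, r in [("truncated", TRUNCATED_RESPONSE),
                     ("validated", VALIDATED_RESPONSE),
                     ("servfail", SERVFAIL_RESPONSE)]:
        print(label, "->", next_step(r))
```

The AD bit is only meaningful between a client and a resolver it trusts (it is set by the resolver, not signed), which is why a stub that cares about validation should either validate itself or talk to its resolver over a trusted path.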
Wednesday, April 28, 2010
Akamai State of the Internet Report
Akamai has released the latest of their reports on the state of the global Internet. The report is biased toward information relevant to the US, but still has plenty of useful and meaningful global data as well. A few interesting tidbits:
- Top average measured connection speed (by country): South Korea at 11.7Mbps
- Canada average measured connection speed: not listed (not in the top 10)
- Top unique IP addresses per capita (how many IP addresses per person): Norway at .49, or 1 IP for every two people
- Canada: not listed (not in the top 10)
- Top attacked port: TCP/445 (Microsoft DS) for 74% of the attack traffic observed.
Check out the report yourself (you have to give them your email address to get access).
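The "top attacked port" figure is the kind of number you can reproduce for your own perimeter. Below is an added example, not from the Akamai report or this post, that tallies destination ports from firewall deny logs in netfilter's `IN=... PROTO=... DPT=...` style and reports each port's share of the observed traffic. The log lines are constructed (RFC 5737 documentation addresses, invented timestamps), so the 70% here is a property of the sample, not of any real network.

```python
import re
from collections import Counter

# Constructed netfilter-style log lines; not real traffic.
SAMPLE_LOG = """\
Apr 28 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN
Apr 28 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=445 SYN
Apr 28 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40210 DPT=445 SYN
Apr 28 10:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=22 SYN
Apr 28 10:03:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.88 DST=192.0.2.12 PROTO=TCP SPT=33001 DPT=445 SYN
Apr 28 10:04:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.88 DST=192.0.2.12 PROTO=UDP SPT=40000 DPT=53
Apr 28 10:05:19 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=445 SYN
Apr 28 10:05:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=22 SYN
Apr 28 10:06:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.13 PROTO=TCP SPT=1025 DPT=445 SYN
Apr 28 10:06:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.14 PROTO=TCP SPT=1026 DPT=445 SYN
"""

# Protocol and destination port as netfilter prints them; other fields are ignored.
PATTERN = re.compile(r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")


def attacked_port_share(lines, top_n: int = 3) -> list:
    """Return (proto/port, hits, percent of all matched lines), most common first.

    Lines without a PROTO/DPT pair (e.g. ICMP without ports) are skipped.
    """
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            counts[f"{m['proto']}/{m['dport']}"] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    return [(port, n, round(100.0 * n / total, 1))
            for port, n in counts.most_common(top_n)]


if __name__ == "__main__":
    for port, hits, pct in attacked_port_share(SAMPLE_LOG.splitlines()):
        print(f"{port:<10} {hits:>4} hits  {pct:>5}%")
```

On a real deployment you would feed this the deny lines only, split by day, and compare the share of TCP/445 against the report's 74% to judge whether your exposure matches the global picture.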