Win7/IE8 Exploit - CanSecWest - Vancouver BC, Canada

Recent trends for malware usually point to some older version of Internet Explorer running on Windows XP.  The lack of address randomization and execution protection makes it an easy target to create functioning exploits.  This years CanSecWest security conference again proves that it draws some of the brightest security researchers from around the globe.

As usual Charlie Miller is there on his "no more free bugs" tour - pointing out that Apple still hasn't taken security seriously enough, and showing through 5 lines of python code ways to reliably identify 20+ exploitable bugs in very common Internet related applications.  Seriously Apple, time to implement the basics, users of your operating system are not just educated coders and security people, they are common people that like to click through stuff.

More interesting though is the exploit of a fully patched IE8/Windows7 platform by Peter Vreugdenhil.  His two step bug and exploit avoids both the ASLR, and permanent DEP protections which have made this target so difficult to exploit, proving that if it is built by humans it can be unbuilt by humans.  Paper here.

Rounding out the conference so far is French researchers presenting on abuses of computing capability within host based network cards.  Did you realize that your network card is really an always-on always-listening mini-computer which can be used to listen into communications and access host-memory directly?

More to come from the conference over the next couple days...

COBIT 5 - Exposure Draft

ISACA has released an exposure draft which describes the design requirements objectives for the next version of the COBIT framework.  It appears that a tighter integration with the other ISACA products will be a main focus ensuring that RiskIT and ValIT processes are tightly integrated.
It will be interesting to see what feedback they get, and the release schedule for the publication.  The continuing development and release of these products keeps ISACA as one of the best professional organizations that provides good return on member dues.

skipfish - Google's Free Web Security Testing Tool

Recently, Google and Michal Zalewski (lcamtuf), author of the other venerable passive web security tool ratproxy, have released a beta version of a second web application security tool, skipfish which performs very optimized security checks of well-known security issues.
As stated within their own documentation the primary design goals are to be high-performance, easy to use, and employ well designed security checks.  I will be comparing this tool to several other tools including AppScan, BurpSuite, and several others, and providing some findings of my own.
Thanks again Google / Michael, this type of continued support helps us and our clients find and fix vulnerabilities!


Update 1: redspin has a bit of an initial writeup on it.


Update 2:  Simple instructions for 10.6.2 OSX install:


a)  download and unpack both skipfish and libidn.
b)  ./configure and make libidn
c)  select a dictionary that you want to use for bruteforcing server resources (these are used to find server resources not linked from the applications being assessed).  Copy the selected file to the root skipfish directory as skipfish.wl
d) make skipfish
e) run skipfish with selected options:  skipfish -h for a list.

Anti-virus, Patching, Drugs and the Immune System

Anti-virus is a hotly debated control.  For some it is a very profitable business model, and for others it is a primary portion of their security environment.  In other circles pointing out faults and weaknesses in anti-virus controls has become a banner for a crusade.  All of this results in confusion of users who are using it to protect themselves against online threats, which makes all of us a little less secure.  I'd like to make the point that if we focused on the causes of our online illnesses, secure software development and patching, that this would go a long way to improving our trust in the online community.

Anti-virus, like drugs produced by pharmaceutical companies are good at one thing, treating known conditions effecting us.  In anti-virus' case this is known malware and viruses.   These treatments are still essential at treating these conditions, and investment in new treatments is also very important.

On the other hand secure coding, development practices and rapid patching of systems is like our immune system, its there to help us prevent the infections from occurring in the first place.  And just as doctors provide advice on avoiding situations and preventing conditions which would result in infection, security professional provide advice on improving processes around the management of our environments, and the behaviours of our users.

Unfortunately, like drugs, anti-virus products are promoted as being a cure-all by some vendors biased by the profits to be had in the sale of these products.  Doctors live by a code of ethics which prevents them from solely relying upon drug treatments  to treat, cure and prevent the conditions of their patients. Like doctors, we security professionals need to provide the best advice to our customers, and ensure that we recognize the clear differences between these controls, and recommend and apply the right amounts of prevention and treatment.

Whitehouse Unveiling Their Cyber Security Initiatives

The Whitehouse has unveiled a report describing the specific initiatives that the US government is taking in reaction to the global cyber security threat.  These 12 initiatives, documented within the Comprehensive National Cybersecurity Initiative (CNCI)appear to be part of a well-coordinated plan championed by Howard Schmidt, the President's Cybersecurity Coordinator and include:


Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
Initiative #4: Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
Initiative #7. Increase the security of our classified networks.
Initiative #8. Expand cyber education.
Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.
Initiative #10. Define and develop enduring deterrence strategies and programs.
Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.