
Showing posts from January, 2011

Microsoft Attack Surface Analyzer - Review

As part of their involvement at the Black Hat security conference in Virginia, the Microsoft security team has released a new beta of a tool that helps security analysts understand the security impact of installing software whose installation actions are unknown.
The Attack Surface Analyzer, or ASA for short, is based on a slightly dated but still very relevant Carnegie Mellon paper on measuring attack surfaces - link. The beta product implements a few of the methodologies discussed: it creates baselines of system information before and after the installation of the target software, then analyzes the differences and provides an analysis based on a predefined set of security properties (set by Microsoft).
This approach is not new; however, Microsoft's product makes the work of baselining, analyzing and reporting extremely easy, generating an easy-to-read, browser-readable report for the analyst.
I decided to test this tool out with sof…

Business Browsing Insecurity

Just finished my talk on browser insecurity for the Calgary ISACA chapter. Thank you to those who attended. The intention of the topic isn't to scare people, but to help inform those that only hear from vendors regularly regarding the state of their controls.

Here is a link to the presentation in both PDF (with speaking notes) and PPT formats.

PDF Presentation
PPT Presentation

If anyone wants to continue any of the discussions we had afterward please feel free to email or call me.

PCI-DSS Version 2.0 - Standard Effective

If you've stayed connected to the PCI-DSS world, you'll know that version 2.0 of the standard was released late last year. As of January 1st, 2011, stage 2 has begun, which means the standard becomes effective. Unfortunately, that only means that stakeholders (merchants, processors, etc.) should start using the new standard and not the old, not that the standard provides effective security (it would be nice if you could just announce that kind of thing). Here is a link to the standard's lifecycle to make this clearer.

Keep in mind that you can still use the old standard for compliance reporting for 14 months, but if the new standard is available, it's likely a good idea to get a handle on the changes and how they'll affect your compliance program.

Encryption Fails - Embedded SSL Keys - PS3 root keys

A couple of noteworthy failures in the implementations of encryption.

The littleblackbox project over at Google Code aims to provide a list of all of the private keys embedded into device firmware by vendors that are too lazy to create unique private keys for devices. This includes consumer devices, some commercial devices, basically anything that has a private key embedded in common firmware shipped with the device. Once you have the private keys, you can decrypt future communications from the devices (read: admin interface traffic, SSL VPN session negotiation, etc.).

This affects lots of products and software including many of the popular dd-wrt devices.

Want to add to the list of recognized private keys? Simply download the binwalk tool and feed it a firmware file from your device.

It also appears that the root encryption key from Sony's PS3 game console has been discovered and posted by Geohot on his site.  Here is a video from fail0verflow's explanation of the weaknesses…

Google's Michal Z Releases a Contentious New Tool - cross_fuzz

Lcamtuf, or Michal Zalewski, has released a tool to test browsers for security issues by parsing the DOM, injecting values into a large number of objects, and triggering garbage collection by destroying the created objects. A more detailed explanation of the tool and how it works can be found here:

http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

The interesting part is that Microsoft had previously asked to have the tool's release delayed due to an unpatched vulnerability discovered in the IE browser, exploitable on XP. Michal declined to delay the release, stating that he had reason to believe that possibly nefarious individuals were aware of the bug and may be exploiting it in the wild.

Some commentary over at Slashdot here

Interesting start to 2011!