Showing posts from 2010

Protection and Response to User Account Leaks

Today it is being widely published that Gawker Media has had their entire database of user accounts and passwords (DES encrypted) leaked to the public.  Although this event may have been limited to those with user accounts on Gawker properties, imagine this happening on a major service like Google, Hotmail, or your bank. The two most significant impacts to most people are: 1)  Gaining access to the Gawker services exposed.  Once the encryption on the password data is brute forced, it is possible for someone to log in directly to the service as you. 2)  Reuse of passwords on other services.  Because humans are creatures of habit, we tend to reuse usernames and passwords across services, so if someone can find your email address and password, they can attempt to log in to other services as you as well. This provides an opportunity to reflect on methods of preventing and responding to these types of events. Response - Although it appears to be a good idea to change the password on the affe

Google Application Security Info

I've covered this before, but Google's team has done a fantastic job of promoting improved application security practices.  Gruyere is a set of application security training activities focused on educating developers on how to identify and respond to application security issues using a real application.  For those with no budget for security training, this is perfect!

Security Updates - Monday October 18th

It's been close to a month since my last post.  Here is a quick list of a few things that are worth mentioning in the security business today: Advanced Evasion Techniques - StoneSoft and ICSA Labs are identifying and testing some new network security evasion techniques.  Looks like there is some substance here, as tweets are starting from a few credible sources.   Link  - beware, this looks like it might just be vendor FUD! HD Moore and Metasploit release a new version of the wiki, and Metasploit Unleashed.  This is a great resource for anyone needing an intro to pentesting using the framework.   Link The Social Engineering Toolkit, or SET, has been updated with a few notables including new functionality for the Teensy - the hardware-based HID attack vector.   Link The 2010 Verizon PCI-DSS report has been released.   Link

.NET Security Issues - Crypto Attack PoC

There has been some news regarding the latest .NET attack, which exposes some of the padding oracle issues related to some of the tokens used by .NET applications.  Some people have been downplaying the issues, saying that these are only theoretical attacks; now researchers have posted a very practical demonstration of the attack on DotNetNuke.  Enjoy!

Adobe 0-day Weaponization

So, it used to take at least some time before published 0-day vulnerabilities were weaponized into malicious trojans and other exploit code.  Now it appears that the time to develop exploit modules is extremely limited, and possibly in some cases the modules are prepared before public release. As referenced in the Slashdot story, an Adobe spokesman described that the situation could change with the availability of the public samples and exploit code.  I think these types of advisories should be changed to "..the situation has changed, exploit code certainly already exists and has been used privately for some time.."

Network Analysis - Threat Detection Service

As part of a local partnership with Metafore, we are pleased to be able to provide a new threat detection service.  This service samples your egress network traffic looking for patterns which may indicate that malicious software is operating and abusing your computing environment. Our team provides the deployed equipment with minimal requirements from you (a span port on the egress network switch, or a tap), and two weeks later we will provide you with a report summarizing what was found and our recommendations regarding the controls needed to effectively manage these types of real threats.   We have yet to put this tool in an environment in which it was not able to find some form of malicious traffic, really!  Here is a sample of the executive report that is produced.  If you are interested in this service please just drop me an email.

DLL Preloading - Update Microsoft Recommendation

UPDATE September 2nd 2010 - Microsoft has issued new updated guidance and a new tool to help customers manage this within their environments.   This new tool helps configure environments to address the root cause of the issue while software vendors update their applications.  I highly recommend that organizations examine and use this tool to prevent exploitation. As with most reported vulnerabilities, Microsoft has issued a response to the DLL preloading issue that has been hotly discussed.  Their advisory is interesting: 1.  First they recommend disallowing outbound SMB and WebDAV access (at the firewall) to prevent users from making preloading connections out to the Internet.  This is a solid recommendation, but more in terms of general guidance than specifically for this issue.  The problem is that a malicious user could simply zip up the affected document with a copy of the DLL and the user would be able to load it locally - HD Moore provides an audit kit that even builds the dll a

Windows DLL Injection Vulnerability

Most of the security world has now heard about the vulnerability that was reported by HD Moore regarding the loading of malicious DLL files from remote shares through the Windows filesystem.  This issue has also been discussed at Slashdot by many users. Since Metasploit is constantly updated with the latest public exploits, I decided to try this one out to see how easy it really is on the Windows 7 platform.  Here are the Coles Notes and results of my attempts. 1.  Prep my test environment.  I use a fully patched Windows 7 box running Windows Defender as my primary Windows work environment.  I also have the convenience of using VMware Fusion to virtualize the environment, so it was easy to clone my installation to create a sample copy.  I made sure to use host-only networking so I can isolate the Windows box with Metasploit. 2.  I updated my Metasploit environment running on my OSX host.  A quick svn update gave me the latest code.  Version 10133 checked out. 3.  I opened msfconsole an

SmartPhone Malware

In 2009 at the CanSecWest conference in Vancouver, it was reported by mainstream media that because no hackers were able to exploit vulnerabilities on the common smartphone platforms, they were secure.  Now NetQin has shown that they have identified a new set of malware targeting the Symbian platform.  Just more confirmation that any platform is susceptible to malware if it is an attractive enough target.

TDL3 - Decomposed by F-Secure

F-Secure's team of researchers do a great job of dissecting yet another piece of malware. This time it's TDL3, an example of increasingly complex and carefully architected software. F-Secure's analysis of this bot shows some interesting trends:
- The code uses low-level disk access to prevent its detection by file-scanning tools, and to provide itself with full disk access
- The implementation of an encrypted file system within a protected area of the infected machine's disk
- The hooking of browser processes and forwarding of search terms to the bot's C&C servers
Interesting read.

New NSS Labs End-point Security Report

In a new report released by NSS Labs, 10 anti-malware vendors are described as taking anywhere between 4 and 90 hours to protect their customers from these threats.  The report also mentions up to 50,000 new threats each day that entice users to click malicious links within compromised web pages. The vendors covered by the report include AVG, Norman, ESET, Panda, F-Secure, Sophos, Kaspersky, Symantec, McAfee and Trend Micro.  A sample of the report is available here, but the full version with all the juicy details is $495.00 USD.

OSX Exploitation Step-by-Step

For non-programmers/hackers it might be a little difficult to understand, but D1DN0T has written an excellent walk-through of a penetration test of a service running on OSX.  This write-up is good because it shows some of the common problems that occur during debugging and some of the methods of investigating ways around them.  This seems like a trivial exploit to create, although I'm sure that much more time and effort went into putting the exploit together than is explained in the text.

Google's Web Application Security Training Resource -

"Do no evil".  No really.  The Google software team is really firing on all cylinders lately: first it was the passive web application security tool ratproxy, then the active web application security assessment tool skipfish, and now the people at Google Code University have released a training framework for web developers, security analysts, and anyone else interested in some of the most prevalent web application security threats. Google Code University has released a distributable web application named Jarlsberg, coded in Python, which provides excellent examples of vulnerable application issues.  This includes some common and less-than-common tests (reflected XSS via AJAX!), including XSS, XSRF, DoS, code execution, SQLi, and various others. Before this, people used WebGoat and other forms of vulnerable applications that came packaged in some of the more popular security live CDs.  This makes all of those obsolete, as it is simple to set up and use, and to reset back to origin

Cinco DNSSEC Mayo

For many, the switch on May 5th to the new DNSSEC support in the root server pool is long overdue; for others the switch has people jumpy, dreaming up reasons why this will "kill your internet". Meanwhile Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, says "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that it," he says of the Register story. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell. As defined by "it was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data in

Akamai State of the Internet Report

Akamai has released the latest of their reports on the state of the global Internet.  The report is biased toward information relevant to the US, but still has plenty of useful and meaningful global data as well.  A few interesting tidbits:
Top Average Measured Connection Speed (by Country) - South Korea at 11.7Mbps
Canada Average Measured Connection Speed - Not listed (not in the top 10)
Top Unique IP Addresses per Capita (how many IP addresses per person) - Norway at .49, or 1 IP for every two people
Canada - Not listed (not in the top 10)
Top Attacked Port - TCP/445 (Microsoft DS) for 74% of the attack traffic observed.
Check out the report yourself (you have to give them your email address to get access).

McAfee Botch, Mistake or Intentional?

If you've been keeping up with the news today regarding the McBlunder by McAfee, you might not have thought of the chance that this might be intentional and malicious.  About a year ago a security researcher documented a case where a remote update was maliciously replaced with other code.  Now most products that do remote updates require some cryptographic signature to make sure that the update is legit (I assume, but don't know for sure, that this is the case for McAfee updates), but what if the update was tampered with and changed before it was signed?  This is not too far-fetched, and it certainly damages McAfee; malware authors never pass up these types of opportunities.  It will be interesting to see if this angle is explored at all - or at least what McAfee releases after the internal investigation. And for those affected - here is the official fix at this time via McAfee

Google's Government Transparency

Here's an interesting link regarding the removal requests that Google receives from different governments around the world. More interesting is that this information (although not detailed) shows that not all requests are complied with. The overview here explains this in a bit more detail, and also indicates that different rules apply to different countries based on their local laws. Quite interesting.

Win7/IE8 Exploit - CanSecWest - Vancouver BC, Canada

Recent trends for malware usually point to some older version of Internet Explorer running on Windows XP.  The lack of address randomization and execution protection makes it an easy target for creating functioning exploits.  This year's CanSecWest security conference again proves that it draws some of the brightest security researchers from around the globe. As usual Charlie Miller is there on his "no more free bugs" tour - pointing out that Apple still hasn't taken security seriously enough, and showing, through 5 lines of Python code, ways to reliably identify 20+ exploitable bugs in very common Internet-related applications.  Seriously Apple, time to implement the basics; users of your operating system are not just educated coders and security people, they are common people that like to click through stuff. More interesting though is the exploit of a fully patched IE8/Windows 7 platform by Peter Vreugdenhil.  His two-step bug and exploit avoids both the ASLR, and permane

COBIT 5 - Exposure Draft

ISACA has released an exposure draft which describes the design requirements and objectives for the next version of the COBIT framework.  It appears that a tighter integration with the other ISACA products will be a main focus, ensuring that the Risk IT and Val IT processes are tightly integrated. It will be interesting to see what feedback they get, and the release schedule for the publication.  The continuing development and release of these products keeps ISACA as one of the best professional organizations that provides a good return on member dues.

skipfish - Google's Free Web Security Testing Tool

Recently, Google and Michal Zalewski (lcamtuf), author of the other venerable passive web security tool ratproxy, have released a beta version of a second web application security tool, skipfish, which performs very optimized security checks for well-known security issues. As stated within their own documentation, the primary design goals are to be high-performance, easy to use, and to employ well-designed security checks.  I will be comparing this tool to several other tools including AppScan, BurpSuite, and several others, and providing some findings of my own. Thanks again Google / Michal, this type of continued support helps us and our clients find and fix vulnerabilities!
Update 1: Redspin has a bit of an initial writeup on it.
Update 2: Simple instructions for 10.6.2 OSX install: a)  download and unpack both skipfish and libidn. b)  ./configure and make libidn c)  select a dictionary that you want to use for bruteforcing server resources (these are used to find server resour

Anti-virus, Patching, Drugs and the Immune System

Anti-virus is a hotly debated control.  For some it is a very profitable business model, and for others it is a primary portion of their security environment.  In other circles, pointing out faults and weaknesses in anti-virus controls has become a banner for a crusade.  All of this results in confusion for users who are using it to protect themselves against online threats, which makes all of us a little less secure.  I'd like to make the point that if we focused on the causes of our online illnesses, secure software development and patching, this would go a long way to improving our trust in the online community. Anti-virus, like drugs produced by pharmaceutical companies, is good at one thing: treating known conditions affecting us.  In anti-virus' case this is known malware and viruses.   These treatments are still essential for treating these conditions, and investment in new treatments is also very important. On the other hand secure coding, development practices and ra

Whitehouse Unveiling Their Cyber Security Initiatives

The White House has unveiled a report describing the specific initiatives that the US government is taking in reaction to the global cyber security threat.  These 12 initiatives, documented within the Comprehensive National Cybersecurity Initiative (CNCI), appear to be part of a well-coordinated plan championed by Howard Schmidt, the President's Cybersecurity Coordinator, and include:
Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
Initiative #4. Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
Initiative #7. Increase the security of our

Web Application Vulnerability Scanners Compared

Web application vulnerability scanning and identification is a hot topic for many customers, and there are a number of excellent products which can help with the identification process. Larry Suto has produced the second of his independent evaluations of these products and posted the results. In addition, the guys over at NTO have posted their response to the report, which identifies some interesting debates and responses from the vendors based on the results. This kind of transparency on the effectiveness of these tools is excellent and really highlights the challenges that ALL web application vulnerability scanners have - especially those tools that can't automatically find the vulnerabilities in their own test sites!

Advanced Persistent Threats APTs

APTs, or Advanced Persistent Threats, are threats in which the threat agent (the person or persons responsible) is highly motivated, well resourced, and highly skilled. The modus operandi of these people is to identify high-value target profiles (senior management, financially responsible, and influential) and gain persistent access to sensitive information. Over the last few months, there has been an increasing number of public reports related to APT incidents: Wall Street Journal, Business Week. Although it has been widely reported in the past that malware writers and the criminal elements funding their research were moving in the direction of smaller, more targeted attacks, it appears that this trend has accelerated and is catching many organizations and people off-guard in the process. There are a couple of difficult challenges associated with countering these types of threats: 1) Threat information - with a few exceptions (government and private intelligence) most people and organi

ScanSafe 56%-80% of 2009 Malware Infections Related to Adobe Acrobat

In a new report released by Cisco's ScanSafe, they claim that 2009 started off with 56% of malware infections occurring by way of flaws found in Adobe Acrobat products. This seems very high to me; I would think that drive-by browser Flash infections are still a larger percentage of this total.

Chip and PIN Vulnerabilities Documented

There is a significant research document that's been published publicly on some issues related to the new Chip and PIN standard. Looks like the vulnerability is associated with a lack of coordination between each of the organizations involved. The attack, although sophisticated, is easily used by individuals with no technical understanding of it, using simply a "wedge" inserted between the card and the POS device. Considering that Canada's largest card issuers are all migrating to these cards, this is a big issue. I have not yet confirmed that this affects chip and PIN cards issued in Canada. Link to press release- Link to technical paper-

Targeted Attacks - 2010 Predictions

It doesn't seem long into the new year and we already have two really high-profile targeted attacks. The one reported at the end of December was a targeted attack on Google and a few other companies using some 0-day code. - Google's release The other is a new report of defense contractors being targeted using an only-recently patched exploit for Adobe Acrobat Reader. - F-Secure's writeup Not surprisingly, the motivation of would-be attackers continues to move from targets of opportunity to targets of value; the surprising thing about it is how quickly this trend is progressing.

Security Updates - 2009/2010

Sorry about the hiatus between posts - it's been a busy holiday season and isn't showing any signs of slowing down in the next few weeks. I've posted a few tweets here and there for some quick updates but nothing major, so here are a few links that have really caught my eye over the last month or so (some really good stuff here!). Best Practice / Research updates: NIST has published a draft revision of an important risk management framework which guides the implementation and compliance approaches for FISMA. In my opinion this strengthens the guidance and makes it easier to implement - NIST's SP 800-37 Rev. 1 - DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. The draft was open for comment until the end of December, so look for a release sometime in January. ISACA has published two new sets of documents for members: an updated guideline on implementing and improving IT governance, and a new framework and p