Security Weekly News 09 December 2010 – Full List

Category Index

Hacking Incidents / Cybercrime

Credit card giants MasterCard and Visa came under intense cyber attack on Wednesday as supporters of WikiLeaks retaliated for moves against Julian Assange
after the release of U.S. diplomatic cables that angered and embarrassed Washington.
The Swedish prosecution authority, whose arrest order for Assange over accusations of sexual offenses led a British court to remand the 39-year-old
WikiLeaks website founder in custody, also said it had reported an online attack to police.
Following the decision by Amazon not to host WikiLeaks anymore last week, PayPal has now permanently restricted the account used by WikiLeaks due to a
violation of its acceptable use policy.
According to a statement by PayPal, its payment service ‘cannot be used for any activities that encourage, promote, facilitate or instruct others to engage
in illegal activity’. It said that it has ‘notified the account holder of this action’.
However a new twist on this tale is that the Anonymous group is set to take a temporary break from their efforts against the entertainment industry in order
to spend some time helping WikiLeaks. According to Sean-Paul Correll, threat researcher and security evangelist at Panda Security, the first attack has been
set on PayPal.
A brazen series of computer intrusions into Google networks in China announced by the search engine company earlier this year were directed by the highest
levels of the Chinese government, a ‘well-placed’ Chinese source told U.S. Embassy officials in Beijing in January.
The revelation was contained in a classified State Department cable, part of a cache of cables leaked to the site WikiLeaks and disclosed Saturday.
‘A well-placed contact claims that the Chinese government coordinated the recent intrusions of Google systems,’ the cable said. ‘According to our contact,
the closely held operations were directed at the Politburo Standing Committee level.’
A group of fraudsters has been arrested in Yakutsk and Moscow for allegedly compromising all the ATMs in the city of Yakutsk – population: around 210,000 –
in the Republic of Yakutia in the Russian Federation. Three of the men formed the actual criminal group, and the fourth – a Moscow-based malware developer –
was ‘subcontracted’ by them and received 100,000 rubles (some $3200) to develop a custom ATM virus with which they would infect the devices.
Siphoned off Nectar into private honeypots
A London IT worker has been found guilty of fraud offences related to scamming supermarket Sainsbury’s out of loyalty points worth £70,000.
James Stevenson, 45, of Muswell Hill, was a lead analyst programmer for Sainsbury’s and used his position to set up several different accounts to collect
the Nectar reward points.
Stevenson was found guilty last month of fraud by false representation for using the dodgy points to buy £8,120 worth of shopping, the Tottenham Journal
reports.
Cybercriminals are exploiting Twitter to spread malware using festive-themed messages, according to PandaLabs. Using methods akin to black hat SEO
techniques, hackers are taking advantage of trending topics to position malware distribution campaigns.
As the holiday period has begun, topics such as ‘Advent calendar,’ ‘Hanukkah’ or even ‘Grinch,’ are among the most popular subjects used by hackers to
entice users.
According to Milwaukee’s Journal Sentinel one of the largest spam senders in the world is sitting in a cell in Milwaukee awaiting his first court appearance
on Friday, where he will be charged with being one of the greatest spammers in the world.
The case being heard, in the Eastern District of Wisconsin (2:2010-cr-00246), charges Oleg Nikolaenko, born July 17, 1987, with violations of 18 U.S.C. §§
1037(a)(3) and 2.
According to the 13 page criminal complaint beginning in January 2007, violated CAN-SPAM in a maximum way. The first charge against him was CAN-SPAM
violations:
ProFTPD Compromise Report  [sourceforge.net]
On Sunday, the 28th of November 2010 around 20:00 UTC the main
distribution server of the ProFTPD project was compromised. The
attackers most likely used an unpatched security issue in the FTP daemon
to gain access to the server and used their privileges to replace the
source files for ProFTPD 1.3.3c with a version which contained a backdoor.
The unauthorized modification of the source code was noticed by
Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
Wednesday, December 1 and fixed shortly afterwards.
Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that
once accounted for roughly a third of all spam sent worldwide.
According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and
operator of the Mega-D botnet.
Siberia Exploits Kit Fights Back Against AV Companies [labs.m86security.com]
Siberia Exploit Kit is an evolving crimeware that was first seen in the wild in late 2009. A few months ago the author of Siberia Exploits Kit deployed an
upgraded version of the toolkit, as written in the Malware Intelligence Blog.
Like our last post about Phoenix Exploit’s Kit, Siberia Exploit’s Kit author also emphasizes the issue of circumventing recognition by Anti-Virus and URL
filtering services, as it contains a built in Anti-Virus checker.
News that two malware families have decided to pool their resources shows how much of an organised business cyber crime has become, Trend Micro has said.
The deal involves two of the most notorious botnet kits, ZeuS and SpyEye, which the security firm reckons are responsible for the majority of all stolen
information online. ZeuS has been linked to several cases of online banking fraud.
Last month, reports emerged that the author of ZeuS, who goes by the online names of Slavik or Monstr, had gone underground and had given his toolkit’s
source code to the SpyEye author (known as Gribodemon or Harderman)

Software Updates

Sumatra PDF 1.2 released  [blog.kowalczyk.info]
Simple, lightweight alternative to Adobe Reader and Foxit Reader .. without Javascript support by design.
VMware has released some security updates.
ProFTPD Compromise Report  [sourceforge.net]
On Sunday, the 28th of November 2010 around 20:00 UTC the main
distribution server of the ProFTPD project was compromised. The
attackers most likely used an unpatched security issue in the FTP daemon
to gain access to the server and used their privileges to replace the
source files for ProFTPD 1.3.3c with a version which contained a backdoor.
The unauthorized modification of the source code was noticed by
Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
Wednesday, December 1 and fixed shortly afterwards.
Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability
Google Chrome 8.0.552.215 on Mac OS X. Previously only available in the Beta channel, Google has released version 8 of the Chrome web browser into the
stable channel. This major update is the first version capable of using the upcoming web store and includes a built-in PDF viewer that’s sandboxed to help
prevent attackers from exploiting security vulnerabilities in the plug-in. A sandboxed Adobe Flash Player plug-in has been integrated into the Development
(Dev) channel version of the browser, so that too should appear in the stable release in due time.
Kaspersky has finally released Critical Fix 2 for Kaspersky Anti-Virus (KAV) and Kaspersky Internet Security (KIS) 2011. Critical Fix 2 has already been
released once, back in early October, but was removed from the server after a few days without explanation.
Winamp 5.601 Released  [forums.winamp.com]
* Improved: [in_wave/libsndfile] Added AIF to default extension list
* Improved: [ml_plg] Localization of playlist names & various other tweaks
* Fixed: Win2k compatibility (caused by 5.6-specific DLL load vuln fix)
* Fixed: [in_midi] Security vulnerability (thanks: Morten @ kryptoslogic)
* Fixed: [in_mp3] Querying endoffset metadata for iTunes gapless playback
* Fixed: [pmp_ipod] Sync and Eject issues
* Fixed: [pmp_ipod] Compilation flag when Album Artist is ‘Various Artists’
* Fixed: [pmp_wifi] Crash when devices.w5s missing
* Misc: Made installer disable incompatible 3rd-party gen_lyrics plugin
* Misc: More general tweaks, improvements, fixes and optimizations

Business Case for Security

Part 1 (How to find your websites) of the series describes a process for website discovery. This piece (part 2) describes a methodology for rating the value
of a website to the business that many of our customers have found helpful. Website asset valuation is a necessary step towards overall website security
because not all websites are created equal. Some websites host highly sensitive information, others only contain marketing brochure-ware. Some websites
transact million of dollars each day, others make no money or maybe a little with Google AdSense. The point is we all have limited security resources (time,
money, people) so we need to prioritize and focus on the areas that offer the best risk reducing ROI.
GOVCERT: Botnets explained  [www.youtube.com]
This post is the fourth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest
value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these
posts are designed to give you recommendations, a place to start. For the fourth topic I like to focus on social networking. I feel this is the future for
many social engineering based attacks. If you think about it, social networking is designed to get as many people as possible to share as much information
as possible, the perfect breeding ground for human based attacks. In addition, even if your organization forbids or blocks social networking sitespeople
still use them in their personal lives which can impact your organization. As such there are some key risks we need to identify and respective behaviors we
want to change to mitigate those risks.
1. The first risk is posting too much personal or private information.
2. Even if people are aware and careful what they post, they must understand that others can post private information about them.
3. The third risk is scams. This is nothing new, we discussed scams in topic #3 Email and IM.
4. Just like operating systems and smartphones, users should be careful of the 3rd party apps they use.
5. Finally, end users need to be taught no confidential organization information may be posted (such as publicly posting raid plans the day before a
military action). One good rule of thumb is if the information is not already on the company public website then don’t post it.
Security Awareness Topic #5 – Browsers  [www.securingthehuman.org]
This post is the fifth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest value
for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are
designed to give you recommendations, a place to start. For the fifth topic I like to focus on browsers. Browsers have become the primary method most
people interact with the Internet. From banking online or searching for information to updating their Facebook account or buying the latest pair of shoes.
Because browsers are such a target, and because the Internet can be such a hostile environment we need to make end users aware of certain risks and change
some common behaviors.
1. The first step is keeping browsers updated. Vendors are not only constantly patching browsers and fixing known vulnerabilities, but adding new security
features such as sandboxing. Always having the latest version is one of the best ways to help secure your browser and your system. Teach end users how to
check if their browser is updated and how to enable automatic updating.
A DUBLIN firm has developed e-learning software for teaching people how to better protect themselves on social networks, which was co-written by Ira
Winkler, one of the world’s foremost information security experts.
The product, developed by Vigitrust, is called Security for Social Networking 101 and is a response to the risks that have emerged from the popularity of
sites such as Facebook and Twitter. The amount of personal information that people publish can make it easy for fraudsters to pass themselves off as friends
and ask their victims for money.
The module is also intended to address the concerns of businesses, especially in the US, that certain kinds of company information might not be suitable for
publishing on a social network. Since banning these sites outright is probably not an option for many firms, training is seen as a way to educate staff
about appropriate behaviour when online.
An online survey of 229 consumers has found that all have at least one USB stick but half could not remember what they had saved on a device.
It found that 54 per cent of people had between three and six sticks, while a fifth (21 per cent) owned as many as ten, or even more. Also, 34 per cent
admitted they did not know where all their USB devices are at any given time, while ten per cent admitted to losing a USB device containing corporate data,
yet 76 per cent never reported the loss to their bosses.
Bob Heard, chief executive officer and founder of Credant, who conducted the survey, said: “Companies are spending millions on their security and it could
all be in vain if they fail to close this basic area of vulnerability. If they have a workforce that are using USB storage media, blissfully unaware of the
potential mayhem that these ubiquitous devices could potentially cause, no matter how much is spent the enterprise will never be secure.
Implementing ISO/IEC 27001 and creating an effective Information Security Management System for the first time can be challenging!
This toolkit has everything you will need. When you use our highly practical and informative books and tools to help you tackle the project, you receive
unique guidance and support for your organisation – plus, with this package, you save money!
* Read a free paper on how our real-world policy and procedure templates can help you
* Here’s a data sheet on the contents of our ISMS toolkit
* You can even try before you buy! There is a free demo version of this toolkit.
A €3.7 MILLION EU-wide project aimed at improving data protection in Europe is to be led by researchers from Waterford Institute of Technology (WIT).
The Endorse project involves industry experts from the Netherlands, Italy, the UK, Spain, Austria and Ireland. Over the next year those involved hope to
develop software that will allow companies to check compliance with their own country’s data protection legislation.
Thanks to some dude that looks like a James Bond villain that rents rack space from an nuclear bomb resistant underground lair, combined with a foreign
nation running the equivalent of a Hoover strapped to a Xerox over the entire country, ‘data leaks’ seem to be back in the headlines.
While most of us intuitively understand that completely preventing leaks isn’t possible, you wouldn’t know it by listening to various
politicians/executives/pundits. Although most of us understand that eliminating data leaks/loss isn’t possible, we don’t always dig into the reasons why;
especially when it comes to technology.
Lately I’ve been playing with using aspects of quantum mechanics as metaphors for information-centric (data) security. When we start looking at problems
like protecting data in the highly distributed and abstracted environments empowered by virtualization, decentralization, and cloud computing, it resembles
the transition from the standard physics models dating back to Newton, to the quantum world opened by the atomic age.

Web Technologies

Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career.
Developers are often pressured to deliver code as quickly as possible, and the complexity of the platform and vast number of configuration options often
leaves the application in a less than desirable security state. In addition, the configuration requirements for debugging and production are different,
which can often introduce debugging settings in production, causing a variety of issues.
Over the years, the ASP.NET platform has matured and better documentation has been made available through MSDN and community blogs, but knowing which
feature or configuration setting to use is often troublesome. Even with good knowledge of the security functionality, mistakes can happen that could result
in security vulnerabilities in your application.
Peer code review is a useful process and a good way to catch issues early. Still, not everyone has the time or budget-or knowledgeable peers at hand-for
such review.
HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user
input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is
that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation
checkpoints, and access and possibly exploit variables that may be out of direct reach.
The consequences of the attack depend on the application’s logic, and may vary from a simple annoyance to a complete corruption of the application’s
behavior.
12 programming mistakes to avoid  [www.infoworld.com]
The dirty dozen of application development pitfalls — and how to avoid these all-too-common programming blunders
A car magazine once declared that a car has ‘character’ if it takes 15 minutes to explain its idiosyncrasies before it can be loaned to a friend. By that
standard, every piece of software has character — all too often, right of the box.
Most programming ‘peculiarities’ are unique to a particular context, rendering them highly obscure. Websites that deliver XML data, for example, may not
have been coded to tell the browser to expect XML data, causing all functions to fall apart until the correct value fills the field.
Lately it seems that a lot of people are talking about the potential security vulnerabilities of having an unrestricted crossdomain.xml. It’s public
knowledge that this can be abused by an attacker setting up Cross Site Request Forgery.
Below is the sample code in the crossdomain.xml. This is a simple one. Some of the big websites that have these crossdomain.xml’s unrestricted have alot
more data in the xml file. From the blogs that I have read in the community and from HP Web Inspect Remediation Guide “Exploiting a Vulnerability Involves
crafting a custom Flash Application”.
The fix is “not to design and deploy Flash APIS meant to be accessible to arbitrary third parties. It is also recommended “to host these on a sub domain”.
We are not going to discuss how to exploit this vulnerability but rather to find it in the wild with 02.
Sessionmanagement in X-Header  [tar-xvzf.blogspot.com]
I recently stumbled upon a solution for session management where I’m searching hard to find the weak points but I failed so far.
There is this web 2.0 application which neither uses cookie nor it transports the session ID within the URL. The devs decided to transport the session ID
within an X-Header HTTP field which they send over on each (XHR) request. This seems smart from a range of perspectives:
1. They do not have to care about CSRF Protection, because no session identifier is sent without explicit intend.
2. They do not have to care about cached or otherwise leaked session ids, since the ID is held in RAM only and the user doesn’t see (and thus cannot share
it accidentally) it.
Website Monocultures and Polycultures  [jeremiahgrossman.blogspot.com]
Before diving in let’s first establish a baseline on the fundamental assumptions about software monocultures and polycultures. Monocultures, meaning all
systems are identical, are at elevated risk to systemic widespread compromise because all nodes are vulnerable to the same attack. For example, one zero-day
exploit (not necessarily required) has the capability of ripping through the entire ecosystem. The benefit of a monoculture however is the consistency of
all the connected nodes allow for easier management by IT. Manageability makes keeping patches up-to-date less difficult and by extension raises the bar
against targeted attacks and random opportunistic worms.
So if website attacks are generally targeted, again except for SQLi worms, and it’s easier to secure code written all in the same language, then we should
be advocating monoculture websites. Right? Which is exactly the opposite of how the community seems to want to treat networks. I just found that to be
really interesting. What I’m working on now inside WhiteHat is trying to find statistical evidence in real terms how the security posture of the average
monoculture and polyculture compare. I’m guessing monoculture websites are noticebley more secure, that is, less vulnerabilities. But what would your theory
be?
As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing
programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making
processes more efficient and easing the burden of information overload.
In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and
Dynamic Application Security Testing (DAST). SAST analyzes application binaries or source code, detecting vulnerabilities by identifying insecure code paths
without actually executing the program. In contrast, DAST detects vulnerabilities by conducting attacks against a running instance of the application,
simulating the behavior of a live attacker. Most enterprises have incorporated at least one SAST or DAST technology; those with mature SDLCs may even use
more than one of each.
HTML5 reaches 1% of the web  [news.netcraft.com]
Despite still being developed, HTML5 is already in use on more than 1% of the world’s websites.
Netcraft’s December Web Server Survey found the HTML5 DOCTYPE on 1.06% of homepages. An additional 0.05% of sites made use of new HTML5 features without
explicitly declaring the correct DOCTYPE.
HTML5 is the next major revision of the HTML standard, and looks set to supersede HTML 4.01 and XHTML 1.1 with its support for video and audio playback.
Microsoft has recently shifted its strategy on Silverlight as a cross-platform solution and now wants to implement standards-based HTML5 really, really,
really well in Internet Explorer 9.
Virtual patching with mod security  [www.securityninja.co.uk]
As someone who is responsible for operational security I think that one of the biggest challenge I have to deal with is how to keep the systems and
applications up to date with no service interruptions.
It is not only a question of having good patching polices or procedures that dictate how you have to patch after a vulnerability is found in your platform.
The time required to analyse the vulnerability, develop a fix, test the fix and deploy it into production can leave a system vulnerable to attack for a
period of time which might not be acceptable to the business.
It seems to be fairly well known that there are multiple unpatched
CSRF vulnerabilities in the administration interfaces for various
Linksys routers. Since the initial reports of these are from a few
years ago, and since some exploits are available, I have written
additional proof of concept exploits for the Linksys routers that I
have access to.
While in most cases the victim must be authenticated with the
application in question to exploit a CSRF vulnerability, since the
factory default passwords for all of the routers in question are known
to be admin, the victim does not necessarily need to be authenticated.
This means that only suggested workaround that I have seen up until
now, do not surf the web wile authenticated in the router’s
administration interface, does not solve the problem in certain cases
where the user is still using the default password. This is mitigated
somewhat by the fact that most browsers provide at least some degree
of protection from these types of attacks, described in additional
detail below.
This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 years of PHPIDS filter evasion at the CONFidence 2.0
conference. You can find the slides here. For a quicker reference you can use the following cheatsheet. More detailed explaination can be found in the
slides or in the talk (video should come online in a few weeks).
While I am often critical of companies for their privacy practices, when they do good things, I think it is important to publicly praise them for it. As
such, Microsoft deserves a significant amount of credit for moving the ball forward on privacy enhancing features in the browser. This blog post will reveal
a few of my initial thoughts about Microsoft’s announcement, and what I think are the politics behind its decision.
Briefly, Microsoft today announced that it will be improving the InPrivate Filtering feature in its browser — which would have been a great feature, if the
company hadn’t intentionally sabotaged it in response to pressure from people within the company’s advertising division.
disabling websockets for firefox 4  [www.0xdeadbeef.com]
We’ve decided to disable support for WebSockets in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 included support for the
-76 version of the protocol, the same version that’s included with Chrome and Safari.
Adam Barth recently demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the
browser and the Internet.
Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox, even a minor update release. The code
will remain in the tree to facilitate development, but will only be activated when a developer sets a hidden preference in Firefox.

Network Security

We’ve had a few reports on AVG updates breaking things on Windows 7 64 bit (thanks Bill, et all).
The problem lies with the mandatory update.
The AVG site has some info on how to deal with the issue here http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=94159
Episode #124: Levelling Up  [blog.commandlinekungfu.com]
Tim set himself up to bomb:
So I came up with the idea for this episode, totally my fault. And I knew going into it that I was setting myself for a significant beating from Hal. My
guess is that it will take him all of five minutes to write his portion. So here goes.
One of the nice features of Windows is the extremely granular permissions that can be granted on files and directories. This functionality comes at a price,
it makes auditing of permissions a big pain. Especially when it comes to groups, and even worse, nested groups. A few of my colleagues and I were looking
for files that would allow us to elevate our privileges from the limited user account one with more privileges. Files run by service accounts, or possibly
an administrator, and are also modifiable by a more limited user. In short, we were looking for files owned by an admin but writeable by a limited user.
Before we get into the fu, we need to look at how file permissions look in PowerShell.
Shearing FireSheep with the Cloud  [www.stratumsecurity.com]
If your laptop ever connects to a network behind enemy lines (e.g. hhonors, attwifi, panera), this post is for you. The step-by-step directions below allow
you to stand up a portable, cloud-based private VPN that you can use from anywhere – for around $0.50 a month. Once you get everything setup, you can feel
good connecting to a hotspot and laugh at the guy running FireSheep.
Speaking of Firesheep, I’ve actually had some people close to me (including my wife) ask how they can prevent these types of attacks from happening. There
are some nice “off-the-shelf” solutions like HTTPS Everywhere and BlackSheep but as a security professional I wanted to give a recommendation that would
provide broader coverage than these solutions.
Another fun attack that willis and I found during our SAP BusinessObjects research is that we could do internal port scanning by using Crystal Reports.
The way this works is that when you browse to a Crystal Reports web application (http://hostname/CrystalReports/viewrpt.cwr) there are a few parameters
which are used to communicate with the SAP services on the backend. The problem here is that these parameters are controlled by the user. Now a better way
to do this is to provide a drop-down list or make all the configurations done by the server.
This Tech Tip provides straightforward instructions on how to construct and use a passive Ethernet tap. The end product may be used with any hub or switch
and any operating system. A passive Ethernet tap is useful when installing an intrusion detection system (IDS) sensor or when snooping Ethernet traffic.
Hardware Requirements
* A single 4-port Ethernet housing such as the Versatap AT44 Surface Jack Housing from Allen Tel Products
* 4 Category 5e modular snap-in jacks such as the AT55 Category 5e Modular Snap-In Jacks from Allen Tel Products
* A small section, about 6 inches, of Category 5e cable
In the modern client-focused threat landscape,JavaScript plays a very important role in delivering and executing attacks.Many browser-based vulnerabilities
are triggered by specific sets of JavaScript calls,and HTML,CSS,or PDF-based vulnerabilities often have accompanying payloads written in JavaScript.Thus,if
a defender can reliably detect malicious JavaScript,they can protect against the vast bulk of browser-based,client-side attacks – including 0-day delivered
with standard malicious JavaScript tricks.
It’s almost effortless to use vCenter Server to create customized clones of virtual machines. VMware vSphere is the only virtualization platform that has
fully integrated Linux guest customization – a handy wizard allows setting unique attributes of the guest such as name, static IP address, timezone, and DNS
settings. That means the your new VM is deployed and ready for action without additional configuration.
Intro to Static Analysis Part 1  [internetopenurla.blogspot.com]
This is Part 1 of our Intro to Static Analysis.
There are a number of schools of thought on how to approach reversing malware. Some people jump right into dynamic analysis in effort to quickly learn what
the specimen is doing so they can put rules in place on their network to stop it’s functionality or see who else might be infected. Some of these people,
will then perform static analysis to see if they may have missed something. Others leave it at the results found from their dynamic analysis.
Other people do static analysis first to fully understand the expected behavior so they know if something is happening with the sample when running it in a
dynamic lab other than what is expected. They will then run dynamic analysis on it to see if their findings are correct.
Recently, Tenable added exploitability reporting for Nessus. After performing a scan, results can be filtered to see which vulnerabilities have exploits
available for them. In the report, you can even see which common exploitation tools have payloads for these vulnerabilities. This is a great way to help
prioritize which vulnerabilities to fix first. However, it is not a great way to manage your network or decide whether to patch a system or not. Consider
the following conversation that represents many I’ve had on this topic:
IT Auditor: Ron, we love the new exploit filtering feature in Nessus!
Ron: That’s very cool. What do you like about it?
IT Auditor: We don’t have to patch as many servers as before!
Ron: Really, why is that?
IT Auditor: If an exploit isn’t available for the vulnerability, why should we worry about it?
DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against
the types of exploits that we see in the wild today. Of course, any useful mitigation technology will attract scrutiny, and over the past year there has
been an increasing amount of research and discussion on the subject of bypassing DEP and ASLR [1,2]. In this blog post we wanted to spend some time
discussing the effectiveness of these mitigations by providing some context for the bypass techniques that have been outlined in attack research. The key
points that should be taken away from this blog post are:
* DEP and ASLR are designed to increase an attacker’s exploit development costs and decrease their return on investment.
* The combination of DEP and ASLR is very effective at breaking the types of exploits we see in the wild today, but there are circumstances where they can
both be bypassed.
* Exploits targeting Microsoft and third party vulnerabilities have been created that are capable of bypassing DEP and ASLR in the context of browsers and
third party applications.
* We are currently not aware of any remote exploits that are capable of bypassing DEP and ASLR in the context of in-box Windows services and various other
application domains.
* Knowledge of potential bypass techniques directly informs our future work to improve the robustness and resiliency of DEP, ASLR, and our other mitigation
technologies
ZozzleAs browser-based exploits and specifically JavaScript malware have shouldered their way to the top of the list of threats, browser vendors have been
scrambling to find effective defenses to protect users. Few have been forthcoming, but Microsoft Research has developed a new tool called Zozzle that can be
deployed in the browser and can detect JavaScript-based malware at a very high effectiveness rate.
Zozzle is designed to perform static analysis of JavaScript code on a given site and quickly determine whether the code is malicious and includes an
exploit. In order to be effective, the tool must be trained to recognize the elements that are common to malicious JavaScript, and the researchers behind it
stress that it works best on de-obfuscated code. In the paper, the researchers say that they trained Zozzle by crawling millions of Web sites and using a
similar tool, called Nozzle, to process the URLs and see whether malware was present.

Database Security

V3RITY for Oracle  [www.v3rity.com]
V3RITY is a tool that can be used in an Oracle forensics investigation of a suspected breach. It is the first of its kind and is currently in the beta
stages of development.
An Introduction to V3RITY for Oracle in Microsoft Word Format
An Introduction to V3RITY for Oracle in PDF Format
Snow, Woe and Oracle Security!  [www.petefinnigan.com]
I have also agreed some new trainings recently. I will be teaching my class ‘how to perform a security audit of an Oracle database’ next week in Ljubljana
(snow permitting I guess as we still have a lot of bad weather), then in February with Opitz Consulting in Switzerland, then in March in Edinburgh with
PiSec and also in March in Athens, Greece. Finally I will also be teaching in Croatia in May next year. Finally, Finally I will also be creating a new one
day class to be split over either 2 or 3 days and taught over the internet; watch out for more news on this soon. These are all public classes and of course
we would love to see at some of them.

Mobile Security

ASLR to unwashed iDevice masses
A computer consultant is embarking where Apple has refused to go, adding a security measure known as ASLR to iPhones to make them more resistant to malware
attacks.
Short for address space layout randomization, ASLR has been noticeably absent from all iOS devices since their inception, making possible the types of
attacks that commandeered a fully patched iPhone at this year’s Pwn2Own hacker contest. By randomizing the memory locations where injected code is executed,
ASLR aims to thwart such exploits by making it impossible to know ahead of time where malicious payloads are located.
Introducing Nexus S with Gingerbread  [googleblog.blogspot.com]
The very first Android phone hit the market in November 2008. Just over two years later, Android’s vision of openness has spurred the development of more
than 100 different Android devices. Today, more than 200,000 Android devices are activated daily worldwide. The volume and variety of Android devices
continues to surpass our wildest expectations-but we’re not slowing down.
Today, we’re pleased to introduce the latest version of the Android platform, Gingerbread, and unveil the next Android device from the Nexus line of mobile
products-Nexus S. And for developers, the Gingerbread SDK/NDK is now available as well.
Nexus S is the lead device for the Gingerbread/Android 2.3 release; it’s the first Android device to ship with the new version of the Android platform
iPhone Skype Call via BeEF  [www.youtube.com]
Demonstrating Nitesh Dhanjani’s iPhone insecure handling of Skype URLs in the new Ruby BeEF
NEW DELHI: Nokia on Thursday announced installation of a server in India to enable security agencies lawfully intercept its email and messenger services, a
move which may force BlackBerry to follow suite.
Nokia India Vice President and MD D Shivakumar called on Home Secretary G K Pillai on Thursday and handed over the letter, saying the company has conformed
with all requirements suggested by the law enforcement agencies.
The company, however, assured its customers that their privacy would be protected, even while fulfilling public responsibility and legal obligations.
‘As a responsible corporate citizen, we follow all local laws and regulations that are required by the government authorities,’ it added

Privacy

Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history. While these tricks are
nothing new, they are in the news again, so it’s a good time to remind readers about ways to combat this sneaky behavior.
The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing
history of visitors to record where they’d been.
It’s no secret that many websites leverage an advertising based funding model to derive revenue from viewers. But the game is getting much bigger than just
showing advertisements. Now its all about customizing ads to the particular user viewing the site. The company that can best profile a user can offer the
most targeted ad and demand the highest payment for this service.
Unfortunately it is becoming increasingly difficult for a user to control what pieces of information are stored by sites they visit. The dominant methods
of profiling users in the past were tracking beacons and cookies that could be used to centrally record a user’s activity across various websites. These
could be used to build a pretty powerful picture of a user’s habits and interests.
Organizers of National Opt Out Day, the Wednesday before Thanksgiving when air travelers were urged to opt out of the full-body scanners at security
checkpoints and instead submit to full-body patdowns — were outfoxed by the TSA. The government pre-empted the protest by turning off the machines in most
airports during the Thanksgiving weekend. Everyone went through the metal detectors, just as before.
Now that Thanksgiving is over, the machines are back on and the ‘enhanced’ pat-downs have resumed. I suspect that more people would prefer to have naked
images of themselves seen by TSA agents in another room, than have themselves intimately touched by a TSA agent right in front of them.
Updated with response from Adobe (NSDQ: ADBE). So-called Flash cookies-chunks of data embedded in the Adobe Flash Player on internet users’ browsers that
can’t be eliminated with standard privacy controls-have been on the radar of privacy advocates since last year. But the FTC made it clear today that it’s
now starting to take a more active role in addressing what it referred to as the “Flash problem.”
In response to a question from a reporter about whether the FTC was looking into ways to implement a “Do Not Track” system not within web browsers, FTC
Chairman Jon Leibowitz said that the commission hopes to explore other options as it receives public comment over the next two months. Then he added:
“There’s an Adobe Flash problem that needs to be solved… We’ve been talking to Adobe.”
Two California residents filed suit against the owner of adult website YouPorn, alleging it had violated cybercrime and consumer-protection laws by using
surreptitious technology to harvest information about what websites they had visited.
The suit, which a lawyer for the plaintiffs said was filed late Friday in the U.S. District Court of the Central District of California, is one of the first
to target a practice called ‘history-sniffing,’ which is drawing increased scrutiny from regulators and academics.
The technique generally relies on the fact that Internet browsers display web links in different colors based on whether the user has visited the particular
link before. By running some code inside a user’s web browser, a company can tell whether certain sites have been visited and create a profile of where
someone has been online without them knowing.
Anonymity loves company…  [blog.thinkst.com]
Today i did a brief interview with E-TV news on ‘Anonymity Systems’. Interestingly enough, the journalist started the interview determined to go down the
‘Anonymity is Evil!’ route.
I must confess to being slightly surprised by the thought. I didn’t expect such strong support for the ‘Anonymity allows Child Pornography’ point of view.
The snippet of the interview that was aired was probably only a few minutes long (I have not seen it yet), but i thought it was probably worth it to note a
few simple thoughts on Anonymity systems.
Very few people, (if any), would question the necessity of allowing anonymity for people who suffer from victimization. Dissidents of a tyrannical regime,
or victims of crime need a platform that will permit them to speak out without fear of further victimization. The problem is that ‘anonymity needs company’.
This simply implies that it’s really difficult to be anonymous alone.
NEW DELHI: Nokia on Thursday announced installation of a server in India to enable security agencies lawfully intercept its email and messenger services, a
move which may force BlackBerry to follow suite.
Nokia India Vice President and MD D Shivakumar called on Home Secretary G K Pillai on Thursday and handed over the letter, saying the company has conformed
with all requirements suggested by the law enforcement agencies.
The company, however, assured its customers that their privacy would be protected, even while fulfilling public responsibility and legal obligations.
‘As a responsible corporate citizen, we follow all local laws and regulations that are required by the government authorities,’ it added
Implanting a camera in the back of his head as part of an art project may have granted a New York University (NYU) photography professor, Wafaa Bilal, a
certain notoriety in the last several weeks, but it has robbed him of something else: dinner-party invitations, The Wall Street Journal reported Friday.
Concerned about the intrusion of his head-camera, which is rigged to broadcast online a live stream of images snapped automatically at one-minute intervals,
some of Bilal’s acquaintances have removed him from their guest lists, he said in his first interview about the project.
A recent study launched by the UC San Diego Department of Computer Science to determine the scope of privacy-violating information flows at popular websites
shows that popular Web 2.0 applications such as mashups, aggregators, and sophisticated ad targeting are teeming with various kinds of privacy-violating
flows. Ultimately the researchers determined that such attacks are not being adequately defended against.
This study comes as a result of the increasing complexity of JavaScript web applications propagating privacy-violating information flows. ‘Privacy-violating
information flows’ is a general term which can be subcategorized into four areas of nefarious activity: cookie stealing, location hijacking, history
sniffing, and behavior tracking. Their goal was to draw attention to the prevalence of history sniffing at high traffic sites.
While I am often critical of companies for their privacy practices, when they do good things, I think it is important to publicly praise them for it. As
such, Microsoft deserves a significant amount of credit for moving the ball forward on privacy enhancing features in the browser. This blog post will reveal
a few of my initial thoughts about Microsoft’s announcement, and what I think are the politics behind its decision.
Briefly, Microsoft today announced that it will be improving the InPrivate Filtering feature in its browser — which would have been a great feature, if the
company hadn’t intentionally sabotaged it in response to pressure from people within the company’s advertising division.

Cloud Security

Securing the future  [businessandleadership.com]
Concerns over security and data privacy in the cloud need to be seen in the context of what organisations are currently doing to protect their confidential
information, says Gordon Smith.
Survey after survey rate security concerns as the main obstacle to cloud computing. Whether the risks are perceived or real is to some extent irrelevant; as
long as they exist, cloud providers must address them or face reluctant customers, despite a persuasive business case that offers cost savings and flexible
technology to meet a company’s needs.
Travel tips for a safe trip into the cloud
* Perform due diligence on the cloud provider you intend to use
* Ask rigorous questions about where data will be physically stored
* Evaluate what implications a cloud strategy has on compliance efforts
* Clearly define roles around protecting and securing data
* Don’t assume security is someone else’s responsibility
* Assess actual levels of security with in-house IT compared to the cloud
* Don’t move the most sensitive company or customer information until the technology is well proven within the business
There have been many interesting tidbits that, as expected, are primarily focused on cloud computing and virtualization. That’s no surprise as both are top
of mind for IT practitioners, C-level execs, and the market in general.
Another unsurprise would be the response to a live poll conducted at the event indicating the imaginary “cloud security” troll is still a primary concern
for attendees.
I say imaginary because “cloud security” is so vague as a descriptor that it has, at this point, no meaning.
Do you mean the security of the cloud management APIs? The security of the cloud infrastructure? Or the security of your applications when deployed in the
cloud? Or maybe you mean the security of your data accessed by applications when deployed in the cloud? What “security” is it that’s cause for concern? And
in what cloud environment?
See, “cloud security” doesn’t really exist any more than there are really trolls under bridges that eat little children.
Application, data, platform, and network security, however, do exist and are valid concerns regardless of whether such concerns are raised in the context of
cloud computing or traditional data centers.

Tools

CORE IMPACT Pro continues to be the most comprehensive penetration testing product available, enabling customers to conduct real-world assessments across a
broad spectrum of risk areas, including network systems, endpoint systems, end users, web applications, wireless networks – and now, network devices. Since
2001, CORE IMPACT has evolved to offer the deepest level of professionally developed and updated penetration testing capabilities available today.
V3RITY for Oracle  [www.v3rity.com]
V3RITY is a tool that can be used in an Oracle forensics investigation of a suspected breach. It is the first of its kind and is currently in the beta
stages of development.
An Introduction to V3RITY for Oracle in Microsoft Word Format
An Introduction to V3RITY for Oracle in PDF Format
Metasploit Pro and Metasploit Express 3.5.0 Update 20101201135645  [www.metasploit.com]
Summary
This weekly update for Metasploit Pro and Metasploit Express brings 8 new modules, including exploits for Java Web Start, CakePHP, FoxIt PDF Reader, and
DATAC Realwin SCADA server. It also includes the recently-disclosed Stuxnet 0day Task scheduler privilege escalation for Windows Vista, Windows 7, and
Windows 2008. This week’s update is a framework-only update, in preparation for the 3.5.1 release.
RUBotted  [free.antivirus.com]
New RUBotted Version: 2.0 Beta
RUBotted monitors your computer for potential infection and suspicious activities associated with bots. Bots are malicious files that enable cybercriminals
to secretly take control of your computer. Upon discovering a potential infection, RUBotted will identify and clean them with HouseCall.
What’s New?
* Improved detection
* Enhanced cleaning capabilities
* Accessible status and log reports
* Compatible with other antivirus products
* Interfaces with Trend Micro Smart Protection Network
winAUTOPWN v2.5 Released  [security-sh3ll.blogspot.com]
winAUTOPWN and bsdAUTOPWN are minimal Interactive Frameworks which act as a frontend for quick systems vulnerability exploitation.It takes inputs like IP
address, Hostname, CMS Path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Exploits capable of giving Remote Shells, which are
released publicly over the Internet by active contributors and exploit writers are constantly added to winAUTOPWN/bsdAUTOPWN.
Amazon CloudWatch  [aws.amazon.com]
Amazon CloudWatch is a web service that provides monitoring for AWS cloud resources, starting with Amazon EC2. It provides customers with visibility into
resource utilization, operational performance, and overall demand patterns-including metrics such as CPU utilization, disk reads and writes, and network
traffic. To use Amazon CloudWatch, simply select the Amazon EC2 instances that you’d like to monitor; within minutes, Amazon CloudWatch will begin
aggregating and storing monitoring data that can be accessed using the AWS Management Console, web service APIs or Command Line Tools.
Dradis v2.6 released  [security-sh3ll.blogspot.com]
dradis is an open source framework to enable effective information sharing.dradis is a self-contained web application that provides a centralised repository
of information to keep track of what has been done so far, and what is still ahead.
%28Security-Shell%29  [virtualboxes.org]
VirtualBoxes – Free VirtualBox® Images
Ready-to-use virtual machines sporting open-source operating systems
Netsparker 1.7.0.0 Released  [www.mavitunasecurity.com]
This is the 8th update this year (except minor releases). We added bunch of new checks, new features and done lots of improvements. We are really happy
about this one. We added full support PostgreSQL and MS Access in SQL Injection engine. Now just like SQL Server, MySQL and ORACLE it’s possible for
Netsparker to find, confirm and exploit SQL Injection vulnerabilities when backend database is PostgreSQL or MS Access.
OWASP Zed Attack Proxy v1.1.0 Released  [security-sh3ll.blogspot.com]
An easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used
by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.ZAP provides
automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
HeapLocker  [blog.didierstevens.com]
HeapLocker is a new tool I’m releasing to mitigate heap spray attacks. But be patient, don’t use this version (V0.0.0.2) yet for other reasons than
experimenting! I’m still testing newer versions that I’ll release soon.
HeapLocker uses 5 mitigation techniques.
Sysinternals Utilities Index  [technet.microsoft.com]
Snorby v2.0 released  [security-sh3ll.blogspot.com]
The goal of this release is to be the new de facto companion to all Snort, Suricata, and Sagan installations.
Snorby is a new and modern Snort IDS front-end. The basic fundamental concepts behind snorby are simplicity and power. The project goal is to create a free,
open source and highly competitive application for network monitoring for both private and enterprise use.
Snorby has been written completely from the ground up using Rails 3 and Ruby 1.9.2. Snorby 2.0’s visual design has been completely overhauled and offers
analysts advanced keyboard shortcuts for handling large volumes of events
In the past few weeks I used JavaSnoop RC6 to assess a privileged applet application that had it’s own secure message protocol on top of mutually-
authenticated HTTPS. Kind of a tough nut to crack, even with JavaSnoop. This assessment exposed a number of performance issues, bugs, and necessary features
that were just plain missing.
After probably 100 hours of development and testing, I’m releasing the final JavaSnoop 1.0!
It’s been a year since Shodan launched, and I wanted to take this opportunity to talk about what’s changed and where things are heading. For the next month,
there is also an anniversary deal to get all existing add-ons and some credits for $15. And during that time, 1 credit will export 10,000 hosts instead of
the current 1,000. But now onto discussing the latest additions
VIX API  [www.vmware.com]
The VIX API helps you write programs and scripts to automate virtual machine operations and run programs or manipulate files within guest operating systems.
This API is high-level, easy to use, and practical for both script writers and application programmers. It runs on either Windows or Linux and supports
management of VMware Server, Workstation, and ESX/ESXi, optionally through vCenter Server. Bindings are provided for C, Perl, and COM (Visual Basic,
VBscript, C#).
Metasploit HTTP fuzzer  [c4an-dl.blogspot.com]
This is a tool that I developed because I thought it was kind of missing on the metasploit framework. The main purpose of this tool is to help testing a web
app for different problems using a custom requests. I think this is needed because scanners often the miss simple vulnerabilities because of the fact that
they rely on a specific signature to identify them. Although they are really helpful to identify vulnerabilities on large web apps, almost all the times
will miss basic vulnerabilities like SQL injections or XSS just because they did not test a parameter or because they are looking for a specific response
code that in a lot of cases will never be returned by the web site. My opinion is that manual and semi-automated testing is the best approach to identify
web app vulns. This is where this tool might be helpful.

General

Firefox 4 offers silent add-on updates  [www.computerworld.com]
New add-on manager updates extensions automatically, some sans restart
Firefox 4 will automatically update the browser’s extensions, a Mozilla interface designer said Sunday.
Add-ons, also called ‘extensions’ by Mozilla, will update silently in the background, said Jenny Boriss, a Firefox user experience designer, in a blog post
yesterday. Earlier versions of the open-source browser notified users of available add-on updates each time Firefox was launched.
Add-on developers can also revamp their wares to allow updates without a Firefox restart, which is currently required.
While you are often safer overseas than you are in your hometown, a few scams seem to pop up all over the world. Repeat the mantra: if it looks too good to
be true, it must be too good to be true…
1. Fake police
Though sometimes this happens with the real police, these scam artists will demand to see your passport and find something wrong with your visa, but then
suggest your troubles will all be over if you pay a fine. To them. In cash. Right now. Standing your ground and offering to accompany them to the station
will usually see the error ‘excused’.
2. Gem or carpet deals
On entry into a store, often prompted by an enthusiastic taxi or rickshaw driver, you will be offered a deal so preposterously lucrative that refusing it
seems unthinkable. Think again – those gems are going to be worthless and the carpet you buy may not make it home at all. There are legitimate traders
selling both jewels and rugs, and they do not act like this.
Electronic Pickpocket  [www.wreg.com]
How RFID chips can be read without you noticing (credit cards, passports, etc)
With Internet Explorer 7 and Windows Vista, Microsoft introduced a Protected Mode. This feature is designed to protect computers against attacks exploiting
vulnerabilities in IE extensions or in the browser itself and prevent the injection of malicious software.
Researchers from Verizon Business have now described a way of bypassing Protected Mode in IE 7 and 8 in order to gain access to user accounts.
There are two different security issues around Google products over the past 12 hours or so. The first is with Google Website Optimizer where there was the
potential of an Cross-Site Scripting (XSS) attack. The second is with people using Goo.gl, Google’s URL shortener, within Twitter to grab your Twitter
passwords. While the second one, goo.gl is not really a Google issue, the Google Website Optimizer XSS issue is.
1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer
2. Microsoft follows Google and Mozilla and starts paying a bug bounty
3. A mobile app causes a major enterprise security breach
4. Government and corporations stock up on anti-leak security products to defend against insider attacks, but high profile leaks continue
5. A critical infrastructure facility in the US suffers a damaging incident resulting from a Stuxnet-like stealthy targeted worm

Funny

How to Freak Out Your Neighbors  [www.makeuseof.com]
Getting Snowed in is something to celebrate (Pic)  [yfrog.com]
Epic Halloween Prank !  [www.youtube.com]
Keep Your Feet Nice & Toasty!
RSS_EMAIL_CAMPAIGN&utm_medium=email  [www.internet-time.org]
The Official Internet Years Job Calculator