Security Weekly News 23 December 2010 – Full List

Category Index

Hacking Incidents / Cybercrime

Gardai are expected to send a file to the Director of Public Prosecutions (DPP) in the coming weeks following an investigation into the suspected sale by a civil servant of personal information on hundreds of claimants to a private detective.
The civil servant, who was working in the Department of Social Protection, has been suspended and gardai and the Data Protection Commissioner (DPC) have been investigating the incident for a number of weeks.
It is understood the DPC has also raided the private investigator’s office and the premises of three insurance firms to gather information on the claimants.
SQL Injection Blamed for New Breach
Stronger App Security Could Have Prevented Online Hack
The breach of a Web server that housed payment card data for a New York tourism company’s website highlights security gaps in cardholder data protection.
The online breach, which led hackers to cardholder information for 110,000 credit cards, was facilitated via SQL injection — one of the most frequent modes of attack hackers use to illegally acquire payment-card details.
Twin America LLC (d.b.a., City Sights NY) reportedly discovered the breach in late October, after a programmer noticed unauthorized script had been loaded to the server. The company on Dec. 9 notified the New Hampshire Attorney General of the breach, after it determined that some 300 New Hampshire residents had been impacted by the attack. City Sights’ attorney Theodore Augustinos would not comment on the breach, saying he was not authorized to share details beyond those included in the letter to the AG.
State-owned Dutch bank ABN Amro has been robbed by computer hackers who stole 5.5 million euros without inside help.
A report in daily about the digital heist is partly denied, however, by the Dutch Association of Banks NVB, which says it is nearly impossible to hack a bank from outside.
Thirteen people have been arrested for the virtual robbery, which took place in March 2010. Sources close to the investigation say that the hackers were able to manipulate the bank’s account system, but neither police nor ABN Amro are giving any details.
The hackers transferred the money to an accomplice in the town of Wageningen who piped amounts to accounts in Belgium, Hungary and other countries.
The thirteen, who do not all know each other, have been accused of fraud, theft and money laundering. Police found them by tracing the stolen money. Some 2 million euros have been retrieved by ABN Amro, but the remaining amount is still missing.
The U.S. Securities and Exchange Commission has accused an Estonian financial firm and two of its employees of carrying out a fraudulent hacking scheme that netted them at least $7.8 million.
The SEC filed an ’emergency federal court action’ against Estonian financial services firm Lohmus Haavel & Viisemann and employees Oliver Peek, 24, and Kristjan Lepik, 28.
The agency accused the two of using a so-called spider program to steal information related to more than 360 embargoed press releases in advance of their official distribution date from news and PR Web site Business Wire.
A statement from the SEC claims the stolen information allowed the two to time their trades around the release of news involving mergers, earnings and regulatory action. Using U.S. accounts, the defendants allegedly bought stocks long or sold short.
McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.
Hacked corporate blowers in premium rate phreak caper
Romanian police are claiming success in breaking up a cybercrime ring blamed for losses of more than €11m ($14.6 million) through telecoms call charge fraud.
Raids on Tuesday led to the arrest of 42 suspected members of the gang, reckoned to be led by two Romanians, according to Romanian prosecutors.
This week I’ve taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I’ve tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.
In this first blog post I will talk about a ZeuS botnet which I call the “Bozvanovna Botnet”, which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I’ve found too…).
First of all, let’s take a look at the botnet Command&Control infrastructure: The cybercriminals have registered a pretty large number of domains to serve ZeuS configs and binaries as well as to provide a dropzone for the infected clients (bots) to upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker will get nuked quickly. Then the cybercriminals have to register new domains every time the old domains get suspended.
* “No legitimate company will ever cold call to tell you your computer has a problem”
The National Consumer Agency and Microsoft Ireland today warned consumers of a scam where cyber criminals call consumers, claiming to be from Microsoft or other legitimate technology companies to tell them they have a virus on their computer.
The scammers then get people to download a file from a website and gain access to their computers where they can see personal details including financial information. In some cases they also ask for credit card details.
Suspect lifted other personal information, as well, from computers storing New York state agency data
In yet another instance of an insider going to the dark side, a subcontractor upgrading software for the State of New York’s Office of Temporary Disability Assistance has been arrested for allegedly stealing 15,000 Social Security numbers from computers storing the data for the state agency.
Evan Kane, 25, of Waterford, N.Y., has been charged with forgery, possession of a forged instrument, falsifying records, and identity theft, according to published reports.

Unpatched Vulnerabilities

A 0-day exploit has been published at exploit-db (see US-Cert advisory) that takes advantage of a memory corruption vulnerability in IIS 7.5’s FTP service. This bug will work pre-authentication.
From the looks of it, it is a pure remote exploit whose chief use would be denial of service. As with any memory corruption bug, it is theoretically possible to use this to gain access to the server with the permissions of the user that is running IIS. I think that would be difficult in this case, but time will tell. It is, nevertheless, a serious bug that at present has no patch. (As of this writing, Microsoft hasn’t confirmed it is an issue.)
Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.
Proof-of-concept exploit bypasses ASLR and DEP
The Metasploit project recently published an exploit for this vulnerability using a known technique to evade ASLR (Address Space Layout Randomization) and bypass DEP (Data Execution Prevention).
In a few words, Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and always being located at the same base), when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs to allocate executable memory, copy their shellcode into it and jump to it.
Recommendation: Use Enhanced Mitigation Experience Toolkit (EMET) to dynamically rebase all loaded DLLs
In order to minimize the risk of exploitation, users could install EMET and proceed to protect the iexplore.exe process as shown in the BlueHat video.
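The recommendation above hinges on whether a DLL was linked with /DYNAMICBASE, which is recorded in the DllCharacteristics field of the PE optional header (the same field carries the /NXCOMPAT flag for DEP). The following Python script is an added example, not code from the advisory, from Microsoft or from the EMET project: it reads that field to report whether an image opts in to ASLR and DEP. Header offsets follow the PE/COFF specification; the sample images it builds are constructed minimal headers, not real DLLs.

```python
"""Report ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT) opt-in for PE images.

Added example. Offsets follow the PE/COFF spec; build_sample() produces
constructed headers for self-testing, not loadable DLLs.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image's optional header.

    Raises ValueError if the bytes are not a PE image. The field sits at
    offset 70 of the optional header for both PE32 and PE32+ images.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def mitigation_report(image: bytes) -> dict:
    """Summarise the two flags the advisory discussion cares about."""
    chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample(dll_chars: int, plus: bool = False) -> bytes:
    """Construct a minimal PE header carrying the given DllCharacteristics.

    DOS header (64 bytes, e_lfanew = 0x40) + "PE\\0\\0" + COFF header +
    optional header without data directories. Constructed sample only.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if plus else 96
    machine = 0x8664 if plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: pass one or more DLL/EXE paths on the command line.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, mitigation_report(fh.read()))
```

An image reported with `aslr: False` is exactly the kind of fixed-address mapping the Metasploit module relies on; EMET's mandatory ASLR setting, per the recommendation above, forces such images to be relocated regardless of the flag.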

Software Updates

MySQL 5.5 released
MySQL 5.5 delivers significant enhancements enabling users to improve the performance and scalability of web applications across multiple operating environments, including Windows, Linux, Oracle Solaris, and Mac OS.
Microsoft has withdrawn update KB2412171 for Outlook 2007, released last Patch Tuesday, after a number of user complaints. The changes in the update may have solved some problems, but they also created some. For instance, the update prevents emails from being retrieved from servers that do not support Secure Password Authentication (SPA) even when that option has been selected in the client. Users of Gmail are in particular affected by this issue.
Nearly 5 months after arriving in beta form, Microsoft has released version 2 of Security Essentials (MSE), its anti-malware and virus protection software for Windows formerly known as Morro. The major update comes over one year after version 1.0 was released and includes a number of new features and improvements.
The Google Chrome development team has released Chrome 9.0.597.19, the first beta of version 9 of the company’s WebKit-based web browser. Previously only available in the Chrome developer channel (a.k.a. the Dev channel), the first Chrome 9 beta adds a number of security and performance enhancements, as well as new features over the previous version.
After a lengthy beta test, Secunia has finally released version 2 of the Personal Software Inspector (PSI). If configured to do so, PSI 2.0 automatically updates most installed programs. The free tool can therefore not only highlight vulnerabilities it detects, but also remedy them, without prompting users.
Update: HP says it has identified a potential security issue with the HP StorageWorks P2000 G3 MSA only. This does not impact HP’s entire MSA line of storage solutions. An immediate fix for this issue has been identified and customers are rapidly being informed of the solution.
New Release of Open Source, Cross-Platform Virtualization Software Delivers Improved Usability, Performance and Scalability
Further enhancing the popular, open source, cross-platform virtualization software, Oracle today announced the availability of Oracle VM VirtualBox 4.0.
Part of Oracle’s comprehensive portfolio of virtualization solutions, Oracle VM VirtualBox enables desktop or laptop computers to run multiple guest operating systems simultaneously, allowing users to get the most flexibility and utilization out of their PCs, and supports a variety of host operating systems, including Windows, Mac OS X, most popular flavors of Linux (including Oracle Linux), and Oracle Solaris.
A buffer overflow flaw in the open source smart card library OpenSC can be exploited to inject and execute malicious code on a system. According to UK security company MWR InfoSecurity, the bug in the library is triggered when reading serial numbers from smart cards. The card-atrust-acos.c, card-acos5.c and card-starcos.c drivers in OpenSC version 0.11.1 are all affected.

Business Case for Security

Debora Plunkett, head of the NSA’s Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable – not even that of the NSA.
‘There’s no such thing as ‘secure’ any more,’ she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly.
We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them right away. Others require more extensive data mining in our case database. In this entry, we address the following question:
Between current employees, former employees, and contractors, is one group most likely to commit these crimes?
The answer to this question has some important implications, and not just for these particular meeting attendees. If, across all types of incidents and all sectors, the vast majority of incidents are caused by current, full-time employees, organizations may focus on that group to address the vulnerability. If, on the other hand, there are a large number of part-time contractors or former employees, there may be different controls that an organization should consider using.
The Cost of Insecurity 2010
2010 has been notable for a number of reasons: the advent of a coalition government in the UK, followed by swingeing spending cuts, and a turbulent economic picture. In a regulatory sense, too, 2010 stands out: increasingly active regulators have increased fines for organisations which are found to have failed to comply with basic levels of protection around data. A new record was set with the £17.5 million FSA fine on Goldman Sachs. Moreover, the emphasis has broadened – rather than the ICO and FSA focusing solely on the financial sector, both Hertfordshire County Council and A4E were the subject of fines for weak controls around personal data. At the same time, other regulation continues to apply – many organisations are struggling with PCI-DSS compliance, not only in the commercial sector, but also in the state sector, where cards are important for covering payments for basic services.
In our introduction to this series we mentioned that the current practice of incident response isn’t up to dealing with the compromises and penetrations we see today. It isn’t that the incident response process itself is broken, but how companies implement response is the problem.
Today’s incident responders are challenged on multiple fronts. First, the depth and complexity of attacks are significantly more advanced than commonly discussed. We can’t even say this is a recent trend — advanced attacks have existed for many years — but we do see them affecting a wider range of organizations, with a higher degree of specificity and targeting than ever before. It’s no longer merely the defense industry and large financial institutions that need to worry about determined persistent attackers. In the midst of this onslaught, the businesses we protect are using a wider range of technology — including consumer tools — in far more distributed environments. Finally, responders face the dual-edged sword of a plethora of tools; some of them are highly effective, and others that contribute to information overload.
Inside the business of malware
The data breach at gossip website Gawker Media highlights the need for companies to balance the costs of taking information security measures with the risks of losing sensitive data, according to Cisco analysts.
Hackers recently compromised the Gawker Media servers and leaked some 1.4 million user passwords and other confidential information. In a Dec. 17 memo, Gawker Media’s chief technology officer Thomas Plunkett explained how the data breach happened.
“In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords. With this information, they were able to gain access to the editor wiki, some Gawker Media email accounts, and other external resources. It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary.”
The length of time between when a developer writes a vulnerable piece of code and when the issue is reported by a software security testing process is vitally important. The more time in between, the more effort the development group must expend to fix the code. Therefore the speed and frequency of the testing process, whether it relies on dynamic scanning, binary analysis, pen-testing, static analysis, line-by-line source code review or something else, matters a great deal.
With the holidays approaching, many people are looking for gift ideas and deals. Holiday season is also hunting season for malicious hackers who send out gift idea and deal phishing emails.
How do you protect your employees from divulging their personal and even corporate passwords to an attacker? It’s hard to combat phishing with technology. Training employees to spot phishing scams is the most effective, but training is time intensive and may impact productivity.
Exploitation of just ONE software vulnerability is typically all that separates the bad guys from compromising an entire machine. The more complicated the code, the larger the attack surface, and the popularity of the product increases the likelihood of that outcome. Operating systems, document readers, Web browsers and their plug-ins are on today’s front lines. Visit a single infected Web page, open a malicious PDF or Word document, and bang — game over. Too close for comfort if you ask me. Firewalls, IDS, anti-malware, and other products aren’t much help. Fortunately, after two decades, I think the answer is finally upon us.
Once upon a time, I was retained to create a comprehensive set of PCI DSS-focused log review policies, procedures and practices for a large company. It is focused on PCI DSS, but based on generally useful log review practices that can be used by anybody, with any regulation or with no compliance flavor at all.
This is the 11th post in the long, long series (part 1, part 2, part 3 – all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.
And so we continue with our Complete PCI DSS Log Review Procedures (please read in order; at this point we are pretty deep in the details and this piece might look out of context):
More than 60 percent of respondents have tried multiple anti-virus products over the course of a year, according to Avira. In addition, 25 percent of the users admitted to turning off their anti-virus protection because they thought those programs were slowing down their computers.

Web Technologies

Unencrypted public wifi should die
Unencrypted public access wireless networks are an unbelievably harmful technology devised with no regard for the operation of the modern web – and they introduce far more problems than are immediately apparent. The continued use of unencrypted wifi at the municipal level and in consumer-oriented settings is simply inexcusable, even if all the major websites on the Internet can be pressured into employing HTTPS-only access and Strict Transport Security by default.
Straightforward snooping and cute tricks such as sslstrip aside – all of them still deadly effective, by the way – there are many less obvious problems we simply can’t solve any time soon:
How to Conceal XSS Injection in HTML5
I was playing around with the window.history object. In general, it’s quite limited and can be considered rather useless. However, HTML5 brings some new methods to the History object in order to make it more powerful.
In this article I will take a quick glance at a quite peculiar method called pushState(). There is one security-related issue I want to point out, which I consider rather harmful.
history.pushState() was introduced in HTML5 and it’s meant for modifying history entries.
By using pushState() we’re allowed to alter the visible URL in address bar without reloading the document itself. Sounds a bit risky, doesn’t it?
There’s a remarkable flaw in Amazon’s web shop (tested on .de,, .com): it’s a stored XSS vulnerability. So far so good, what’s new? – is probably what you’re thinking – Amazon and other major companies have had XSS problems in the past too.
Picture 1: Web Application Hacker’s Handbook (a.k.a. WAHH) exploiting Amazon (IE under Vista) – ‘WAHH’ revealing Amazon cookies under Vista/IE8
This one is different though. Whereas the standard example for a stored XSS vulnerability over an out-of-band channel is a web mailer like OWA using SMTP, here the channel for the attack is kind of – err, let’s put it this way – unusual: one has to write a book! No, I am serious. This book needs to contain a crafted string that bypasses their weak or non-existent filters/encodings; of course the book needs to be sold through Amazon’s shop, and last but not least Amazon has to offer the ‘search in this book’ functionality.
Facebook is using “” whenever you click on an external link; and as a result:
1- Your current page won’t be sent in the “Referer” header of the HTTP request, which is good for privacy.
2- It is possible to stop malicious or unwanted links by using a single point (“l.php” page).
Now, I want to show a flaw in this process in which by clicking on an external URL in Facebook, users can go directly to the destination URL without passing the “” page:
Add a “:/” at the end of the domain name! That’s it!
Once you have deployed ModSecurity, you have probably been faced with this question:
How should I configure my Web Application Firewall (WAF) to handle Authorized Vulnerability Scanning (AVS) traffic?
The answer to this question is not quite as easy as it may first appear. This question arises when organizations are running their own internal web application vulnerability scans. They soon realize that they need to figure out how to get their security tools (scanner and WAF) to ‘play nice’ with each other.
Before deciding on how to reconfigure ModSecurity with regards to handling the scanning traffic, you first must confirm the goal of your scanning efforts. There are usually two main scanning goals:
* To identify all vulnerabilities within a target web application, or
* To identify all vulnerabilities within a target web application that are remotely exploitable by an external attacker.
You may want to reread the second item to make sure that you understand the difference, as it is factoring in the exploitability of a vulnerability in a production web application.
I’m attaching two CSV files for use in test cases and tools. The uni2asc.csv contains all of the Unicode characters that map to something ASCII < 0x80. The bestfit.csv contains all of the known best-fit mappings to dangerous ASCII between legacy charsets and Unicode.
uni2asc.csv – for straight Unicode to Unicode mappings
bestfit.csv – for legacy charset to Unicode mappings
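Both files describe characters that come out as ASCII after some folding step, which is what lets a filter that only looks for `<` or `'` be bypassed by a look-alike code point. As an added example (not the author's tooling and not the contents of either CSV), the following Python derives one such mapping using NFKC compatibility normalization as the folding step and flags input characters that would turn into dangerous ASCII. NFKC is an assumption standing in for whatever normalization a target applies; Windows best-fit tables, the bestfit.csv case, are OS-specific and are not reproduced here.

```python
"""Derive Unicode-to-ASCII collisions under NFKC and flag dangerous ones.

Added example. NFKC is assumed as the folding step; OS best-fit tables
(legacy charset conversions) are a separate mapping not covered here.
"""
import unicodedata

# ASCII characters whose unexpected appearance after folding matters in
# HTML, SQL, shell and path contexts.
DANGEROUS_ASCII = set("<>\"'&;/\\%$`|")


def unicode_to_ascii_map(limit: int = 0x20000) -> dict:
    """Map every non-ASCII code point below `limit` whose NFKC form is pure
    ASCII to that ASCII string (e.g. U+FF1C FULLWIDTH LESS-THAN SIGN -> '<',
    U+2100 ACCOUNT OF -> 'a/c'). Surrogate code points are skipped.
    The default limit covers the BMP plus the mathematical alphanumerics."""
    mapping = {}
    for cp in range(0x80, limit):
        if 0xD800 <= cp <= 0xDFFF:
            continue
        ch = chr(cp)
        folded = unicodedata.normalize("NFKC", ch)
        if folded and all(ord(c) < 0x80 for c in folded):
            mapping[ch] = folded
    return mapping


def dangerous_after_normalization(text: str, mapping: dict = None) -> list:
    """Return (char, ascii_form) pairs for characters in `text` whose NFKC
    form contains a character from DANGEROUS_ASCII. Plain ASCII input never
    produces hits, so a clean result means the string folds harmlessly."""
    if mapping is None:
        mapping = unicode_to_ascii_map()
    hits = []
    for ch in text:
        folded = mapping.get(ch)
        if folded and set(folded) & DANGEROUS_ASCII:
            hits.append((ch, folded))
    return hits


def dangerous_code_points(mapping: dict = None) -> list:
    """List (code point, ascii_form) for every mapping entry that yields a
    dangerous character: the rows a test-case generator would want."""
    if mapping is None:
        mapping = unicode_to_ascii_map()
    return sorted(
        (ord(ch), folded)
        for ch, folded in mapping.items()
        if set(folded) & DANGEROUS_ASCII
    )


if __name__ == "__main__":
    table = unicode_to_ascii_map()
    for cp, folded in dangerous_code_points(table):
        print("U+%04X -> %r" % (cp, folded))
```

The defensive lesson is ordering: validate or encode after the last normalization or charset conversion in the pipeline, not before it, since `dangerous_after_normalization` shows a string with no ASCII metacharacters at all can still fold into `<script>`.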
Attack and Defense Labs
Cracking hashes in the JavaScript cloud with Ravan
Password cracking and JavaScript are very rarely mentioned in the same sentence. JavaScript is a bad choice for the job due to two primary reasons – it cannot run continuously for long periods without freezing the browser and it is way slower than native code.
HTML5 takes care of the first problem with WebWorkers, now any website can start a background JavaScript thread that can run continuously without causing stability issues for the browser. That is one hurdle passed.
The second issue of speed is becoming less relevant with each passing day as the speed of JavaScript engines is increasing at a greater rate than the increase of system speed. It might surprise most people how fast JavaScript actually is: 100,000 MD5 hashes/sec on an i5 machine (Opera). That’s the best number I could get from my system; in most cases it would vary between 50,000 and 100,000 MD5 hashes/sec. This is still about 100-115 times slower than native code on the same machine, but that’s alright. What JavaScript lacks in outright speed can be more than made up for by its ability to distribute.
WebKit CSS Type Confusion
Here is an interesting WebKit vulnerability I came across and reported to Google, Apple and the developers.
Description: WebKit CSS Parser Type Confusion
Software Affected: Chrome 7/8, Safari 5.0.3, Epiphany 2.30.2, WebKit-r72146 (others untested)
Severity: Medium
The severity of the vulnerability was marked Medium by the Chrome developers because the bug can only result in an information leak. I don’t have a problem with that but I have some more thoughts on it at the end of the post. But first the technical details.
If you’re a Mac or iOS developer and happen to have an iPhone, iPod Touch or iPad running the iBooks app, go open the iBookstore and search for “apple developer”. As you can see, Apple is offering iOS / Mac development iBooks completely for free.
Windows Live has just announced something new for Hotmail: Interactive e-mail.
The e-mail giant is allowing developers to embed and run JavaScript from within e-mails; this is the natural next step in e-mail’s evolution from plain text to HTML and beyond.
What this means for the average e-mail recipient is that more of the messages they receive will be increasingly up-to-date, and content will be interactive. If the developer sending the e-mail is hip to Hotmail’s changes, you’ll be able to take actions from within the e-mail itself without having to navigate to a slew of other web pages. Basically, the new Hotmail e-mails will look, feel and behave like a web page running within an e-mail.
What’s wrong with OpenID?
It boggles my mind that this is apparently a big question for techies and, to me, is a perfect example of the Silicon Valley mindset that doesn’t understand how to build products that real people want to use.
The short answer is that OpenID is the worst possible ‘solution’ I have ever seen in my entire life to a problem that most people don’t really have. That’s what’s ‘wrong’ with it.
To answer the most immediate question of ‘isn’t having to register and log into many sites a big problem that everyone has?,’ I will say this: No, it’s not. Regular normal people have a number of solutions to this problem. Here’s some of them:
Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics; Google indexes a huge number of web pages, and that number grows daily. From the security perspective, these indexed pages may contain sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications.

Network Security

Imagine there is an un-patched Internet Explorer vuln in the wild. While the vendor scrambles to dev/test/QA and prime the release for hundreds of millions of users (I’ve been there… it takes time), some organizations may choose to adjust their defensive posture by suggesting things like, “Use an alternate browser until a patch is made available”.
So, your users happily use Firefox for browsing the Internet, thinking they are safe from any IE 0dayz… after all, IE vulnerabilities only affect IE, right? Unfortunately, the situation isn’t that simple. In some cases, it is possible to control seemingly unrelated applications on the user’s machine through the browser.
Ever tested some of the more exotic transport protocols?
SCTP is interesting … multihoming means you can have several ips involved on each side of a connection (association in sctp speak) … so when you move from wired to wireless your ssh session still is fine. If you find a proper SCTP ssh, of course.
Testing it on Ubuntu LTS, though, using socat for glue… a listening SCTP socket is invisible in netstat -ln. Fun. tcp, udp, raw sockets are visible … but sctp isn’t.
socat SCTP-LISTEN:8080,fork TCP-CONNECT:localhost:22
Nice, stealthy backdoor. Does not show in netstat(8) or ss(8). Combine with socat TCP-LISTEN:2223 SCTP-CONNECT:localhost:8080 on a remote host and we have a completely stealthy tunnel, if the firewall is mildly clue-challenged.
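Because the SCTP listener above shows up in neither netstat nor ss, a defender needs a different vantage point. As an added example, not part of the original post, the following Python reads /proc/net/sctp/eps, which the Linux SCTP module populates for every bound endpoint, and compares the bound ports against an allow list. The column layout assumed is the one printed by the kernel's net/sctp/proc.c (header ENDPT SOCK STY SST HBKT LPORT UID INODE LADDRS); the sample table embedded below is constructed, not captured from the author's Ubuntu box.

```python
"""Enumerate SCTP endpoints from /proc/net/sctp/eps and flag unexpected ports.

Added example. Column layout assumed from the kernel's net/sctp/proc.c;
SAMPLE_EPS is a constructed table for offline use.
"""

# Constructed sample in the kernel's eps format: one endpoint bound to
# port 8080 on all addresses (the socat listener case), one to 4960 with
# two local addresses (SCTP multihoming).
SAMPLE_EPS = """\
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff8800 ffff8801 2   10  7    8080      0  19832 0.0.0.0
ffff8802 ffff8803 2   10  3    4960   1000  19977 127.0.0.1 10.0.0.5
"""

EPS_PATH = "/proc/net/sctp/eps"


def parse_sctp_eps(text: str) -> list:
    """Parse the eps table into dicts: port, uid, inode and local addresses.

    The first line is the column header and is skipped; LPORT is the 6th
    column, UID the 7th, INODE the 8th, and the remaining columns are the
    endpoint's bound local addresses.
    """
    endpoints = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue                      # blank or truncated row
        endpoints.append({
            "port": int(fields[5]),
            "uid": int(fields[6]),
            "inode": int(fields[7]),
            "laddrs": fields[8:],
        })
    return endpoints


def sctp_listeners(path: str = EPS_PATH) -> list:
    """Read live endpoints. A missing file means the sctp module is not
    loaded, in which case no SCTP socket can exist on the host."""
    try:
        with open(path) as fh:
            return parse_sctp_eps(fh.read())
    except FileNotFoundError:
        return []


def unexpected_sctp_ports(endpoints: list, allowed: set) -> list:
    """Return sorted ports bound by SCTP endpoints that are not on the
    allow list; on a host with no SCTP services the allow list is empty
    and any result is worth a look."""
    return sorted({e["port"] for e in endpoints if e["port"] not in allowed})


if __name__ == "__main__":
    for ep in sctp_listeners():
        print("sctp port %5d uid %5d inode %7d addrs %s"
              % (ep["port"], ep["uid"], ep["inode"], " ".join(ep["laddrs"])))
```

The inode column is the pivot for attribution: it can be matched against /proc/<pid>/fd symlinks (the `socket:[inode]` targets) to find the process holding the endpoint, which is how the socat process in the post would be located. /proc/net/sctp/assocs lists the established associations in a similar layout, so the same approach covers the tunnel once the remote side connects.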
So I started this series on Network Reliability Mechanisms back in September ( ), and with work and life and the rest, I realized that I’ve let the promised installments in this series slide a bit.
In today’s diary we’ll explore and compromise HSRP – Cisco’s Hot Standby Routing Protocol. Why would you want to do this you ask? You may remember some of our previous diaries on ARP Poisoning Man in the Middle attacks (for instance, this one ==> ), and protections against them ( ). Hijacking a redundancy protocol like HSRP allows you to bypass all of these layer 2 protections by simply participating in the (legitimate) HSRP exchange.
Users of the popular exim mail server report attacks exploiting the recently patched vulnerability [1,2]. It appears that the attacks are scripted and are installing popular rootkits. If you experienced an attack against exim: We are interested in packet captures or other logs showing how the attack is performed.
Recently I’ve been presenting about ‘Wi-Fi (In)Security’ at the GOVCERT.NL Symposium 2010 in Rotterdam (November 2010) and (a reduced version) at the 4th CCN-CERT meeting in Madrid (in Spanish; December 2010). The full presentation can be found on Taddong’s lab web page. My main goal was to create awareness about all the still prevalent Wi-Fi vulnerabilities, threats, and security risks we are facing both on the wireless infrastructure and the client side. It is almost 2011, and there is a general feeling that our Wi-Fi environments are pretty secure, as we already have WPA2-Enterprise with multiple authentication methods based on 802.1x/EAP to choose from. However, there are still lots of things to be aware of, especially on the client side (including laptops and mobile devices).
On the infrastructure side, in the best case scenario, we will end up with two worlds: the secure one, based on WPA2-PSK/Enterprise, and the insecure one, based on open Wi-Fi networks (e.g. hotspots). This is also reflected in the Wi-Fi Alliance roadmap, and it is their goal for 2014 (yes, 3 years from now!).
There were some pretty wild accusations made about backdoors being placed in OpenBSD’s IPsec implementation by its authors. Normally this type of thing isn’t worth a mention, but in this case the accusations were specific enough to be testable. Having no other projects to work on (that was a joke), I decided it might be interesting to dive into the code.
I did find something interesting.
OpenBSD did, in fact, ship with a bug which prevented IPsec packets from being properly authenticated for a few releases near the time in question. The bug was patched silently, no security advisory was issued. The developer who introduced it and the developer who later patched it were said to have been funded by the same company, the one alleged to have coordinated the backdoors.
Well, we’ve got something that works. So, of course we have to muck with it 🙂
The immediate architectural question is whether we should support the storage of full keying data in DNS. See, right now, we’re just storing the hash of keying data – a nice, fixed size blob that can fit into a text record without much fuss. There’s a fundamental assumption with this approach: Any protocol we happen to use, will negotiate a public key (presently inside a certificate) at the application layer. DNSSEC only needs to be used to validate the data received at that layer.
Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem quite difficult to get up and running for the first time. Mallory is still actively developed. Improving the user experience from the initial code checkout to helping users “Mallorize” traffic is a key goal for the project. However, until then, this howto guide will suffice to get Mallory up and running for your testing needs.
This guide will explain how to get Mallory up and running (in this guide I use an EeePC). I also use a tethered Android device for a WAN connection, and have MiTM victims connect to the netbook over its WiFi connection. I will also be sharing how we use a tool called hostapd to make our EeePC look like an infrastructure mode WiFi access point, as opposed to an Ad-Hoc WiFi access point. Using this guide, you should be able to set up a mobile Mallory gateway in no time.
In this guide I will explain how to hijack the syscall in kernel 2.6.*: in particular, how to bypass the kernel write protection and the “protected mode” bit of the CPU’s CR0 register.
I don’t explain what a syscall or a syscall table is: I assume you know what it is.
– Accessing the Syscall Table
If you have tried to execute a rootkit written for 2.4.* kernels, then you will know that they don’t work on 2.6.* kernel systems.
In kernel 2.6.* the “sys_call_table” is no longer exported and you can’t access it directly; moreover, the memory pages in which the table resides are now write-protected.
So we can no longer access the table in this way:
extern void *sys_call_table[];
sys_call_table[__NR_syscall] = pointer
Avoiding AV Detection
As a follow-up to my post on the USB Stick O’ Death, I wanted to go a little more in depth on the subject of AV evasion. Following my release of (some of) my code for obfuscating my payload, it became apparent that researchers at various antivirus companies read my blog (Oh hai derr researchers! Great to have you with us! I can haz job?) and updated their virus definitions to detect my malicious payload. To be perfectly honest, I was hoping this would happen, as I figured it would be a teachable moment on just how ineffective current approaches to virus detection can be, give readers a real world look at how AV responds to new threats, and provide one of the possible approaches an attacker would take to evading AV software. My main goal in this research was to see how much effort it would take to become undetectable again, and the answer was ‘virtually none’.
In this post, I will first look at how I was able to evade detection by many AV products simply by using a different compiler and by stripping debugging symbols. Then, I will look at how I was able to defeat Microsoft’s (and many other AV products’) detection mechanisms simply by ‘waiting out’ the timeout period of their simulations of my program’s execution. However, a quick note before we begin: I’m by no means an expert on antivirus, as this exercise was partly to further my understanding of how AV works, and these explanations and techniques are based on my admittedly poor understandings of the technologies behind them. If I mistakenly claim something that isn’t true, or you can shed light on some areas that I neglect, please comment. I would love to learn from you.
The purpose of this article is to explore the many different forensic artifacts that can be discovered from Windows prefetch files. The first section will briefly cover the prefetch file and the prefetching process. The second section will discuss the forensic values of the prefetch file, specifically the forensic artifacts the prefetch file contains, and the story that can be revealed by the mere existence or absence of prefetch files. The article will conclude with some examples of how you can use prefetch files to aid in forensic analysis and what to watch out for when using prefetch files to prove or disprove a case.
The main purpose of this article is to explain the use of prefetching in forensic analysis, but it is important to have a baseline understanding of the technology to provide a good foundation for how and why prefetch files contain certain artifacts. The prefetching process utilized by Microsoft was created to speed up the Windows operating system and application startup. The prefetching process occurs when the operating system, specifically the Windows Cache Manager, monitors certain elements of data that are extracted from the disk into memory. This monitoring occurs each time the system is started for the first two minutes of the boot process, then sixty seconds after all the Win32 services have completed their startup, and the first ten seconds after an application is executed.
Dstat is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting.
Dstat allows you to view all of your system resources in real-time; you can, e.g., compare disk utilization in combination with interrupts from your IDE controller, or compare the network bandwidth numbers directly with the disk throughput (in the same interval).

Cloud Security

The Cloud Security Alliance’s matrix is a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA’s 13 domains
The Cloud Security Alliance (CSA) has launched a revision of the Cloud Controls Matrix (CCM). The new matrix (version 1.1), available for free download here, is designed to provide fundamental security principles to guide cloud vendors and help prospective cloud customers assess the overall security risk of a cloud provider.
The matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA’s 13 domains. The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST. The latest version includes more thorough mapping around NIST and GAAP, as part of more ‘holistic guidance’, according to CSA.
Malware Persistence in the Cloud
The cloud is certainly going to change some things about malware infection. When a desktop is reset to clean state every time an employee logs in, you now have to wonder how malicious attackers are going to maintain persistent access to the Enterprise. This is similar to what happens when an infected computer is re-imaged only to end-up infected all over again.
There are several ways to maintain persistent access without having an executable-in-waiting on the filesystem. Memory-only based injection is an old concept. It has the advantage of defeating disk-based security. One common observation is that such malware doesn’t survive reboot. That is true in the sense that the malware is not a service or a driver – but this doesn’t mean the malware will go away. Stated differently, the malware can still be persistent even without a registry key to survive reboot. This applies to the problem of re-infection after re-imaging (a serious and expensive problem today in the Enterprise) and it also applies to the future of cloud computing (where desktop reset is considered a way to combat malware persistence).


I love Pandora. I really couldn’t do without it. But I could do without its sending my demographic information, phone ID, and location to eight trackers across six companies. And Pandora’s far from the worst offender, the WSJ shows us.
The Journal’s report lays bare much of what we already suspected, or outright knew but didn’t bother thinking about: iOS and Android apps are having a field day with your personal info. More than half of the 101 popular apps they tested sent your UDID to companies without your awareness or consent. Nearly as many sent your location, and a handful even sent along demographic info and other personal details to advertisers.
Court Rebuffs Obama on Warrantless Cell-Site Tracking
A federal appeals court on Wednesday rejected the Obama administration’s contention that the government is never required to get a court warrant to obtain cell-site information that mobile-phone carriers retain on their customers.
The decision by the 3rd U.S. Circuit Court of Appeals is one in a string of court decisions boosting Americans’ privacy in the digital age – rulings the government fought against

Mobile Security

ENISA Smartphone Security Report
Here is a new Smartphone Security report from ENISA that I contributed to –
‘A new ENISA report identifies the top security risks and opportunities of smartphone use and gives practical security advice for businesses, consumers and governments. Top risks include spyware, poor data cleansing when recycling phones, accidental data leakage, and unauthorised premium-rate phonecalls and SMSs.’
As more people adopt smartphones, criminals will find new ways to use them for no good
Smartphones could soon be used to launch distributed attacks, much like traditional PCs are now used as parts of larger botnet networks, according to a new report from ENISA, the European Network and Information Security Agency. In research that details the many risks of smartphones, the findings claim that while the devices are not currently being targeted for such attacks, this may change as mobile devices are becoming more popular, more connected and the complexity and the number of vulnerabilities in these platforms is increasing.
Apple pulls jailbreak detection from iOS 4, and InfoWorld catches Androids that lie about Exchange policy support — so what can IT trust?
Much of security is built on trust, but it turns out you can’t always believe a mobile device’s claims. They can be programmed to lie about their capabilities, as in the case of several Android devices, as well as jailbroken iPhones and iPads. Thus, they can appear to conform to IT security policies managed via Microsoft’s Exchange ActiveSync (EAS) protocol even when they don’t. Two recent events show that trust may be misplaced in the mobile world.
Last week, Apple quietly dropped its jailbreak detection capability from iOS 4’s APIs, so iPhones and iPads can’t report whether they’ve been jailbroken. (Apple did not comment.) Jailbreaking, although legal, can compromise a device, allowing malware and worse into the corporate network. Indeed, the few reported cases of iPhone viruses have occurred on jailbroken units.
Android Touch-Event Hijacking
With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJacking on the web, TapJacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it. Using this technique, an attacker could potentially trick a user into making purchases, clicking on ads, installing an application, granting permissions, or even wiping all of the data from their phone.
Messing with Droid X
I just got a Droid X last week; before getting it I made sure efuse was bypassed or it wouldn’t be fun having a stock Android. I’ll outline the steps I’ve taken so far to customize my themes, root my droid, fix the market, overclock, and more. I’m going to simplify most of these for apps that are already out in the market now; I decided to do mine from scratch, but it makes posting a lot easier.
First things first, let’s get root on the Droid X. The easiest way I found was using adb shell. Before diving down, read up on adb, it’s really easy… It’s a direct interface with your Droid and you can download the SDK packages from Google.
Great tutorial on rooting the Droid X:
In simple terms, put your Droid X into debugging mode under settings and applications, fire up the shell script through ADB and you’re running as root.

Cryptography / Encryption

Karsten Nohl of Security Research Labs, a white-hat hacker, believes that a recent spike in car theft is due to a break in the car immobilizer security systems; thieves are able to re-mobilize the immobilized vehicles. My question is: how long until someone builds a TV-B-Gone for car engines that lets you stop cars with the click of a button?
Some time ago, I started thinking about the possibility of using Rainbow Tables to crack old-school Unix crypt(3) passwords. Nobody had done this, and the reason most often cited was the presence of the two-character salt at the beginning of the hash.
This didn’t make a whole lot of sense to me. I mean, 2 characters? Isn’t that essentially like taking an 8-character password space and making it a 10-character space? People are already creating 10-character tables for other hash algorithms. Why can’t we do this for crypt(3)?
Turns out, it’s not that difficult. Over a few nights, I managed to work some rough hacks into the source for linuxrainbowcrack, and it seems like it’s working. I haven’t actually built a set of tables (other than small test tables) because I’m sure the code could be better optimized, and I simply don’t have the horsepower. But I’m hoping that others can both optimize the code, and generate and distribute tables.


Internet Backbone May Be Vulnerable To Attack
In 2003, George Mason University PhD candidate Sean Gorman mapped critical fiber optic networks across the U.S. and illustrated that vulnerabilities in the communications infrastructure could easily be identified using data and records available to the general public.
The study also concluded that there are multiple ‘choke points’ that could be targeted which would cripple Internet functionality, and revealed the lack of redundant systems that would ensure continued operability.
Now Swiss researchers suggest that Internet backbones are unduly susceptible to attack, which could potentially cripple critical communications and infrastructure operations.
Do you use any of these passwords? Change them if you do.
Thanks to database breaches like those suffered by RockYou and Gawker, leaked passwords on Pastebin, and password caches stored in Malware like Conficker, the criminals of the world have an impressive starting point to guessing your passwords.
According to Techspot (Thanks Richard!), Intel’s new Core processors (Sandy Bridge), which will hit the market for desktops and laptops in early 2011, have a remote kill switch (called Anti-Theft v3.0). This technology embedded in the CPU allows the user to remotely disable the processor through 3G, that is, even when the computer is not connected to the Internet or is switched off.
Intel’s goal is to offer the user the capability to shut down the computer remotely if it is lost or stolen. Somehow, this is similar to what most modern mobile device platforms offer today to remotely lock, show a message, or wipe a stolen or lost device, such as Windows Mobile 6.5, iPhone, iPad… I guess that, in any case, the thief will be able to replace the CPU with a new one and make the computer work again. Will Intel be planning to add remote disk wiping capabilities from the processor too? 😉
Google has started warning users when they are about to visit web sites which may have been hacked. Google has long warned users when search results include sites which spread malware and now plans to detect web sites which may have been hacked, without the owner’s consent, for purposes such as phishing or spamming.
from the nike-picks-up-the-RIAA-strategy dept
Warning: you might not want to ever buy Nike shoes again. If you accidentally buy a counterfeit pair of shoes, Nike might sue you. Via Glyn Moody, we learn that Nike chose to sue a guy who ordered a single pair of trainers online, believing they were legitimate Nike shoes. The shoes were seized at the UK border as counterfeits. Nike could have gone after the actual counterfeiters. Or it could have (perhaps more questionably) gone after some other third parties, such as the retailers who sold the shoes. Instead, it chose option 3 and sued the buyers directly. Most of the suits were settled (or, apparently, ignored).
If you’re an avid Skype user, you’re probably aware that Skype’s been suffering downtime today. They’ve updated their blog with more details (in short, supernodes went down, so they’re creating new mega-supernodes-obviously), but it’s likely going to be a few more hours before your Skype account is back up and running. It’s got to be bad timing for Skype (and Skype users), considering the amount of video calling I’m sure goes on during the holidays. (I just video chatted my family last night.)
Riptides can carry hapless swimmers out into the ocean very quickly – by the time a lifeguard is able to swim out to rescue them, it may be too late. Using a Jet Ski to reach struggling swimmers is one option, although such watercraft can be expensive, problematic to store on-site, and difficult to launch for one person. Now, seaside municipalities can get something cheaper and easier for reaching those swimmers-in-distress: an electric remote-control motorized rescue buoy called EMILY.


VMware Fusion 3.1
Enjoy the Holiday Season with VMware Exclusive Deals!
Get 15% OFF VMware Fusion 3 and $30 Rebate. The price drops from $79.99 to $37.99 after Rebate.
Offer valid through Jan 7th 2011 @ 5:00 PM (PST), Act Now!
Samurai 0.9.5 released
The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.
web.config Security Analyzer
Analyze your web.config file against security vulnerabilities.
littleblackbox
Database of private SSL keys for embedded devices
LittleBlackBox is a collection of thousands of private SSL keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public SSL certificates as well as the hardware/firmware that are known to use those SSL keys.
A command line utility is included to aid in the identification of devices or network traffic that use these known private keys. Given a public SSL certificate, the utility will search the database to see if it has a corresponding private key; if so, the private key is displayed and can be used for traffic decryption or MITM attacks. Alternatively, it will also display a table of hardware and firmware that is known to use that private key.
INSECT Pro is a penetration security auditing and testing software solution designed to allow organizations of all sizes to mitigate, monitor and manage the latest security threats and vulnerabilities and implement active security policies by performing penetration tests across their infrastructure and applications.
INSECT can help to build a strong security posture that is easy to use so both professional penetration testers and less experienced security pros will have all the tools they need to reduce costs, proactively find vulnerabilities, assess risk, and check the effectiveness of security defenses.
New sshttp feature trickery
sshttp is now able to hide SSH inside HTTPS as well.
SSH behind HTTP was possible before, and so was HTTPS,
but now it is ‘official’ 🙂
You cannot mix HTTP and HTTPS in the same instance,
but you can run multiple sshttpd’s.
I just completed a pretty massive update of the Backtrack 4 Full Disk Encryption How-to.
The Evil URL Shortener
The Inspiration
I, like many people, have been closely following a lot of the chaos happening around the recent Wikileaks dump, and was particularly fascinated by the DDoS attacks by activists on either side. One tool specifically caught my eye in the midst of the attacks, however: the JS LOIC. The tool works simply by constantly altering an image file’s source location, so that the browser is forced to continuously hammer the targeted server with HTTP requests. Not a sophisticated or technically interesting tool by any means, but conceptually interesting in that it only requires a browser to execute one’s portion of a DoS attack. While the concept itself is not all that new, it got me thinking about the implications of such browser based DoS attacks. Clearly, it opens the door for the creation of a DDoS botnet without ever having to actually exploit the hosts participating in the network; all that is required is to get some Javascript to run in the participants’ browsers.
Malwarebytes’ Anti-Malware 1.50.1
Malwarebytes’ Anti-Malware 1.50.1 has been released. This version is a bugfix release, and fixes a number of minor stability issues in the 1.50 release build. If you had issues with 1.50, please let us know if 1.50.1 resolves them.
ProcDump v3.01
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
pwnshell
If you’ve got arbitrary file uploads to a J2EE web accessible directory, you need something to maximize your compromise. The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It’s called, quite lamely, pwnshell. It’s a single JSP that, when browsed to, delivers the user a Web 2.0 shell for the victimized server. Great for demos! The shell is here.
How do you use it?
1. Upload it to the victim server (try it on a local Tomcat server!)
2. Browse to it
3. Pretend you’re looking at an xterm
Download Armitage 12.22.10
Cisco ACL Parser v0.04
Here is a new version of the ACL parser. I fixed a lot of issues with this script. The object groups are now expanded for the PIX and ASA. I have added the attributes for ACL entries for log level, time, and inactive state. I enhanced the remark feature also. The script was verified and tested by Anthony, who contacted me after my initial public release v2. Anthony ran the script against an ASA 7.x with an ACL that totals over 5000 lines. Here is a quote from his response after testing:
“This is truly a parsing masterpiece. This did exactly what I needed and meets all of my requirements perfectly. Had no issues with any of the lines in the over 5000 lines of a single ACL that I ran through it, wonderful! Saved me days of work! Seriously!!! Thanks a million. I know this wasn’t easy… especially since your script more than doubled!!”
Antid0te for Mac OS X Snow Leopard
Rebasing the dynamic linker DYLD to improve Snow Leopard’s fake ASLR
Last week at the Power of Community 2010 (POC2010) security conference in Seoul, Charlie Miller presented his talk about the changes in Snow Leopard security. An important message of his talk was that Apple’s failure to load the dynamic linker DYLD at a random base address is a major weakness from a security point of view. Charlie demonstrated how a ROP payload can be built that only uses parts of the non-randomized DYLD binary. You can download his slides here.
At the same conference I presented my research into adding ASLR to jailbroken iPhones, which also mentioned the fact that there are several similarities between iOS and Mac OS X Snow Leopard in regards to the DYLD and the dyld_shared_cache. I also mentioned that not rebasing the DYLD binary is a major weakness because it contains enough code to kickstart shellcode with a ROP stub based on DYLD only. Therefore it was pretty straightforward to just apply my research into rebasing the DYLD binary from iOS to Mac OS X Snow Leopard, which is presented here. You can download my slides here and the antid0te iPhone security tool will be available here once it is released.
Metasploit Pro and Metasploit Express 3.5.1 Update 20101222161711
This weekly update for Metasploit Pro and Metasploit Express 3.5.1 brings three new modules, and updates to the pcap import and nexpose functionality.


Software Engineering explained
What shall we call it?
Don’t leak on me
Jiu Jitsu