NSM Security Solutions

sslyze – Fast and Full-Featured SSL Configuration Scanner

2011-12-15T04:16:00.000-08:00

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news headlines, bringing attention to weak configurations, and the need to avoid them. Additionally, server misconfiguration has always greatly increased the overhead caused by SSL, slowing the transition to improved communications security.

To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.

Features

Insecure renegotiation testing
Scanning for weak strength ciphers
Checking for SSLv2, SSLv3 and TLSv1 versions
Server certificate information dump and basic validation
Session resumption capabilities and actual resumption rate measurement
Support for client certificate authentication
Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help user’s identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can readhere.

You can download sslyze here:

sslyze-0.3_src.zip

Microsoft Security Bulletin for December 2011

2011-12-15T04:00:00.000-08:00

Microsoft’s Security Bulletin for December 2011 includes 13 bulletins addressing 17 vulnerabilities. Three of the bulletins are rated "critical": MS11-087, MS11-090, and MS11-092 and the rest are "important". This month many of the patches relate to vulnerabilities with known exploits likely available in the wild, so it is essential that organizations prioritize patching as soon as possible.

Microsoft reports that the exploit code for the “critical” MS11-087 and MS11-092 is likely to be in the wild. This comes as no surprise with MS11-087, which addresses the much publicized zero-day vulnerability related to the malicious Duqu worm. The vulnerability is in Windows kernel-mode drivers and could allow remote code execution. Microsoft previously released a workaround for this as a part of Microsoft Security Advisory #2639658, so organizations applying patch MS11-087 need to also undo the workaround if it was deployed.

MS11-092 is a vulnerability in Windows Media player and Media Center, which an attacker could use to phish a victim into visiting a site or opening a file on their site. Microsoft also reports that there is likely already exploit code available for this vulnerability.

This month, there are a couple of updates related to Internet Explorer. MS11-092 is an Active-X bug that exploits a user when they visit a webpage with Internet Explorer. MS11-099 is a cumulative security update for Internet Explorer. Browser updates always get my attention because browsers are on the front line in the security battle. As we approach the end of the year, organizations should be thinking about bringing in the new year by upgrading their legacy browsers and upgrading to Internet Explorer 9.

There are several bulletins related to Microsoft Office Suite and applications related to it such as Powerpoint, Publisher, and Excel. MS11-094, related to Powerpoint, is like to have exploit code in the wild.

According to the 80/20 rule, 20% of your vulnerabilities will likely cause 80% of your security risk. I see Microsoft getting the number of critical bulletins way down, but at the same time those criticals could be responsible for mass compromises and included in mass malware packs.

This is a month where Microsoft patched a wide variety of vulnerabilities so organizations need to test and patch the “critical” ones as soon as possible, and prioritize the “importants” by which ones have exploit code available, and which ones allow remote code execution.

From: https://community.rapid7.com/community/infosec/blog/2011/12/14/microsoft-security-bulletin-for-december-2011

Vendor Security

2011-12-06T09:14:00.000-08:00

I’d like to share our experiences with vendor security since I’m sure it’s something that impacts all of us. Like every company, Rapid7 relies on a number of technology vendors for a huge range of products and services to run the business. I’m sure no one will be surprised to hear that as a security company we have a policy specifying the security requirements that our vendors need to meet before we’ll do business with them. Our view is that their security directly impacts any of our internal or customer data that their systems hold, so we take it as seriously as our own infrastructure security. Most or all of you probably have the same approach, but one unique thing that we have at our disposal is a number of highly skilled security experts on staff which allows us to have a mandatory application security assessment as part of our policy.

The results of this policy over the last few years have been eye-opening. The number of prospective vendors that pass our security bar is disappointingly low, across every category we used (marketing tools, sales tools, support tools, file transfer tools, IT infrastructure, etc). The most recent failure sparked this blog post, but it was the norm rather than the exception. More often than not they fail basic tests with numerous readily apparent and easily exploitable issues. If the vendor has a great product or service that we think is significantly better than the alternatives we evaluated, we’ll delay our deployment while we engage with them to address the issues we found, getting commitments to fix in a defined timeline. The results there have been equally dismal, with most of them missing their commitments and forcing us to end up going with an alternate months later. It’s clear that our security bar is far higher than their bar, but also that in many cases they don’t have either the desire or skills to significantly improve their security.

All of this ends up slowing our deployment of the various third party solutions, which is an acceptable tradeoff in our view. But what do we do when none of the vendors in the space pass the security bar? And more broadly, what can we do as a security community to raise awareness of the state of vendor security and create impetus for change? Our individual efforts to push the vendors we’ve engaged with generally haven’t been enough to move the ball. If you have any suggestions on how we can tackle this as a community, please post them below.

In the meantime, I thought I’d share our own approach in case it’s useful to any of you. The overall approach we use is a coordinated process between procurement, legal, and IT security. Having a coordinated process between the business discussion and technical due diligence allows for not just improved decision making, but also more informed negotiation.

First, in addition to screening new vendors, if you haven’t already been doing this, start by pulling together a list of all your existing vendors (particularly SaaS vendors that have an exposed security surface). This will be eye-opening the first time you do it, since lots of groups will have been using tools without any IT involvement.
- One useful tactic we use to find out what’s in use and catch new ad-hoc “deployments” that bypass your vetting process is a periodic review of corporate credit card statements, flagging expenses associated with known vendors & SaaS providers.
Use a security questionnaire to understand their security policies, processes, and sophistication.
Demand to see the results of their latest security audit, showing what was tested, the findings, and the remediation they’ve done since that time. (We do an audit ourselves because we can). Negotiate for rights to this on a periodic basis.
Pay close attention to audit logging functionality. Does the SaaS application track and report on login/logout, user actions within the application, and does it track source IP address? At the very least, you will want to conduct periodic reviews of the account logs to check for anomalies.
Scrutinize the identity management capabilities and set a policy for how they are used. Access management, particularly account management, is one of the weakest areas of SaaS security today. Multiple users are often tempted to share accounts because account limits are common to SaaS: this practice needs to be discouraged. Organizational password strength and password rotation policies are usually difficult to enforce when it comes to SaaS. Account provisioning and de-provisioning usually happens outside the IT group, and sometimes there are multiple users on a SaaS application with the ability to create accounts but no single user with clear ownership of, and responsibility for, the application. This creates a substantial risk that accounts will not be revoked in a timely fashion upon a change in employment status. Some approaches that can mitigate the issue:
- Ensure that IT is solely responsible for account management in all SaaS applications.
- Conduct periodic reviews of active SaaS accounts across all applications, matching to current employee rosters.
- Work with your SaaS provider to enact IP-level restrictions to all logins, so that employees are required to be either physically present in the office or connected to the VPN to log in to the SaaS application. This will require the VPN to operate in “full tunnel” mode, where all traffic (including internet traffic) is driven over the VPN to egress from the corporate network.
Most SaaS applications allow you to grant different levels of permissions to different users. As much as possible, place reasonable limits on user access levels in SaaS applications. Restrict manager privileges to as few accounts as possible

As companies increasingly rely on SaaS solutions to do every day business, and security moves even further outside of your control, it becomes more and more important to proactively ensure the security and integrity of the solution you rely on. Employing a number of these suggestions, when considering your SaaS solutions, will help put you on the road to a higher level of security serving both your internal stakeholders and customers well.

Article from Rapid7 Blog:

https://community.rapid7.com/community/infosec/blog/2011/12/06/vendor-security

The Mole – Automatic SQL Injection SQLi Exploitation Tool

2011-12-06T08:57:00.000-08:00

The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features:

Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
Command line interface. Different commands trigger different actions.
Auto-completion for commands, command arguments and database, table and columns names.
Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
Developed in python 3.

If you want to see documentation, download or tutorial, please refer here:

http://themole.sourceforge.net/

Adding custom wordlists in Metasploit for brute force password audits

2011-12-06T08:52:00.000-08:00

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:

If you are security testing a hospital, you may want to add a dictionary with medical terms.
If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
Another good idea is to build a custom wordlist based on the organization's website (try the Worldlist Ruby gem to generate a wordlist based on a URL scrape)

For more details, please refer to this Metasploit Blog:

https://community.rapid7.com/community/metasploit/blog/2011/12/05/adding-custom-wordlists-in-metasploit-for-brute-force-password-audits

October 2011: Ten Cisco Vulnerabilities

2011-12-06T08:37:00.000-08:00

The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Cisco Unified Contact Center Express Directory Traversal Vulnerability
Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Unified Communications Manager Directory Traversal Vulnerability
CiscoWorks Common Services Arbitrary Command Execution Vulnerability
Cisco Show and Share Security Vulnerabilities
Directory Traversal Vulnerability in Cisco Network Admission Control Manager
Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Multiple Vulnerabilities in Cisco Firewall Services Module

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as “Client build: 27.25.4.11889.” This indicates the server is running software version T27 SP25 EP4.

Details
The Cisco WebEx Recording Format (WRF) Player is affected by the following vulnerabilities:

Cisco WebEx Player WRF Parsing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-3319
Cisco WebEx Player ATAS32 Processing Vulnerability:This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-4004

The vulnerabilities may cause the player application to crash or, in some cases, remote code execution could occur.

Impact
Successful exploitation of the vulnerabilities described in this document could cause the Cisco WRF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF player application.

Link: http://tools.cisco.com/…/cisco-sa-20111026-webex

Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Vulnerable Products
The following Cisco UCCX versions are vulnerable:

Cisco UCCX version 6.0(x)
Cisco UCCX version 7.0(x)
Cisco UCCX version 8.0(x)
Cisco UCCX version 8.5(x)

The following Cisco Unified IP Interactive Voice Response versions are vulnerable:

Cisco Unified IP Interactive Voice Response version 6.0(x)
Cisco Unified IP Interactive Voice Response version 7.0(x)
Cisco Unified IP Interactive Voice Response version 8.0(x)
Cisco Unified IP Interactive Voice Response version 8.5(x)

Details
The Cisco Unified Contact Center Express is a single/two node server, integrated “contact center in a box” for use in deployments with up to 300 agents until software version 8.0(x) and 400 agents starting at version 8.5(x). The vulnerability is due to improper input validation, and could allow the attacker to traverse the filesystem directory. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. The vulnerability in Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response could be exploited over TCP port 8080 in 6.0(x) and 7.0(x) versions and TCP port 9080 starting in 8.0(x) version of the product.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the Cisco Unified Contact Center Express or Cisco Unified IP Interactive Voice Response filesystem.

Link: http://tools.cisco.com/…/cisco-sa-20111026-uccx

Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series of devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation prevents cameras from sending video streams, subsequently causing a reboot. The camera reboot is done automatically and does not require action from an operator.

Vulnerable Products
Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series are affected by this vulnerability. For Cisco Video Surveillance 2421 and 2500 series IP Cameras, all 1.1.x software releases and releases prior 2.4.0 are affected by this vulnerability, For Cisco Video Surveillance 2600 IP Camera, all software releases before 4.2.0-13 are affected by this vulnerability.

Details
The Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series of devices are affected by a RSTP TCP crafted packets denial of service vulnerability that may allow an unauthenticated attacker to cause the device to reload by sending a series of crafted packets. This vulnerability can be exploited from both wired and wireless segments.

Impact
Successful exploitation of the vulnerability may result in DoS condition. Subsequent exploitation may result in sustained DoS condition, as the cameras will continue to reload.

Link: http://tools.cisco.com/…/cisco-sa-20111026-camera

Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC.

Vulnerable Products
These vulnerabilities only affect 6.x versions of Cisco Security Agent running on Windows platforms.

Details
Version 6.x of Cisco Security Agent running on Windows platforms is affected by the following vulnerabilities:

Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect availability, related to File ID SDK: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2011-0794
Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect availability via vectors related to Outside In Filters: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2011-0808

Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to perform remote code execution on the affected device that will execute with Administrator privileges.

Link: http://tools.cisco.com/…/cisco-sa-20111026-csa

Cisco Unified Communications Manager Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.

Vulnerable Products
The following products are affected by this vulnerability:

Cisco Unified Communications Manager 6.x
Cisco Unified Communications Manager 7.x
Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Link: http://tools.cisco.com/…/cisco-sa-20111026-cucm

CiscoWorks Common Services Arbitrary Command Execution Vulnerability
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.

Vulnerable Products
This vulnerability affects all versions of CiscoWorks Common Services-based products running on Microsoft Windows. Common Services version 4.1 and later are not affected by this vulnerability.

Details
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator. The vulnerability is due to improper input validation in the CiscoWorks Home Page component. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. An exploit could allow the attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
This vulnerability affects CiscoWorks Common Services running only on Microsoft Windows.
This vulnerability could be exploited over the default management ports, TCP port 1741 or 443.

Impact
Successful exploitation of this vulnerability may allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.

Link: http://tools.cisco.com/…/cisco-sa-20111019-cs

Cisco Show and Share Security Vulnerabilities
The Cisco Show and Share webcasting and video sharing application contains two vulnerabilities.

The first vulnerability allows an unauthenticated user to access several administrative web pages.
The second vulnerability permits an authenticated user to execute arbitrary code on the device under the privileges of the web server user account.

Vulnerable Products
These vulnerabilities affect all versions of Cisco Show and Share prior to the first fixed releases as indicated in the Software Version and Fixes section of this Cisco Security Advisory.

Details
Cisco Show and Share contains the following vulnerabilities:

Anonymous users can access some administration pages: Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. These include pages for accessing Encoders and Pull Configurations, Push Configurations, Video Encoding Formats, and Transcoding. This vulnerability is documented in Cisco Bug ID CSCto73758, (registered customers only) and has been assigned CVE identifier CVE-2011-2584.
Cisco Show and Share arbitrary code execution vulnerability: An authenticated user with privileges to upload videos could upload code that could then be executed under the privileges of the web server.

Impact
These vulnerabilities have the following impact on Cisco Show and Share:
CSCto73758: Anonymous users can access some administration pages. Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. The impact of the different administrative web pages include:

Encoders Configurations
Push Configurations
Video Encoding Formats
Transcoding

CSCto69857: Cisco Show and Share arbitrary code execution vulnerability. An authenticated user may upload arbitrary code that can be executed on the appliance with the same privileges as the web server.

Link: http://tools.cisco.com/…/cisco-sa-20111019-sns

Directory Traversal Vulnerability in Cisco Network Admission Control Manager
Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.

Vulnerable Products
Only Cisco NAC Manager software versions 4.8.X are affected by this vulnerability. Cisco NAC Manager software versions 4.7.X and earlier are not affected.

Details
Cisco NAC Manager contains a directory traversal vulnerability. The management interface uses TCP port 443. An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.

Impact
An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.

Link: http://tools.cisco.com/…/cisco-sa-20111005-nac

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
TACACS+ Authentication Bypass vulnerability
Four SunRPC Inspection Denial of Service vulnerabilities
Internet Locator Service (ILS) Inspection Denial of Service vulnerability

Vulnerable Products

MSN IM Inspection Denial of Service Vulnerability: The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by a DoS vulnerability.
TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
SunRPC Inspection Denial of Service Vulnerabilities: Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
ILS Inspection Denial of Service Vulnerability: A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.

Impact
Successful exploitation of all the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall and/or administrative sessions.

Link: http://tools.cisco.com/…/cisco-sa-20111005-asa

Multiple Vulnerabilities in Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

Syslog Message Memory Corruption Denial of Service Vulnerability
Authentication Proxy Denial of Service Vulnerability
TACACS+ Authentication Bypass Vulnerability
Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

Vulnerable Products
The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the “Software Version and Fixes” section for specific information on vulnerable versions.

Details

Syslog Message Memory Corruption Denial of Service Vulnerability: A denial of service vulnerability exists in the implementation of one specific system log message (message ID 302015, “Built outbound UDP connection session-id for src-intf:IP/Port to dst-intf:IP/Port ARP-Incomplete”) that can cause memory corruption and lead to a lock up or crash of the Cisco FWSM in the event that that system log message needs to be generated for IPv6 traffic that has flowed through the device. The Cisco FWSM may not recover on its own and a manual reboot may be necessary to recover.
Authentication Proxy Denial of Service Vulnerability: A denial of service vulnerability exists in some versions of Cisco FWSM Software that affects devices configured to use authentication to grant users access to the network, also known as cut-through or authentication proxy. Vulnerable configurations are those that contain the aaa authentication match or aaa authentication include commands. The vulnerability may be triggered when there is a high number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability exists in the TACACS+ implementation in the Cisco FWSM. Successful exploitation could allow a remote attacker to bypass TACACS+ authentication of VPN users (the Cisco FWSM only allows VPN sessions for management), firewall sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities: The Cisco FWSM is affected by four vulnerabilities that may cause the device to reload during the processing of different crafted SunRPC messages when SunRPC inspection is enabled. These vulnerabilities are triggered only by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability: The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.

Impact
Successful exploitation of any of the denial of service vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall, and/or administrative sessions

Link: http://tools.cisco.com/…/cisco-sa-20111005-fwsm

Article from: http://www.ciscozine.com/2011/12/02/october-2011-ten-cisco-vulnerabilities/

Using Google as Malware Spreading Technique

2011-12-06T08:35:00.000-08:00

Exploit Database released whitepaper called Using Google as Malware Spreading Technique. The malware distributors spread the programs by using search engine optimization (SEO) techniques, such as link farming, keyword stuffing, and abusing search algorithms. You can refer to this paper:
http://www.exploit-db.com/download_pdf/18206

Hacker attack Google, Gmail, YouTube, Yahoo, Apple, Microsoft, Hotmail

2011-12-06T08:23:00.000-08:00

The biggest are down!!! Hacker with nickname AlpHaNiX attack Google, Gmail, Youtube, Yahoo, Apple etc. All websites are hacked on domain .cd wich belongs to Democratic Republic of Congo. Hacker use strategy so-called DNS cache poisoning.

Hacked websites: http://apple.cd/, http://yahoo.cd/, http://gmail.cd/, http://google.cd/, http://youtube.cd/, http://linux.cd/, http://samsung.cd/, http://hotmail.cd/, http://microsoft.cd/

DNS cache poisoning is a security or data integrity compromise in the Domain Name System (DNS). The compromise occurs when data is introduced into a DNS name server's cache database that did not originate from authoritative DNS sources. It may be a deliberate attempt of a maliciously crafted attack on a name server.

For details, please refer here:

http://security.web-center.si/?p=161

Computerized Prison doors hacked with vulnerabilities used by Stuxnet worm

2011-11-10T05:19:00.000-08:00

Security holes in the computer systems of federal prisons in the United States can effectively allow hackers to trigger a jailbreak by remote control. The discovery of the Stuxnet worm has alerted governments around the world about the possibility of industrial control systems being targeted by hackers.

A team of researchers with John Strauchs, Tiffany Rad and Teague Newman presented their findings at a recent security conference. They said the project wasn't really all that difficult -- it just took a little time, some equipment bought online and a basement workspace. The idea for the research came about from work that Strauchs had done previously.

"I designed a maximum security prison security system. That is, I did the engineering quite a few years ago and literally on Christmas Eve, the warden of that prison after it was occupied, called me and told me all the doors had popped open, including on death row, which of course sent chills down my spine. So we fixed that problem very quickly. It was a minor technical thing that had to do with the equipment used, but the gist of it was it made me think if that could be done accidentally, what was the extent of what you could do if you did it deliberately?"

The security systems in most American prisons are run by special computer equipment called industrial control systems, or ICS. They are also used to control power plants, water treatment facilities and other critical national infrastructure. ICS has increasingly been targeted by hackers because an attack on one such system successfully sabotaged Iran’s nuclear program in 2009.A malicious cyber-intruder could “destroy the doors,” by overloading the electrical system that controls them, locking them permanently open, said Mr. Strauchs, now a consultant who has designed security systems for dozens of state and federal prisons.

The U.S. Department of Homeland Security has confirmed the validity of their results and the researchers have already demonstrated the attack to federal and state Bureaus of Prisons and a number of federal agencies.

Source: http://thehackernews.com/2011/11/computerized-prison-doors-hacked-with.html

Sqlninja 0.2.6

2011-11-10T04:33:00.000-08:00

Sqlninja 0.2.6 "bunga bunga edition" is available! I have been extremely lazy in the last few months or so, and the new job is not really helping me in finding time and motivation to work much on this little old pet project of mine. However, the new version is finally ready! It is basically an official release with all the new features that have been in the SVN for a while (most of them for almost 1 year, ouch). More specifically:
ICMP-based shell (thanks Nico!)
CVE-2010-0232 support to escalate the sqlservr.exe process to SYSTEM (greetz Tavis!)
Header-based injection support
Grab it from the Download page and please report any bug you find :)
http://sqlninja.sourceforge.net/download.html

Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv3.There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network.

Here’s what it does:

Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if 'sa' password has been found
Creation of a custom xp_cmdshell if the original one has been removed
Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Let us stop with the buzz on TOR

2011-11-08T19:32:00.000-08:00

Hi to all,

Since a few weeks a huge buzz has arised around the TOR security and especially regarding the attack we have designed and experimented. I decided not to react, not to feed the buzz since I do not like it and if controversy may sometimes be constructive, in the present case, things have gone too far: stupid comments on comments from others (on which basis since we have published only a very few things yet?), personal attacks close sometimes to libelling, huge emotions, doubts and fear that may be understood however, collective hysteria...

However, going on sticking away would in some sense backing this buzz. It is time to remind that the only possible goal is to have more security, to determine whether really our attack can put seriously TOR security into question and go ahead to try to find solutions to improve. Security is a too serious thing to be only a playground for buzz. Even if -- especially as a former military cryptanalyst -- I do not fully agree on a few conceptual choices in TOR, there must be no doubt for anyone about our will to contribute to the TOR security and this from the very beginning. We must not forget that a few people who use TOR are putting sometimes their life into danger (political opponents, militaries...) for a more democratic and free society. In this respect, we cannot waste a precious time. Up to me, the issue is very clear: there is absolutely no doubt that we need a solution like TOR even this solution is far from being perfect. But is there such a thing as a perfect solution, especially if you add political and national security issues?

When I decided to work on TOR -- by mid of 2010 -- I was just interested in the crypto part, looking for some application of the concept of dynamic cryptographic trapdoor that I had imagined a few years ago. So far I could test it only in non public yet real networks. Hence it was not possible to publish anything on those results. So at the beginning, I had nothing against TOR and I still don't.

When it was clear that TOR could also succumbed to this concept, I imagined the attack under the present light of media. If I have a rather good knowledge of network technology, it was not sufficient and I needed to have more skilled guys, especially to find ways to force 3-node routes through compromised nodes with a very high probability. Two of my best students of our N&IS Specialised master, Seun from Nigeria and Leonard from Tanzania -- two really excellent students -- have joined the party on April 2011. They have worked very hard, have done an excellent job both at the academic level and at the operational/technical level. I can say that as a tutor, I am really proud of their work. Of course, for anyone who knows how research works, you never totally start from scratch and Seun and Leonard's first tasks were to establish a bibliography on the existing network approaches used by previous researchers: Murdoch, Evans, Danezis, Pappas, Bendiken... who all have been mentioned in the slides. Then they have developped their own tools/approaches to fit my operational intent. Just as it is required in any research work. And other people doing hacking or research are doing the same.

We have just done research, serious, good and operational research up to me. We have tested our attack in conditions close to the reality. People will make their own ideas. I decided at that time not to make buzz, just to present this work in hacking conferences. Unfortunately my employer -- an academic institution -- has required from me to present my attack to French journalists. I have accepted since an employer is always right...or you have to resign. But at the very end, I did not really mind: who cares about news published in French in the world? Then things went wrong and the hype created by others has gone too far. The TOR foundation contacted me in a form that was probably not very fair -- to my perception at last -- and myself I have to make a throrough criticism of myself when facing the resulting buzz. After 22 years in the Army (in the French Marine Corps Infantry), I suppose that I have kept a not very flexible and accomodating mind. Sorry for that. We have decided that it was necessary to restore the contact with the TOR foundation and its president Roger Dingledine to go beyond our differences in opinions, views and interpretations and go ahead towards more security in TOR in a more constructive way. Any other end would have been totally irresponsible from Seun and me.

Our attack works not because the TOR source code has flaws. Once again, it is well-written and in a secure way. It is more related to conceptual issues. We have just analyzed the TOR network at a higher level, by considering it as a critical infrastructure and using a large, multi-level and coordinated attacks. Up to me according to personal information, which are confirmed partly on the TOR website, I am convinced that China (especially in 2009 and late 2010) has already tried similar attacks and has been, at least partly successful. Of course we cannot accept that.

The main problem comes from the fact that
the TOR network relies on volunteers which most of the time do not secure their computers. That is dramatic. Just imagine the security nightmare in a big company where every user would be free to choose the operationg system, the way to configure it... We will not publish all what we have detected. But be sure that we have seen horrible things as far as security is concerned. In this respect, we think that an overall computer security policy should be enforced and any OR not complying with it should be banned from the network.
TCP is a nightmare as well and this is the main issue. I am not a network expert but I have the feeling that it will difficult to built more security at that level. We have managed to return a few of the TOR protections against DDoS against TOR itself when considering local, surgical strikes.
But to be honest, being able to force 3-node circuits can be exploited only if there exists a significant part of ORs that have been compromised. So back to the first point.

Up to me there is some hope and technical improvements should be possible. Among many possible ideas. we propose:
as an emergency measure, to ban weak ORs that are not secure enough. This requires to make fingerprinting and active auditing what we did actually but only partly for legal reasons.
to add steganography techniques in TOR. Remember that using cryptography focuses attention and hence attacks. Why not a steganographic version of TOR?
to limit not so say prevent the installation of dynamic cryptographic backdoors (memory protection by hardware-based virtualization for instance, malicious cryptography techniques to prevent memory tampering, process protection techniques [we have developped a few in our lab]...).
Seun intends to dedicate his PhD thesis to the enhancement of the TOR security with innovative propositions. He is just waiting for a PhD grant. We are ready to contribute and to be involved anyway.

We have sent all source code and slides to the TOR foundation in order to help it to design and release a potentially more secure version of TOR. Recent exchanges with Roger seem to show that somehow our work is considered as significant and was not greatly exaggerated. That is sufficient to us. I let him confirm or not. We will release the source code and data as scheduled on November 10th (right after PacSec 2011) unless the TOR foundation recommends to wait a little bit more. As researchers and hackers we just need our contribution to be recognized. If it has helped finally to take part to the enhancement of overall TOR security, well we will proud of that.

Special thanks to Dragos, Rodrigo and Filipe.

Eric Filiol & Oluwaseun REMI-OMOSOWON

Source: http://cvo-lab.blogspot.com/2011/11/let-us-stop-with-buzz-on-tor.html

Metasploit Sighting: Exploiting iPhone

2011-11-08T19:18:00.000-08:00

Many security researchers use the Metaploit Framework for security proof of concepts and demonstrations. The following video shows Charlie Miller, @0xcharlie, using Metasploit's Meterpreter to handle a session from an exploited iPhone. In this video, Charlie navigates the iPhone's file system and downloads files to his local computer. Charlie found a flaw which allowed him to bypass Apple's coding signing requirements, which allowed him to run arbitrary code on the iPhone.

To see the video, please go to this link:
https://community.rapid7.com/community/metasploit/blog/2011/11/08/metasploit-framework-sighting-exploiting-iphone

Toolkit cracks encrypted information on iOS 5 devices

2011-11-01T20:30:00.000-07:00

ElcomSoft updated the iOS Forensic Toolkit with iOS 5 support for recovering keychain information in iOS 5 devices.

Providing near-instant forensic access to encrypted information stored in the latest iPhone and iPad devices, iOS Forensic Toolkit enables access to protected file system dumps extracted from supported Apple devices even if the original device passcode is unknown.

By performing a physical acquisition analysis of the device itself, the toolkit offers instant access to all protected information including SMS and email messages, call history, contacts and organizer data, Web browsing history, voicemail and email accounts and settings, stored logins and passwords, geolocation history and the original plain-text user passcode.

The tool can also perform logical acquisition of iOS devices, or provide forensic access to encrypted iOS file system dumps.

The toolkit can acquire a 16-Gb iPhone 4 in about 20 minutes, or a 32-Gb version in 40 minutes.

With the release of iOS 5, Apple made some minor tweaks and some major changes to data encryption. “There was no break-through in the iOS security model”, says Andrey Belenko, ElcomSoft leading developer. “The architectural changes are more of an evolution of the existing model. However, we highly welcome these changes, as they present better security to the end user. In particular, the number of keychain items that can be decrypted without the passkey is now less than it used to be. Device passcode is one of the hallmarks of Apple’s security model, and they are expanding the use of it to cover more data than ever before.”

The Toolkit currently supports the following iOS devices:

iPhone 3G
iPhone 3GS
iPhone 4 (GSM and CDMA models)
iPod Touch (3rd and 4th generations)
iPad (1st generation only).

Read Full Article
https://www.net-security.org/secworld.php?id=11867

Information about toolkit
http://www.elcomsoft.com/eift.html.

Honeynet Project: Android Reverse Engineering (A.R.E.) Virtual Machine released

2011-11-01T20:15:00.001-07:00

This VirtualBox-ready VM includes the latest Android malware analysis tools as follows:

Androguard
Android sdk/ndk
APKInspector
Apktool
Axmlprinter
Ded
Dex2jar
DroidBox
Jad
Smali/Baksmali

A.R.E. is freely available from http://redmine.honeynet.org/projects/are/wiki

THC SSL DOS

2011-10-31T23:39:00.000-07:00

Today the German hacker group “The Hacker’s Choice” officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.

Technical details can be found at http://www.thc.org/thc-ssl-dos.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago” said a member of THC who wants to remain anonymous.

The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer (“bot”).

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using
an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”, Says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.

Read full article:
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

To download:
http://www.thc.org/thc-ssl-dos/

OWASP Mantra Security Toolkit -3rdBeta

2011-10-12T02:31:00.000-07:00

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

The third beta of OWASP Mantra Security Toolkit has been released. One of the main features of this version is the multi-language support. Mantra now supports Hindi and Spanish, in addition to English. If you can give us a helping hand by translating Mantra into more languages, feel free to contact us and we will look forward to see you in Team Mantra. This version is based on Firefox 7.0.1 and comes with some new extensions which you will definitely find useful. One of the other changes is renaming the "Ayudha" menu back to "Tools". We all are comfortable with "Tools" and we decided to keep it intact.
Download the file:
http://www.getmantra.com/download/index.html

Backdoor Trojan alleged to have been created and used by German law enforcement authorities

2011-10-12T02:27:00.000-07:00

Under German law, the police are allowed to use spyware to snoop on suspected criminals – but only under strict guidelines. The spyware must not alter any code on the suspect’s computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.

The Chaos Computer Club (CCC) has announced the discovery of a backdoor Trojan horse that is capable of spying on online activity such as recording Skype conversations and monitoring online behaviour. The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA.

Sophos’s analysis of the malware confirms that it has the following functionality:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls
* The Trojan attempts to communicate with a remote website

“While it’s not possible to *prove* who authored the malware, it’s beginning to look more and more likely that the German authorities were involved,” said Graham Cluley, senior technology consultant at Sophos. “The malware targets Windows computers and to become infected, you typically might receive an email containing an attached file, or a link to the web which would then infect the computer. SophosLabs detects all malware that we know about – regardless of who the author might be. So whether this malware is state-sponsored or not, we’ve added protection against this attack.”

Source: SecurityPark

Facebook's URL scanner is vulnerable to cloaking attacks

2011-10-10T22:40:00.000-07:00

Members of a hacking think-tank called Blackhat Academy claim that Facebook's URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.

Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.
Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. "Hatter," one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.
Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file.

"While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable," the Blackhat Academy hackers said.
"These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name," they explained.
Earlier this week, Facebook signed a partnership with Websense to use the security vendor's cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.
Websense doesn't believe that to be the case. "This is nothing new. We use numerous methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content," the company said.
"Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users," it added.
That could well be true, but it's worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers' appliances to scan URLs on the social networking website might not have an immediate impact.
Hatter says that as a security research outfit Blackhat Academy follows responsible disclosure and notified Facebook of the content cloaking issue at the end of July. Despite this, the method still works.

"We're well aware of the content forgery technique described and have built protections into our systems to account for it," a Facebook spokesman said via email.
"The content returned when we crawl a shared link is only one of many signals we use to combat spam and abuse on Facebook. We know that this content can change between visits, and therefore can't always be trusted, and our systems account for that," he added.
Earlier this year, Facebook signed a partnership with Web of Trust (WOT), an organization that maintains a community-driven spam URL block list. However, it's well-known that blacklisting is not very efficient and there can be a significant window of exposure between the time when a URL starts being spammed and the time when it's flagged by such a system.
At the very least, content cloaking can be a powerful social engineering technique. A link with a .jpg termination accompanied by a thumbnail can look harmless enough to trick a lot of users into clicking on it.

Facebook and Websense are not the only ones with this problem. Google+ and Digg are also vulnerable to cloaking attacks, but other sites such as Twitter have developed strong protections against them.

Source: http://www.networkworld.com/news/2011/100711-facebooks-url-scanner-is-vulnerable-251737.html

OWASP Zed Attack Proxy (ZAP) 1.33

2011-10-04T01:03:00.000-07:00

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
The current version of ZAP is is 1.3.3

For more information about ZAProxy:
http://code.google.com/p/zaproxy/

JBoss, JMX Console, misconfigured DeploymentScanner

2011-10-03T19:52:00.000-07:00

Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner

Date: Oct 3 2011
Author: y0ug codsec.com
Version:
Tested on: Linux
CVE : CVE-2010-0738

POC against misconfigured JBoss JMX Console
It use the addUrl method in DeploymentScanner module

More information
http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html

You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
( only if you want to use reverse_shell("ip", "port") )

The JSP shell is not mine is available every where
I add a -b param that build the war contener to do this you need java
Is a fast POC coded this morning for fun so maybe it don't cover all case/version

Usage:
Build the war contener (need java)
# ./jboss -b
Hack
# ./jboss http://www.vuln.com:8080

For more information, please refer to this ExploitDB link:
http://www.exploit-db.com/exploits/17924/

You also can refer to this whitepaper,JBOSS Exploitation:
http://www.exploit-db.com/download_pdf/17915

WAVSEP - Web Application Vulnerability Scanner Evaluation Project

2011-10-03T18:04:00.000-07:00

A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners.
This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
Additional information can be found in the developer's blog: http://sectooladdict.blogspot.com/
Project WAVSEP currently includes the following test cases:

Vulnerabilities:

Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST )
Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST )
Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST )

False Positives:

7 different categories of false positive Reflected XSS vulnerabilities (GET & POST )
10 different categories of false positive SQL Injection vulnerabilities (GET & POST)

Additional Features:

A simple web interface for accessing the vulnerable pages
Sample detection & exploitation payloads for each and every test case
Database connection pool support, ensuring the consistency of scanning results

Although some of the test cases are vulnerable to additional exposures, the purpose of each test case is to evaluate the detection accuracy of one type of exposure, and thus, “out of scope” exposures should be ignored when evaluating the accuracy of vulnerability scanners.

To see more information and download this tool:
http://code.google.com/p/wavsep/downloads/list

Arachni v0.3 is out!

2011-10-03T17:59:00.000-07:00

Arachni - a dramatic improvement in the detection accuracy of Reflected XSS exposures, and a dramatic improvement in the detection accuracy of SQL Injection exposures (verified on mysql).

Arachni uses various techniques to compensate for the widely heterogeneous environment of web applications.
This includes a combination of widely deployed techniques (taint-analysis, fuzzing, differential analysis, timing/delay attacks) along with novel technologies (rDiff analysis, modular meta-analysis) developed specifically for the framework.
This allows the system to make highly informed decisions using a variety of different inputs; a process which diminishes false positives and even uses them to provide human-like insights into the inner workings of web applications.

Version v0.3 has just been released and it includes a lot of goodies including:

A new custom-written, lightweight Spider
Add-on support for the WebUI
- Scan scheduler
- AutoDeploy -- Convert any SSH enabled Linux box into a Dispatcher
Improved accuracy of differential analysis audits
Improved accuracy of timing attack audits
Highly optimized timing attacks

For more information about this scanner, please see this link:
http://arachni.segfault.gr/news

To download Arachni:
https://github.com/Zapotek/arachni/downloads

HITB SecConf2011 Malaysia (October 10 to 13)

2011-10-03T05:15:00.000-07:00

Run as a not for profit, community backed effort, the Hack in The Box Security Conference (HITBSecConf) series has become the ‘must attend’ event in the calendars of security professionals from around the world.
Having started as a small gathering of Malaysian security specialists in 2002, the event has since expanded out of its home base in Kuala Lumpur to Dubai and in 2010, The Netherlands. Our events are put together by a team of dedicated crew and volunteers and through the continued support of our sponsors, HITBSecConf has grown into the largest network security conference in the Asia Pacific and Middle East region!
The main aim of our conferences has always been to enable the dissemination, discussion and sharing of deep knowledge network security information. Our main focus is on new and groundbreaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf events bring together a unique mix of security professionals, researchers, law enforcement and members of the hacker underground under one roof and our flagship event in Malaysia sees over 1000 attendees.
The event runs over a 4 day period with 2 days of intensive hands on training sessions followed by a two-day conference with either three or four concurrent tracks inclusive of a hands on lab session (HITB Labs) and 15 minute lightning talks (HITB SIGINT). The HITB Labs caters for only 50-100 attendees and these sessions are intensive, hands-on presentations that require audience interaction. The HITB SIGINT (Signal Intelligence/Interrupt) sessions on the other hand, are designed to provide a quick 15 minute overview for material and research that's 'up and coming' - stuff that isn't quite ready for the mainstream tracks of the conference but deserve a mention nonetheless.
In addition to the conference tracks, our events are also further enhanced with an open-to-public technology and exhibition area, lock picking villages, hackerspace villages and of course, our ever popular Capture The Flag competition (CTF) !

For more information about agenda and speaker, please see the link below:
http://conference.hitb.org/hitbsecconf2011kul/

Twitter’s t.co URL spoofing.

2011-10-03T04:38:00.000-07:00

I saw this article from LY_GS Security Weblog. I'm not sure whether this bug still exploitable or not, but I think Twitter's team has fixed this vulnerability. You can refer to these blog for more information:
http://blog.12k.nl/post/10604842941/twitters-t-co-url-spoofing-updated-again

http://ximen.es/?p=534

Armitage - Cyber Attack Management Tool (Metasploit)

2011-10-03T04:19:00.000-07:00

Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework.
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.

Please refer to Armitage manual here:
http://www.fastandeasyhacking.com/manual

Armitage Screencast:
http://www.fastandeasyhacking.com/media

JBOSS Exploitation

2011-10-02T18:17:00.000-07:00

Whitepaper called JBoss Exploitation. This paper goes into detail on popping a shell on open JMX consoles.
http://www.exploit-db.com/download_pdf/17915

Android 2.0 ,2.1, 2.1.1 WebKit Use-After-Free Exploit

2011-03-14T17:49:00.000-07:00

This is the exploit used in my Austin bsides presentation that returns a shell.

The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith@exploitscience.org

Spyware compromises 150,000+ Symbian devices

2011-02-24T10:24:00.000-08:00

A new variant of spyware "Spy.Felxispy" on Symbian devices causing privacy leakage has recently been captured by the National Computer Virus Emergency Response Centre of China.

According to NetQin Mobile, there are more than a dozen variants of the spyware since the first was spotted, and the latest has affected 150,000+ devices.

Once installed, the spyware will turn on the Conference Call feature of the device without users' awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation.

"The Conference Call feature allows more than two parties to join a conversation, and it's easily available to most smart-phone users. The privacy stealers exploit the vulnerability of this feature for financial purposes. The privacy protection on mobile devices becomes more important than ever," said Dr. Zou Shihong, Vice President of R&D from NetQin.

NetQin Cloud Security Centre detects that the spyware can remotely turn on the speaker on the phone to monitor sounds around users without the users' awareness. Apart from that, the spyware is also capable of synchronizing the messages the user received and delivered to the monitoring phone. These performances will compromise users' privacy.

The privacy stealers usually install the spyware on the phone or send MMS containing the spyware to users to lure them to click. As the spyware is artfully disguised, users will easily be trapped.

NetQin warns that smart-phone users are exposed to more mobile security threats than ever and users should always be cautious whenever performing operations on their mobile devices.

To stay safe, NetQin experts give the following tips in using your phone:

1. Never click open MMS from unknown numbers as they may get your phone infected. Instead, delete them upon receipt.
2. Be on alert for unusual behavior on your phone, such as unusual SMS.
3. Don't leave your phone out of your sight in public environments.
4. Install a trusted security application to protect your phone from security threats.

Article taken from HELP NET SECURITY

Arachni v0.2.2.1 is out!

2011-02-24T08:21:00.000-08:00

Updated: Added link to CDE package.
Update #2: Watch the new WebUI v0.1-pre screencast on Vimeo.

Hello good people,
I’m very glad to announce the release of the v0.2.2.1 version of the Arachni framework which bears a lot of new features, improvements, optimizations and a brand new, although experimental, Web user interface.
There are new plugins, new modules, new system components, support for high-level meta-analysis using meta-module components, a brand new HTML report and much more.
Acknowledgements

Before continuing, I’d like to thank all the people who helped make this release as good as it turned out to be.
First and foremost, I’d like to thank Christos Chiotis (of Survive the Internet ) for volunteering his time, designer talent and good taste in order to create the new HTML scan report.
I’d also like to thank Matt and Michelangelo for their relentless testing and plethora of feature suggestions.

If you don’t feel like installing anything at all you can download the self-contained Linux CDE package from the downloads section.
The CDE package will allow you to run Arachni out of the box without requiring installation or any sort of root access.
ChangeLog
- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (New)
   - Basically a front-end to the XMLRPC client
   - Support for parallel scans
   - Report management
   - Can be used to monitor and control any running Dispatcher
- Changed classification from "Vulnerabilities" to "Issues" (New)
- Improved detection of custom 404 pages.
- Reports updated to show plug-in results.
- Updated framework-wide cookie handling.
- Added parameter flipping functionality ( cheers to Nilesh Bhosale )
- Major performance optimizations (4x faster in most tests)
   - All modules now use asynchronous requests and are optimized for highest traffic efficiency
   - All index Arrays have been replaced by Sets to minimize look-up times
   - Mark-up parsing has been reduced dramatically
   - File I/O blocking in modules has been eliminated
- Crawler
   - Improved performance
   - Added '--spider-first" option (New)
- Substituted the XMLRPC server with an XMLRPC dispatch server (New)
   - Multiple clients
   - Parallel scans
   - Extensive logging
   - SSL cert based client authentication
- Added modules (New)
   - Audit
      - XSS in event attributes of HTML elements
      - XSS in HTML tags
      - XSS in HTML 'script' tags
      - Blind SQL injection using timing attacks
      - Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
      - Blind OS command injection using timing attacks (*nix, Windows)
   - Recon
      - Common backdoors    -- Looks for common shell names
      - .htaccess LIMIT misconfiguration
      - Interesting responses   -- Listens to all traffic and logs interesting server messages
      - HTML object grepper
      - E-mail address disclosure
      - US Social Security Number disclosure
      - Forceful directory listing
- Added plugins (New)
   - Dictionary attacker for HTTP Auth
   - Dictionary attacker for form based authentication
   - Cookie collector    -- Listens to all traffic and logs changes in cookies
   - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
   - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
   - WAF (Web Application Firewall) Detector
   - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
      - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
      - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.
           It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
      - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
- New behavior on Ctrl+C
   - The system continues to run in the background instead of pausing
   - The user is presented with an auto-refreshing report and progress stats
- Updated module API
   - Timing/delay attacks have been abstracted and simplified via helper methods
   - The modules are given access to vector skipping decisions
   - Simplified issue logging
   - Added the option of substring matching instead of regexp matching in order to improve performance.
   - Substituted regular expression matching with substring matching wherever possible.
- Reports:
   - Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (New)
   - New HTML report (Cheers to Christos Chiotis for designing the new HTML report template.) (New)
   - Updated reports to include Plug-in results:
      - XML report
      - Stdout report
      - Text report

I sincerely hope that you enjoy and find it useful, if you have any suggestions or problems don’t hesitate to open a ticket @ https://github.com/Zapotek/arachni/issues.

Cheers,
Tasos “Zapotek” Laskos (Lead Developer)

To download this tool, please click this link:
https://github.com/Zapotek/arachni/zipball/v0.2.2.1
To watch a video about this tool:
http://vimeo.com/19928281

Emergency Message to all Inj3ct0r Users

2011-02-22T00:56:00.000-08:00

Dear Inj3ct0r users =]

Inj3ct0r blocked the domain again. =\
Nothing! Inj3ct0r Team will live forever. Our new domain : http://www.1337day.com/
Official sources with Inj3ct0r.com is:
http://twitter.com/inj3ct0r
http://www.facebook.com/inj3ct0rs

mr.inj3ct0r@gmail.com
if the domain is unavailable, Inj3ct0r project is available at http://77.120.120.218/
------------------------------------------------

Unavailable :
inj3ct0r.com , inj3ct0r.org , inj3ct0r.net , 0xr00t.com , 0x0day.com, 1337db.com
------------------------------------------------

Help us financially. We will be very happy.
As more domains will be closed the more we'll register ;)
Please distribute this message on their blogs!
Underground h4x0r forever!

//r0073r
# 1337day.com [2011-02-21]

How to Get Rapidshare Premium Account

2011-02-21T02:25:00.000-08:00

Today I will show how you can earn money online and that too without much difficulty. Just follow the steps given below:

1. Create a Paypal Premium Account( Don’t Worry its free) https://www.paypal.com/ . When asked for credit card details simply say cancel. You do not need to fill it.

2. Then Go to the following link:

http://www.AWSurveys.com/

3. On joining this website, you will get 27 USD just for writing 7 simple surveys which will take not more than 30 minutes.

4. Now the only problem is that the minimum payout limit for this website is 75 USD. But you can earn 1.25 USD on referring this website to your friend.

5. So you just take the referral link from this website and paste it on your facebook status. Don’t forget to mention about it benefits so that your friends register through that link.

6. Suppose you have 500 friends on facebook and out of them only 10% register through your link then also you earn 62.5 USD which gets added to 27 USD that you had earned from surveys. Thus the total 89.5 USD crosses the Payout limit.

7. Now you can get that money into your Paypal Account use it not only to buy your own Rapidshare premium account but also for buying other stuff online.

8. That’s it. So Simple and I swear it works.

Update: Some people have a compliant that Awsurveys doesn’t pay them what they have earned and that it is a SPAM. I would like to tell you that I have already used this website earlier and I had received the payment every time. I am not saying that these guys are lying about their experience with Awsurveys but there are few reasons why they may not have received the payment. The only problem with this website is that it doesn’t communicate with the user if he is violating any terms and conditions instead of that it just cancels their payments. When you request some payout from this website, they have a policy to verify if the accounts that were referred by the user are not fraudulent and they remove the amount gained from these fraudulent accounts from the total amount in your account. Sometimes the reduced amount is less than the amount redeemed by the user and their harsh policy is to cancel the whole payment without even reimbursing the remaining amount. Now you might be thinking how to avoid this? One advice i would give you is to keep atleast 20-25 USD in excess when you are redeeming the amount. In this way you are making sure that even if there were 15 accounts which the website found to be fraudulent still the total wont get below the amount requested by you. Another condition is of the maximum amount that one can redeem in a year. A user can redeem at max 550 USD in one year if you request for payout more than that then hey will just cancel that payment without reimbursing the money in your account. I already faced the latter one which indicates that I have atleast earned upto 550 USD

Article from Hungry Hackers (Hacking Truth)

Pyrit Tool- GPU Cracker for Attacking WPA/WPA2 PSK Protocols

2011-02-20T22:45:00.000-08:00

Pyrit allows to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security-protocols.

WPA/WPA2-PSK is a subset of IEEE 802.11 WPA/WPA2 that skips the complex task of key distribution and client authentication by assigning every participating party the same pre shared key. This master key is derived from a password which the administrating user has to pre-configure e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate following traffic. The "shortcut" of using a single master key instead ofper-user keys eases deployment of WPA/WPA2-protected networks for home- and small-office-use at the cost of making the protocol vulnerable to brute-force-attacks against it's key negotiation phase; it allows to ultimately reveal the password that protects the network. This vulnerability has to be considered exceptionally disastrous as the protocol allows much of the key derivation to be pre-computed, making simple brute-force-attacks even more alluring to the attacker. For more background see this article on the project's blog.

The author does not encourage or support using Pyrit for the infringement of peoples' communication-privacy. The exploration and realization of the technology discussed here motivate as a purpose of their own; this is documented by the open development, strictly sourcecode-based distribution and 'copyleft'-licensing.

Pyrit is free software - free as in freedom. Everyone can inspect, copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, MacOS X and Linux as operation-system and x86-, alpha-, arm-, hppa-, mips-, powerpc-, s390 and sparc-processors.

Attacking WPA/WPA2 by brute-force boils down to to computing Pairwise Master Keys as fast as possible. Every Pairwise Master Key is 'worth' exactly one megabyte of data getting pushed through PBKDF2-HMAC-SHA1. In turn, computing 10.000 PMKs per second is equivalent to hashing 9,8 gigabyte of data with SHA1 in one second. The following graph shows various performance numbers measured on platforms supported by Pyrit.

You can see Youtube how to use this tool:
http://www.youtube.com/watch?v=HY9Y99bOyhE

To download the latest Pyrit 0.40, please see this link:

http://code.google.com/p/pyrit/downloads/list

For more information about this Pyrit tool, please see the link below:

http://code.google.com/p/pyrit/

Inguma - Penetration Testing Toolkit

2011-02-10T05:40:00.000-08:00

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits.
While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing. Inguma is still being heavily developed so be sure to stay current and check back for news and updates.

You can see more details about Inguma and documentations here:
http://code.google.com/p/inguma/

Mantra - Free and Open Source Browser Based Security Framework

2011-02-10T05:29:00.000-08:00

The Mantra is a powerful set of tools to make the attacker's task easier. The beta version of Mantra Security Toolkit contains following tools built onto it. You can also always suggest any tools/ scripts that you would like see in the next release.

Access Me
Add N Edit Cookies+
Chickenfoot
CookieSwap
DOM inspector
Domain Details
Firebug
Firebug Autocompleter
Firecookie
FireFTP
Firesheep
FormBug
FoxyProxy
Google Site Indexer
Greasemonkey
Groundspeed
HackBar
Host Spy
HttpFox
iMacros
JavaScript Deobfuscator
JSview
Key Manager
Library Detector
Live HTTP Headers
PassiveRecon
Poster
RefControl
Refspoof
RESTClient
RESTTest
Resurrect Pages
Selenium IDE
SQL Inject ME
Tamper Data
URL Flipper
User Agent Switcher
Vitzo WHOIS
Wappalyzer
Web Developer
XSS Me

You can download Mantra from this link:
http://www.getmantra.com/download/index.html

Cybercrime investigation center beefed up

2011-01-24T07:18:00.000-08:00

The prosecution has decided to bolster its cybercrime investigation center to better cope with hacking and other illegalities on the Internet.

It will assign an additional 25 investigators to its cybercrime squad which is currently comprised of eight officers, the Seoul Central District Prosecutors' Office said Sunday.

The cybercrime investigation center tracks down hackers, electronic commerce fraud, the leak of private information, and other crimes that are committed on the Internet.

“We expect this enforcement of investigations will provide a great leverage for the cybercrime investigation center to crack down on all kinds of crimes on the Internet,” a prosecution official said.

Its move comes as the number of cybercrimes jumped to 164,536 cases in 2009 from 136,819 in 2008.

Article from: The Korea Times

FBI Investigating Gawker Media Hack

2010-12-16T12:06:00.000-08:00

The FBI confirmed to PC World that it is investigating the recent intrusion by a group of hackers into Gawker Media's servers last weekend. The hack exposed more than 200,000 reader e-mail addresses and passwords, and the data is now circulating online as a peer-to-peer torrent file. An FBI representative declined to comment further about the ongoing investigation; however, Gawker Media founder and CEO Nick Denton was scheduled to meet with federal authorities on Monday, according to The New York Post .

On Sunday, an online hacker collective calling itself Gnosis broke into the servers of Gawker Media, which owns a variety of popular online blogs including Deadspin, Fleshbot, Gawker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku and Lifehacker. The hackers obtained the e-mail addresses and passwords for the company's employees, and the source code for Gawker Media's content management system. Gnosis hackers also obtained the login credentials for readers who were registered to leave comments on Gawker Media websites.

Gawker Media said most user login information was encrypted, but Gnosis managed to crack the credentials for more than 200,000 accounts. The exposed login information is now part of a data dump contained in a torrent file available on peer-to-peer file sharing networks.

It's not entirely clear what inspired the attack against Gawker, but a person claiming to represent Gnosis recently told the blog Mediaite that the hacker group broke into the company's servers because of Gawker's "outright arrogance." Previously, it was suggested the Gawker hack was related to the company's ongoing feud with members of 4chan, an online message board. The Gnosis representative said there was no connection between the hacker group and 4chan.

Despite the potentially criminal acts perpetrated by Gnosis hackers, more high-minded hackers (among software engineers the term hacker refers to someone who is a programming expert) were coming to the defense of Gawker Media users. Readers of Y Combinator's Hacker News -- a news aggregator and discussion thread for technology start-up entrepreneurs and software engineers -- banded together to create an automated e-mail program to alert the 200,000 people whose e-mails and passwords were exposed by Gnosis.

If arrested, it's not yet clear what charges those responsible for breaking into Gawker's servers would face.

This article is taken from NetworkWorld.

ESF Exploit Next Generation® SQL Fingerprint™

2010-10-15T22:32:00.000-07:00

SQL Server fingerprinting can be a time consuming process. It involves a lot many trial and error methods to fingerprint the exact SQL Server version. Intentionally inserting an invalid input to obtain a typical error message or using certain alphabets that are unique for a certain server are two of the ways to possibly fingerprint a server. But, when it comes to the Microsoft SQL Server fingerprinting, Exploit Next Generation® SQL Fingerprint™ (f.k.a. Microsoft SQL Server Fingerprint Tool) tool is the best!

The Exploit Next Generation® SQL Fingerprint™ (ESF) is a powerful tool which performs version fingerprinting for:

   1. Microsoft SQL Server 2000;
   2. Microsoft SQL Server 2005; and
   3. Microsoft SQL Server 2008.

The Exploit Next Generation® SQL Fingerprint™ uses well-known techniques based on several public tools that are capable to identify the Microsoft SQL Server version (such as: SQLping and SQLver), but, instead of showing only the "raw version" (i.e., Microsoft SQL Version 10.00.2746), the Exploit Next Generation® SQL Fingerprint™ shows the mapped Microsoft SQL Server version (i.e., Microsoft SQL 2008 SP1 (CU5)).

The strengths of Exploit Next Generation® SQL Fingerprint™ are:
   1. It uses both TCP and UDP protocols to determine the Microsoft SQL Server version, making it much more reliable than any other public or commercial tool.
   2. It is capable to identify multiple Microsoft SQL Server instances and their TCP communication ports.
   3. It does not require any authentication method to identify the Microsoft SQL Server version.
   4. It uses probabilistic algorithm to identify the Microsoft SQL Server version, combining both TCP and UDP fingerprint.

SQL Server fingerprinting is necessary before performing any kind of penetration testing on database server and if you find its Microsoft SQL Server then this tool will surely help identifying granular level findings to further exploit database.

To download ESF:
http://code.google.com/p/esf/downloads/list

OWASP Zed Attack Proxy Project

2010-10-15T22:17:00.000-07:00

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The current version of ZAP is 1.0.0 and it can be downloaded from the Google Code page.

Some of ZAP's features:
    * Intercepting proxy
    * Automated scanner
    * Passive scanner
    * Spider

Some of ZAP's characteristics:
    * Easy to install (just requires java 1.6)
    * Ease of use a priority
    * Comprehensive help pages
    * Under active development
    * Open source
    * Free (no paid for 'Pro' version)
    * Cross platform
    * Involvement actively encouraged

ZAP is a fork of the well regarded Paros Proxy.

You can download ZAP v1.0 here:
http://code.google.com/p/zaproxy/downloads/detail?name=ZAP_1.0.0_installer.exe
http://code.google.com/p/zaproxy/downloads/detail?name=ZAP_1.0.0b_installation.tar.gz

Social Engineering 101 (Q&A)

2010-08-18T00:58:00.000-07:00

One of the more interesting events at this year's Defcon hacker conference in Las Vegas late last month was a social-engineering contest that targeted big companies like Microsoft, Google, and Apple. Participants pretending to be headhunters and survey takers were able to trick employees at the companies into giving out information over the phone that if it landed in the wrong hands could be used to sneak malware onto machines at the company or otherwise get access to the company's data.
The contest proved a number of things. That it is easy for strangers to get potentially sensitive information over the phone if they have a good ruse. That workers at companies, even tech companies that spend a lot of time and resources protecting their networks from hackers, were practically handing over the keys to the data storerooms without knowing it. And that humans are the weakest link in the security ecosystem and yet many corporations fail to recognize that.

To read more, please see here:

http://news.cnet.com/8301-27080_3-20013901-245.html

Easy Method: Blind SQL Injection

2010-05-16T07:16:00.000-07:00

Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

The attacker provides your database application with some malformed data, and your application uses that data to build a SQL statement using string concatenation. This allows the attacker to change the semantics of the SQL query. People tend to use string concatenation because they don’t know there’s another, safer method, and let’s be honest, string concatenation is easy, but it’s wrong step. A less common variant is SQL stored procedures that take a parameter and simply execute the argument or perform the string concatenation with the argument and then execute the result.

Nowadays, it is very easy to perform Blind SQL injection compare to a few years ago because a lot of SQL injection tools available on the Internet. You can download it from security website or hacker website and use it to test for MySQL, MSSQL or Oracle. By using these automated tools, it is very easy and fast to find holes or bugs for SQL injection or Blind SQL injection from a website.

In this article, I will show you how to find and perform Blind SQL injection testing using several tools. By using these methods, you can complete your testing in less than 10 minutes and it is very useful method especially for penetration testers or security consultants who have to complete their penetration testing in certain period of time. You can finish your penetration testing and get the better results using the simple methods.

You can download my article from The Exploit Database:
http://www.exploit-db.com/download_pdf/12622

Xplico 0.5.7: VoIP tapping and phone numbers

2010-05-14T08:45:00.000-07:00

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on.

This release introduces improvements in the SIP and RTP dissectors. In this version was also added the RTCP dissector, with this dissector Xplico is able to obtain the phone numbers of the caller and called party (obviously only if present in the RTCP packets). DEFT 5.1 Live distribution contains this version.
You can download source code and Ubuntu 10.04 package here.

More about Xplico:
http://sourceforge.net/projects/xplico/files/
http://www.xplico.org/

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

2010-05-14T07:57:00.000-07:00

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation. OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
You can download Suricata v0.9 here:
http://www.openinfosecfoundation.org/download/suricata-0.9.0.tar.gz

For more details, please refer here:
http://www.openinfosecfoundation.org/

Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts

2010-05-14T07:50:00.000-07:00

Bank thieves have rolled out a new weapon in their arsenal of tactics — telephony denial-of-service attacks that flood a victim’s phone with diversionary calls while the thieves drain the victim’s account of money.
A Florida dentist lost $400,000 from his retirement account last year in this manner, and the FBI said the attacks are growing.
A spokeswoman for the Communication Fraud Control Association — a telecom industry organization — told Threat Level that although fraudulent transfers have been halted in a number of cases, the losses are increasing.
“I know it’s in the millions,” said Roberta Aranoff, executive director of the CFCA. “It has exceeded a million dollars easily.”
Last November, Robert Thousand Jr., a semi-retired dentist in Florida, received a flood of calls to several phones. When he answered them, he heard a 30-second recording for a sex hotline, according to the St. Augustine Record.
In December, he discovered that $399,000 had been drained from his Ameritrade retirement account shortly after he’d received the calls. About $18,000 was transferred from his account on Nov. 23, with a $82,000-transfer following two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000 each on Dec. 2 and 4. The thieves withdrew the money in New York.
Thousand’s son, who shares his name, received similar harassing calls, though his financial accounts were not touched. Thousand did not respond to a request from Threat Level for comment.
The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests. FBI spokesman Bryan Travers said AT&T, Thousand’s phone carrier, contacted the agency’s New Jersey office to help investigate the matter. The agency has since seen at least 16 similar cases since November, most of them occurring in the last few weeks.
In some cases, the victims simply heard dead air when they answered their phone or heard a brief advertisement or other recorded message. Some victims had to change their phone numbers to halt the harassing calls.

The perpetrator who targeted Thousand created a number of VoIP accounts, which were used with automated dialing tools to flood the dentist’s home, business and cellphone with calls.
Generally in these cases, Travers said, the thief obtains the victim’s account information through some other means — perhaps through a phishing attack or other method — and then contacts the financial institution to change the victim’s contact information. In this way, the institution will call the thief instead of the victim to verify a money transfer request.
Many banks, however, now contact customers at their previous phone number when contact information on their account has changed.
But with these attacks, the institution’s calls are prevented from reaching the victim, whose phone is tied up with a flood of diversionary calls.
AT&T spokesman Marty Richter told Threat Level that the perpetrators then generally contact the financial institution posing as the victim to complain that a requested money transfer hasn’t gone through. When the institution discloses that it tried unsuccessfully to contact the victim to authenticate the transfer, the perpetrator says he’s been having phone troubles and verifies that the transfer should proceed.
Richter says that other telecommunication companies have been alerted to the problem and are warning customers when they call to complain about harassing calls that the issue may be related to their financial accounts. The victims are warned to place fraud alerts on their financial and credit bureau accounts and block any electronic fraudulent money transfers that may be in the works.
“This may appear to some people that they’re just having a connect issue with their phone carrier,” he said, “and we want to alert them that this may not be the case.”
Travers said that in most cases so far, the victims have acted quickly enough to prevent money from being drained from their accounts, but he says there may be many other cases that haven’t yet been reported to the FBI. He urged consumers who may have been victims to contact the FBI.

Facebook Rolls Out New Login Security Features

2010-05-14T07:48:00.000-07:00

Facebook is now one of the most popular targets for phishers, hackers and scammers. According to the Associated Press, however, Facebook is in the process of rolling out some new security features that will protect its users from malicious attacks, spam and phishing scams. For a while now, Facebook already offered users the ability to be notified when an account was accessed from a computer or device they hadn't used before. Now, Facebook will also alert users of unusual activity on their accounts and allow users to register their devices with Facebook.

Update: Facebook just confirmed these new security updates on its blog. We have updated this post with more information.
Suspicious Logins

If somebody tries to access your account from the other side of the world, for example, Facebook will now notify you that something is amiss with your account and add an additional layer of authorization to the log-in process. According to Facebook, these additional verification methods could include asking for a your birth date (you did enter your real birth date on Facebook, didn't you?) or asking you to identify a friend in a picture and answering a standard security questions if you previously provided one.

To read more details, please refer here:
http://www.readwriteweb.com/archives/facebook_rolls_out_new_security_features_to_fight_hackers.php

Howto: DNS Enumeration

2010-04-29T08:58:00.000-07:00

A penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

The first step of penetration testing or more accurately called information security testing is information gathering. Information gathering is part of the preparatory pre-attack phase and involves accumulating data regarding a target's environment and architecture, usually for the purpose of finding ways to intrude into that environment. Information gathering can reveal system vulnerabilities and identify the ease with which they can be exploited. This is the easiest way for attacker to gather information about computer systems and the companies they belong to. The purpose of this phase is to learn as much as you can about a system, its remote access capabilities, its ports and services, and any specific aspects of its security.

Using a combination of tools and techniques, attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks, subnets, routers, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture. Although there are many types of information gathering techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access, and extranet.

To read more details, you can download my article here:

http://www.exploit-db.com/download_pdf/12389

http://www.packetstormsecurity.org/filedesc/dns-enumeration.pdf.html

Manual Verification of SSL/TLS Certificate Trust Chains using Openssl

2010-04-25T05:45:00.000-07:00

I found two article about verification of SSL/TLS certificate Trust Chain by using manual verification technique.

Part One:
http://blog.taddong.com/2010/04/manual-verification-of-ssltls.html
Part Two:
http://blog.taddong.com/2010/04/manual-verification-of-ssltls_24.html

To read more, please refer to this link:

http://isc.sans.org/diary.html?storyid=8686

CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

2010-04-16T16:09:00.000-07:00

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. To download it, click here:
http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.pdf

General Approach

Identify which log sources and automated tools you can use during the analysis.
Copy log records to a single location where you will be able to review them.
Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
Determine whether you can rely on logs’ time stamps; consider time zone differences.
Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Go backwards in time from now to reconstruct actions after and before the incident.
Correlate activities across different logs to get a comprehensive picture.
Develop theories about what occurred; explore logs to confirm or disprove them.

Typical Log Locations

Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats.

What to Look for on Linux

Successful user login- “Accepted password”, “Accepted publickey”, "session opened”
Failed user login- “authentication failure”, “failed password”
User log-off- “session closed”
User account change or deletion- “password changed”, “new user”, “delete user”
Sudo actions- “sudo: … COMMAND=…”, “FAILED su”
Service failure- “failed” or “failure”

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID.Most of the events below are in the Security log; many are only logged on the domain controller.

User logon/logoff events -Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes- Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes- To self: 628; to others: 627
Service started or stopped- 7035, 7036, etc.
Object access denied (if auditing enabled)- 560, 567, etc

What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

Traffic allowed on firewall- “Built … connection”, “access-list … permitted”
Traffic blocked on firewall- “access-list … denied”, “deny inbound”; “Deny … by”
Bytes transferred (large files?)- “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage- “limit … exceeded”, “CPU utilization”
Detected attack activity- “attack from”
User account changes- “user added”, “user deleted”, “User priv level changed”
Administrator access- “AAA user …”, “User … locked out”, “login failed”

What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication- Error code 401, 403
Invalid request- Error code 400
Internal server error- Error code 500

Other Resources

Windows event ID lookup: www.eventid.net
A listing of many Windows Security Log events: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Log analysis references: www.loganalysis.org
A list of open-source log analysis tools: securitywarriorconsulting.com/logtools
Anton Chuvakin’s log management blog: securitywarriorconsulting.com/logmanagementblog
Other security incident response-related cheat sheets: zeltser.com/cheat-sheets

How to choose your Information Security Training

2010-04-16T13:36:00.000-07:00

Article taken from: http://www.offensive-security.com/blog/offsec/questions-information-security-training-provider/

In the past couple of years, the economy has struck hard on organizations seeking to educate their employees. Training budgets have been cut down, and choosing the right course that will give you real Return on Investment is not an easy job. This is especially true in the offensive InfoSec arena, where training standards and qualifications are weakly defined. So how can you make sure your getting your money’s worth ?

Welcome to our “10 questions you should be asking your InfoSec Training Provider“.

1. What are the objectives of the training ?

What will the training do for you ? Anyone promising you that you will be a “hardcore penetration tester” or a “security expert” after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security, or penetration testing. This is one of the first questions I ask before attending a training… its allows me to set my goals for the course and gives me a baseline for my expectations.

2. What topics does the course cover ?

Always read the syllabus of the course you want to attend, before you attend it. Try finding other people who have taken the class, (if possible) and get their opinion. Try to see if the syllabus follows a reasonable methodology, or if it’s just a collection of topics. If you see a list of 1500 tools on the syllabus – expect to spend around 0.6 minutes per tool.

3. Who is your trainer ?

Are they well known in their field ? Do they have training experience ? Are they involved in the security community ? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing – the ability of the trainer to provide the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Most computer genii are usually lacking in their social skills – something a good trainer must have.

4. What previous reviews does the class have ?

Running a few internet searches for the name of your class, or the name of the trainer is a must. Find out what people have to say about their experiences – during and after the class. Although you can’t believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.

5. What is the ratio of students to trainers ?

How many students will there be in the class ? Some training providers cram more than 30 students in one class – often with a single instructor. During a 5 day period, a trainer can’t give personal attention to 30 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.

6. What is the ratio between theory and hands-on exercises ?

Remember the famous saying “In theory, there is no difference between theory and practice – But in practice, there is”. If you don’t exercise what you learn, you are less likely to retain or understand it as nothing replaces practical experience. Ask for a rough ratio estimate for “theory VS exercise” for your class – anything above 40% class-time spent on exercises is a good sign. Of course, this greatly depends on the quality of the exercises too.

7. How often is the course updated ? Is the material relevant to modern day situations ?

Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine with RCP DCOM doesn’t cut it any more. On the other hand, don’t expect to learn “Bypassing Windows 7 Stack Protection” in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.

8. What are the pre-requisites for the class ?

How should you prepare yourself for the class? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class, and then lagging behind because you are not up to par with the class requirements. Not good for your learning experience, and not good for your self esteem – on the other hand “no pre-requisites required” might indicate lack of depth. If the pre-requisites were defined well by the training provider, it’s definitely a good resource to use to evaluate the relevancy of the course to you.

9. Is there a certification involved ? What is it’s value ?

The “value” of a certification can be measured in the real world using two main indicators:

The “market value” of the certification – how popular is this certification in the workforce ? Is the certificate recognized and appreciated by the industry ? And of course, will it help you get a (better) job ?

The “practical value” of the certification – or as Eddie Murphy would say “WHAT HAVE YOU DONE FOR ME LATELY?”. What real world skills does the certificate prove? If it proves you can memorize 100 questions, you might not be up to the job when confronted with a real world scenario.

10. What post training benefits are provided?

What ongoing benefits will you get from the training provider, if any ? Is there a continuation path for the training ? Will the trainers be available for future questions or issues that may arise ? Is there a student community you can join, to discuss the course with other student ? Or in other words, what kind of “post customer service” can you expect ?

These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, therefore you should always maximize the return you receive.

Proof of Concept for MS10-006 SMB Client-Side Bug

2010-04-16T13:28:00.000-07:00

This is a technic to automate with no user interaction at all SMB client side bug exploitation targeting the Domain Master Browser (DMB) or PDC (only the PDC can be a DMB)which is basicaly the perfect target in a pentest. Targeting the DMB is perfect, simply because if you control that box, you'll control all computer joined to this box tree.

Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.

It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.

There's two way to automate SMB client side bug;

NBNS Spoofing (require some "kind" of user interaction in some way, anyways in a corporate network it works pretty well)

Browser Protocol Abusing (the funny one)

In this case I will cover a form of Browser Protocol Abusing.

To see more details:
http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html

Top 5 Security No Brainers for Businesses

2010-04-14T10:28:00.000-07:00

Occasionally folks forget about covering the fundamentals of security and start off down a rabbit hole following some shiny new technology that turns out to be just a rat hole. With today's limited security budgets you need to be sure that you've adequately covered your highest risk areas before moving on to other things. The high-risk areas are, of course, not the same for everyone and will change on you fairly frequently. The bad guys are always mixing it up; the attacks we see prevalent today are not those that we saw just a few years ago. Thus the reason for this article, to take a look at the top 5 security solutions you can put in place today to cover the widest scope of current and emerging threats. In many respects these solutions are considered obvious "no brainers". But, you'd be surprised by how many companies (big and small) that don't have them in place. Many times it is the obvious that temporarily escapes us (or at least escapes those holding the purse strings ☺)
These 5 items working together will stop more cyber attacks on your data, network and users than any other 5 items in the marketplace today. There are lots of other very useful security solutions on the market but when it comes to picking the top five most effective and readily available ones here are my choices:
Firewall – The keystone of network defense for a decade or more is still required for solid foundational security. Its job is still fairly simplistic; control what data flows can go where. Without firewalls in place to drop unwanted flows, your job of protecting your assets increases exponentially. Firewalls need to be present at your external perimeters but also inside of your network for secure segmentation of data. Deploying firewalls internally is a relatively new best practice. It is largely driven by the dissolution of any sense of a tangible, reliable network border that can differentiate trusted network traffic from untrusted external network traffic anymore. Our nice clean Internet border of old just doesn't exist anymore in modern networks. What has also recently changed is that firewalls are getting smarter and more granular in there definition of data flows. It is now common for a firewall to be able to control a data flow based on the type of application or even application function it represents. For example, a firewall can block a SIP voice call based on what number was dialed.
Secure Router (FW, IPS, QoS, VPN) – Routers are everywhere in most networks. By tradition they have been used just as traffic cops for flows. But modern routers can do so much more than that! Routers are chock full of security features, sometimes even more so than a modern firewall. Most routers in the industry today are capable of robust firewalling features, some semblance of useful IDS/IPS functionality, robust quality of service and traffic management tools and of course strong Virtual Private Network data encryption features. The list doesn't stop there either. The power of modern routers to add to the security of your network is commonly overlooked today. With modern vpn technology it is fairly straight-forward to start encrypting all of the data crossing your WAN links, but very few people do so. It is also too atypical that folks use the firewall functions and IPS features in their routers. Turn 'em on and see your security posture improve!
Wireless WPA2 – This is the no-brainer of them all. If you aren't using WPA2 wireless security then stop what you are doing and form a plan to start doing so. Many other methods of wireless security are not secure and can be compromised in minutes. Don't make it easy for the bad guys, turn on WPA2 with AES encryption today.
Email Security – We all know email is currently the top attack vector used by black hats. Viruses, malware and worms all love to use email as their propagation method. Email is also the top way we loose most of our sensitive data. On top of the threats and data loss we experience through email we also have simple junk mail, spam. About 90% of all email sent today is spam! A good email security solution will get rid of the junk and filter out the malicious stuff as well. It is likely that if you are getting a lot of spam through your current system then you are getting even more malware through it. The thought process being that the spam features in email security gateways is usually the focus, core competency of the product. So if it is not doing its job dropping spam then it certainly isn't doing its job catching malware and data leakage.
Web Security – Threats coming from port 80 and 443 are rising faster than any other threat vector today. The expanding complexity of web based attacks necessitates that a company deploy a robust web security solution. Simple URL filtering has been with us for years and it is a core component to web security for sure. However, web security needs more than just URL filtering it needs AV scanning, malware scanning, IP reputation awareness, dynamic URL categorization techniques and Data leakage prevention functions. Attackers are compromising high profile sites at such an alarming rate that if we just relied on URL white list, black list filtering we'd have nothing left in the white list anymore! Any web security solution has to be able to dynamically scan web traffic to make a decision on its validity. Of all the solutions listed here, it is in web security where taking the risk of deploying a cutting edge, best of breed solution will pay of the most. The other solutions on the list are, for the most part established and mature. Web security solutions bells and whistles are coming out as fast as the hackers are building new attacks. Well ok, not quite that fast.
What are your thoughts on my choices for top 5 security no brainers? Think I got it wrong or right? If you had to add a sixth one what would it be?
If your company doesn't have all of these 5 in place today, go bang on some doors and raise the roof on awareness! Don't let it all burn!

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

Article taken from: http://www.networkworld.com/community/node/59971

How security professionals monitor their kids

2010-04-14T10:25:00.000-07:00

April 12, 2010 (CSO) Cell phones, texting, IM, e-mail, Facebook, MySpace -- kids are interconnected today in ways hardly imagined two decades ago. But these technology-based communication platforms also enable new forms of an age-old parenting strategy: monitoring your kids.
Who are they talking to? What are they talking about? Are they going where they said they are going?
Most of us with children think about this stuff. But parents who work by day as security professionals live in a heightened state of risk awareness, and also have the expertise and the tools to monitor kids' behavior and communication in many ways.
[Also see: Social media risks: The basics]
Is it any easier to put the proper measures in place to ensure your child's security since you already have an expertise in this area? Or do you go overboard because of you are hyperattuned to risk? And what is the right balance of freedom and guidance to provide for kids?
Turns out it was tricky issue before social networking, and remains tricky now. Here are views and strategies collected from an array of security professionals.

'Spying' on your kids?

Martin McKeay, a CISSP and security consultant who maintains a popular network security web site and blog, recently found out how divided security professionals are on the issue of monitoring children. McKeay, the father of two boys aged 8 and 10, received an intriguing message recently from someone on a mailing list who wanted his opinion.
"It asked 'What kind of software can I use to spy on my children and read their every email?'" said McKeay, who was slightly taken aback by the wording and the person's obvious, no-bones-about-it attitude that they intended to pry into their kids' lives without warning or limit.
"I consider that going over the top. So I went on Twitter and asked other people: 'How do you think this should be handled? Is it through monitoring software, or parental relationships?'" McKeay recounted. "With rare exceptions, most people said both. But there were some strong opinions about monitoring what your kids do."
McKeay said he was surprised that his responses, mostly from other security professionals, revealed many were willing to do at least some covert monitoring with software programs without the kids' knowledge or consent. The majority felt open and frank discussion, along with some disclosed parental control with products such as Net Nanny, and other similar programs that block web sites and monitor activity, was the best approach.
But he estimates about 25 percent of those who answered his question thought monitoring all actions without telling their kids they were doing so was OK.
"I kind of expected in the security community that more people would realize some of the dangers of that kind of secret monitoring. But I guess when it comes to your kids, most people seem to be more concerned with keeping them safe online than the potential impact on the relationship."
By danger, McKeay means loss of trust when the child realizes he is being "spied on," as he puts it. He believes secret, and also open-but-excessive, monitoring of a child's activities infringes on a kid's privacy rights and will set parents up for potential damage to the relationship with their children in the future. He also thinks leaving them no room to make mistakes means they won't learn the security skills they need when navigating the dangers of the internet.

To see full article, read here:
http://www.computerworld.com/s/article/print/9175373/How_security_professionals_monitor_their_kids?taxonomyName=Security&taxonomyId=17

apache.org incident report for 04/09/2010

2010-04-14T10:19:00.000-07:00

apache.org incident report for 04/09/2010

Apache.org services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software.

The Apache Software Foundation uses a donated instance of Atlassian JIRA as an issue tracker for our projects. Among other projects, the ASF Infrastructure Team uses it to track issues and requests. Our JIRA instance was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS.
Password Security

If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised.

JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords.

Bugzilla uses a SHA-256, including a random salt. The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use.

In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them.
What Happened?

On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:

ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]

Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights.

At the same time as the XSS attack, the attackers started a brute force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations.

On April 6th, one of these methods was successful. Having gained administrator privileges on a JIRA account, the attackers used this account to disable notifications for a project, and to change the path used to upload attachments. The path they chose was configured to run JSP files, and was writable by the JIRA user. They then created several new issues and uploaded attachments to them. One of these attachments was a JSP file that was used to browse and copy the filesystem. The attackers used this access to create copies of many users' home directories and various files. They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under.

By the morning of April 9th, the attackers had installed a JAR file that would collect all passwords on login and save them. They then sent password reset mails from JIRA to members of the Apache Infrastructure team. These team members, thinking that JIRA had encountered an innocent bug, logged in using the temporary password sent in the mail, then changed the passwords on their accounts back to their usual passwords.

One of these passwords happened to be the same as the password to a local user account on brutus.apache.org, and this local user account had full sudo access. The attackers were thereby able to login to brutus.apache.org, and gain full root access to the machine. This machine hosted the Apache installs of JIRA, Confluence, and Bugzilla.

Once they had root on brutus.apache.org, the attackers found that several users had cached Subversion authentication credentials, and used these passwords to log in to minotaur.apache.org (aka people.apache.org), our main shell server. On minotaur, they were unable to escalate privileges with the compromised accounts.

About 6 hours after they started resetting passwords, we noticed the attackers and began shutting down services. We notified Atlassian of the previously unreported XSS attack in JIRA and contacted SliceHost. Atlassian was responsive. Unfortunately, SliceHost did nothing and 2 days later, the very same virtual host (slice) attacked Atlassian directly.

We started moving services to a different machine, thor.apache.org. The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine.

By April 10th, JIRA and Bugzilla were back online.

On April 13th, Atlassian provided a patch for JIRA to prevent the XSS attack. See JRA-20994 and JRA-20995 for details.

Our Confluence wiki remains offline at this time. We are working to restore it.
What worked?

Limited use passwords, especially one-time passwords, were a real lifesaver. If JIRA passwords had been shared with other services/hosts, the attackers could have caused widespread damage to the ASF's infrastructure. Fortunately, in this case, the damage was limited to rooting a single host.
Service isolation worked with mixed results. The attackers must be presumed to have copies of our Confluence and Bugzilla databases, as well as our JIRA database, at this point. These databases include hashes of all passwords used on those systems. However, other services and hosts, including LDAP, were largely unaffected.

What didn't work?

The primary problem with our JIRA install is that the JIRA daemon runs as the user who installed JIRA. In this case, it runs as a jira role-account. There are historical reasons for this decision, but with 20/20 hindsight, and in light of the security issues at stake, we expect to revisit the decision!
The same password should not have been used for a JIRA account as was used for sudo access on the host machine.
Inconsistent application of one time passwords; We required them on other machines, but not on brutus. PAM was configured to allow optional use of OPIE, but not all of our sudoers had switched to it.SSH passwords should not have been enabled for login over the Internet. Although the Infrastructure Team had attempted to configure the sshd daemon to disable password-based logins, having UsePAM yes set meant that password-based logins were still possible.
We use Fail2Ban for many services, but we did not have it configured to track JIRA login failures.

To see full article, please read the link below:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010

How to unwrap PL/SQL

2010-04-14T10:03:00.000-07:00

The Oracle wrap utility can be used to obfuscate PL/SQL code, to ensure it can't be easily read. The wrapping process for Oracle 9g described by Pete Finnigan, but for 10g and 11g it still remains a bit of a mystery.
To see pdf file about How to Unwrap PL/SQL, see the link below:
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Finnigan.pdf

The unwrapping steps for 10g are nicely described in the Oracle Hacker's Handbook, but the actual substitution table needed to decode the package is omitted. A lot of people seem to know how to do it though, there is even an online unwrapper available. See the link below:
http://hz.codecheck.ch/UnwrapIt/Unwrap.jsp
A Russian-made closed source tool is also available, but tends to upset virus scanners.To download unwrap.py, please click the link below:
http://www.teusink.net/unwrap.py

For more details, please refer here:
http://blog.teusink.net/2010/04/unwrapping-oracle-plsql-with-unwrappy.html

Netsparker® Community Edition

2010-04-13T05:25:00.000-07:00

We are proud to announce Free Netsparker® Community Edition. It's a free edition of our False Positive free scanner Netsparker for the community so you can start securing your website now. It's user friendly, fast, smart and as always False Positive Free.

Netsparker® Community Edition shares many features with Netsparker® Professional and just like Netsparker Professional, Community Edition is also False Positive Free. It can detect SQL Injection and Cross-site Scripting issues better than many other scanners (if not all), and it's completely FREE.

http://www.mavitunasecurity.com/communityedition/

Very powerful! Nice!! Try it lorr...better than other scanner

Introducing Meta-Information XSS

2010-04-07T13:41:00.000-07:00

A few months back I was playing around with DNS text records and started thinking about what I could include in them. Given that so much of my time is spent with web application security, my first attempt was a simple XSS. Then I just needed a web page to display the information, I started looking at websites that allow you to perform DNS resolution and websites that verify SPF filters. None of these websites filtered the data. This lead me to start looking at other types of meta-information (or metadata) we access, manipulate and view on a daily basis but never really consider as potentially harmful. Other places that came up included: Whois data, SSL Certificate info, and Server Banners (SMTP/HTTP). I'm sure there are others but these are the ones I looked at.

As I was looking into contacting the various websites, I started thinking about how you could classify this type of XSS. While data has to be provided in some of the requests, you aren't providing the attack, so it's not really reflected. At the same time nothing is stored on the server to be displayed to future users (at least nothing malicious), so it's not really persistent. It's also definitely not DOM based. That lead to the conclusion that this needed a new classification and I decided to go with Meta-Information Cross Site Scripting or miXSS (pronounced my-XSS).

To download whitepaper and presentation:
http://blog.ncircle.com/blogs/vert/archives/2010/04/introducing_metainformation_xs.html

Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

2010-04-02T07:20:00.001-07:00

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst’s workstation via firewire, USB, or eSATA. The unit is compatible with Logicube’s Dossier imager and Logicube’s second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I’ve not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be happy to do a write up.)

If you’ve ever analyzed a PDF, you’ve probably used a tool created by Didier Stevens. Didier has figured out a way to make certain PDF readers execute embedded binaries. Check out his explanation in Good Reads.

Disk encryption in various forms is becoming more common when it comes to incident response and forensics. In response to its customer’s requests, Passware has updated their flagship product to handle TrueCrypt. Their product also has support for BitLocker.

To read more:
http://blogs.sans.org/computer-forensics/2010/04/01/digital-forensics-case-leads-gear-pdfs-abuse-defeating-truecrypt/

Sharing vs. your privacy on Facebook

2010-04-02T07:18:00.000-07:00

(CNN) -- Facebook is, by its nature, a social experience.

But as the undisputed king of social networking expands ways for its users to interact, it's raising more questions about how much of their information is made available to people they don't know.

In some cases, users may not even realize it's happening.

One example is the hundreds of thousands of developers approved by Facebook to create games, quizzes and other applications. Some of those developers are able to access basic information about users after a Facebook friend has started using their application.

Facebook provides pages of instructions on how people can tighten up their privacy settings to hide their personal information from other users and outside applications.

But some observers say that too many of the site's estimated 400 million users don't know how to do so.

Microsoft researcher and social-media analyst Danah Boyd, speaking at last month's South by Southwest Interactive festival, said none of the "non-techy" users she talked to about their privacy settings knew how they were configured.

"I ask them what they think their settings are and then ask them to look at their settings with me. I have yet to find someone whose belief matched up with their reality," said Boyd, a keynote speaker at the Austin, Texas festival. "That is not good news."

In January, Facebook announced that 35 percent of its users had tweaked their privacy settings after a December change that made more information public.

To be sure, that represents millions of users. But Boyd said that can't possibly be all the people who want at least some of the privacy features that Facebook's new default settings changed.

"Are there Facebook users who want their content to be publicly accessible? Of course," she said. "But 65 percent of all Facebook users? No way."

For Facebook, it's a balancing act. The site wants to give users the privacy they've come to expect, but at the same time make information available to create experiences that will compete with other emerging applications such as Foursquare and Twitter.

Twitter, as well as photo sharing sites such as Picasa, default to open access, making them more accessible by outside applications and search engines. Facebook's material that is public can also be searched -- for example, by Google's new social search feature -- while private material cannot.

"The experience that we're trying to provide through the Facebook platform is fundamentally a social one," said Simon Axten, a manager on Facebook's public policy team. "There are some really interesting and useful applications that have come out of that development that really allow people to have a social experience that involves the people that they are friends with."

Axten said the rules of the road for developers are pretty strict. Basically, developers are instructed to collect only the data they need for their application. Anything else could land them in trouble, he said.

For example, an application that lets users send friends an electronic greeting card might need to know their birthday or anniversary. Games that require players to work together must know which other friends play the game so it can send them alerts when they need to act.

Axten said Facebook can take "a spectrum of actions" when it discovers inappropriate use of people's information -- from warning developers who may not realize they're misusing the data to disabling a developer's access to the site.

No application can access a user's most sensitive data, such as contact information, according to Facebook. And the site announced late last year that they're working on a new approval process that will require an application to more specifically state what information it wants to access.

Mike Rasmussen is president of Republic of Fun, a game company with a crowdsourcing app on Facebook that lets users give feedback and advice on current games and, in the near future, to suggest new ones. He said Facebook's list of rules for developers is a strict one.

"Developers, if they were creative, could certainly abuse it," he said. "But with Facebook, it's almost not worth it. They make it so easy to get what you really need, unless you're being malicious."

Rasmussen said his application stores a single identifier for users and does not even keep their names. He said he's only heard "second- or third-hand" about developers getting into trouble for pushing the boundaries.

Evan Brown, a Chicago technology and intellectual-property attorney, said he's not familiar with any legal cases involving private information gathered by a Facebook developer.

He said Facebook's rules governing outside developers are designed so the site may legally expel a developer easily.

"They have the sole discretion to determine what the crime is, and they have the sole discretion to determine the punishment," said Brown, who blogs about Internet legal issues.

Facebook's Axten said a team monitors complaints, which users can file simply by clicking a link that's on every Facebook application. The team also regularly monitors popular and fast-growing applications and conducts random checks, he said.

And of course there are personal settings. A user can click the "Account" tab at the top right of their Facebook home page, then scroll down to "Application Settings" and "Privacy Settings" to make changes.

Increasing awareness about that ability is what Facebook and other social-networking sites need to work harder on, Boyd said.

"While you want your services to go viral, help users walk through the value proposition first," she said. "Not through a video, but through an experience."

Article from: http://www.cnn.com/2010/TECH/ptech/04/01/facebook.developers.privacy/index.html