
Monday, October 03, 2011

HITB SecConf2011 Malaysia (October 10 to 13)

Run as a not-for-profit, community-backed effort, the Hack in The Box Security Conference (HITBSecConf) series has become the ‘must attend’ event in the calendars of security professionals from around the world.
Having started as a small gathering of Malaysian security specialists in 2002, the event has since expanded out of its home base in Kuala Lumpur to Dubai and, in 2010, The Netherlands. Our events are put together by a team of dedicated crew and volunteers, and through the continued support of our sponsors HITBSecConf has grown into the largest network security conference in the Asia Pacific and Middle East region!
The main aim of our conferences has always been to enable the dissemination, discussion and sharing of deep network security knowledge. Our main focus is on new and groundbreaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf events bring together a unique mix of security professionals, researchers, law enforcement and members of the hacker underground under one roof, and our flagship event in Malaysia sees over 1000 attendees.
The event runs over a 4-day period, with 2 days of intensive hands-on training sessions followed by a two-day conference with either three or four concurrent tracks, inclusive of a hands-on lab session (HITB Labs) and 15-minute lightning talks (HITB SIGINT). The HITB Labs cater for only 50-100 attendees, and these sessions are intensive, hands-on presentations that require audience interaction. The HITB SIGINT (Signal Intelligence/Interrupt) sessions, on the other hand, are designed to provide a quick 15-minute overview of material and research that is 'up and coming' - work that isn't quite ready for the mainstream tracks of the conference but deserves a mention nonetheless.
In addition to the conference tracks, our events are further enhanced with an open-to-public technology and exhibition area, lock picking villages, hackerspace villages and, of course, our ever popular Capture The Flag competition (CTF)!

For more information about the agenda and speakers, please see the link below:
http://conference.hitb.org/hitbsecconf2011kul/

Friday, April 16, 2010

CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. To download it, click here:
http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.pdf


General Approach
  • Identify which log sources and automated tools you can use during the analysis.
  • Copy log records to a single location where you will be able to review them.
  • Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
  • Determine whether you can rely on logs’ time stamps; consider time zone differences.
  • Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
  • Go backwards in time from now to reconstruct actions after and before the incident.
  • Correlate activities across different logs to get a comprehensive picture.
  • Develop theories about what occurred; explore logs to confirm or disprove them.

Typical Log Locations
  • Linux OS and core applications: /var/log
  • Windows OS and core applications: Windows Event Log (Security, System, Application)
  • Network devices: usually logged via Syslog; some use proprietary locations and formats.
What to Look for on Linux
  • Successful user login- “Accepted password”, “Accepted publickey”, “session opened”
  • Failed user login- “authentication failure”, “failed password”
  • User log-off- “session closed”
  • User account change or deletion- “password changed”, “new user”, “delete user”
  • Sudo actions- “sudo: … COMMAND=…”, “FAILED su”
  • Service failure- “failed” or “failure”
What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For the corresponding Vista/7 security event ID, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.
  • User logon/logoff events- Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
  • User account changes- Created 624; enabled 626; changed 642; disabled 629; deleted 630
  • Password changes- To self: 628; to others: 627
  • Service started or stopped- 7035, 7036, etc.
  • Object access denied (if auditing enabled)- 560, 567, etc.
What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
  • Traffic allowed on firewall- “Built … connection”, “access-list … permitted”
  • Traffic blocked on firewall- “access-list … denied”, “deny inbound”; “Deny … by”
  • Bytes transferred (large files?)- “Teardown TCP connection … duration … bytes …”
  • Bandwidth and protocol usage- “limit … exceeded”, “CPU utilization”
  • Detected attack activity- “attack from”
  • User account changes- “user added”, “user deleted”, “User priv level changed”
  • Administrator access- “AAA user …”, “User … locked out”, “login failed”
What to Look for on Web Servers
  • Excessive access attempts to non-existent files
  • Code (SQL, HTML) seen as part of the URL
  • Access to extensions you have not implemented
  • Web service stopped/started/failed messages
  • Access to “risky” pages that accept user input
  • Look at logs on all servers in the load balancer pool
  • Error code 200 on files that are not yours
  • Failed user authentication- Error code 401, 403
  • Invalid request- Error code 400
  • Internal server error- Error code 500 
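The Linux section of the checklist is a table of strings to look for; the script below is an added example (not part of the checklist) that turns that table into regexes, classifies each line of a constructed auth log, and applies the checklist's "add 4096" rule to translate a Windows 2000/XP security event ID to its Vista/7 equivalent. The precedence rule for the generic "failed/failure" bucket is my own triage choice, not the checklist's.

```python
import re
from collections import Counter

# Category -> patterns, taken from "What to Look for on Linux" above.
LINUX_PATTERNS = {
    "successful_login": [r"Accepted password", r"Accepted publickey", r"session opened"],
    "failed_login": [r"authentication failure", r"failed password"],
    "logoff": [r"session closed"],
    "account_change": [r"password changed", r"new user", r"delete user"],
    "sudo": [r"sudo: .*COMMAND=", r"FAILED su"],
    "service_failure": [r"\bfail(ed|ure)\b"],
}

# Constructed sample log; hosts, users and addresses are made up.
SAMPLE_AUTH_LOG = """\
Apr 16 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Apr 16 09:12:04 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Apr 16 09:13:40 web01 sshd[2240]: Accepted publickey for deploy from 203.0.113.5 port 41022 ssh2
Apr 16 09:13:40 web01 sshd[2240]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Apr 16 09:14:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd svc
Apr 16 09:14:02 web01 useradd[2260]: new user: name=svc, UID=1003, GID=1003, home=/home/svc, shell=/bin/bash
Apr 16 09:20:11 web01 sshd[2240]: pam_unix(sshd:session): session closed for user deploy
Apr 16 09:25:30 web01 systemd[1]: auditd.service: Main process exited, code=exited, status=1/FAILURE
"""

def classify(line):
    """Return the set of checklist categories whose patterns match this line."""
    hits = {cat for cat, pats in LINUX_PATTERNS.items()
            if any(re.search(p, line, re.IGNORECASE) for p in pats)}
    # Triage choice (mine): the generic failed/failure bucket only counts
    # when nothing more specific (e.g. a failed login) explained the line.
    if len(hits) > 1:
        hits.discard("service_failure")
    return hits

def summarize(log_text):
    """Count matching lines per category, so noise can be trimmed before review."""
    counts = Counter()
    for line in log_text.splitlines():
        counts.update(classify(line))
    return counts

def vista_event_id(legacy_id):
    """Checklist rule: Vista/7 security event ID = Windows 2000/XP ID + 4096."""
    return legacy_id + 4096

if __name__ == "__main__":
    for cat, n in sorted(summarize(SAMPLE_AUTH_LOG).items()):
        print(f"{cat:18} {n}")
    print("XP logon 528 ->", vista_event_id(528))  # 4624 on Vista/7
```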

Wednesday, March 03, 2010

Microsoft Security Advisory (981169) - Vulnerability in VBScript Could Allow Remote Code Execution

Microsoft has released a new advisory for a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer.

The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate this issue.
The full Microsoft advisory is here:
http://www.microsoft.com/technet/security/advisory/981169.mspx

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Note that attackers must use social-engineering techniques to convince an unsuspecting user to press the 'F1' key when the attacker's message box prompts them to do so: some user interaction is needed, and the victim has to press F1 while the MsgBox popup is displayed. It is possible to pass a remote Samba share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. The vulnerability allows a remote attacker to run arbitrary code on the victim's machine.

A proof of concept (PoC) for this vulnerability is available here:
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
01 Feb 2007: The vulnerability was discovered.
26 Feb 2010: Public disclosure
01 March 2010: Microsoft Security Advisory (981169)

I tested it on my machine and I understand how this vulnerability works. The screenshots below show some of my testing:
Screenshots 1 to 8 (images not reproduced here).

Tuesday, December 01, 2009

FreeBSD 8.0-RELEASE

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8.0-RELEASE. This release starts off the new 8-STABLE branch which improves on the functionality of FreeBSD 7.X and introduces many new features. Some of the highlights:
-Xen Dom-U, VirtualBox guest and host, hierarchical jails.
-NFSv3 GSSAPI support, experimental NFSv4 client and server.
-802.11s D3.03 wireless mesh networking and Virtual Access Point support.
-ZFS is no longer in experimental status.
-Ground-up rewrite of USB, including USB target support.
-Continued SMP scalability improvements in many areas, especially VFS.
-Revised network link layer subsystem.
-Experimental MIPS architecture support.

Please read here for more details:
http://www.freebsd.org/releases/8.0R/announce.html

Wednesday, February 28, 2007

Windows Vista Security

Hi all,
I know that too many people talk about Windows Vista security. Many security researchers and security professionals are still talking about the security innovations and features in Windows Vista, such as User Account Protection, BitLocker Drive Encryption and EFS, Windows Defender, Windows Firewall, Windows Security Center, Internet Explorer 7, and much more.

You can read the Windows Vista research by Symantec Security Response, which aims to provide a balanced and objective analysis of these improvements: a PDF paper on the Security Implications of Windows Vista and a blog about Vista security.

You can also read the slide presentation Windows Vista Security Explained, presented by Paul Thurrott, News Editor of Windows IT Pro Magazine.