Saturday, September 30, 2006

Articles about PF (undeadly.org)

Friday, September 29, 2006

ZERT Analysis of CVE-2006-4668 and Patch Description

The vulnerability in Microsoft’s Vector Graphics Rendering Engine (vgx.dll) exists due to an overzealous for() loop that copies data from a large, dynamically allocated buffer into an inadequate, fixed-size buffer on the stack. The data being copied in this routine is user-supplied as a Vector Markup Language (VML) “fill method” attribute. Legitimate values for the attribute include “none”, “any”, “linear”, and “sigma” [Specification draft for VML]. A vulnerable version of the library will copy the user-supplied string without checking its size, allowing a malicious document containing an overly-long fill method string to cause data to be written outside of the destination buffer’s boundaries. The ZERT patch for this vulnerability adds a check to the code before it can begin execution of the described loop. If the length of the user-supplied fill method string is greater than 512 bytes (size of destination buffer), the loop is avoided by making a jump to the function’s cleanup instructions, and subsequently returns null...
A short instructive article (pdf) from ZERT.
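The pattern ZERT describes, a bounded copy into a fixed 512-byte stack buffer plus a length check in front of it, written out as an added C example. This is not ZERT's patch or any vgx.dll code; `fill_attr_t`, `copy_fill_method`, `is_known_fill_method` and `parse_fill_method` are hypothetical names. One detail differs from the description of the binary patch: because this version stores a NUL-terminated string, it reserves one byte for the terminator and rejects anything of 512 bytes or more, rather than only strings longer than 512. It also adds the stricter check a parser can apply here, accepting only the values the VML draft defines.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed stack destination as given in the ZERT write-up. */
#define FILL_METHOD_BUF 512

/* Hypothetical stand-in for the fixed-size destination on the stack. */
typedef struct {
    char method[FILL_METHOD_BUF];
} fill_attr_t;

/*
 * The vulnerable shape described in the advisory is, in effect:
 *     for (i = 0; i < src_len; i++) out->method[i] = src[i];
 * with no comparison of src_len against sizeof out->method, so an attribute
 * longer than the buffer writes past the end of the stack frame.
 */

/* Hardened copy: returns 1 on success, 0 when the input is rejected
 * (the analogue of the patched routine "returning null"). */
int copy_fill_method(fill_attr_t *out, const char *src, size_t src_len)
{
    /* The length check the patch adds, with one byte kept for the NUL
     * terminator so the copy below can never reach the buffer's end. */
    if (src_len >= sizeof out->method)
        return 0;
    memcpy(out->method, src, src_len);
    out->method[src_len] = '\0';
    return 1;
}

/* Stricter defence: only accept the values the VML draft defines. */
int is_known_fill_method(const char *m)
{
    static const char *known[] = { "none", "any", "linear", "sigma" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(m, known[i]) == 0)
            return 1;
    return 0;
}

/* Full attribute handling: bounded copy first, then allowlist check. */
int parse_fill_method(fill_attr_t *out, const char *src, size_t src_len)
{
    if (!copy_fill_method(out, src, src_len))
        return 0;
    return is_known_fill_method(out->method);
}

int main(void)
{
    fill_attr_t a;
    char oversized[600];               /* constructed over-long attribute */
    memset(oversized, 'A', sizeof oversized);

    printf("linear   -> %d\n", parse_fill_method(&a, "linear", 6));
    printf("600 x A  -> %d\n", parse_fill_method(&a, oversized, sizeof oversized));
    return 0;
}
```

The length check alone stops the overflow; the allowlist is what a parser should have been doing in the first place, since none of the legitimate values come anywhere near 512 bytes.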

Thursday, September 28, 2006

Understanding Cross Site Scripting by Hardik Shah

There are many web applications which are designed to permit the input of html tags for displaying html formatted data. These tags can be used by malicious users to attack other users by inserting scripts or malicious applets etc. This is called cross site scripting or XSS. Such attacks are the result of poor input validation. It uses the combination of html and scripting languages. With the proper combination of html and java script an intruder can misguide the client and perform various attacks, from DoS (by opening an enormous number of windows on the client side) to embedding malicious FORM tags at the right place: a malicious user may be able to trick users into revealing sensitive information by modifying the behavior of an existing form, or, by embedding scripts, an intruder can cause various problems. This is by no means a complete list of problems, but hopefully this is enough to convince you that this is a serious problem.
If you are not familiar with XSS, this article will help you start learning about it (pdf format).
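The defence side of the description above, as an added C example that is not code from Hardik Shah's article: untrusted text is encoded before it is placed into HTML, so tags, scripts or FORM elements supplied by a user are displayed literally rather than interpreted by the browser. `html_escape` and `render_comment_safe` are hypothetical names, and the sample comment strings are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode the five characters that let untrusted text break out of an HTML
 * text node or a quoted attribute value. Returns the number of bytes written
 * (excluding the NUL), or -1 if `out` is too small. */
int html_escape(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        char single[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t n = strlen(rep);
        if (o + n >= out_size)        /* keep room for the terminator */
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Render a user-supplied comment into a page fragment. Concatenating the raw
 * string here is exactly the flaw the article describes; escaping first means
 * the browser shows the characters instead of executing them. Returns the
 * fragment length or -1 on error. */
int render_comment_safe(const char *comment, char *page, size_t page_size)
{
    char esc[1024];
    if (html_escape(comment, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(page, page_size, "<p class=\"comment\">%s</p>", esc);
    return (n < 0 || (size_t)n >= page_size) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs of the kind the article warns about. */
    const char *inputs[] = {
        "<script>alert(1)</script>",
        "<form action=\"https://example.invalid/\">",
        "plain & harmless text",
    };
    char page[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (render_comment_safe(inputs[i], page, sizeof page) > 0)
            printf("%s\n", page);
    }
    return 0;
}
```

Encoding at output time is the part input validation cannot replace: even data that passed a form check may later be rendered in a context where `<` or `"` has meaning, and the escaper is what keeps it inert there.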

Wednesday, September 27, 2006

Understanding Sql Injection by Hardik Shah

This vulnerability occurs due to lack of proper validation of user entered data in web applications. It may be possible that the programmer is a newcomer and lacks understanding of such kinds of attacks. But in many cases I have seen that most of the time programmers are too lazy to consider and apply proper security checks. Most programmers believe that the client or end user will always give correct input to the application. They even check for some minor validations like empty strings or null values etc., but they never think of the fact that a user can insert a specially crafted query which reveals all the important information of your machines. With the outsourcing boom many companies started and they have less experienced programmers, so such kinds of attacks heavily exist in today’s web applications...
If you are not familiar with SQL injection, this article will help you start learning about this type of vulnerability (pdf format).

Wednesday, September 20, 2006

Torpark browser makes Web surfing more anonymous

The browser is free to download at torpark.nfshost.com. It's a modified version of Portable Firefox, an optimized version of the browser that can be run off a USB memory stick on a computer. The Torpark browser uses encryption to send data over The Onion Router, a worldwide network of servers nicknamed "Tor" set up to transfer data to one another in a random, obscure fashion.
Read the article from pcworld through netsec.

Tuesday, September 19, 2006

See the bigger picture on data security

Don’t let suppliers put the blinkers on – even the best electronic security won’t safeguard your data if the physical aspects of protection have been overlooked.
Read the Article.

Monday, September 18, 2006

Is BGP Update Storm a Sign of Trouble: Observing the Internet Control and Data Planes During Internet Worms

In this paper, we studied BGP update storms during three well-known Internet worms—Code Red, Nimda, and Slammer—and found that while BGP update storms occurred in all three worms, the performance of the data plane degraded during the Slammer worm but did not during the Code Red and Nimda worms. While it is certainly important to pay attention to the occurrence of BGP update storms, our results show that a BGP update storm does not necessarily map to data plane disruption.
Future work includes further investigation on exactly what factors from the control plane caused the data plane degradation during the Slammer worm, especially given that there is no significant degradation during the other two worms. We have also studied the impact on the data plane by artificially introducing routing changes, which we call “mild stress,” and it would be useful to compare the results from both severe stress and mild stress.
Read the article in pdf format and related post on wormblog.

Saturday, September 16, 2006

NIST Guide to Intrusion Detection and Prevention (IDP) Systems (DRAFT)

This publication describes the characteristics of IDP technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. There are many types of IDP technologies, which are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDP technologies:
- Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves
- Network Behavior Anomaly Detection (NBAD), which examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware
- Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
Read the guide in pdf format (2.3 MB).
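To make the Network Behavior Anomaly Detection category concrete, here is an added C example (not from the NIST guide) of the simplest NBAD rule: flow records are summarised per source host, and a host that contacts more distinct destination ports than a threshold within the window is flagged as scan-like. The flow records, the threshold of 5 and the names `distinct_dports`, `is_port_scanner` and `report_scanners` are all constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed flow record, the shape a NetFlow-style collector would hand
 * an NBAD sensor: source host, destination host, destination port. */
typedef struct {
    const char *src;
    const char *dst;
    int dport;
} flow_t;

/* Constructed sample window: 10.0.0.5 sweeps eight ports on one target,
 * 10.0.0.7 does ordinary web traffic. */
static const flow_t SAMPLE_FLOWS[] = {
    { "10.0.0.5", "10.0.0.9", 21 },   { "10.0.0.5", "10.0.0.9", 22 },
    { "10.0.0.5", "10.0.0.9", 25 },   { "10.0.0.5", "10.0.0.9", 80 },
    { "10.0.0.5", "10.0.0.9", 443 },  { "10.0.0.5", "10.0.0.9", 445 },
    { "10.0.0.5", "10.0.0.9", 3389 }, { "10.0.0.5", "10.0.0.9", 8080 },
    { "10.0.0.7", "10.0.0.9", 80 },   { "10.0.0.7", "10.0.0.9", 443 },
    { "10.0.0.7", "10.0.0.9", 80 },
};
#define SAMPLE_FLOW_COUNT (sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0])

#define MAX_TRACKED_PORTS 1024
#define MAX_TRACKED_HOSTS 64

/* Number of distinct destination ports `src` contacted in the window. */
size_t distinct_dports(const flow_t *flows, size_t n, const char *src)
{
    int seen[MAX_TRACKED_PORTS];
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(flows[i].src, src) != 0)
            continue;
        size_t j;
        for (j = 0; j < count; j++)
            if (seen[j] == flows[i].dport)
                break;
        if (j == count && count < MAX_TRACKED_PORTS)
            seen[count++] = flows[i].dport;
    }
    return count;
}

/* The anomaly rule: more than `threshold` distinct ports is scan-like. */
int is_port_scanner(const flow_t *flows, size_t n, const char *src, size_t threshold)
{
    return distinct_dports(flows, n, src) > threshold;
}

/* Evaluate every source in the window once; returns the number flagged. */
size_t report_scanners(const flow_t *flows, size_t n, size_t threshold)
{
    const char *done[MAX_TRACKED_HOSTS];
    size_t ndone = 0, flagged = 0;
    for (size_t i = 0; i < n; i++) {
        size_t k;
        for (k = 0; k < ndone; k++)
            if (strcmp(done[k], flows[i].src) == 0)
                break;
        if (k < ndone)
            continue;                      /* already evaluated this source */
        if (ndone < MAX_TRACKED_HOSTS)
            done[ndone++] = flows[i].src;
        if (is_port_scanner(flows, n, flows[i].src, threshold)) {
            printf("ALERT scan-like behaviour: %s contacted %zu distinct ports\n",
                   flows[i].src, distinct_dports(flows, n, flows[i].src));
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    report_scanners(SAMPLE_FLOWS, SAMPLE_FLOW_COUNT, 5);
    return 0;
}
```

The point of the NBAD category is visible even in this toy: no packet payload is inspected, only the flow summary, which is why such sensors catch scanning and flooding but not an exploit inside a single well-formed connection, and why the guide treats it as a separate class from network-based signature inspection.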

Friday, September 15, 2006

Microsoft Windows Security Center: The Voice of Security for Windows Vista

Windows® Security Center (WSC) is a comprehensive security status reporting console that enables Windows Vista™ customers to understand the ongoing security state of their computer, and provides a method for third-party ISVs to evaluate the current security state of the system. Microsoft Corp. first introduced WSC in Windows XP Service Pack 2 and has enhanced its capabilities in Windows Vista based on customer and ISV feedback. Windows Security Center collects information from Microsoft® Windows and third-party security components designed to protect users from computer threats. To provide users with a higher degree of security protection, Windows Security Center now reports the status of security components and provides the capability for direct remediation of unsafe settings for both Windows components and third-party security solutions... Windows Security Center is now a more comprehensive security status reporting console with key benefits for end users as well as third-party software vendors. Users can now better understand the ongoing security state of their computer, no matter which vendor integrating with WSC provides the solution. Third-party providers can now integrate their security software directly with the Windows Security Center to deliver a seamless product experience, while still maintaining a single location for the security status of the computer. In addition, WSC now allows third-party ISVs to evaluate the current security state of the system. These combined benefits make Windows Security Center the voice of security in Windows Vista.
Get the whitepaper from here (doc format).

Thursday, September 14, 2006

10 security problems unique to IT

#1: System penetration threats
#2: Internet security realities
#3: Portability of hardware
#4: Proliferation of new communication methods
#5: Complexity of software
#6: Degree of interconnection
#7: Density and accessibility of media
#8: Centralization
#9: Decentralization
#10: Turnover
Read Jeff Relkin's article.

Wednesday, September 13, 2006

Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

Motivated by the proliferation of wireless-enabled devices and the suspect nature of device driver code, we develop a passive fingerprinting technique that identifies the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-specific exploit. In particular, we develop a unique fingerprinting technique that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device. We perform an evaluation of this fingerprinting technique that shows it both quickly and accurately fingerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent fingerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking.
Read the pdf file and related slashdot discussion.

Tuesday, September 12, 2006

Core Impact Penetrates Deeply

We ran address-book exploits against Opera Software's Opera, Microsoft's Outlook and the Mozilla Foundation's Thunderbird browsers. We left our browsers configured in default states running on systems configured as end-user workstations, with only a passing attempt at changing parameters to make the systems secure. (We made sure the Linux systems were up-to-date and that our Windows XP systems had the latest service pack and patches installed.) Using the address-book modules, we were able to get an agent to automatically enumerate entries from compromised systems. A related module that successfully ran on a compromised Windows XP system allowed us to automatically capture auto-complete passwords stored in Microsoft's Internet Explorer.
A "Core Impact 6" Review by Cameron Sturdevant.

Monday, September 11, 2006

Exploiting the Otherwise Unexploitable on Windows

This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.
An article from Uninformed.

Sunday, September 10, 2006

Take a closer look at OpenBSD

OpenBSD is quite possibly the most secure operating system on the planet. Every step of the development process focuses on building a secure, open, and free platform. UNIX® and Linux® administrators take note: Without realizing it, you probably use tools ported from OpenBSD every day. Maybe it's time to give the whole operating system a closer look.
Take a closer look at this article!