Tuesday, October 31, 2006

Alan Cox warns on security of open-source code

"Things appear in the media, like 'open-source software is more secure, more reliable and there are less bugs.' Those are very dangerous statements," Cox said... The Software Quality Observatory for Open Source Software (SQO-OSS) is funded by the European Commission and it launched on Monday. Cox told delegates that metrics must not become targets.
Read this in ZDNet UK and Matt Asay's post on this.

Friday, October 27, 2006

The Ten Most Dangerous Online Activities

Most computer users have no idea how dangerous their online behavior is... No matter how many times you warn them, employees still manage to poison their computers with new malware because they "just couldn't resist looking at the attachment." Other common goofs: downloading software for personal use, lowering firewalls to speed up a connection and even leaving their passwords stuck to their laptops... The following is our list of the ten most dangerous things people do online, along with some explanation of the risks associated with each. The list is based on input from information technology professionals and is arranged in descending order of danger...
Read the article.

Wednesday, October 25, 2006

Hacking anonymity and TOR

TOR is endorsed by the Electronic Frontier Foundation (EFF) and is designed for individuals to circumvent Web censorship in countries such as China; however, the network could be used by criminals or even terrorists. Andrew Christensen, a Danish researcher at PacketStormSecurity.org, decided to see if he could determine who was using TOR by breaking the network's supposed anonymity. His theories about how he might do this appeared last spring in a paper entitled Peeling the Onion (coauthored with Dan Fearch of ScanNet). Now, Christensen's published workable code is in a paper called Practical Onion Hacking...
So are criminals using anonymizing services to arrange crimes over the Internet? Yes, but security experts agree that criminals (and possibly terrorists) have their own methods of anonymizing their Web traffic. So far, the bad guys aren't really using the TOR network...
Read the review and the papers:
1- Peeling the Onion
2- Practical Onion Hacking

Tuesday, October 24, 2006

Secure Habits - 8 Simple Rules For Developing More Secure Code

This article discusses:
* Using analysis tools and experts to review your code
* Reducing risk using fuzzing and threat modeling
* Keeping bad input out of your applications
* Learning all you can about security concepts
Read the MSDN Magazine/November 2006 article here.

Monday, October 23, 2006

Top 10 [Newcomer] Security Companies to Watch

"In security, you want to be the best. There aren't many customers out there that will brag they have the second-best security solution," says Mark Levine, managing director with Core Capital in Washington, D.C.... Below are 10 security companies we think are worth watching. Some are new to the market, others have reinvented themselves recently, still others are just beginning to make their mark on the corporate mind-set. All of them are worth keeping an eye on:
BitArmor Systems, Cogneto, Cryptolex Trust Systems, Declude, Exploit Prevention Labs, KoolSpan, NetworkStreaming, Savant Protection, Void Communications and Yoggie Security Systems
Read the article here.

Friday, October 20, 2006

Seven steps to increase Linux security

Ask a network administrator in any large organisation to compare Linux with network operating systems like Windows NT or Novell, and chances are he'll admit that Linux is an inherently more stable and scalable solution. Chances are he'll also admit that when it comes to securing the system from outside attack, Linux is possibly the most difficult of the three to work with.
Read the story.

Thursday, October 19, 2006

A Reality Check on PatchGuard

Hackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel; while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide. Now, you may ask yourself, if hackers can bypass PatchGuard, why don’t security vendors? We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop, if Microsoft decides to update PatchGuard.
Read the post in Symantec security response weblog.
+Update: MS to McAfee: Stop Lying to the Public

Wednesday, October 18, 2006

Google Hacking Database (GHDB)!

We call them 'googledorks' (gOO gôl'Dôrk, noun, slang) : An inept or foolish person as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe! Stop by our forums to see where the magic happens!
The page is here.

Tuesday, October 17, 2006

Blobs are Bad

A recent security advisory announced today by Rapid7 explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root..." Here's a good real-life example of why blobs are bad, for those that take the "pragmatic" approach and don't understand what all the fuss is about.
Read the post in undeadly.org, Rapid7 advisory (the bug reporter), related post in kerneltrap and slashdot discussion.

Monday, October 16, 2006

wicrawl

Wicrawl is a simple wi-fi (802.11x) Access Point auditor with a simple and flexible plugin architecture... The goal is to automate the tedious task of scanning wi-fi access points for interesting information. This can be a useful tool for penetration testers looking to “crawl” through massive numbers of APs looking for interesting data...
You can get more information here.

Sunday, October 15, 2006

Certification is About Clearing the Hurdles, Not Proving Knowledge

I'm a CISSP, I used to be a CCNA, and soon I'll have the GIAC-GSNA (System and Network Auditor) certification... I don't think certificates are useless, but too many people have the wrong expectations of their usefulness, especially entry-level certs. If you use certifications as a gauge of the effort a professional has put into their career advancement, you'll find them useful. But if you're trying to use them as a benchmark of knowledge, expect the lowest common denominator necessary to pass the test. To paraphrase an old joke, what do they call a CISSP who barely passed his test? A CISSP.
Read this weblog post by Martin McKeay.

Saturday, October 14, 2006

Security Java/J2EE Code Review - Identifying Web Vulnerabilities by Kiran Maraju

This paper gives an introduction to security code review inspections, and provides details about web application security vulnerability identification in the source code. This paper gives the details of the inspections to perform on the Java/J2EE source code. This paper explains the process of identifying vulnerable code and remediation details. This paper illustrates the specific locations in the code flow to be checked to identify web application vulnerabilities.
Read the article (in PDF format). In this article Maraju has gathered a list of code review tools for Java/J2EE that can be used for security review:
1- Escjava
2- Hammurapi
3- Jlint
4- JavaPathFinder
5- JavaPureCheck
6- Checkstyle
7- Pmd
8- Findbugs
I have used GNU/FindBugs and found it useful in Java code/bytecode analysis. See the FindBugs blog on Blogspot.

Friday, October 13, 2006

Exploit Code Hiding in Cache Servers

According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised. Although caching does not always save copies of everything on a website, it will still store code embedded in HTML, including programming formats such as JavaScript... "What our latest report shows is that current processes to remove such malicious content from the Web are simply not going far enough to combat this very serious and growing threat."
Read the article (in techworld.com) and slashdot discussion and the original report.

Thursday, October 12, 2006

More Reasons to Discuss Threats

The word "threat" is popular... I noticed the OWASP is trying to define various security terms as well... OWASP has Wiki pages for attack, vulnerability, countermeasure, and, yes, threat... It might be helpful to look at already published work when thinking about what these terms mean. Good sources include the following...
Read Richard Bejtlich's post.

Wednesday, October 11, 2006

Vulnerability Type Distributions in CVE

"If 'smashing the stack'-style buffer overflows were the first wave of serious exploitable problems, and heap overflows were the second wave, integer overflows are the third wave," says Thomas Ptacek, a researcher with Matasano Security. "Developers have gotten more careful about the first two problems, so auditors moved on."... Numbers can be used to allocate memory, so an integer overflow can make a buffer overflow attack possible, says Steve Christey, CVE editor and principal information security engineer at Mitre.
Read darkreading story and the original report in Mitre.
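Christey's point that "numbers can be used to allocate memory" is easiest to see in code. The following is an added example, not from the DarkReading story or the MITRE report: a constructed record format (a 4-byte little-endian count followed by 4-byte records) where the attacker-controlled count is multiplied by the record size to size a heap buffer. The unchecked multiplication wraps, so a count of 0x40000001 yields a 4-byte allocation that the copy loop would then overrun; the hardened loader refuses the count before allocating. The format, function names and sample inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed format for this example: 4-byte LE record count, then
 * 4-byte records. The count comes from untrusted input. */

/* Unchecked size computation: wraps modulo 2^32, so 0x40000001 * 4
 * evaluates to 4, far too small for a loop that copies count records. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked size computation: rejects any count whose product would wrap.
 * Returns 1 and writes *out on success, 0 if the multiplication overflows. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader: validates the count against arithmetic overflow and
 * against the real input length before allocating or copying anything.
 * Returns the number of records loaded (caller frees *out), or -1 if the
 * input is rejected. */
long load_records(const uint8_t *buf, size_t len, uint32_t **out) {
    const uint32_t elem_size = 4;
    uint32_t count, bytes;
    if (len < 4) return -1;
    count = read_le32(buf);
    if (!checked_alloc_size(count, elem_size, &bytes)) return -1; /* would wrap */
    if ((size_t)bytes > len - 4) return -1;  /* claims more data than is present */
    uint32_t *recs = malloc(bytes ? bytes : 1);
    if (!recs) return -1;
    for (uint32_t i = 0; i < count; i++)
        recs[i] = read_le32(buf + 4 + (size_t)i * elem_size);
    *out = recs;
    return (long)count;
}

/* Constructed inputs: a benign file with two records, and a hostile file
 * whose count (0x40000001) makes count * 4 wrap to 4 in 32-bit arithmetic. */
static const uint8_t BENIGN[]  = {2,0,0,0, 0x11,0,0,0, 0x22,0,0,0};
static const uint8_t HOSTILE[] = {0x01,0x00,0x00,0x40, 0xAA,0xAA,0xAA,0xAA};

int main(void) {
    uint32_t *recs = NULL;
    long n = load_records(BENIGN, sizeof BENIGN, &recs);
    printf("benign file: %ld records loaded\n", n);
    free(recs);
    printf("hostile count, unchecked size: %u bytes\n",
           unchecked_alloc_size(0x40000001u, 4u));
    printf("hostile file, hardened loader: %ld (rejected)\n",
           load_records(HOSTILE, sizeof HOSTILE, &recs));
    return 0;
}
```

The length check alone would not save the unchecked version: the hostile file is 8 bytes and the wrapped size is 4, so "4 bytes of records fit in 8 bytes of input" passes, and only the overflow check on the multiplication catches the mismatch between the allocation and the number of iterations.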

Tuesday, October 10, 2006

Learn Information Gathering By Example

Information gathering is usually the first step in penetration testing. It is indeed a very important part of penetration testing, and no penetration tester or Internet security enthusiast can be without the knowledge of how to successfully gather information on a target. This white paper goes through the steps and tools you can use in order to successfully gather information on a target web server:
1- Utilizing Search Engines
2- Utilizing NetCraft
3- Using Whois
4- Utilizing NSLookup
5- Brute Forcing DNS Names
6- Performing A Ping Sweep
7- Identifying Firewalls/Routers
8- Gathering Information From Emails
9- Obtaining Information With Scripts
Read the article in PDF format (by Aelphaeis Mangarae).

Monday, October 09, 2006

An Argument for Full Disclosure

No matter who finds a bug or what software/product it’s in, Full Disclosure is the only method that can ensure that the right people know about it without too much hassle. With Full Disclosure,
1- The holes get fixed. Isn’t that what it’s all about?
2- Such vulnerabilities can’t be abused by morally-challenged people.
3- It allows end-users a chance to backup their databases and take preliminary steps to securing their sites.
4- It provides the affected companies with a solution. If the exact bug and the associated steps of reproduction, the affected files/code, and the extent of damage are reported there really isn’t anything much left.
5- It embarrasses the company into taking immediate action and better care.
6- You get the credit you deserve for finding the flaw!
Read the original post.

Sunday, October 08, 2006

XSS Scanner

I got an email from another lurker today that I thought was pretty interesting. He’s intending to build a scanner to do some self-pen testing on his own websites and wanted some guidance. He was stuck on one of the three big questions (the others are the calendar or infinite depth issue and the login state issue). His issue was how to know what is bad and what isn’t from a web application security scanning perspective...
Read the post in ha.ckers.org.

Thursday, October 05, 2006

What’s in a hacker?

Chiesa is the director of communications at the Institute for Security and Open Methodologies (ISECOM) and he is on a mission to uncover the mysteries of hacker types... According to the study, there are nine types of hackers, which are: “Wannabe lamer”, script-kiddie; cracker; ethical hacker; the quiet, paranoid and skilled hacker (QPS); cyber-warrior; industrial spy; government agent; and military hacker.
Read the story and participate.

Tuesday, October 03, 2006

Risk Management - Risk Assessment

The purpose of this website is to address identified open problems in the area of Risk Management and to provide a road-map for addressing further open issues at a European level.
This site contributes to solving the following problems:
- low awareness of Risk Management activities within public and private sector organizations;
- absence of a “common language” in the area of Risk Management to facilitate communication among stakeholders;
- lack of surveys on existing methods, tools and good practices.
The website is located here.

Monday, October 02, 2006

Would You Hire a Former Black Hat?

He noted that there are currently many former black hats who are "really, really smart" and "with a bit of nurturing and guidance", were able to transform into good security researchers... "But all other things being equal, I'm not sure if I would hire someone who acquired the knowledge without having acquired it legally," Ducklin said... Mark Bregman, Symantec's senior vice president and chief evangelist, does not believe in hiring former black hat hackers or the equivalent, even if they are or claim to have reformed.
Read the story and related slashdot discussion.

Sunday, October 01, 2006

Presentations from 15th Usenix Security Symposium

MP3s, notes and slides are available here (through netsec).