A for-now blog of Araz Samadi

An inside look into building and releasing MS07-017

2007-04-09T12:26:00.000-07:00

As part of that, we not only investigate the specific issue that was reported to us, but any surrounding issues. Customers have told us clearly that they want us to make the security update as comprehensive as possible, they don’t want to have to apply multiple updates to address issues in the same components. So our triaging stage focuses on finding as many related issues as possible... Every vulnerability reported to Microsoft is triaged personally by a member of my team (in this case it was Adrian Stone) and they work on those issues reported to us end-to-end until the point we are able to produce an update that helps protect customers. In many cases, there is a delicate balance we strive to strike between meeting customer needs, our ability to test an update for appropriate quality and protecting customers against possible attacks...

Read the post in MSRC blog.

MOPB full review

2007-04-06T12:23:00.000-07:00

...
--without-iconv
--disable-json
--disable-mbregex
--disable-pdo
--disable-posix
--disable-reflection
--disable-filter
--disable-session
--disable-spl
--without-sqlite
--disable-tokenizer
--disable-libxml, --disable-xml, --disable-dom, --disable-simplexml, --disable-xmlreader & --disable-xmlwriter
...

Read the full story.

Physical Security in Mission Critical Facilities

2007-04-05T12:21:00.000-07:00

Technologies are in place, and getting less expensive, to implement broad range solutions based on the identification principles of What you have, What you know, and Who you are. By combining an assessment of risk tolerance with an analysis of access requirements and available technologies, an effective security system can be designed to provide a realistic balance of protection and cost.

Download the pdf file (25 pages) - through 'netsec.blogspot.com'.

Top Ten Threats for 2007

2007-02-12T04:00:00.000-08:00

1. 100% growth in revenue for cyber crime
2. DDoS in support of phishing attacks
3. Successful DDoS attack against a financial services firm
4. Attacks against DNS are the threat of the year
5. No abatement in identity theft
6. More attacks against wireless networks
7. MySpace grows up and gets secure
8. YouTube abuse threatens site
9. Network infrastructure shows signs of overloading
10. Spread of Windows Vista will have zero impact on the overall threatscape

Read Richard Stiennon's predictions for 2007.

Stack Overflow IRC Lecture

2007-02-02T14:43:00.000-08:00

Title: Stack Overflow IRC Lecture
Author/Lecturer: Aelphaeis Mangarae
Website: http://blackhat-forums.com
IRC: IRC.BlueHell.Org #BHF
Topic: Win32 Stack Based Buffer Overflow Exploitation

You can find it here.

Marcus J Ranum (MJR) and Bruce Schneier on Full Disclosure

2007-01-31T02:41:00.000-08:00

Marcus J Ranum (MJR) says:
- “After 10 years of full disclosure, security has not gotten any better”.
Bruce says:
- “Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.

Haha... See the full battle on securiteam blog.

The best practices for network security in 2007

2007-01-25T12:13:00.000-08:00

Here's my best practice list, in order of importance:
1. Roll out corporate security policies
2. Deliver corporate security awareness and training
3. Run frequent information security self-assessments
4. Perform regulatory compliance self-assessments
5. Deploy corporate-wide encryption
6. Value, protect, track and manage all corporate assets
7. Test business continuity and disaster recovery planning

Read the article (by Gary S. Miliefsky)

INTERNET RESOURCES FOR COMPUTER FORENSICS

2007-01-24T12:11:00.000-08:00

It is Great!

Chinese Prof Cracks SHA-1 Data Encryption Scheme (OR) SHA-1 added to list of "accomplishments"

2007-01-21T09:43:00.000-08:00

The reason for this change is that 41-years old associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has already cracked SHA-1... Professor Wang Xiaoyun, a graduate of Shandong University of Technology's mathematics department, and her research team obtained results by using ordinary personal computers... Wang's method of cracking the encryptions differs from all others. Although encryption analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods.

Read the article and slashdot discussion.

Open-Source Spying

2007-01-13T06:18:00.000-08:00

Top-secret information is becoming less useful than it used to be. “The intelligence business was initially, if not inherently, about secrets — running risks and expending a lot of money to acquire secrets,” he said, with the idea that “if you limit how many people see it, it will be more secure, and you will be able to get more of it. But that’s now appropriate for a small and shrinking percentage of information.” The time is past for analysts to act like “monastic scholars in a cave someplace,” he added, laboring for weeks or months in isolation to produce a report...

Read the article in nytimes.

"Teaching an Old Dog New Tricks" or "The Problem is Complexity"

2007-01-10T05:54:00.000-08:00

First off, it gave me a much-needed booster-shot of humility about my code. Having a piece of software instantly point out a dozen glaring holes in your code is never fun - but it's an important sensation to savour... More importantly, it showed me that tools like Fortify really do work, and that they find vulnerabilities faster and better than a human... The "many eyes" theory of software quality doesn't appear to hold true, either. FTWK was widely used for almost ten years, and only one of the problems I found with Fortify was a problem I already knew about.

Read Marcus J. Ranum's article here. (He is Chief Of Security for Tenable Security.)

Internet Explorer Unsafe for 284 Days in 2006

2007-01-06T04:18:00.000-08:00

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Read this article (by Brian Krebs). It is also discussed at slashdot.com

Five Hackers Who Left a Mark on 2006

2007-01-04T05:33:00.000-08:00

H.D. Moore has always been a household name—and a bit of a rock star—in hacker circles. As a vulnerability researcher and exploit writer, he built the Metasploit Framework into a must-use penetration testing tool...

Read about them!
+ Related discussion in slashdot.

Michal Zalewski on the Wire

2007-01-03T04:02:00.000-08:00

I show that security problems are inherent to the way we design systems, bound to just about any aspect of modern computing; and that only by understanding it can you follow and mitigate threats efficiently... When users have access to more and more bandwidth and computing power, they can more easily carry out brute-force attacks against protocols and algorithms...

Read Federico Biancuzzi's interview with Michal Zalewski about his book. (August 2006)

Top 10 Web Hacks of 2006

2007-01-02T07:30:00.000-08:00

Attacks always get better, never worse. That’s what probably what I’ll remember most about 2006. What a year it’s been in web hacking! There’s never been such a big leap forward in the industry and frankly it’s really hard to keep up... To look back on what’s been discovered RSnake, Robert Auger, and myself collected as many of the new 2006 web hacks as we could find. We’re using the term "hacks" loosely to describe some of the more creative, useful, and interesting techniques/discoveries/compromises. There were about 60 to choose from making the selection process REALLY difficult. After much email deliberation we believe we created a solid Top 10. Below you’ll find the entire list in no particular order. Enjoy!

Read this Top10 in Jeremiah Grossman's blog.

Cookie Stealing Upgrade: Ajax Style

2007-01-01T00:00:00.000-08:00

For those of you that have been living under a good and solid rock lately, AJAX is revolutionizing the way the web works in the fact that it brings desktop-like functionality straight to the web in the form of Javascript and XML (For this tutorial, a working knowledge of XML is not needed.) In other words, AJAX (Asynchronous Javascript and XML) gets rid of pesky page refreshes and coupled with DHTML effects, can lead to quite interesting desktop-like web apps... The property that is much sought after with AJAX is its ability to send arbitrary requests to a server in the form of an XMLHttpRequest...

Read this article in milw0rm.com.

Busy

2006-11-30T01:08:00.000-08:00

Too busy to update...
I will be back in January 1st.

Kevin Mitnick's Security Advice

2006-11-17T23:28:00.000-08:00

Here's my Top 10 list of steps you should take to protect your information and your computing resources from the bad boys and girls of cyberspace:
- Back up everything
- Choose passwords that are reasonably hard to guess
- Use an antivirus product
- Update your OS religiously
- Avoid hacker-bait apps
- Use encryption software
- Install a spyware detection app
- Use a personal firewall
- Disable any system services you're not using
- Secure your wireless networks

Read this in wired.com.

Miniature Computers That Can Break Your Network Wide Open

2006-11-16T23:27:00.000-08:00

One aspect of information security that is often under looked is physical security... Assuming a network has implemented end to end security in the form of 802.1x or a network access control (NAC) solution they all make one major assumption: that a man in the middle attack can’t be executed once the end point has authenticated. For example 802.1x addresses this directly, if the network port detects that the connection is dropped it requires the end point to re-authenticate before it’s allowed to have network access again. If the network hasn’t implemented such a scheme then it becomes trivial to execute a man in the middle attack by physically inserting another computer in between the network equipment and the end machine...

Read this post in riskbloggers by Kurt Seifried.

The A to Z of security - 27 pages

2006-11-15T23:23:00.000-08:00

Antivirus, Botnets, CMA, DDoS, Extradition, Federated identity, Google, Hackers, IM, Jaschan (Sven), Kids, Love Bug, Microsoft, Neologisms, Orange, Passwords, Questions, Rootkits, Spyware, Two-factor authentication, USB sticks/devices, Virus variants, Wi-fi, OS X, You and Zero-day!

Read this article by Natasha Lomas.

Computerworld's Smart Salary Tool 2006 (Online)

2006-11-14T23:20:00.000-08:00

Is your salary on par with what your peers are making? Use our Smart Salary Tool to compare your pay with IT workers in similar jobs, from around the country. Our 2006 survey reports on salaries from nearly 15,000 IT professionals...

See the page.

New Web Application Security Survey

2006-11-13T04:00:00.000-08:00

- Do you use commercial vulnerability scanner products during your assessments?
(Acunetix, Cenzic, Fortify, NTOBJECTives, Ounce Labs, Secure Software, SPI Dynamic, Watchfire, etc.)...
- Do you use open source tools during your assessments?
(Paros, Burp, Live HTTP headers, Web Scarab, CAL9000, Nikto, Wikto, etc.)

Read the original post by Jeremiah Grossman and an answer in ha.ckers.org blog.

Using Perl/Net::SinFP (sinfp.pl) for OS fingerprinting

2006-11-12T03:59:00.000-08:00

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has... Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization technologies, Nmap's approach to OS fingerprinting is becoming to be obsolete...
SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system...

See this security tools' webpage.

MS TechNet: Windows Vista Security Guide Overview

2006-11-11T03:53:00.000-08:00

The Windows Vista Security Guide consists of five chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.

Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings

Read this useful guide in 7 pages (and the older version for WinXP).

Security threat changing, says Symantec CEO

2006-11-08T03:33:00.000-08:00

"The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers." John Thompson, chairman and CEO of Symantec said.

Read this in infoworld.com.

Hot Skills: BS 7799 opens door to security work

2006-11-07T03:31:00.000-08:00

ISO 27001 is increasing rapidly, and employers are seeking qualified staff, or paying for their own to be trained. There is also a demand for qualified people from security companies, and the organisations that audit and certify ISO 27001 compliance... But working with these standards involves a management, rather than hands-on technical approach, and lacks the glamour of penetration testing. Much of the work consists of ticking boxes and making sure documents have been completed and filed correctly.

Read this article by Nick Langley.

Fuzzers - The ultimate list

2006-11-06T03:28:00.000-08:00

Fuzzer: A fuzzer is a program that attempts to discover security vulnerabilities by sending random input to an application. If the program contains a vulnerability that can leads to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered. Fuzzers are often termed Fault Injectors for this reason, they generate faults and send them to an application. Generally fuzzers are good at finding buffer overflow, DoS, SQL Injection, XSS, and Format String bugs. They do a poor job at finding vulnerabilites related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash.

Read this post.

Google Security and Product Safety

2006-11-04T17:25:00.000-08:00

If you are a Google user and have a security issue to report regarding your personal Google account, please visit our contact page. This includes password problems, login issues, spam reports, suspected fraud and account abuse issues... If you have discovered a vulnerability in a Google product or have a security incident to report, please email security@google.com. Please include a detailed summary of the issue including the name of the product (e.g., Gmail) and the nature of the issue you believe you've discovered... This process of notifying a vendor before publicly releasing information is an industry-standard best practice known as responsible disclosure... Working together helps make the online experience safer for everyone...

Read this in google web-site and a related article in techrepublic.

OS FingerPrinting Paper 1.0 and Satori tool

2006-11-02T20:04:00.000-08:00

I know what you are probably thinking; this is yet another paper on Active and Passive network OS detection and Scanning Techniques OR this is a scare tactic to finally get management to listen. Well it is and it isn’t, on both cases. It started, primarily as a paper on passive fingerprinting, that dips a bit into this and that along the way trying to give you a broad enough understanding of everything that has come before so that the new stuff makes sense. Without understanding how they are doing it, or what has happened in the past, parts of the new ideas or techniques will mean little to you. Perhaps in the end they will mean little to you anyway. I won’t go into the specifics of all of the different types of active/passive OS detection techniques, but I will cover some of the major and unique ones...

Read the article (pdf) by Eric Kollmann.

Satori: Uses WinPCap 3.1 (not tested with 4 beta yet), listens on the wire for all traffic and does OS Identification based on what it sees. Main things it works to identify are: Windows Machines, HP devices (that use HP Switch Protocol), Cisco devices (that do CDP packets), IP Phones (that send out Skinny packets), plus some other things. Still early on, will make many changes and will add whatever features are requested, so just send them with packet captures if possible!

A software created by him.

'Less than zero-day' threats

2006-11-01T03:25:00.000-08:00

The definition of zero-day exploits does not generally include unknown vulnerabilities that also exist and are already being quietly exploited. "Somewhere along the line, our definition of a zero-day attack got changed" to mean only those vulnerabilities that have been made public, Shimel said. "It's time to put the emphasis back on the unknown attacks out there."

Read the article.

Alan Cox warns on security of open-source code

2006-10-31T02:03:00.000-08:00

"Things appear in the media, like 'open-source software is more secure, more reliable and there are less bugs.' Those are very dangerous statements," Cox said.... The Software Quality Observatory for Open Source Software (SQO-OSS) is funded by the European Commission and it launched on Monday. Cox told delegates that metrics must not become targets.

Read this in ZDNet UK and Matt Asay's post on this.

The Ten Most Dangerous Online Activities

2006-10-27T15:43:00.000-07:00

Most computer users have no idea how dangerous their online behavior is... No matter how many times you warn them, employees still manage to poison their computers with new malware because they "just couldn't resist looking at the attachment." Other common goofs: downloading software for personal use, lowering firewalls to speed up a connection and even leaving their passwords stuck to their laptops...The following is our list of the ten most dangerous things people do online, along with some explanation of the risks associated with each. The list is based on input from information technology professionals and is arranged in descending order of danger...

Read the article.

Hacking anonymity and TOR

2006-10-25T16:42:00.000-07:00

TOR is endorsed by the Electronic Frontier Foundation (EFF) and is designed for individuals to circumvent Web censorship in countries such as China, however, the network could be used by criminals or even terrorists. Andrew Christensen, a Danish researcher at PacketStormSecurity.org, decided to see if he could determine who was using TOR by breaking the network's supposed anonymity. His theories about how he might do this appeared last spring in a paper entitled Peeling the Onion (coauthored with Dan Fearch of ScanNet). Now, Christensen's published workable code is in a paper called Practical Onion Hacking...
So are criminals using anonymizing services to arrange crimes over the Internet? Yes, but security experts agree that criminals (and possibly terrorists) have their own methods of anonymizing their Web traffic. So far, the bad guys aren't really using the TOR network...

Read the review and the papers:
1- Peeling the Onion
2- Practical Onion Hacking

Secure Habits - 8 Simple Rules For Developing More Secure Code

2006-10-24T09:38:00.000-07:00

This article discusses:
* Using analysis tools and experts to review your code
* Reducing risk using fuzzing and threat modeling
* Keeping bad input out of your applications
* Learning all you can about security concepts

Read the MSDN Magazine/November 2006 article here.

Top 10 [Newcomer] Security Companies to Watch

2006-10-23T09:28:00.000-07:00

"In security, you want to be the best. There aren't many customers out there that will brag they have the second-best security solution," says Mark Levine, managing director with Core Capital in Washington, D.C.... Below are 10 security companies we think are worth watching. Some are new to the market, others have reinvented themselves recently, still others are just beginning to make their mark on the corporate mind-set. All of them are worth keeping an eye on:
BitArmor Systems, Cogneto, Cryptolex Trust Systems, Declude, Exploit Prevention Labs, KoolSpan, NetworkStreaming, Savant Protection, Void Communications and Yoggie Security Systems

Read the article here.

Seven steps to increase Linux security

2006-10-20T16:18:00.000-07:00

Ask a network administrator in any large organisation to compare Linux with network operating systems like Windows NT or Novell, and chances are he'll admit that Linux is an inherently more stable and scalable solution. Chances are he'll also admit that when it comes to securing the system from outside attack, Linux is possibly the most difficult of the three to work with.

Read the story.

A Reality Check on PatchGuard

2006-10-19T16:12:00.000-07:00

Hackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel; while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide. Now, you may ask yourself, if hackers can bypass PatchGuard, why don’t security vendors? We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop, if Microsoft decides to update PatchGuard.

Read the post in Symantec security response weblog.
+Update: MS to McAfee: Stop Lying to the Public

Google Hacking Database (GHDB)!

2006-10-18T04:14:00.000-07:00

We call them 'googledorks' (gOO gÃ´l'DÃ´rk, noun, slang) : An inept or foolish person as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe! Stop by our forums to see where the magic happens!

The page is here.

Blobs are Bad

2006-10-17T16:02:00.000-07:00

A recent security advisory announced today by Rapid7 explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root... Here's a good real-life example of why blobs are bad. For those that take the "pragmatic" approach and don't understand what all the fuss is about.

Read the post in undeadly.org, Rapid7 advisory (the bug reporter), related post in kerneltrap and slashdot discussion.

wicrawl

2006-10-16T15:53:00.000-07:00

Wicrawl is a simple wi-fi (802.11x) Access Point auditor with a simple and flexible plugin architecture... The goal is to automate the tedious task of scanning wi-fi access points for interesting information. This can be a useful tool for penetration testers looking to “crawl” through massive numbers of APs looking for interesting data...

You can get more information here.

Certification is About Clearing the Hurdles, Not Proving Knowledge

2006-10-15T06:04:00.000-07:00

I'm a CISSP, I used to be a CCNA, and soon I'll have the GIAC-GSNA (System and Network Auditor) certification... I don't think certificates are useless, but too many people have the wrong expectations of their usefulness, especially entry level certs. If you use certifications as a gauge of the effort a professional has put into their career advancement, you'll find them useful. But if you're trying to use them as a benchmark of knowledge, expect the lowest common denominator necessary to pass the test. To paraphrase and old joke, what do they call a CISSP who barely passed his test? A CISSP.

Read this weblog post by Martin McKeay.

Security Java/J2EE Code Review - Identifying Web Vulnerabilities by Kiran Maraju

2006-10-14T06:00:00.000-07:00

This paper gives an introduction of security code review inspections, and provides details about web application security vulnerabilities identification in the source code. This paper gives the details of the inspections to perform on the Java/J2EE source code. This paper explains the process of identifying vulnerable code and remediation details. This paper illustrates the specific locations of code flows to be checked to identify web application vulnerabilities.

Read the article (in PDF format). In this article Maraju has gathered a list of code review tools for JAVA/J2EE which can be used for security:

1- Escjava
2- Hammurapi
3- Jlint
4- JavaPathFinder
5- JavaPureCheck
6- Checkstyle
7- Pmd
8- Findbugs

I have used GNU/Findbugs and found it useful in java code/bytecode analysis. See FindBugs blog in blogspot.

Exploit Code Hiding in Cache Servers

2006-10-13T05:58:00.000-07:00

According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised. Although caching does not always save copies of everything on a website, it will still store code embedded in html, including programming formats such as Javascript... "What our latest report shows is that current processes to remove such malicious content from the Web are simply not going far enough to combat this very serious and growing threat."

Read the article (in techworld.com) and slashdot discussion and the original report.

More Reasons to Discuss Threats

2006-10-12T09:44:00.000-07:00

The word "threat" is popular... I noticed the OWASP is trying to define various security terms as well... OWASP has Wiki pages for attack, vulnerability, countermeasure, and, yes, threat... It might be helpful to look at already published work when thinking about what these terms mean. Good sources include the following...

Read Richard Bejtlich's post.

Vulnerability Type Distributions in CVE

2006-10-11T06:29:00.000-07:00

"If 'smashing the stack'-style buffer overflows were the first wave of serious exploitable problems, and heap overflows were the second wave, integer overflows are the third wave," says Thomas Ptacek, a researcher with Matasano Security. "Developers have gotten more careful about the first two problems, so auditors moved on."... Numbers can be used to allocate memory, so an integer overflow can make a buffer overflow attack possible, says Steve Christey, CVE editor and principal information security engineer at Mitre.

Read darkreading story and the original report in Mitre.

Learn Information Gathering By Example

2006-10-10T08:18:00.000-07:00

Information Gathering is usually the first done when Penetration testing. It is indeed a very important part in Penetration testing, and no Penetration tester or Internet security enthusiast can be left with out the knowledge of not knowing how to successfully gather information on a target. This white paper goes through the steps and tools you can use in order to successfully gather information on a target web server:
1- Utilizing Search Engines
2- Utilizing NetCraft
3- Using Whois
4- Utilizing NSLookup
5- Brute Forcing DNS Names
6- Performing A Ping Sweep
7- Identifying Firewalls/Routers
8- Gathering Information From Emails
9- Obtaining Information With Scripts

Read the article in PDF format (by Aelphaeis Mangarae).

An Argument for Full Disclosure

2006-10-09T11:04:00.000-07:00

No matter who finds a bug or what software/product it’s in, Full Disclosure is the only method that can ensure that the right people know about it without too much hassle. With Full Disclosure,
1- The holes get fixed. Isn’t that what it’s all about?
2- Such vulnerabilities can’t be abused by morally-challenged people.
3- It allows end-users a chance to backup their databases and take preliminary steps to securing their sites.
4- It provides the affected companies with a solution. If the exact bug and the associated steps of reproduction, the affected files/code, and the extent of damage are reported there really isn’t anything much left.
5- It embarrasses the company into taking immediate action and better care.
6- You get the credit you deserve for finding the flaw!

Read the original post.

XSS Scanner

2006-10-08T10:44:00.000-07:00

I got an email from another lurker today that I thought was pretty interesting. He’s intending to build a scanner to do some self-pen testing on his own websites and wanted some guidance. He was stuck on one of the three big questions (the others are the calendar or infinite depth issue and the login state issue). His issue was how to know what is bad and what isn’t from a web application security scanning perspective...

Read the post in ha.ckers.org.

What’s in a hacker?

2006-10-05T23:57:00.000-07:00

Chiesa is the director of communications at the Institute for Security and Open Methodologies (ISECOM) and he is on a mission to uncover the mysteries of hacker types... According to the study, there are nine types of hackers, which are: “Wannabe lamer”, script-kiddie; cracker; ethical hacker; the quiet, paranoid and skilled hacker (QPS); cyber-warrior; industrial spy; government agent; and military hacker.

Read the story and participate.

Risk Management - Risk Assessment

2006-10-03T02:28:00.000-07:00

The purpose of this website is to address identified open problems in the area of Risk Management and to provide a road-map for addressing further open issues at a European level.
This site contributes to solving the following problems:
- low awareness of Risk Management activities within public and private sector organizations;
- absence of a “common language” in the area of Risk Management to facilitate communication among stakeholders;
- lack of surveys on existing methods, tools and good practices.

The website is located here.

Would You Hire a Former Black Hat?

2006-10-02T06:46:00.000-07:00

He noted that there are currently many former black hats who are "really, really smart" and "with a bit of nurturing and guidance", were able to transform into good security researchers... "But all other things being equal, I'm not sure if I would hire someone who acquired the knowledge without having acquired it legally," Ducklin said... Mark Bregman, Symantec's senior vice president and chief evangelist, does not believe in hiring former black hat hackers or the equivalent, even if they are or claim to have reformed.

Read the story and related slashdot discussion.

Presentations from 15th Usenix Security Symposium

2006-10-01T00:41:00.000-07:00

MP3's, notes and slides are available here (through netsec).

Articles about PF (undeadly.org)

2006-09-30T13:00:00.000-07:00

1- Firewall Ruleset Optimization
2- Testing Your Firewall
3- Firewall Management

ZERT Analysis of CVE-2006-4668 and Patch Description

2006-09-29T01:00:00.000-07:00

The vulnerability in Microsoft’s Vector Graphics Rendering Engine (vgx.dll) exists due to an overzealous for() loop that copies data from a large, dynamically allocated buffer into an inadequate, fixed-size buffer on the stack. The data being copied in this routine is user-supplied as a Vector Markup Language (VML) “fill method” attribute. Legitimate values for the attribute include “none”, “any”, “linear,” and “sigma.”, [Specification draft for VML]. A vulnerable version of the library will copy the user-supplied string without checking its size, allowing a malicious document containing an overly-long fill method string to cause data to be written outside of the destination buffer’s boundaries. The ZERT patch for this vulnerability adds a check to the code before it can begin execution of the described loop. If the length of the user-supplied fill method string is greater than 512 bytes (size of destination buffer), the loop is avoided by making a jump tothe function’s cleanup instructions, and subsequently returns null...

A short instructive article (pdf) from ZERT.

Understanding Cross Site Scripting by Hardik Shah

2006-09-28T23:12:00.000-07:00

There are many webapplications which are designed to permit the input of html tags for displaying the html formatted data. These tags can be used by malicious users to attack other users by inserting scripts or malicious applets etc. This called cross site scripting or XSS. Such attacks are result of poor input validations. It uses the combination of html and scripting languages. With the proper combination of html and java script a intruder can misguide the client and perform various attack from DOS (by opening enormous amount of window on client side) or By embedding malicious FORM tags at the right place, an mailicious user may be able to trick users into revealing sensitive information by modifying the behavior of an existing form or by embedding scripts, an intruder can cause various problems. This is by no means a complete list of problems, but hopefully this is enough to convince you that this is a serious problem.

If you are not familiar with xss this article will help to start learning about (pdf format).

Understanding Sql Injection by Hardik Shah

2006-09-27T05:50:00.000-07:00

This vulnerability occurs due to lack of proper validation of user entered data in web applications. It may be possible that the programmer is a newcomer and has lack of understanding of such kind of attacks. But in many cases I have seen most of the time programmers are too lazy to consider and apply proper security checks. Most of the programmer believes that client or end user will always give correct input to the application. They even check for some minor validations like empty string or null values etc but they never think of the fact that a user can insert a specially crafted query which reveals all the important information of your machines. With the outsourcing boom many companies started and they have less experienced programmer so such kind of attacks heavily exists in today’ s web applications...

If you are not familiar with sql-injection this article will help to start learning about this type of vulnerabilities (pdf format).

Torpark browser makes Web surfing more anonymous

2006-09-20T17:32:00.000-07:00

The browser is free to download at torpark.nfshost.com. It's a modified version of Portable Firefox, an optimized version of the browser that can be run off a USB memory stick on a computer. The Torpark browser uses encryption to send data over The Onion Router, a worldwide network of servers nicknamed "Tor" set up to transfer data to one another in a random, obscure fashion.

Read the article from pcworld through netsec.

See the bigger picture on data security

2006-09-19T23:44:00.000-07:00

Don’t let suppliers put the blinkers on – even the best electronic security won’t safeguard your data if the physical aspects of protection have been overlooked.

Read the Article.

Is BGP Update Storm a Sign of Trouble: Observing the Internet Control and Data Planes During Internet Worms

2006-09-18T00:08:00.000-07:00

In this paper, we studied BGP update storms during three well-known Internet worms—Code Red, Nimda, and Slammer—and found that while BGP update storms occurred in all three worms, the performance of the data plane degraded during the Slammer worm but did not during the Code Red and Nimda worms. While it is certainly important to pay attention to the occurrence of BGP update storms, our results show that a BGP update storm does not necessarily map to data plane disruption.
Future work includes further investigation on exactly what factors from the control plane caused the data plane degradation during the Slammer worm, especially given that there is no signiﬁcant degradation during the other two worms. We have also studied the impact on the data plane by artiﬁcially introducing routing changes, which we call “mild stress,” and it would be useful to compare the results from both severe stress and mild stress.

Read the article in pdf format and related post on wormblog.

NIST Guide to Intrusion Detection and Prevention (IDP) Systems (DRAFT)

2006-09-16T23:15:00.000-07:00

This publication describes the characteristics of IDP technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. There are many types of IDP technologies, which are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDP technologies:
- Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves
- Network Behavior Anomaly Detection (NBAD), which examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware
- Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Read the guide in pdf format (2.3 MBs)

Microsoft Windows Security Center: The Voice of Security for Windows Vista

2006-09-15T23:21:00.000-07:00

Windows® Security Center (WSC) is a comprehensive security status reporting console that enables Windows Vista™ customers to understand the ongoing security state of their computer, and provides a method for third-party ISVs to evaluate the current security state of the system. Microsoft Corp. first introduced WSC in Windows XP Service Pack 2 and has enhanced its capabilities in Windows Vista based on customer and ISV feedback. Windows Security Center collects information from Microsoft® Windows and third-party security components designed to protect users from computer threats. To provide users with a higher degree of security protection, Windows Security Center now reports the status of security components and provides the capability for direct remediation of unsafe settings for both Windows components and third-party security solutions... Windows Security Center is now a more comprehensive security status reporting console with key benefits for end users as well as third-party software vendors. Users can now better understand the ongoing security state of their computer, no matter which vendor integrating with WSC provides the solution. Third-party providers can now integrate their security software directly with the Windows Security Center to deliver a seamless product experience, while still maintaining a single location for the security status of the computer. In addition, WSC now allows third-party ISVs to evaluate the current security state of the system. These combined benefits make Windows Security Center the voice of security in Windows Vista.

Get the whitepaper from here (doc format).

10 security problems unique to IT

2006-09-14T22:36:00.001-07:00

#1: System penetration threats
#2: Internet security realities
#3: Portability of hardware
#4: Proliferation of new communication methods
#5: Complexity of software
#6: Degree of interconnection
#7: Density and accessibility of media
#8: Centralization
#9: Decentralization
#10: Turnover

Read Jeff Relkin's article.

Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

2006-09-13T21:55:00.000-07:00

Motivated by the proliferation of wireless-enabled devices and the suspect nature of device driver code, we develop a passive ﬁngerprinting technique that identiﬁes the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-speciﬁc exploit. In particular, we develop a unique ﬁngerprinting technique that accurately and efﬁciently identiﬁes the wireless driver without modiﬁcation to or cooperation from a wireless device. We perform an evaluation of this ﬁngerprinting technique that shows it both quickly and accurately ﬁngerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent ﬁngerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking.

Read the pdf file and related slashdot discussion.

Core Impact Penetrates Deeply

2006-09-12T22:05:00.000-07:00

We ran address-book exploits against Opera Software's Opera, Microsoft's Outlook and the Mozilla Foundation's Thunderbird browsers. We left our browsers configured in default states running on systems configured as end-user workstations, with only a passing attempt at changing parameters to make the systems secure. (We made sure the Linux systems were up-to-date and that our Windows XP systems had the latest service pack and patches installed.) Using the address-book modules, we were able to get an agent to automatically enumerate entries from compromised systems. A related module that successfully ran on a compromised Windows XP system allowed us to automatically capture auto-complete passwords stored in Microsoft's Internet Explorer.

A "Core Impact 6" Review by Cameron Sturdevant.

Exploiting the Otherwise Unexploitable on Windows

2006-09-11T23:04:00.000-07:00

This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.

An article from Uninformed.

Take a closer look at OpenBSD

2006-09-10T21:24:00.000-07:00

OpenBSD is quite possibly the most secure operating system on the planet. Every step of the development process focuses on building a secure, open, and free platform. UNIX® and Linux® administrators take note: Without realizing it, you probably use tools ported from OpenBSD every day. Maybe it's time to give the whole operating system a closer look.

Take a closer look at this article!

On Vacation

2006-07-30T08:50:00.000-07:00

I am on vacation until september 10.

NTLMv2 and LMCompatibilityLevel

2006-07-28T23:35:00.000-07:00

Although Windows Vista has not been released yet, it is worthwhile to point out some changes in this operating system related to these protocols. The most important change is that the LM protocol can no longer be used for inbound authentication—where Windows Vista is acting as the authentication server. Windows Vista will no longer store the LM hash by default. Acting as a client, Windows Vista also makes a change to outbound protocols by setting LMCompatibilityLevel to 3 by default. In other words, NTLMv2 will finally be the default protocol for non-domain authentication. In the next scheduled release of the Windows Server platform, code-named "Longhorn Server," a lot of work has been done to reduce the need for NTLM altogether. In Windows Server 2003, NTLM, and sometimes even LM, is used in many cases, such as in clusters. In the next version of the operating systems many of these protocols will finally be turned off by default.

Read Jesper Johansson's article in technet and the related weblog post.

Biometric Security

2006-07-27T09:56:00.000-07:00

Will there be a "biometric-of-choice", i.e. a technology dominating all biometric systems? The answer is most likely no. The reason is that no biometric trait is fully universal, permanent and unique at the same time. Today's most accurate technologies are based on characteristics of eyes and fingers that are highly unique and permanent in structure, but not completely universal. At the same time, none of the fully universal characteristics (e.g. faces and DNA) are sufficiently unique to distinguish between monozygotic twins. Faces are even highly variant with time.

Read Biometric Security whitepaper (pdf file - 111 pages - 1708 KBs) by Bori Toth.

Internet Drive-By Shootings

2006-07-26T10:43:00.000-07:00

The key requirement is that the attacker must be able to force the user to execute a small piece of Javascript code. There are a number of ways this can happen:
* Embed Javascript into a Flash-based banner ad
* Send an email to each user with a link to a web site
* Post a link inside blog comment spam
* Post a link inside a web forum comment
* Exploit a XSS issue to embed Javascript into a trusted web site
* Trigger a PostBack link into a high-profile blog
* Flood popular sites with bogus referrers

Read this post from metasploit blog.

No compensation for 'responsible disclosure': Microsoft

2006-07-25T23:43:00.000-07:00

Microsoft has said it will not offer money to security researchers for responsibly disclosing vulnerabilities in its products... "I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage; which one do I choose?" asked Ingram.

Read zdnet.com.au article.

ISMS Implementation Guide

2006-07-24T22:37:00.000-07:00

Various other tools that can be used for risk assessment are:
Asset Track

CRAMM

Riskwatch

RA2 art of risk

Exrisk

Risk Point

The document is in PDF format by Vinod Kumar Puthuseeri.

Auditors and Security Policies

2006-07-23T23:53:00.000-07:00

For years auditors have simply asked for something and they've received it. In today's corporate environment, Security plays a large role in determining whether the auditors' requests are compliant with security policies, standards, and guidelines. Each security manager has the responsibility to assist with audits as a means of protecting the organization as well as its employees, customers, and shareholders while not weakening system defenses. This requires patience as the auditors learn how to work within the new constraints we've imposed on them, and it's our job as security professionals to assist as much as possible in training our auditors on secure means to get the information they need.

Read Tom Olzak's weblog post.

Cash for Exploits

2006-07-22T23:35:00.000-07:00

Among the security firms who do business with bug writers are 3Com/TippingPoint's Zero Day Initiative, iDefense, and Digital Armaments. "They typically pay between $2,000 and $10,000 for these so they are able to better protect their clients from these exploits and work with vendors to help them develop protections," Maynor says.

Read darkreading article (through ha.ckers)

Required Attributes of Security Solutions

2006-07-21T21:42:00.000-07:00

Jesper Johansson writes:

I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation.

Biological Approaches to Computer Security Course (2005)

2006-07-20T21:36:00.000-07:00

Course on the applicability of biological metaphors to computer security. Computer immunology, autonomic computing, and computer homeostasis are compared with traditional approaches to authentication, integrity, and intrusion detection. Relevant background biology will be presented. Students will design and critique new security mechanisms.

See the 'Daily class outline' in the page to find interesting articles. (through netsec)

Windows Vista Network Attack Surface Analysis

2006-07-19T22:35:00.000-07:00

The network stack in Windows Vista was rewritten from the ground up. In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects. This may provide for a more stable networking stack in the long term, but stability will suffer in the short term. Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack. We have identified several implementation flaws in the 5270 Windows Vista build and even more in earlier builds, though these have been fixed in 5384. While it is reassuring that Microsoft is finding and fixing these defects, we expect that vulnerabilities will continue to be discovered for some time. A networking stack is a complex piece of software that takes many years to mature.

Read the pdf file and see their weblog post on this. See CNET News.com and Dailytech articles.

Internet Security Glossary, Version 2

2006-07-18T22:21:00.000-07:00

$ security: ...
Parker suggests that providing a condition of system security may involve the following six basic functions [Park]; however, these functions overlap to some extent:
- "Deterrence": Reducing an intelligent threat by discouraging action, such as by fear or doubt. (See: attack, threat action.)
- "Avoidance": Reducing a risk by either reducing the value of the potential loss or reducing the probability that the loss will occur. (See: risk analysis. Compare: "risk avoidance" under "risk".)
- "Prevention": Impeding a security violation by using a countermeasure.
- "Detection": Determining that a security violation is impending, is in progress, or has recently occurred, and thus make it possible to reduce the potential loss. (See: intrusion detection.)
- "Recovery": Restoring a normal state of system operation by compensating for a security violation, possibly by eliminating or repairing its effects. (See: contingency plan, main entry for "recovery".)
- "Correction": Changing a security architecture to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence, such as by eliminating a vulnerability.

Someone asked me about a good security glossary. See Internet Security Glossary, Version 2; 20 March until 20 September 2006; Obsoletes: RFC 2828, FYI 36

Wireless Networking for Small Businesses - Security Considerations

2006-07-17T23:50:00.000-07:00

Unauthorized wireless network access is probably one of the biggest threats to small and medium sized businesses. This is described as a user from outside the company using the network. Unauthorized access can be something as simple as a neighboring business using the wireless LAN to access the Internet. If the unauthorized user is just surfing the Internet it would not present a very big problem except for potentially slowing your network down...

InfosecWriters pdf article by Rusty Morgan. See also wikipedia page on wireless security.

Comments on SANS CDX Briefing

2006-07-16T23:29:00.000-07:00

1- Know the Network and Keep it Simple: Each additional device is another avenue of attack. The entire team must understand the network. Troubleshooting is easier with a simple design.
2- Deny by Default Policy: Only allow what is absolutely necessary. It's easier than blocking known bads.
3- Remove Unnecessary Services, Software, and User Accounts: What is the role of the computer? Remove unnecessary software completely.
4- Plan for Contingencies: All networks will eventually have a problem.

Read this in Richard Bejtlich's blog.

Why Information Security is Hard - An Economic Perspective

2006-07-15T11:44:00.000-07:00

In an ideal world, the removal of perverse economic incentives to create insecure systems would depoliticize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money, the evaluator should not restrict herself to technical tools like cryptoanalysis and information flow, but also apply economic tools such as the analysis of asymmetric information and moral hazard.

'Why Information Security is Hard - An Economic Perspective' by Ross Anderson - pdf file - (through netsec blog )

Predicting the Number of Vulnerabilities that will be found in a Software

2006-07-14T22:03:00.000-07:00

Want to know how many flaws will be in the next version of a software product? Using historical data, researchers at Colorado State University are attempting to build models that predict the number of flaws in a particular operating system or application... In an analysis to be presented at a secure computing conference in September... The latest research focuses on fitting an S-shaped curve to monthly vulnerability data, positing that a limited installed based and little knowledge of new software limits the finding of vulnerabilities in a just-released application, while exhaustion of the low-hanging fruit makes finding vulnerabilities in older products more difficult... The models used for prediction of future vulnerabilities assume that defect density--the number of software flaws per 1,000 lines of code--remains the same between software versions... (SecurityFocus.com, Page 1 and Page 2)

I choose this title: 'Predicting the Number of Vulnerabilities that will be found in a Software'. The real number of vulnerabilities exist in the software is not countable/predictable. By the way I think they count the number of vulnerabilities discovered in first few months of the release and predict the next months based on statistical methods. Not too bad.

Intrusion Detection Systems in Hospitals

2006-07-13T00:21:00.000-07:00

As technology in the hospital environment continues to evolve and move forward, Intrusion Detection Systems must be an instrumental part of an organizations security posture. There is too much at risk, legally and organizationally, to not be aware of vulnerability exploits, attacks, and other threats. These are the kinds of things that we must monitor and track to ensure the integrity of our systems. Intrusion Detection is one tool that should be deployed to help maintain this integrity... Once we have an Intrusion Detection Solution in place, we must be ever vigilant in maintaining them to insure optimal performance. IDS is a ever evolving arena so we must do everything that we can to insure what we have works as efficiently and effectively as possible. Even with the most effective system possible, we are only helping to eliminate the risk. As stated by Cuvusoglu, Mishra, and Raghunathan, “even the best IDSs could only detect about 80% of the attacks”. Great care in the selection and placement of IDS in a hospital environment must be taken to fully realize it’s benefits. ('Intrusion Detection Systems in Hospitals: What, Why, and Where.')

I am aware of some famous HISs (Hospital Information Systems) developed and being used in Iran, and I must say that they are so poor in security side. Islamic Republic of Iran Ministry of Health and Medical Education is working on an 'Integrated Health Information System' which will be distributed country-wide and I wish it would be better than that HISs.

Detailed Visual Guide To Penetration Testing

2006-07-12T01:03:00.000-07:00

Security Investigator writes:

What's that? You really want a visual guide to penetration testing?... Something that could be printed out and be your all-in-one guide to penetration testing?... This is a must see!

See this. YAMR (Yet Another Must Read)!

Basic Journey of a Packet

2006-07-11T05:52:00.000-07:00

The purpose of this introductory article is to take a basic look at the journey of a packet across the Internet, from packet creation to switches, routers, NAT, and the packet's traverse across the Internet. This topic is recommended for those who are new to the networking and security field and may not have a basic understanding of the underlying process. ('Basic journey of a packet')

TCP/IP is a boring topic full of detailed explanations that you ask yourself 'So What?'. If you are a new comer, you should oblige yourself to learn it; So you must start from somewhere and this is an elementary somewhere!

Google Indexing Executable Files

2006-07-10T09:44:00.000-07:00

Claudiu Spulber's original post:

See this, search for "Signature: 00004550" and you'll see about 200,000 results of executable files being indexed... Anyway, this must be a bug. I mean what use is from having the executable files indexed, as in the View as HTML section there is no relevant information. Plus this is a security risk, even a high one. Because sites full of spyware might use this redirect bug to have spyware executables indexed and when the user will click it automatically installing all the malware in the world.

googlesystem's detailed explanation:

Google indexes the file's headers and if you look at the cache, you'll see something like this:
WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000

Websense security labs blog explains how they have used this to find malicious Web sites (no direct link to the post):

We queried not only for the NT signature, but also for unique identifiers within the PE file format that would allude that the file was potentially malicious... Our results show that we were able to collect thousands of pieces of malicious binaries, mostly posted to newsgroups with false names that would normally trick a user, we found many on forum sites, as well as regular personal, educational, compromised, and underground sites. We also found several pieces of spyware on poker and casino sites. We found variants of the Bagel, and Mytob worms, various trojans, and many other malicious binaries... It should also be noted that although this is also a useful tool for other security research experts to discover malicious code, the potential for malcode authors to use it is also there.

And finally this article ('Google's Binary Search Helps Identify Malware') in pcworld:

Google has seen this happen "on occasion," and is making an effort to shield users from this malicious software, a Google spokeswoman said... "I think the 'tricking your browser into running an executable file' trick is a little old," said Long, who wrote the book Google Hacking for Penetration Testers. "There are other more elegant attacks to worry about."

To index, or not to index: that is the question!

Is Effective Security Possible?

2006-07-09T00:58:00.000-07:00

Roger A. Grimes' article ('Effective security isn't easy, but it is possible') introduces some fundamental points about security that are really useful. Mike Rothman's post ('Effective security - within reach?') about Roger's is useful too. But my question is: 'what is effective security?'

Roger Grimes says:

There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it’s been years since a significant malicious event happened to their environments.

If he thinks that effective security's definition is the above paragraph he makes a mistake. DOD dictionary of military terms defines 'security' as:

1. Measures taken by a military unit, activity, or installation to protect itself against all acts designed to, or which may, impair its effectiveness. 2. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 3. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security.(DOD: security)

For a more practical definition Federal Standard 1037C (Telecom Glossary 2000) says:

1. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 2. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security. 3. Measures taken by a military unit, an activity or installation to protect itself against all acts designed to, or which may, impair its effectiveness. (FS-1037C)

Wikipedia's simple and clear definition of effective security is:

A secure system is a system which does exactly what we want it to do and nothing that we don't want it to do even when someone else tries to make it behave differently. (wikipedia.org - security)

Is 'effective security' something different from 'security'?
- If the answer is negative, then: "Effective security isn't easy and it is NOT possible." Just think about 0-day exploits, underground exploits and so on. 100% security is not possible (at least for now).
- If the answer is positive, he should tell me what 'effective security' is. 'Practicable security' in my idea is 'the maximum or best security you can do on a network using all of the resources available for securing it.' When you do 'practicable security' it may be not so 'effective' against hostile acts. I have no idea about 'effective security'.

The next question is: 'Is it possible to make the network secure enough only by using the points he has recommended?'. For example consider that the software A is naturally insecure, B is secure and you cannot change A software to become a secure one. The company is using A and doesn't want to switch to B. 'Is my effort (based on his article) makes the network secure enough when there are some insecure softwares running on it?'

How to Bypass BIOS Passwords

2006-07-08T01:52:00.000-07:00

BIOS passwords can be add extra layer of security for desktop and laptop computers, and are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. BIOS passwords can also be a liability if a user forgot their passwords, or if a malicious user changes the password. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in an a typical warranty. However, there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS password on most systems. ('How to Bypass BIOS Passwords')

See also Elf Qrin's article and i-hacked article (mirrored from abmice.techtarget.com). Also check this and this from computerhope. They are all similar but I was hesitate to choose one!

HP Active Countermeasures (HPAC) Service

2006-07-07T11:41:00.000-07:00

I was aware of HP's 'Active Countermeasures' since 2005. I believe that HP-UX is a very insecure unix (compared to other famous ones) but they want to be active in securing other servers with various operating systems. Believe it or not, HP is planing to give penetration testing service to costumers:

The HPAC team will use hacking techniques to gain control of clients' systems. They will use exploit code for known vulnerabilities found on the Internet, or write their own exploit code. The HPAC team won't fix problems themselves, but will alert customers and work with them if necessary until the issue is resolved. We're most concerned with 'wormable' vulnerabilities — ones that can be exploited using worms, as they have the largest impact on business," said Brown. ('HP: Hacking techniques help security')

Yes, they will write their own exploit code if necessary. First mr.scriptkiddy registers for the service. Then he monitors/logs to see what is performed on his machine by HPAC. Then he has the HPAC's-only-for-testing-purpose exploit code. Finally he uses it against other machines. HP will be his fresh source of new exploits.

SSH/OpenSSH for New Comers

2006-07-06T11:18:00.000-07:00

One of my friends (Modjtaba) has sent a post in his persian computer weblog about OpenSSH and how blindly some sudo-sysadmins are using it. His post encouraged me to seek some basic tutorials about SSH/OpenSSH and found these for beginners:

- openssh.com: official site
- aperiodic.net: Simple SSH Tutorial Outline
- suso.org: SSH Tutorial for Linux
- openbsd.org: ssh man page
- netbsd.gw.com: ssh man page
- jakilinux.org: SSH tricks
- linuxjournal.com: The 101 Uses of OpenSSH part1
- linuxjournal.com: The 101 Uses of OpenSSH part2
- suominen.com: Getting started with SSH
- linuxjournal.com: Eleven SSH Ticks
- wikipedia.org: SSH
- wikipedia.org: OpenSSH
- ibm.com: OpenSSH key management, Part 1
- ibm.com: OpenSSH key management, Part 2
- ibm.com: OpenSSH key management, Part 3
- windowsecurity.com: SSH
- csociety.org: SSH slides by Seth Heckard
- gatech.edu: Secure Shell (SSH) Tutorial

may help someone...

Using Fuzzing to Detect Security Vulnerabilities

2006-07-05T07:48:00.000-07:00

Besides all the advantages that the fuzzing techniques offer, it is important to note it is not a universal method for security vulnerability detection. In order to detect a certain security vulnerability, the target application has a set of specific conditions for which the fuzzing tool might not be used. In cases like this, some other methods have to be applied, depending on the type of a security vulnerability that is being analyzed. When network applications are being discussed, it is important to note that the fuzzing technique is very useful for general testing of the application stability as tests like these can be destructive.

Leon Juranic's article (through Gadi Evron's post in securiteam blogs). It is a practical article.

AJAX Security (XMLHTTPRequest and IFrame objects)

2006-07-04T04:40:00.000-07:00

Ajax security will be an important topic in the near future (despite being a several year old technology). Web-based applications are going to be rewritten using Ajax technology. But in my opinion there is a little difference between classic web-based application and an Ajax-based one in security considerations. The danger happens when you want to do server-side checking (input validations, ...) in client-side (using Ajax or javascript in general). We will not encounter new exploiting mechanisms, instead existing techniques will be performed more using Ajax because Ajax increases the complexity of the code.

This article from it-observer.com worth reading. This article from securityfocus, this one, this, this, this and finally Max Kieler's post to find related links.

Power Users in Windows are Potential Administrators

2006-07-03T09:22:00.000-07:00

Jesper Johansson's post:

Power Users are simply Administrators who have not made themselves Administrators yet. There are access control lists, privileges, and other settings all over the OS that allow them to do so. Making someone a power users only makes it marginally more difficult to shoot yourself in the foot. It does not actually limit their privileges, nor does it protect them from malware, which can typically run just fine with Power User privilege.

and Mark Russinovich's detailed explanation:

I’d now finished the major phase of my investigation and just confirmed what everyone has been saying: a determined member of the Power Users group can fairly easily make themselves full administrator using exploits in the operating system and ones created by third-party applications.

I felt over the time that microsoft is reducing power of 'power users group' step by step and pushing it down to not be so close to 'Administrators'. By the way I must say that putting someone in 'power users group' is better than giving him the Administrative privileges; And then I must emphasize that 'Power Users in Windows are Potential Administrators' again. Mark Russinovich's post is really informative and insightful. Yet another must read (YAMR).

Penetration Tester Hiring Made Easy!

2006-07-02T08:57:00.000-07:00

A useful post 'Get Hired as a Penetration Tester ' in 'A Day in the Life of an Information Security Investigator' blog.

I had something similar to this in my mind to find security collaborators in my security projects; But this will help me a lot. On the other hand it has a list of useful security and penet-test tools and also a list of famous security certifications. A must read.

Update: see also penetration-testing.com

IPsec and 'Server and Domain Isolation (windows)'

2006-07-01T06:06:00.000-07:00

You can mitigate some of the risks associated with unauthorized and potentially unfriendly access to your network and its resources by creating an isolated network... To isolate the authorized and managed computers from the other computers on your network, you can create an isolated network; a set of network nodes whose grouping is independent of the physical network topology. [1-] You can create an isolated network based on the Physical layer of the Open Systems Interconnection (OSI) model, in which you run a separate cabling system for the isolated network... [2-] You can also create an isolated network based on the Data Link layer of the OSI model, in which you use Layer 2 switches and virtual LAN (VLAN) technology to create logical network segments by grouping computers regardless of their physical connection to a set of switches. With VLAN technology, you can also create an isolated network based on the Network layer of the OSI model, in which you create logical subnets and define the routing between the subnets. [3-] With the Microsoft® Windows® operating systems, you can logically isolate your domain and server resources to limit access to authenticated and authorized computers. Windows-based network isolation occurs at the Network layer of the OSI model [He means based on IPsec, not a new invention as you may feel from the text!]... (Server and Domain Isolation main page Microsoft)

These links are enough, no need to my explanation:
+ Improving Security with Domain Isolation: Microsoft IT implements IP Security (IPsec)
+ James Morey blog IPsec and Domain Isolation; Related posts: 1, 2, 3
+ IPsec in wikipedia
+ An Illustrated Guide to IPsec
+ OpenBSD: IPsec man page see also isakmpd(8)
+ NetBSD: IPsec man page see also racoon(8)

100% Undetectable Rootkit based on Hardware Virtualization Technologies

2006-06-30T00:30:00.000-07:00

The Blue Pill technology does not rely on any bug [like buffer overflow] of the underlying operating system [,but just exploits some design flaw]. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform... This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica. (Joanna Rutkowska's Blog)

I decided to implement Blue Pill on AMD64 processor and I spent my time on doing this... Indeed it *seems* possible to implement Blue Pill on Intel VT, but I haven't done this yet... Also, at Black Hat there will be another presentation, by Dino Dai Zovi, about VT based malware. But I don't know if (and how) Dino's work is similar to Blue Pill or not. (her blog's comments)

Generic detection could be written for the virtual machine technology, then Blue Pill can be detected, but it also means that Pacifica is "buggy."... Blue Pill does *not* rely on any bug in Pacifica neither in OS... Blue Pill uses only the documented features of Pacifica.. (her blog's comments)

Blue Pill is being developed exclusively for COSEINC Research and will not be available for download... Papers about blue pill (and more details) will be available after SyScan and Black Hat USA conferences... or to get more details you have to either come to SyScan or Black Hat ;) (her blog's comments)

I think it is not theoretically new. It is something like defective firmwares, CPU-level instead. [I don't want to separate the words 'bug' and 'flaw'.] Sure this is a security flaw (bug) but not something like buffer-overflows. This bug is here because of poor design. If buffer overflow is like a break in a wall(!), these bugs are similar to lack of the wall itself!

I also think that '100% undetectable' is unreal. By the way we will wait for the presentation.

See Kurt Wismer's post: 'the blue pill is NOT 100% undetectable'

Secure Browsing Mode (SBM v1.2)

2006-06-29T04:39:00.000-07:00

It is widely accepted today that web applications are inherently insecure. A lot of energy was invested in the past years into making web applications more secure, but there is only so much we can do with the fundamentally insecure foundation. This brief document proposes a set of possible browser improvements that would allow us to establish, gradually, a secureenvironment for web applications.

As you know TCP/IP is insecure because the creators didn't think about its future growth. It is badly designed if you believe in security. If we want to be pragmatic and not make dreams about some better alternative for TCP/IP - which is impossible at least for now -, we can work on some minor security improvements in some parts for example web applications. Read this article (pdf file) written by Ivan Ristic. This article's main goal is to:

1. Reduce impact of insecure web applications by making the client devices more
security-savvy.
2. Create new, well-designed, standards to replace current insecure practices

I alse saw a presentation pdf file named "Case Studies in Finding Previously Unknown Vulnerabilities in Web Applications" in Kenneth Belva's Blog
which lists the main points to consider while developing webbased applications - but in the opposite aspect!

'Detailed Exploit' Published for Critical Windows Flaw (RASMAN)

2006-06-28T07:12:00.000-07:00

In an unusual move, Microsoft has released a formal security advisory to warn of the publication of "detailed exploit code" that targets a critical Windows vulnerability. (eweek)

Read this eweek article. See mataspolit response to microsoft's move.

Although this exploit (microsoft Bulletin MS06-025) mostly affects Win2K (critical) and its hardly enough for win2K3 or XP (important) but the way microsoft choosed to response is odd and funny even if microsoft afraids that this may cause writing a world-spreed worm. I believe in "full disclosure" philosophy that its final result is to force the programmers to write safer codes - instead of praying for regular security patches. I also don't prefer "responsible disclosure" because it is not so effective -and cutting- compared to the former.

Fuzzers and Fuzzing (Fuzz testing)

2006-06-27T06:17:00.000-07:00

Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct...
However, fuzz testing is not a substitute for exhaustive testing or formal methods: it can only provide a random sample of the system's behavior, and in many cases passing a fuzz test may only demonstrate that a piece of software handles exceptions without crashing, rather than behaving correctly. Thus, fuzz testing can only be regarded as a proxy for program correctness, rather than a direct measure, with fuzz test failures actually being more useful as a bug-finding tool than fuzz test passes as an assurance of quality. (wikipedia)

[I wrote this post to answer someone's question.] While seeking an intro article to help you start learning something, wikipedia.org and del.icio.us worth checking. I also recommend This wiki for fuzzers. It is a good gateway if you follow the links.

See also:
http://del.icio.us/search/?all=fuzzer
http://del.icio.us/tag/fuzzing
http://en.wikipedia.org/wiki/Fuzzing
http://en.wikipedia.org/wiki/Black_box_testing

Where is Nessus 3+ going?

2006-06-26T02:40:00.000-07:00

No more source code!! Binary packages only (now):

- Linux : Fedora FC4 & 5, Red Hat Enterprise 3 & 4, SuSE 9.3 & 10, Debian 3.1 (i386)
- FreeBSD : FreeBSD 5 & 6 (i386)
- Solaris : Solaris 9 & 10 (sparc)
- Mac OS X : Mac OS X 10.4 (intel & ppc)
- Windows : Windows 2000, XP and 2003 (32 bits)

Yes, windows! Nessus(beta) for windows! Not OpenBSD, not NetBSD... Sure windows is more important compared openbsd - if you see from a scriptkiddy's point of view.

F******