Finjan Web Security Trends Report - Q3/2007

Finjan has released its Web Security Trends Report - Q3/2007 (PDF) and I found it quite interesting to read.

One of the innovative pieces of research presented in the report is the security model of, and the risk posed by, the various widgets which seem to be the hottest trend in GUI design. Whether built for the WWW, Windows Vista or the Macintosh OS X Dashboard, widgets are everywhere, and Finjan found vulnerabilities in widgets and gadgets that enable attackers to gain control of user machines.

This report also presents a detailed analysis of a very special kind of malware: the financial data trojan, which gets activated whenever a user does internet banking or logs in to a financial institution's website. "Financially-focused crimeware – what happens when a trojan goes phishing" shows the whole crimeware trojan workflow step by step:

  1. Detect login page to a financial service
  2. Send the login credentials to the financial service as well as the crimeware server
  3. Crimeware server response contains custom designed page to get more sensitive information (designed for the service provider)
  4. Crimeware on infected PC injects the custom page into the browser (which is already connected via SSL to the financial provider)
  5. Victim enters sensitive data into customized form
  6. Crimeware sends customized form data to crimeware server
  7. Crimeware gets the financial service response to the original login credentials and shows it in the browser.
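Steps 2 and 6 both send form data to the bank and, moments later, to the crimeware server. As an added example (mine, not from Finjan's report), here is a detector for that pattern over constructed proxy log lines; the host names, the log format and the allow list are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines: "<iso-time> <client> <method> <host>".
PROXY_LOG = """\
2007-08-27T09:00:01 pc-17 GET bank.example
2007-08-27T09:00:05 pc-17 POST bank.example
2007-08-27T09:00:06 pc-17 POST cdn-stats.example
2007-08-27T09:00:40 pc-17 POST bank.example
2007-08-27T09:00:41 pc-17 POST cdn-stats.example
2007-08-27T09:05:00 pc-22 POST bank.example
2007-08-27T09:05:30 pc-22 GET news.example
"""

# Constructed allow list of the financial hosts we care about.
FINANCIAL_HOSTS = {"bank.example"}


def flag_shadow_posts(log_text, window=timedelta(seconds=5)):
    """Return [(client, host, count)] for clients whose POST to a financial
    host is followed within `window` by a POST to a host outside the list.

    Step 2 of the workflow sends the credentials to the bank *and* to the
    crimeware server; step 6 repeats this for the injected form. From the
    proxy's point of view that is a pair of POSTs from one client, a few
    seconds apart, one of them to an unexpected destination.
    """
    last_bank_post = {}  # client -> time of its most recent POST to a bank
    hits = {}            # (client, host) -> number of shadow POSTs seen
    for line in log_text.splitlines():
        ts, client, method, host = line.split()
        if method != "POST":
            continue
        t = datetime.fromisoformat(ts)
        if host in FINANCIAL_HOSTS:
            last_bank_post[client] = t
        elif client in last_bank_post and t - last_bank_post[client] <= window:
            hits[(client, host)] = hits.get((client, host), 0) + 1
    return [(c, h, n) for (c, h), n in hits.items()]


if __name__ == "__main__":
    print(flag_shadow_posts(PROXY_LOG))  # [('pc-17', 'cdn-stats.example', 2)]
```

Treat hits as leads rather than verdicts: legitimate banking pages also fire POSTs to analytics hosts right after login, so the destination's reputation and the size of the second POST are the next things to check.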

Get a copy of this report here.

If you enjoyed this post, make sure you subscribe to my RSS feed!

2007 Best of Open Source in Security Awards

I'm reading today that InfoWorld has announced the 2007 Best of Open Source in Security Awards and, as far as I can see, nothing new showed up in the awards list.

The award categories include vulnerability scanning, intrusion prevention, anti-virus, anti-spam, firewalls, VPNs, and security testing.

In security, open source rushed in because commercial vendors fell down on the job. As security problems in the enterprise outstripped the capabilities of commercial solutions, a number of talented security researchers stepped into the breach via the open source model.

As expected, the winners within each category are well established, widely used open source applications with millions of daily users. It's really a tough job for a new open source application to make it onto the short list of nominees.

Without further ado, here is the Best of Open Source in Security list:

Security Tools Fast Links 1

Catching up with my email I came across a few tools which deserve a separate post each, so I thought I'd just dump them in this post so I can pick them up from here. Or not, depending on my availability :)

Here it goes:

Reflector for .NET
Reflector is the class browser, explorer, analyzer and documentation viewer for .NET. Reflector lets you easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic and IL.

Security System Analyzer
SSA (Security System Analyzer) is free, non-intrusive, OVAL-compatible software. It provides security testers and auditors with an advanced overview of the security policy level applied.

Echo Mirage
Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network-related function calls so that data transmitted and received by local applications can be observed and modified. Traffic can be intercepted in real time, or manipulated with regular expressions and action scripts.

soapUI
soapUI is a free and open source desktop application for inspecting, invoking, developing, simulating/mocking and functional/load/compliance testing of web services over HTTP.

Any good / bad experiences with any of them?

WASC Script Mapping Project extends RSnake XSS Cheat Sheet ?

On Aug. 27, WASC released the Script Mapping Project, which is intended to be an exhaustive reference on XSS vectors.

The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an html white list system, as well as other uses.

What I fail to understand is why WASC didn't include RSnake's excellent XSS Cheat Sheet as a starting point. It's not like they would be the first: OWASP already quotes RSnake's work as a valuable resource.

So I would say it's either re-inventing the WASC-branded wheel of the XSS Cheat Sheet, or it's my blissful ignorance (there are no files released so far). I guess we'll see how (counter)productive this initiative proves to be in time.

New Release : Tiger 3.2.2 , the Unix Security Audit Tool

Following the Freshmeat email about the release of version 3.2.2 of the Tiger security tool, I decided to install it and see what can be done with this security scanner.

About:
TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.

Tiger is already in the main Debian repository and installing it is a breeze:

apt-get install tiger 

It's worth noting that Debian's TIGER incorporates new checks primarily oriented towards the Debian distribution, including:

  • md5sums checks of installed files,
  • location of files not belonging to packages,
  • check of security advisories,
  • analysis of local listening processes.

After a quick browse of the manpage I fired up tiger, eagerly waiting to see the security checks and the security posture of my system according to best practices and standards.

root@dragos-laptop:~/work/tiger# tiger -l /home/dragos/work/tiger -E -H
Tiger UN*X security checking system
   Developed by Texas A&M University, 1994
   Updated by the Advanced Research Corporation, 1999-2002
   Further updated by Javier Fernandez-Sanguino, 2001-2005
   Covered by the GNU General Public License (GPL)

Configuring…

Will try to check using config for 'i686' running Linux 2.6.20-16-generic…
--CONFIG-- [con005c] Using configuration files for Linux 2.6.20-16-generic. Using
           configuration files for generic Linux 2.
Tiger security scripts *** 3.2.1, 2003.10.10.18.00 ***
Output Mode is HTML
23:31> Beginning security report for dragos-laptop.
23:31> Starting file systems scans in background…
23:31> Checking password files…
23:31> Checking group files…
23:31> Checking user accounts…
23:31> Checking .rhosts files…
23:31> Checking .netrc files…
23:31> Checking ttytab, securetty, and login configuration files…
23:32> Checking PATH settings…
23:32> Checking anonymous ftp setup…
23:32> Checking mail aliases…
23:32> Checking cron entries…
23:32> Checking 'services' configuration…
23:32> Checking NFS export entries…
23:32> Checking permissions and ownership of system files…
--CONFIG-- [con010c] Filesystem 'fuseblk' used by '/dev/disk/by-uuid/3AD8049CD8045891' is not recognised as a local filesystem
23:32> Checking for indications of break-in…
--CONFIG-- [con010c] Filesystem 'fuseblk' used by '/dev/disk/by-uuid/3AD8049CD8045891' is not recognised as a local filesystem
23:32> Performing rootkit checks…
23:32> Performing system specific checks…
23:36> Performing root directory checks…
23:36> Checking for secure backup devices…
23:36> Checking for the presence of log files…
23:36> Checking for the setting of user's umask…
23:37> Checking for listening processes…
23:37> Checking SSHD’s configuration…
23:37> Checking the printers control file…
23:37> Checking ftpusers configuration…
23:37> Checking NTP configuration…
23:37> Waiting for filesystems scans to complete…
23:37> Filesystems scans completed…
23:37> Performing check of embedded pathnames…
23:37> Security report completed for dragos-laptop.
Security report is in `/home/dragos/work/tiger/security.report.dragos-laptop.070827-23:31.html'.

The report was loaded with non-compliance warnings and failures, so I extracted only the failures:

FAIL [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600
FAIL [lin013f] The system is not protected against Syn flooding attacks
FAIL [lin014f] The system permits the transmission of IP packets with invalid addresses
FAIL [lin016f] The system permits source routing from incoming packets
FAIL [lin019f] The system does not have any local firewall rules configured
FAIL [dev002f] /dev/log has world permissions
FAIL [logf005f] Log file /var/log/btmp permission should be 660
FAIL [ssh005w] Cannot find a configuration file for SSH.
FAIL [netw020f] There is no /etc/ftpusers file.

Not so bad considering the brutal way I manage my workstation :) However, I'm very interested in hearing about other experiences you have had with this GPL security audit tool.
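To re-check the kernel settings and file modes behind those FAIL lines after fixing them, here is an added example of my own (not Tiger's code): it reads `sysctl -a` style output and stat modes, both constructed here. Which sysctl key each lin0xx check corresponds to is my mapping, not taken from Tiger's scripts.

```python
import re
import stat

# Expected values, keyed by the check id Tiger printed. Which sysctl key each
# lin0xx check inspects is my mapping, not taken from Tiger's own scripts.
SYSCTL_EXPECTED = {
    "lin013f": ("net.ipv4.tcp_syncookies", "1"),                # SYN flood protection
    "lin014f": ("net.ipv4.conf.all.rp_filter", "1"),            # drop spoofed sources
    "lin016f": ("net.ipv4.conf.all.accept_source_route", "0"),  # refuse source routing
}
# Strictest permission bits each file may carry, from the FAIL lines above.
MODE_EXPECTED = {
    "boot02": ("/boot/grub/menu.lst", 0o600),
    "logf005f": ("/var/log/btmp", 0o660),
}


def parse_sysctl(text):
    """Parse 'key = value' lines, as printed by `sysctl -a`, into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(sysctl_text, modes):
    """Return the check ids that would still FAIL. `modes` maps a path to its
    st_mode (e.g. os.stat(path).st_mode); a file fails when it carries any
    permission bit beyond the expected ones."""
    settings = parse_sysctl(sysctl_text)
    failed = [cid for cid, (key, want) in SYSCTL_EXPECTED.items()
              if settings.get(key) != want]
    failed += [cid for cid, (path, want) in MODE_EXPECTED.items()
               if path in modes and stat.S_IMODE(modes[path]) & ~want]
    return failed


# Constructed sample: SYN cookies fixed, nothing else touched yet.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 1
"""
SAMPLE_MODES = {
    "/boot/grub/menu.lst": 0o100644,  # still world-readable, as Tiger reported
    "/var/log/btmp": 0o100660,        # already 660
}
print(audit(SAMPLE_SYSCTL, SAMPLE_MODES))  # ['lin014f', 'lin016f', 'boot02']
```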

Download Tiger Security Audit and Intrusion Detection Tool

Second PHP IDS in 3 months released by CoreLabs

CORE GRASP for PHP is a web-application protection software aimed at detecting and blocking injection vulnerabilities and privacy violations.
As mentioned during its presentation at Black Hat USA 2007, GRASP is being released as open source under the Apache 2.0 license and can be obtained from http://grasp.coresecurity.com/.

The present implementation protects PHP 5.2.3 against SQL-injection attacks for the MySQL engine. It can be installed with almost the same effort as the PHP engine, on both Unix and Windows systems, and protection is immediate for any PHP web application running on the protected server.

CORE GRASP works by enhancing the PHP execution engine (VM) to permit byte-level taint tracking and analysis for all the user-controlled or otherwise untrustworthy variables of the web application. Tainted bytes are then tracked and their taint marks propagated throughout the web application's runtime. Whenever the web application tries to interact with a DB backend using SQL statements that contain tainted bytes, GRASP analyzes the statement and detects and prevents attacks or abnormal actions.
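To make the byte-level idea concrete, here is an added toy of my own (not GRASP's code or API): every byte of a string carries a taint mark that survives concatenation, and a query is rejected when a tainted byte ends up outside a quoted literal, i.e. where it would change the statement's structure. The `Tainted` class and `build_login_query` are my illustrations.

```python
class Tainted:
    """A string whose every byte carries a taint mark (True = user-controlled)."""

    def __init__(self, text, tainted=False):
        self.text = text
        self.marks = [tainted] * len(text)

    def __add__(self, other):
        # Taint marks propagate byte-for-byte through concatenation.
        if not isinstance(other, Tainted):
            other = Tainted(other)
        out = Tainted(self.text + other.text)
        out.marks = self.marks + other.marks
        return out


def sql_has_tainted_structure(t):
    """Return True if any tainted byte lies outside a single-quoted literal.

    Tainted bytes inside quotes are data. Tainted bytes outside quotes would be
    parsed as keywords, operators or comments, so an attacker has altered the
    query's structure. A tainted quote character is flagged too, since it
    closes the literal (a real engine would untaint properly escaped quotes).
    """
    in_string = False
    for ch, tainted in zip(t.text, t.marks):
        if ch == "'":
            if tainted:
                return True
            in_string = not in_string
        elif tainted and not in_string:
            return True
    return False


def build_login_query(user, password):
    # The vulnerable pattern GRASP guards: untrusted input concatenated into SQL.
    q = Tainted("SELECT id FROM users WHERE name = '")
    return q + Tainted(user, True) + "' AND pw = '" + Tainted(password, True) + "'"


if __name__ == "__main__":
    print(sql_has_tainted_structure(build_login_query("alice", "s3cret")))          # False
    print(sql_has_tainted_structure(build_login_query("alice' OR '1'='1", "x")))    # True
```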

Well, the first PHP IDS / IPS security tool was released just a couple of months ago. Slowly but steadily, protection is moving away from secure coding of the application into additional, external security layers. Is this such a good thing?

Starting A Computer Security Incident Response Team ?

In case you needed a place to start in evaluating the steps required for building a Computer Security Incident Response Team (CSIRT), look no further. CERT/CC has released the Action List for Developing a Computer Security Incident Response Team (CSIRT).

This document provides a high-level overview of actions to take and topics to address when planning and implementing a Computer Security Incident Response Team (CSIRT).

It also identifies some common problems teams may encounter in their implementation. The list draws on material presented in depth through CERT training courses and publications, and incorporates lessons learned by staff during their experiences planning and implementing CSIRTs. Use this list as a starting point to plan a CSIRT.

More detailed information can be found in the list of resources at the end of this article. (pdf version)

SideJacking - Stealth WiFi Attack

One new word I learned this year from the BlackHat conference is SideJacking. You are vulnerable to this attack whenever you use a public WiFi hotspot to access your unencrypted HTTP applications (such as webmail), as demonstrated by Robert Graham, CEO of Errata Security.

SideJacking is about sniffing HTTP traffic and cloning whatever cookies are exchanged between the browser and the server. In this way the attacker can clone your session IDs and eventually hijack your account.

What's truly scary is how stealthy the whole process is: because of the way HTTP works, the server has no way to tell the difference between legitimate requests and cloned requests. This way you might get the surprise of seeing some new emails in the "Sent" folder of your webmail, and it's virtually impossible to deny the fact that you sent those emails.

The attack is carried out using a custom-made sniffer called Ferret which dumps session data to a file. Hamster is the second tool; it reads the Ferret dump and opens up a local proxy which enables you to sidejack any sniffed session.

This I would call a nice Man-in-the-Middle attack :) The tools are released freely on the author's blog.
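Since the server cannot tell a cloned cookie from the real one, the signal has to come from elsewhere. As an added example of my own (not from the post or from Errata Security's tools), here is a check over constructed access log lines that flags a session id used from more than one client address within a short window; the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<iso-time> <client-ip> sid=<session-id> <user-agent>"
LOG = """\
2007-08-27T23:31:02 10.0.0.5 sid=ab12 Firefox/2.0
2007-08-27T23:31:40 10.0.0.5 sid=ab12 Firefox/2.0
2007-08-27T23:32:10 10.0.0.9 sid=ab12 Firefox/2.0
2007-08-27T23:33:00 10.0.0.7 sid=cd34 Safari/3.0
2007-08-28T01:10:00 10.0.0.8 sid=cd34 Safari/3.0
"""
LINE = re.compile(r"(\S+) (\S+) sid=(\S+) (.+)")


def find_shared_sessions(log_text, window=timedelta(minutes=10)):
    """Return {session_id: sorted client IPs} for every session seen from two
    different client IPs within `window` of each other. A sniffed cookie is
    replayed while the victim is still using it, so the two sources overlap
    in time; a slow change of address (new DHCP lease, going home) does not."""
    seen = defaultdict(list)  # session id -> [(time, ip)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ip, sid, _ua = m.groups()
        seen[sid].append((datetime.fromisoformat(ts), ip))
    suspicious = {}
    for sid, events in seen.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                suspicious[sid] = sorted({ip for _, ip in events})
                break
    return suspicious


if __name__ == "__main__":
    print(find_shared_sessions(LOG))  # {'ab12': ['10.0.0.5', '10.0.0.9']}
```

This only spots a replay after the fact; the fix is to serve the whole session over HTTPS and mark the cookies Secure, so there is nothing in the clear to sniff.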

Aggressive and Effective Spam using Email Attachments

In the wake of the latest PDF / ZIP spam surge, many security analysts and vendors have taken a shot at explaining this phenomenon. One of them is GFI Software, which released an interesting whitepaper called "Attachment spam – the latest trend".

The paper begins with a bit of history on the evolution of spam, which explains how we got to the point today where more than 25% of all spam is carried through email attachments.

Most of this spam is used for pump-and-dump scams involving the stock market and there is a constant battle between the cyber crooks and the anti-spam companies.

The chronological evolution of this kind of spam was : 

  • Embedded images
  • Attached PDF, Excel, Word
  • Zipped attachments containing the PDF, XLS, DOC

The solution lies in a product that deploys as many anti-spam techniques as possible, including Bayesian filtering and filtering for images/text embedded in different file-type attachments, while at the same time maintaining false positives at a minimum.

Download Attachment spam – the latest trend (PDF)

NIST Draft Special Publication 800-113 - Guide to SSL VPNs

NIST has released a new set of computer security recommendations in the form of Draft Special Publication 800-113 - Guide to SSL VPNs.

This publication discusses the fundamental technologies and features of SSL VPNs.

  • It describes SSL and how it fits within the context of layered network security.
  • It presents a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments.
  • It also compares the SSL VPN technology with IPsec VPNs and other VPN solutions.

This information is particularly valuable for helping organizations to determine how best to deploy SSL VPNs within their specific network environments.

Download (PDF) NIST Draft Special Publication 800-113 - Guide to SSL VPNs.
