Cyber Warfare Quote
"Traceroute works both ways" aka "If the enemy is in the range, so are you."

⁂
Fai_Ryy
PUT YOUR BEARD IN MY MOUTH
"I'm Dorothy Gale from Kansas"
h
Cosimo Galluzzi

Love Begins
Misplaced Lens Cap

❣ Chile in a Photography ❣
No title available
wallacepolsom

oozey mess

@theartofmadeline
let's talk about Bridgerton tea, my ask is open
Jules of Nature
Monterey Bay Aquarium
Peter Solarz
Claire Keane

Kaledo Art

No title available
seen from United States
seen from Türkiye
seen from Italy

seen from Uruguay

seen from Uruguay
seen from United States
seen from United States
seen from Sweden
seen from United States

seen from United States
seen from United States
seen from United States
seen from United States
seen from United States
seen from United States

seen from United States
seen from United States
seen from United States
seen from United States

seen from United States
@metasecurity-blog
Cyber Warfare Quote
"Traceroute works both ways" aka "If the enemy is in the range, so are you."
Microsoft has released their security intelligence report #10.
Here are some of the highlights.
First, Windows 7 is reported to have the lowest infection rate (what a surprise ;-). Second, Brazil is number two (after the U.S.) in terms of the number of reported infected hosts. Third, Trojans (31.6%) and Worms (24.4%) are among the top three in terms of most prevailing threats, way above exploits (7.1%), backdoors (6.6%), and viruses (5.9%)
In case you wanted to read on, the complete report can be found here: http://www.microsoft.com/security/sir/
Security Cartoon of the Day
Highlight: Zeus Trojan Source Code
The Zeus trojan source code has just been released.
Having taken a brief look at the source code, what's interesting is how well commented the source code is. The comments are in Russian, too.
Here is an actual fragment of the source code:
[axed]
/*
Создание списка доступных ботнетов в THEME_DIALOG_ITEM_LISTBOX. IN $currentBotnet - string, имя текущего ботнета или '', если ботнет не определен. IN $advQuery - дополнительные данные в HTTP-запросе смены ботнета. Return - string, ListBox с именем 'botnet' и кнопкой смены ботнета. */ function botnetsToListBox($currentBotnet, $advQuery) { $advQuery = htmlEntitiesEx($advQuery); $botnets = str_replace(array('{NAME}', '{WIDTH}'), array('botnet', 'auto'), THEME_DIALOG_ITEM_LISTBOX_BEGIN).str_replace(array('{VALUE}', '{TEXT}'), array('', LNG_BOTNET_ALL), THEME_DIALOG_ITEM_LISTBOX_ITEM); if(($r = mysqlQueryEx('botnet_list', 'SELECT DISTINCT `botnet` FROM `botnet_list`')))while(($m = @mysql_fetch_row($r)))if($m[0] != '') { $botnets .= str_replace(array('{VALUE}', '{TEXT}'), array(htmlEntitiesEx(urlencode($m[0])), htmlEntitiesEx(mb_substr($m[0], 0, BOTNET_MAX_CHARS))), strcmp($currentBotnet, $m[0]) === 0 ? THEME_DIALOG_ITEM_LISTBOX_ITEM_CUR : THEME_DIALOG_ITEM_LISTBOX_ITEM); } $botnets .= THEME_DIALOG_ITEM_LISTBOX_END.THEME_STRING_SPACE. str_replace(array('{TEXT}', '{JS_EVENTS}'), array(LNG_BOTNET_APPLY, ' onclick="var botnet = document.getElementById(\'botnet\'); window.location=\''.QUERY_STRING_HTML.$advQuery.'&botnet=\' + botnet.options[botnet.selectedIndex].value;"'), THEME_DIALOG_ITEM_ACTION); return $botnets; }
At the same time, there are many parts to the trojan and their code looks rather different, almost like different parts were developed by different people:
/* œÓÚÓÍ ‰Îˇ ‰Îˇ ÒÓÁ‰‡Ìˡ ·˝ÍÓÌÂÍÚ‡. IN p - BCDATA. Return - 0. */ static DWORD WINAPI procConnection(void *p) { CoreHook::disableFileHookerForCurrentThread(true); ThreadsGroup::GROUP group; BCDATA *bcData = (BCDATA *)p; ThreadsGroup::_createGroup(&group); WDEBUG0(WDDT_INFO, "Started."); //œÓÎÛ˜‡ÂÏ ÔÓÚ Ò‚ËÒ‡ DWORD servicePort = 0; if(CWA(kernel32, lstrcmpiA)(bcData->servicePort, "socks") == 0) { servicePort = SERVICE_PORT_SOCKS; } # if(BO_VNC > 0) else if(CWA(kernel32, lstrcmpiA)(bcData->servicePort, "vnc") == 0) { servicePort = SERVICE_PORT_VNC; }
The comments do not really look like Russian to me. This could be one of the libraries used by Zeus, but a more detailed analysis is needed to be sure.
Security Cartoon of The Day
5 Simple Tips to Improve Security of Your Systems
Fail Safely. Ensure systems you have (or design) fail in a secure way. Avoid growing monocultures.
Least Privilege Rule (LPR). When it comes to giving privileges to entities, use LPR. Give a user just enough privileges to do the job required.
Chokepoints [sic]. Establish traffic chokepoints (!=checkpoints) on your network and use them to control potential attacks by only allowing traffic to go through the chokepoints.
Multilayered Defense aka Defense-in-Depth. Do not rely on a single layer of protection. Use multiple ones.
Secure Path-of-Least-Resistance (PLR). Typically, PLR is what attackers leverage to get you exploited. Make sure you know what your PLRs are, and make them more difficult for attackers to exploit (see above).
IDS/IPS and VM/Cloud Migration
How many of you have ever used Clonezilla to move your servers to a VM setup quickly?
What happened to your IDS/IPS? Have those been repositioned accordingly?
To illustrate, if you have a network-based IPS that see traffic between hosts A, B, and C, by inspecting the appropriate LAN segment, once the hosts are moved to a VM environment, you are going to lose that visibility.
As a result, an attacker who compromises VM A can move on to VM B, and VM C, and your network-based IPS is not going to see anything!
But lets say you also had host-based IPS on VM A, VM B, and VM C. Is this going to be sufficient?
Well, not really, because an attacker can break out of the VM into the host OS using one of the known vulnerabilities.
For instance, CVE-2009-1244 (implemented in Canvas as cloudburst since 2009) or the Core Impact's VMware shared folders module let attacker make changes on the host OS of your VM environment from inside your guest VM A, B, or C.
Is there anything you can do?
First thing I'd recommend is positioning your IDS/IPS such that traffic between your VMs can be inspected. You can configure several virtual networks in VMWare to do so.
In terms of protecting host-based IDS/IPS, there is an insightful paper by Garfinkel and Rosenblum on migrating your IDS/IPS outside of VM while retaining visibility:
http://suif.stanford.edu/papers/vmi-ndss03.pdf
It's been a while but I still have not seen a commercial version of this yet. If you know of one, let me know.
Tools: BTv5 and Metasploit v3.7.0 Released
In case you have not noticed, BTv5 and MSF v3.7.0 have just been released.
BTv5:
Details covered in earlier post:
http://metasecurity.tumblr.com/post/5158542397/tool-backtrack-v5-may-0-10th-2011
Metasploit v3.7.0:
35 new exploits, 17 post-exploitation modules, and 15 auxiliary modules have been added since the last release.
http://blog.metasploit.com/2011/05/metasploit-framework-370-released.html
Spotlight: OpenVAS and its NVT feed
So here we have it, an open-source vulnerability assessment framework with over 20,000 network vulnerability tests (NVTs) up to January 2011.
Is it really as exciting as it sounds? Lets see what the NVTs they use look like. Here is a relevant fragment:
# OpenVAS Vulnerability Test # $Id: cvstrac_ticket_title.nasl 10679 2011-04-03 17:08:54Z jan $ # Description: CVSTrac ticket title arbitrary command execution # Copyright (C) 2004 David Maciejak # port = get_http_port(default:80); kb = get_kb_item("www/" + port + "/cvstrac" ); if ( ! kb ) exit(0); stuff = eregmatch(pattern:"(.*) under (.*)", string:kb ); version = stuff[1]; if(ereg(pattern:"^(0\.|1\.(0|1\.[0-3]([^0-9]|$)))", string:version)) security_hole( port );
Looks very much like Nessus.
I've got to say that I've always been somewhat sceptical about the approach used by Nessus and the likes where they perform a vulnerability assessment by merely checking software versions.
This is because the fact that a system reports a particular software version does not necessarily mean the system is vulnerable. In fact, back in the days, many of the people I knew intentionally changed versions in software banners (e.g. Sendmail, FTP servers etc) to mislead potential attackers.
Tool: SWF Reverse Engineering Tools (SWFRETOOLS)
One more toolkit that can be used to understand what an Adobe Flash SWF file does. The toolkit includes the following components:
Flash Dissector: Binary viewer for SWF files
SWF Parser: Build your own tools using this parser
Minimizer: Automatically minimize crashing SWF files
FP Debugger: Trace the Flash Player dynamically
StatsGenerator: Generate stats over SWF files
The latest version of the toolkit can be downloaded at:
https://github.com/sporst/SWFREtools
Security Cartoon of the Day
News Highlights: LastPass Hacked
IOU. http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html
They claim that, if a strong master password was used, users should not be impacted. Tell you what--to me, this feels like an attempt to downplay the seriousness of the issue.
Still, if you were thinking of starting using LastPass, this would be a good time to do it. I am serious (see my earlier post on procrastination).
I would not sign up right away, but after a month or so, I think it would be reasonable. Why?
My hypothesis is that after a major security breach like that, they would actually be more cautious about security for some time.
(An interesting question would be how long do companies remain on "high alert" after a major security breach like that? EMC, anyone?)
While I would not bet on putting critical passwords in the hands of a third-party service like LastPass anytime soon, I think starting to store low importance passwords to, say, Web forms, or some non-essential Web sites would be a good idea.
Wilco.
Tool: Backtrack v5 - May 0+10th, 2011
Gents, mark your calendars--BTv5 is scheduled to be released on May 10th, 2011.
This one will be based on Ubuntu LTS 10.04 with support for both 32- and 64-bit arc-s and KDE4, Gnome, and Fluxbox desktop environments.
This is going to be the first release to include the full source code.
One-liner: Establish a VPN Between Two Hosts Behind NAT (Case 1)
If you've ever tried to connect two hosts A and B that are both behind NAT, you probably know that most solutions require having a third server in the middle with a real IP address.
But what if you do not have access to a server with a real IP address? Can you still connect two hosts that are behind NAT?
Well, turns out that in some cases you can. Here is a one liner that's going to do the trick for you. The one-liner is going to use a free script to punch a hole in NAT called nat-traverse.pl. The script can be downloaded at http://linide.sourceforge.net/nat-traverse.
After downloading and installing the script, run this on host A:
a# ./nat-traverse.pl 7000:`curl checkip.dyndns.org 2>&1|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'|tail -1`:7002 --cmd="pppd updetach noauth passive notty ipparam vpn 10.10.10.1:10.10.10.2"
Run this on host B:
b# ./nat-traverse.pl 7002:`curl checkip.dyndns.org 2>&1|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'|tail -1`:7000 --cmd="pppd nodetach notty noauth"
Here is how it works.
First, you'll want to determine the external IP used by your NAT device. This is done by the following part of the command above:
curl checkip.dyndns.org 2>&1|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'|tail -1
The external IP is then passed as input to the ./nat-traverse.pl script.
The nat-traverse script is going to punch a hole in your NAT device by sending ten UDP packets on ports {7000,7002}, and, if everything works, establish a PPP session (-cmd parameter).
Keep in mind that this approach works for NAT devices that do not change port numbers corresponding to IP addresses.
There are other approaches to address the issue. I'll cover some more approaches and examples later.
Enjoy!
Security Cartoon of the Day
XXXXX SSH Fingerprints: From 2001 to 2011
I intentionally hid the first word to see for how many of you this is going to ring a bell in 2011.
How often do you see this in your day-to-day activity?
$ ssh gameshow@host The authenticity of host ’gameshow (x.y.z.a)’ can’t be established. RSA key fingerprint is 1e:b1:16:4b:47:0c:9c:c2:2f:e2:26:4b:69:b6:66:e1. Are you sure you want to continue connecting (yes/no)?
I personally still see this SSH warning every once in a while, especially when I update an SSH key or add a new host.
Most of us would type 'yes', some of the more paranoid ones would also run:
$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub 1024 1e:b1:16:4b:47:0c:9c:c2:2f:e2:29:4b:96:b6:66:e1 /etc/ssh/ssh_host_dsa_key.pub (DSA)
and then eyeball the fingerprint quickly to make sure this is not a Man-in-the-Middle attack.
So everything looks fine, right?
Not quite. If you look more closely, you'll see that some numbers are different (hint-fourth number from the right) that can be used by a Man-in-the-Middle attacker
This is a fuzzy SSH fingerprint. The idea was first described as far back as 2001.
There was even a utility released called 'ffp' to automate fuzzy fingerprint generation:
http://www.thc.org/thc-ffp/
It is 2011 now. Has anything changed? How many people are aware of this attack now?
Has anyone run this through a diff rather than simply eyeballing the string? Duh.
The point of this exercise was not to dust off an old attack, but to highlight the need for us to take into account our legacy.
Some say that the history of Computer Security begins with the polish cryptologists breaking the Enigma code back in 1932.
To me, it all began around 1965 when Mathews from MIT found a first Multics vulnerability, disclosing the contents of a password file by running multiple instances of an editor at the same time with the same temporary file name used.
If the length of a human generation is about 30 years, we almost half way into the second generation, people. I think it is about time for things to get better!
The Art of Security Procrastination
I've recently read an excellent book called "Predictably Irrational" by Dan Ariely.
The thoughts in the book resonated with some recent thoughts I had about how most of us approach security.
There is a view that most people wait until they are pwned before they start taking action to protect themselves.
The relevant quote from Oscar Wilde would be: "I never put off until tomorrow what I can do the day after."
Is it because they perceive the risk of a compromise as low e.g. "this is not going to happen to me"?
Can this be directly correlated with a general tendency to procrastinate that many people have?
One of the examples Dan provides is doing all the required health exams ahead of time to avoid issues in the future.
Most of us understand that health is important, and that prevention is better than cure, right?
Yet getting to a health check requires additional effort, getting up in the morning, fasting, and so forth, so we procrastinate.
One approach could be to make health exams mandatory across the state. According to Dan, this would make us more likely to come to tests.
However, this would also limit our freedom of choice; does not seem like a good thing.
Another approach he examines is agreeing to pay a doctor a deposit of $100 for a test, and getting a refund only if we show up for a test.
According to his experiments, this works much better, at least based on scenarios with MIT students, who tend to procrastinate otherwise.
Can we make people commit to regular security checks by having them make a deposit of say $100 refundable only if they started using, say, LastPass, or another password manager to generate and manage their passwords?
Of course, one can say that health is everything, and information security probably has less of a direct impact on our lives.
Well, come to think of it, we are at a point where we increasingly see that there can be more to a security compromise than just getting a shell or stealing credit card information. Stuxnet, anyone?
Anyway, all psychobabble aside, I think the gist of it is that pain avoidance is a much stronger motivator for most people than pleasure. Would you agree?