Network Security World Updates

Final post

2005-11-21T20:14:00.000-08:00

This blog will have no more posts, any security/tech stuff I will be posting on my other blog (namely http://aggarwalnakul.blogspot.com) itself.

Thanks for visiting.

Scholarships Offered For IT Security

2005-09-29T00:41:00.000-07:00

Post-graduate students working on information-security research projects can
qualify for a scholarship of up to $12,500.
The International Information Systems Security Certification Consortium Inc. (Palm Harbor, Fla.) said Tuesday (Sept. 27) it will offer one-year scholarships of up to $12,500 each to four qualifying full-time post-graduate students. Qualified candidates must be pursuing an advanced degree in information security at any
accredited university worldwide.
Applications must be submitted by Nov. 30, 2005.

from EE times via http://www.securitypipeline.com/171201217

Phishing Updates...

2005-09-05T13:46:00.000-07:00

There has been an interesting discussion going on at google groups ... Yahoo - a "Phisher-friendly" domain. The discussion is quite interesting since according to SpamHaus Project details, there has been large number of phishing attacks are going on using yahoo registered servers. Till now, they have found 18 SBL listings under the domain name of yahoo.com
[SBL: The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams]

ADDED on 6th Sep...
Richard Cox, chief information officer of Spamhaus, told an audience of politicians, security experts and law enforcement officials that Yahoo has just under 5,000 domains hosted and registered with the words 'bank', 'eBay' and 'PayPal' within the domain names.Most of those are used as phishing sites.
Read Complete Article

"According to security outfit Postini, there was a 90 per cent reduction in the number of phishing emails in August and the number of viruses dropped by 30 percent from July."
-- INQUIRER
But this doesnt seems the same for September. Why? read below.

While US is suffering from Katrina Hurricane, the scammers/phishers are seeing an oppurtunity for money theft and effecting the PC's via malware installation or viruses. Computer security firm Sophos also warned of an e-mail circulating with news stories inside about the disaster. Clicking on the links in the e-mail takes users to a site that attempts to load virus code onto a user's computer. Articles by Security Pipeline and E-commerce news

Phishing part2..

2005-08-26T12:29:00.000-07:00

I got a new link from Bjorn borg (a researcher from sweden working in this field), a complete tutorial on Phishing.
http://www.pisa.org.hk/event/phishing_exposed.pdf

More news:
1) August 26, 2005 -- Brazil Pinches 85 Phishers
2) August 25, 2005 -- Microsoft to Expand Anti-Phishing Tool

Phishing Survey

2005-08-25T16:39:00.000-07:00

Phishing

Definition:
Phishing is the "art" of fooling people using social engineering and technical subterfuge by sending fake emails, or spam which seems as send by some known organization redirecting them to fake pages; hence getting unauthorized access to people's username, passwords, credit card account information etc.
“Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc.” This is a social engineering attack that targets vulnerable online consumers and, depending on the particular scam, uses weaknesses and exploits in email and web browsers.”

Term origin: It’s derived from fishing where a fisherman uses a lure to attract fish in the same way that the attackers use an email to attract online consumers. Finally the ‘f’’ from fishing has been substituted for with ‘ph’ to form “phishing”. This is in recognition of the original hacking method phreaking. (Dictionary meaning - “phreaking” is where a hacker would take over someone else’s phone line and use it for their own use, including hacking into other computers.)

First incident of Phishing was reported as early as 1998. An example
==
Sector 4G9E of our data base has lost all I/O functions. When your account logged onto our system, we were temporarily able to verify it as a registered user. Approximately 94 seconds ago, your verification was made void by loss of data in the Sector 4G9E. Now, due to AOL verification protocol, it is mandatory for us to re-verify you. Please click 'Respond' and re-state your password. Failure to comply will result in immediate account deletion.
====

A number of examples of phishing with ebay and paypal especially can be seen here.
From individuals or small groups in the starting stage, Phishing has now reached to very advanced stage. Large amount of bulk emails are send everyday, and hacking is going at large scale. Latest being hack of eBay login page, ATM card numbers etc.

Statistics:
The main targets are financial institutions and e-commerce companies, particularly online banks. The top four targets according to the Anti-Phishing Work Group in April 2004 were Citibank, eBay, PayPal and US Bank. The Anti-phishing Workgroup states that 5% of attacks result in identity theft26. A Gartner survey of 5000 estimated the damage from Phishing in 2003 cost US Banks and credit card companies $1.2 billion in 20033. Actual losses are much lower, monetary values of losses are difficult to obtain but Paypals loss rate from fraud is 0.33%. Australian banks have recently put aside $2 million to cover losses from phishing¹. British banks estimated they lost ₤1 million through phishing scams².

Technology:
A web server, a bulk mailing tool, a form e-mail and a database of e-mails would be enough to mount a phishing scam.
The email is branded to look like it’s from the particular financial institution or e-commerce
site and the ‘from’ address is spoofed to appear from that domain. It usually includes an URL, which appears to be linking back to the appropriate site, however the actual link points to the ghosted website.

Techniques:
1) Email
2) Ghost Website (eg. http://www.paypa1.com/)
3) Hiding/spoofing the address bar
a) No SSL padlock
b) javascript
4) Adding Subdomain to the main site
5) PopUp Windows
6) Use of Malware – Trojans, Viruses and Botnets
7) Phishing through Compromised web servers
8) Port redirection -- removing the possibility of backtrack by web server also by redirecting the web server to another web-server.
9) Using botnets

In geek terms, these are done via
1) DNS poisoning
2) Pharming (a guide from NGS softwares )
3) All the antiviruses has inbuilt capabilities to filter spams and some of the phishing attacks.

A white paper from McAfee(PDF:5) gives a detailed graphical and detailed explanation about the current phishing attacks methods. IT even comments
existing counter measures and tells what McAfee has to provide.

COUNTER-MEASURES

1) Phishing scams can be reported through consumer alerts or real-time detection and then companies updates their respective customers about the same and even post about them on their websites.
2) Toolbars – There exist a lot of toolbars and plugins for all the major browsers. A graph with their properties can be seen here:

Source: Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks
3) All the antiviruses has inbuilt capabilities to filter spams and some of the phishing attacks.

RESEARCH:
A lot of research has been encouraged bcoz of the stats as we have seen above. These are briefings of some of them:

1) this paper has introduced a new scheme namely, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. [PDF:2]

2) A contribution of this paper is the description of what we term a context aware phishing attack. [PDF:3]

3) They define five properties of an ideal HIP (Human Interactive Proofs) to detect phishing attacks. The challenge must:
1) be easy for a particular class of computers to pass,
2) be hard for other computers to pass, even after observing a number of successful authentications,
3) produce results that are easy for a human to verify,
4) use a protocol that is publicly available, and
5) not require the user to have specialized tools.
[PDF:4]

4) Complete technical and detailed specs of how phishing is done [PDF:5]

A brief intro about Microsoft Phishing Filter (from Microsoft site)
• Phishing Filter is a feature in Internet Explorer 7.0 that helps determine whether a Web site is legitimate or a so-called phishing Web site.

• Phishing Filter uses three checks to help protect users from phishing scams:
1. It compares the addresses of Web sites that a user attempts to visit to the addresses of sites that have been reported as legitimate. This list is stored on the user's computer.
2. It analyzes sites that a user attempts to visit by checking those sites for characteristics common to phishing sites.
3. If the user chooses, Phishing Filter sends the addresses of Web sites that a user attempts to visit to Microsoft to be checked against a frequently updated list of reported phishing sites.

Future Solutions:
1) Tumbleweed Communications already have a digital signing solution ready to go to market.
2) Microsoft's Caller-ID,
3) the Sender Policy Framework (SPF), and
4) Yahoo! Domain Keys proposals.
5) The Internet engineering Task Force (IETF) has also published an IETF draft to stop source address spoofing.
6) Another area that will become more prominent is the near real-time detection of phishing scams using email scanning and filtering, trademark searches, monitoring of DNS registrations, scanning of front pages.

SOME LINKS:
Detailed explanation of Existing methods and tools
https://antiphishing.kavi.com/events/Conference_Notes/phishing-sfectf-report.pdf
Latest Alert(25/08/2005) --WSLabs, Phishing Alert: Bank of Montreal
http://www.honeynet.org/papers/phishing/
http://antiphishing.org/
http://www.phishreport.net/
http://www.honeynet.org/papers/phishing/details/phishing-background.html
Microsoft Antiphishing Technology
http://crypto.stanford.edu/SpoofGuard/
Identity Theft Via Online Resumes
Identity Theft From servers

Pdfs used:
(1) An analysis of Phishing and possible mitigation strategies
(2) The Battle Against Phishing: Dynamic Security Skins
(3) Modeling and Preventing Phishing Attacks
(4) Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks
(5) Anti-Phishing: Best Practices for Institutions and Consumers

All of these pdf’s can be searched from http://scholar.google.com/

Cyber security

2005-08-16T23:32:00.000-07:00

A lots lots of research is going on in this field. A lot of approaches and technology exists. Most people use one of multiples of them while some of them are research oriented.

1) Firstly most people do use IDS/IPS's and Firewalls at their gateways and web-servers to protect from "bad" people.

2) Many tools exist which tells to which exploits your web server is vunerable to (eg. Cenzic Hailstorm, Nikto - Web Vulnerability Scanner, )

3) Many tools exists which checks the web-applications you have built, and tells the exploits and weaknesses in them. (a tutorial for the same)

4) Then browser based insecurity like exploitation of browser bugs for malware and spyware installation (including phishing attacks, botnets formation, hacking of secret user information etc.). Most of these bugs are fixed/updated regularly by the respective vendors. So, one needs to patch them regularly.

5) Use of honeypots to diverge the focus of hackers is another method used in cyber secure methods.
While research use of honeypots is in the field of generating "hackers" information, the style and way of hacking and the getting info about attacks people have to face in near future.

6) Honeymonkey is new field in this field of security(by M$).Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one.
Honeymonkeys are the chain of computer systems with different patch levels which "patrol" the web to get list of servers which actually exploit the browser vunerabilities and do spyware installtion.

7) New kind of attacks in web include phishing attacks (new in the sense no proper secure approach exists as yet). While much research is going on in this field most of counter attack measures are incorporated in browsers itself.
Even the Latest IE version7, they have implemented the object oriented approach known as CURI. While a lot of plugins for firefox against fishing already exists.

MORE tools and links:
WebGoat is a full J2EE web application designed to teach web application security lessons.

Sygate and ZoneLabs also offering HIP

2005-08-10T10:55:00.000-07:00

Sygate Technologies has unveiled its own form of double-agent on Monday introducing Sygate Enterprise Protection (SEP) 5.0, software with device agents that do double duty by delivering both host intrusion prevention (HIP) and network access control (NAC) to millions of networked devices.
SEP 5.0 now offers

Sygate can block the transfer of data to unauthorized removable media devices including USB keys, iPods, CD/DVD Burners, PCMCIA hard drives, etc
Sygate blocks exploits that target known operating system vulnerabilities such as the RPC DCOM buffer overflow
Sygate’s protection includes the ability to block the exploit of known vulnerabilities in applications such as email, web browsers, and word processors, ensure that only authorized executables and .DLLs
Sygate’s intrusion prevention capabilities include the ability to block known network-based worm and web server attacks

On the contrary, zoneLabs has also launched their new version of firewall i.e. ZoneLabs 6.0 which features

Updates, scans and removes spyware from your PC; integrated with our award-winning antivirus so you can easily manage both in a single, powerful operation.
Goes beyond traditional PC firewalls to protect your entire computer – including your operating system and programs – from hackers, spyware, and other Internet threats
Keeps your computer updated with the latest intelligence on Internet threats gathered from Zone Labs experts and the ZoneAlarm user community.
Protects you from identity theft and online profiling.
Quarantines suspicious attachments to help defend against unknown viruses; automatically halts outbound messages to keep you from accidentally infecting others.
Automatically blocks phishing and junk emails from entering your inbox, protecting you from dangerous scams and annoying spam.
Automatically detects wireless networks and secures your PC from hackers and other Internet threats wherever you're connected—at home or on the road.

Read more from
http://www.securitypipeline.com/168600444?CID=RSSfeed &&
Zone labs on site

Lets see who wins .. while I had tried both and liked both. But in terms of security I prefer sygate but it slows comp like hell while doing some networking stuff. In that way, ZoneLabs is not a bad option.

Signature matching

2005-08-10T10:49:00.000-07:00

In the month of June, I got a project on "signature matching" in network intrusion detection. I know much work has been done already in this field and work is still going on. It forms an important and versatile part of most IDS tools like snort, bro etc.
My main work was to study exisiting methods and implement the best one. What I did first was googling via google and scholar, citeseer etc. and find few papers to begin with.While I got to know two techniques for matching patterns

simple string matching
matching via DFA transitions

Simple string matching is just not the simple iterative i.e. n^2 process to be followed but much research has been done into it already. Their are many efficient ways of doing this in software. ( you can get a lot of papers from scholar)
While much more efficient ways exist in hardware which makes it widely applicable when it comes to inline matching in real time.

While signature matching via DFA is much more interesting since it assumes good knowledge of automata theory, definite finite automata and regular expressions. The problem with this approach is in formation of DFA itself which explodes with the current number of signatures which needs to be incorporated into IDS. The solution to this problem is "Incremental generation of DFA's" which involves the DFA formation just at the stage of mathcing and not once hardcoded and making trasnsitions over it.

The comparsion of the two approaches has been shown in the technical paper of "BRO" which uses the 2nd approach and compares the results with snort which uses the 1st approach. The results shows both the tools are at par with each other but snort havign a upper hand at some points.
But am inclined towards the 2nd approach, and working on it currently lets see if this can give better results.

HAcking with Google vs. Google Hack HoneyPot

2005-08-06T11:53:00.000-07:00

Part1 : Dangerous google
"Dangerous Google – Searching for Secrets", this is the name of the tutorial pdf i got from www.hacking.pl dont remember the exact link now.
I have (may be you too) must have read a lot of articles on tweaks in google. But a lot more has been explained in this tutorial by the author, Michał Piotrowski.

Some of the google operators are:
site:
intitle:
allintitle:
inurl:
allinurl:
filetype:
numrange:
link:
inanchor:
allintext:
+ "search"-- ordering the results in order of no. of occurences of search string
- "search"
* and . -- wildcards for words and a character respectively
-- or
""
=======
A lot of query tables to get access to know about vunerable servers have been disclosed too like:

Google queries for locating various Web servers
Queries for discovering standard post-installation Web server pages
Querying for application-generated system reports
Error message queries
Google queries for locating passwords
Searching for personal data and confidential documents
Queries for locating network devices

And most important of all is the link at the end. Which is the "Google Hacking Database (GHDB)!" , which is called 'googledorks' (gOO gÃ´l'DÃ´rk, noun, slang) : An inept or foolish person as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe! Stop by our forums to see where the magic happens!

Ya I got the link in the history...
http://www.haking.pl/en/attachments/google_en.pdf

Part2: Google Hack HoneyPot
The reply to hackers, who use google to get information which they are not supposed to do, is Google Hack Honeypot(GHH).
GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a “Google Hack” honeypot. It is designed to provide reconaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence.

The project also uses the above defined GHDB for getting signatures. The project is active project and keeps updating the signature database.

Lets see who web developers react to this project?

Secure Software Development by Example

2005-08-05T13:08:00.000-07:00

Below is the epitome of the article on Secure Software Development by Example to be Published in Ju;y/August 2005 edition of "Security & Privacy" Magazine.
Authors:
Axelle Apvrille and Makan Pourzandi
Ericsson Research Canada

Summary:
"When trying to incorporate security into a program, software developers face either too much theoretical information that they can’t apply or exhaustive and discouraging recommendation lists. This article gives an overview of security concerns at each step of a project’s life cycle."

The tutorial is very basic and describes the implementations of all the secure techniques you have learnt (or you can learn now too) in all stages of you software development. Authors not only discusses the "buffer overflow" handling but also others like environment security issues, misunderstanding of Algo's, misjudging the worst case scenario for implemented algorithms, choice of langauge for particular project etc. which most of other tutorials donot do. Tutorial provides an methodical, step-by-step procedure to be followed using an real-world example.

There are five stages of project namely analysis, design, implementation, testing, and maintenance. hence security must be applied in every stage.
Applying Security:
First step is the analysis and understanding of security model i.e. defining the environment and typical threats possible to your software and all sort of other inputs and threats to it.Hence defining a "security policy" and corresponding "risk evaluation" factor incases of trading-off between multiple tweaks to the same threat.
After implementation of the security policies comes the step of "testing". While a lot of tools exists but none of them provides the "complete testing". What they can do is "code review" or just trying different (random) inputs etc. One should try every kind of random and arbit cases which are possible, try execution in different environments and even with different surrounding security. Also,authors final conclusion regarding security is, "code review is the best tool for security testing."
A must READ article for project/software developers.

Link to the Complete Article

Phishing phishing everywhere..

2005-08-05T10:17:00.000-07:00

"If you are in the business of phishing, you obviously are looking for money. Scam, business, money. So it comes as no surprise that 80% of phishing is targeted at financial institutions. That is where a lot of money is, eh?"
--- http://www.spamroll.com/

At the same page, author has given link for latest and greatest email hoaxes as given by sophos.

A good link for updating and getting fundaes for people interested in spam and phishing.

Future worms could evade a network of early-warning sensors

2005-08-05T09:42:00.000-07:00

The 04 Aug dated article "Worms could dodge Net traps" states "Future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken, according to new research."

This is the epitome of the papers[1,2,3] presented at Usenix Security Symposium this thursday.

1) But the Wisconsin researchers discovered that the sensor maps furnish just enough information for someone to create an algorithm that can map the location of the sensors "even with reasonable constraint on bandwidth and resources," John Bethencourt, one of the paper's authors, said in his presentation.

2) "If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data," a team of computer scientists from the University of Wisconsin wrote in its award-winning paper titled "Mapping Internet Sensors with Probe Response Attacks."

3) Researchers from Japan came to a similar conclusion in a paper titled "Vulnerabilities of Passive Internet Threat Monitors." They noted that sensor attackers can identify the location of sensors without the aid of a "complete list of sensor addresses." They also devised several algorithms that managed to pinpoint the sensors "in surprisingly short time."

Be ready for more servere attacks and future. :)

First "Windows Vista Virus" found

2005-08-04T13:15:00.000-07:00

Checkout F-secure Weblog

"An Austrian virus writer has published five simple viruses targeting Microsoft MSH in a virus writing magazine.

MSH, or Microsoft Command Shell, is a command line interface and scripting language. It's basically a replacement for shells such as CMD.EXE, COMMAND.COM or 4NT.EXE and will ship in 2006. As a command-line front end, MSH resembles many Unix shells quite a bit."

Google - The hacker's new tool.

2005-08-04T12:57:00.000-07:00

Yes, u heard it right, google search results can provide you valuable information regarding the network topology of some of the large networks, sql and other databases passwords, cracks/serial numbers of any programs, even you can find ways and tools of hacking the major softwares such as microsoft products, maya (one of the best 3d softwares), all games etc.

The source article is Google now a hacker's tool which describes the briefings of the Google Hacking for Penetration Testers presentation by Johnny Long at Black Hat Conference, USA 2005.

They have given explained it using example of "NASA", in which googling offers an insight into the structure of Nasa's (the U.S. National Aeronautics and Space Administration's) internal network.

Phishers on rocking spree after ATMs its eBay

2005-08-04T12:35:00.000-07:00

A flaw has been discovered on eBay's Web site that would have allowed fraudsters to successfully redirect the sign-on process to a phishing site.
In recent article Phishers hack Ebay at PCWorld.com, the end result has been told that users will be giving away information and allowing phishers to hijack their accounts, either as a way of laundering money or for launching fake auctions.

In another article Phishers cash in on ATM cards, Phishing attacks have led to an estimated $2.75 billion in losses related to ATM and debit cards over the past 12 months, according to a new Gartner report.
Phishing is on a steep rise and hot buzzword in security world. While the worms/viruses attack has gone down, this is going up.

"How to Break Web Security" - Upcoming WebCast

2005-08-03T12:49:00.000-07:00

Date/Time: August 9th, 1:00 p.m. EST
Requirements: Web browser, phone connection and Internet connection (high-speed preferred)
Presenter: Dr. James A. Whittaker, Ph. D - Chief Scientist and Founder of Security Innovation (bio)
Audience: IT Security Managers, CSO's, Security Architects, IT Directors, IT and Security Professionals, Security Experts, Chief Security Architects, CIO

Topics covered will be :

Why the web is different and what this means to testing
How to think about security vulnerabilities in web apps
Techniques for information gathering, client-side attacks, state attacks, data attacks, language attacks, server attacks, authentication attacks
Some thoughts on web services, privacy on the web and tool support

Find vunerability Get Paid

2005-08-03T07:45:00.000-07:00

Yes!! its true..
checkout Zero Day Initiative, a new kind of partnership between 3com and TippingPoint to support research in security area.
Homepage says
"The Zero Day Initiative (ZDI), founded by 3Com and TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
1. reward independent security research
2. promote and ensure the responsible disclosure of vulnerabilities
3. provide 3Com's TippingPoint division customers with the world's best security protection"

Process is properly defined in this image

Hacking "hacking tools"

2005-08-03T07:39:00.000-07:00

Defcon: Poking holes in hacking tools, article at news.com.com security blog states that The Shmoo Group has found loopholes and bugs worth exploitation even in hacking tools such as Metasploit, Kismet etc.

Since long I too have been thinking of the same. That if bugs exist in all softwares then why not in tools such as network scanners and hacking tools. And this read just made me happy.

After "Blue Hat" its Regular Hacker Conferences

2005-08-03T01:17:00.000-07:00

In March 2005, Microsoft invited several hackers to its headquarters for the first time. The meeting was dubbed "Blue Hat" as a nod toward the Black Hat security conference where researchers annually discuss security issues. and now Microsoft is mulling over plans to create a regular hacker conference with the aim of discussing flaws in the company's software products.
checkout article
Another proof to support the fact "Microsoft too serious about security issues in its products"

Bluetooth eavesdropping

2005-08-02T12:12:00.000-07:00

Martin Herfurt, in his article Introducing the Car Whisperer at What The Hack about the tool The Car Whisperer exposed one more Bluetooth security flaw.

What this tool does is it allows people equipped with a Linux Laptop and a directional antenna to inject audio to, and record audio from bypassing cars that have an unconnected Bluetooth handsfree unit running. Since many manufacturers use a standard passkey which often is the only authentication that is needed to connect.

Its time to tell people how poorly they are driving :-?

Windows Vista and IE7

2005-08-02T02:51:00.000-07:00

As the date of launch of Windows new Version, Windows Vista (originally codenamed "Longhorn") approaches, people are getting excited. Daily a lot of articles on its security, features, compatibility issues are being written.

Some of the links

Me too getting excited for the new Vista.
New news. IE7 wont pe passing the Acid2 test..
(P.S. : Acid test)
"We fully recognize that IE is behind the game today in CSS support. We've dug through the Acid2 test and analyzed IE's problems with the test in some great detail, and we've made sure the bugs and features are on our list--however, there are some fairly large and difficult features to implement, and they will not all sort to the top of the stack in IE7." says Chris Wilson, lead program manager for the web platform in IE.

linux magazine podcast

2005-08-01T00:11:00.000-07:00

The latest buzzword in the market is iPod and the Podcasting. and many new podcasting technology has been released lately including Odeo

Even the everything about linux, the Linux Magazine has released the "FIrst Linux Magazine Podcast". Sounds cool.

Black hat conference

2005-07-31T04:03:00.000-07:00

Black Hat conference, USA 2005 was great one especially after the Michael Lynn presentation on "Cisco IOS Security Architecture" which exposed the CISCO IOS flaw which can lead to DDOs attacks and can give router complete access. The bug is not as serius as CISCO keeps saying and has filed suit against the researcher. Checkout my earlier post

Other one was the highlighting of RFID and VoIP security threats

A lot of other security issues, bugs and holes has been discussed and presented too.
http://news.com.com/Black+Hat+Hunting+bugs%2C+finding+holes/2009-7348_3-5808386.html?tag=nefd.top
http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#USA-2005

Malicious Bot attacks and Botnets

2005-07-30T05:35:00.000-07:00

After virus, worms and trojans, the other malwares affecting most of the people and networks are Bots. Bots when they form a network among themselves by spreading on a range or network or comps are known as Botnets.

They are responsible for:
1) Heavy DDos attacks
2) Mass spamming mails
3) Installing key logging software for getting secret user information
4) Infecting computers to viruses and other malware.

How they spread
1) As email attachments
2) via IRC file transfer mechanisms
3) Attacking vunerable web servers and changing the scripts to execute "bot" scripts on client machines
4) using P2P connections and file sharing mechanisms
5) don’t replicate or spread on their own, but they can use the worms’ functionality to do so.

Statistics:
1) We see as many as 60,000 come on in a day,” said Alfred Huger, Symantec Security Response’s senior director of engineering.
2) “Security investigators have even found one botnet of 100,000 computers,” Ullrich chief technology officer for the Internet Storm Center, which detects, analyzes, and disseminates information about Internet-related security problems notified.
3) “In 2003, there were only 750 [malicious] bots reported. In 2004, there have already been over 2,300. There is a potential for a 400 percent increase in 2004 and 2005 over what we have seen. If that’s the case, we could see up to 12,000 variants of bots appear in 2005,” said iDefense's Dunham.

A detailed report about the future and their current existence has been published in IEEE magzine.

Windows Security

2005-07-30T04:56:00.000-07:00

2 recent articles on Eweek talks about promising efforts from Microsoft and of course new Windows version namely Windows Vista in security field.
In the newer version, one will be able to work in Limited account and do administrative works by enterting password whenever will be asked for. (similar to putting root password in linux for security reasons) This feature has been named "User Account Protection".
A lot of advanced secure features in IE7, windows firewall and antispyware products will be available too. Checkout some of them here

"Microsoft has tools that will be in Visual Studio 2005 to do static code analysis," says Ozzie whose Groove Networks is now part of Microsoft. Even Microsoft is offering tools such as PreFast, Prefix and FXCop to weed out code vulnerabilities, and Microsoft developers cannot check in their code into the corporate code tree without running it through these tools, Gates said. Gates even said that Microsoft Research, which turned out the Microsoft code security tools, is "the best investment the company ever made,".
Checkout Gates and Microsoft steps against hackers and exploits.

Network companies Q2 revenues

2005-07-29T22:05:00.000-07:00

A lot of companies Quater 2 financial results (the one ended June 30, 2005) has been declared recently, most of them listed on LightReading.
Most of companies reported growth and promising results with good profits.

While for NetLogic, greater demand for knowledge-based processors and growth in the company's total addressable market led to the stronger-than-expected second quarter revenue.
Sprint driven by solid execution across each of its business units, reported record quarterly earnings from continuing operations which are reflected in second quarter 2005.
Covad while hasnt shown much growth though ended the second quarter of 2005 with approximately 554,400 broadband lines in service, an increase of 7,000 lines from the first quarter of 2005. More than one-third of the line growth was from sales of business T1 services.
Many other has been listed too.

Many others can be checkout too at Lightreading.com

Cisco Flaws and Disclosure Issues

2005-07-28T05:01:00.000-07:00

Gr8 post and article..
Must readme for cisco IOS vendors and customers :x

New Info (Edited: 30th july)
Cisco Reveals 'Black Hat' Flaw i.e. another DOS vunerability found in the Cisco's IOS in which the code execution can provide the router access to the hacker :) but will work only if router has been configured for IPv6.

Firefox and Phishing..

2005-07-17T08:27:00.000-07:00

Much work is going on for fighting with phishing the latest buzzword in internet fraud. Even some firefox extensions has been developed.
Checkout :
Outfoxed - http://getoutfoxed.com/
TrustBar - http://trustbar.mozdev.org/
Spoofstick - http://www.corestreet.com/spoofstick/
Netcraft Toolbar - http://toolbar.netcraft.com/ (This one is the BEST)
[ source : SecurityFocus mailing list ]

Some stats about phishing market

Zlib Buffer Overflows..

2005-07-17T08:17:00.000-07:00

Recently, A lot has been discussed on the Zlib[1] buffer overflow vunerability.
Florian Weimer (from his recent post[3] at buqtraq@securityfocus[2] mailing list) have created Clamav signatures which can be used to detect copies of vulnerable zlib versions. (Giving credit to Mark Adler for providing data)

"This is useful mainly for discovering statically linked zlib copies in program binaries, which must be patched separately.

The Clamav signature database is available form:
http://www.enyo.de/fw/security/zlib-fingerprint/
" -- Florian
He claims Clamav should be significantly faster. Furthermore, clamscan can look inside certain archive formats used for software distribution (mainly .tar.gz and Debian packages, RPM packages aren't supported at the moment, AFAICS).

This buffer overflow error when processing a malformed data stream, which could be exploited by attackers to execute arbitrary code via a specially crafted compressed stream embedded within network communication or an application file format. (CAN-2005-2096[4])
This can further be used for Denial of Service (DoS) attack

Links:
[1] http://www.zlib.net/
[2] http://www.securityfocus.com/archive/1
[3] http://www.securityfocus.com/archive/1/404971/30/60/threaded
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

Netflow for IDS

2005-07-16T07:37:00.000-07:00

Just read this mail on securityfocus mailing lists...
NEtflow data also provides valuable information of IDS information. A lot of tools has been listed on SecurityWizardry.com.
Surely worth checkout for NEtflow users...

Holidays!!

2005-07-16T07:30:00.000-07:00

these days at home enjoying holidays...:)
will be posting some new stuff soon (may be arnd 26th)

till then cya. njoi

Network Traffic Analysis through Images

2005-07-13T11:10:00.000-07:00

In a recent 2005 paper, Seong Soo Kim and A. L. Narasimha Reddy from Texas A&M University has harnessed the image and video processing technology for simultaneous detection, identification and visualization of attacks and anomalous traffic in real-time by passively monitoring packet headers.

In their novice approach, they emphazied on "scene change analysis" and "motion prediction".
Their representation allows simple visualization of traffic data as each sample is seen as a frame in a video sequence.Traffic data can then be efficiently stored through such techniques as video compression.

They have even provided comparison statistics with other IDS, here Snort. Netviewer, the name of their tool performs quantative analysis and reports the suspicious IP addresses and the pattern of abnormality in an aggregated fashion.

An interesting work. I really liked it.

Spyware effecting the way people use Internet

2005-07-12T04:26:00.000-07:00

In the latest report released by PEW INTERNET & AMERICAN LIFE PROJECT about "Spyware: The threat of unwanted software programs is changing the way people use the internet." starts off with statistics like:

Nine out of ten internet users say they have adjusted their online behavior
out of fear of falling victim to software intrusions.
Overall, 91% of internet users say they have made at least one change in their online behavior to avoid unwanted software programs.
The definitions of spyware and adware may not be clear to many internet users, but many believe that surveillance and unwanted software are serious threats to users’ security and privacy.
Four in ten internet users have had spyware, adware, or both.

the major changes has been summerized as :

81% of internet users say they have stopped opening email attachments unless they are sure these documents are safe.
48% of internet users say they have stopped visiting particular Web sites that they fear might deposit unwanted programs on their computers.
25% of internet users say they have stopped downloading music or video files from peer-to-peer networks to avoid getting unwanted software programs on their computers.
18% of internet users say they have started using a different Web browser to avoid software intrusions.

Some statistics about the knowledge of internet users are:

88% of internet users say they have a good idea what “spam” means.
78% of internet users say they have a good idea what “firewall” means.
78% of internet users say they have a good idea what “spyware” means.
68% of internet users say they have a good idea what “internet cookies” means (by comparison, 43% of internet users said they knew what an “internet cookie” was in 2000).
52% of internet users say they have a good idea what “adware” means.
29% of internet users say they have a good idea what “phishing” means (described as “internet phishing, spelled with a P-H at the beginning”). Fully 15% of internet usersvolunteered that they had never heard the term before.

You can better understand the basics with statistical analysis on "spyware and their effect in day to day work and user privacy". This is a P2P perspective i.e. spyware considered are from P2P applications and their effect on network.

A lot of tools are available for spyware removal. a Long list is available here.
Also, the list of their features, feature comparison and price listing at TopTenReviews shows Spyware Eliminator is the best one currently. But this site hasn't compared Microsoft Windows AntiSpyware. I have tried this one and Ad Aware professional trial version. I found both good but Microsoft product is seriously worth a try.

Buffer Overflow or Stack Smashing

2005-07-12T04:16:00.000-07:00

Buffer Overflows are one of the most common vulnerabilities.

Problem: C++ and other programming languages (those derived from C++), do not automatically perform bounds-checking when passing data. When variables are passed, extra characters could be written past the variable's end.

Occurence:when the attacker intentionally enters more data than a program was written to handle.

Consequence: result in the program crashing or allowing the attacker to execute their own code on the target system.

Pre-requisites: Basic knowledge of assembly is required. An understanding of virtual memory concepts, and experience with gdb are very helpful but not necessary.

Tutorial Links:

http://www.linuxsecurity.com/content/view/119087/49/
http://www.linuxsecurity.com/content/view/118881/49/
http://www.insecure.org/stf/smashstack.txt
http://www.watchguard.com/infocenter/editorial/135136.asp

Semantec + Veritas

2005-07-12T02:44:00.000-07:00

Symantec merged with Veritas on 24rth June, 2005.
Symantec had revenues last year of $1.9 billion, while Veritas saw revenues of $2.0 billion.

With little public explanation of the underlying reasoning, investors' confidence in the deal sank along with its value, which dropped from $13.5 billion to as little as $9 billion before finally closing at about $11 billion on June 24. That made it, by a hair, the largest software merger to date, barely eclipsing the $10.6 billion acquisition of PeopleSoft completed at the end of last year by Oracle.

Thompson, Symantec CEO said that this merge leads to birth of "purple" elephant and it aims at providing better and more secure information systems with constant data backups

Phrack Ends....

2005-07-11T22:51:00.000-07:00

[-]=====================================================================[-]

+++++++++++++++++++++++++++
=: P H R A C K - F I N A L :=
+++++++++++++++++++++++++++

...a glorious era comes to an end. #63 will
be _our_ last PHRACK RELEASE -- EVER...

FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS

-----------------------------------
Deadline: 10 July 2005 at 11:59pm
http://www.phrack.org/cfp_final.txt
-----------------------------------

Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for
the FINAL RELEASE of PHRACK.

We are preparing for a hardcover and ezine release at a major hacker
convention near you!

[-]========================================================[-]

This is at the homepage of famous hacking magzine, PHRACK. This is their last edition but the site will be up for 2 more years after this last edition.
=(( :((

new WLAN security tools

2005-07-11T22:14:00.000-07:00

In the past 2 weeks, 2 new tools have been launched gives administrators new ways to inventory authorized wireless devices; spot attacks; and even spot rogue devices lurking in unsuspected places, a process known as wardriving.

1) AirDefense, of Atlanta, unveiled AirDefense Mobile, a WLAN (wireless LAN) which retails for $995
2) WiFi Watchdog 5.0 from Newbury Networks, will be out in an early release at the end of the summer and commercially available in September. Pricing starts at $14,995.

While former using 802.11a,b and g protocol while latter uses location technology and behavior patterns for intrusion prevention and detection, client protection, and containment of rogue access points.

Future of C++

2005-07-11T10:48:00.000-07:00

While this post doesnot belongs to this blog but being a C++ fan couldn't stop myself from writing it here :)

Bjarne Stroustrup, the father of C++, has written an essay [PDF] on the features in the new C++ version named as C++0x standard (also available at C/C++ Users Journal. In his essay, he argues that new features should make C++0x significantly better than current C++ version making it more compatible and easier for beginners.

Strengthening Digital Signaures

2005-07-09T14:30:00.000-07:00

via randomized hashing.. sounds interesting!!!!.
The original draft seemed to me as sort of extention to univeral class of hash functions which defines the hash functions and key generation is random depending upon on some random parameters. But there is paper which says 100% perfect hashing is possible thru those functions depending upon ur choice of random parameter.

Lets see where this one leads?

Web Application Firewalls

2005-07-09T13:17:00.000-07:00

Just went through the article Why Don't You Like Web Application Firewalls?".
Really good points dicussed by Mark Curphy and especially about the "Imperva" product and foundstone technologies.
Checkout the demo of Validator .NET Here
Hey!! some more interesting stuff .. Vaidator.NET even handles Layer 7 (Application) DDoS attacks. (very helpful in cases of valid DDOS attack traffic)

In the mean time, found another interesting article on IE bug exploitation. I was ROFL after reading it :)
checkout Miscreants encrypt files, hold them for ransom

Network World's test of endpoint security products

2005-07-08T02:36:00.000-07:00

Vernier Networks/PatchLink combination topped the list which included

Check Point,
Cisco ,
Citadel,
InfoExpress,
Senforce,
Trend Micro and
Vernier Networks (in cooperation with PatchLink)

Checkout Article at network world.

De-perimeterisation.

2005-07-08T02:27:00.000-07:00

thats the term coined by Jericho Forums. Accordign to them the increasing demand and use of B2B applications and e-commerce needs no firewalls at perimeters at boundaries since they effect the performance of these applications. Checkout what they are upto and how they provide the alternate solution since perimeter security is the indespensible need in security terms in current situation.

On the other hand leading market analysts and firewalls vendors says its nearly impossible that perimeter firewall is not there in near future.checkout their views here

So, what are your views?

Today's Hackers

2005-07-08T02:04:00.000-07:00

"Code for Cash, Not Chaos" -- Marc Sachs, volunteer director of the SANS Institute's Internet Storm Center.

A quite good article about the change in thinking of hackers. They now no more go more attaining fame by creating chaos (effecting millions/billions of people all over the world) rather aiming to get money for their work (:D).
Article also discusses on seriousness in microsoft camp over security issues since they have been recieving constant banging from people in this regard since long.
checkout article Here

RPC/DCOM vunerabilities

2005-07-08T02:00:00.000-07:00

I know this quite an old link(2003) but still its good for beginners..
Vulnerabilities, Patches and Exploits for Windows RPC/DCOM explaining about the RPC and DCOM. Also explains the exploits and some pactches links has also been provided.

More ICMP flaws

2005-07-08T00:39:00.000-07:00

Just gone thru the Kernal Trap Article on More ICMP flaws. Some of the things were really great to know like most of companies are interested in gaining name/fame for dicovering the flaw rather solving the problem for their customers.
Especially this line was gr8...

Theo explains, "here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt." He went on to add, "these things have to be done carefully. We can't ignore the problem, which is what the IETF and the other vendors are telling us to do."

These flaws(written in a draft by Fernando gont) has been summerized as:

1. Blind connection reset attack: an attacker can generate a "hard" ICMP error to remotely tear down an existing connection.
2. Blind throughput reduction: an attacker can generate ICMP errors that repeatedly trigger source quenching, thereby reducing the throughput of the connection.
3. Blind performance degrading attack: an attacker can use ICMP packets to trick Path MTU discovery into reducing the size of each sent packet down to only 68 bytes.

He has given some solutions also. Must a checkout article.