Prepare yourselves. F-Secure recommends trying another PDF reader.
Disabling Javascript is a must if you stick with Adobe
Read this article:
Just kidding. It has been really busy lately. I have been working on some new things with vulnerability scanning and compliance scanning.
Anyways, Conficker did not do me in. It was an interesting time, following the news and taking certain precautions, some worthwhile, some questionable. It was interesting to see the website you could visit to identify whether you were infected; it basically showed you a few pictures pulled from some security vendors' sites, because Conficker supposedly blocks your ability to resolve certain sites. Tricksy.
News as of late:
- The Twitter XSS vulnerability that ended up being a worm. It reinforces the importance of web app security: http://isc.sans.org/diary.html?storyid=6229&rss
- Twitter wants to hire a web app security guy: apply here!
- Someone broke the Internets in the Bay Area by cutting the cable. Oops! Read here!
- Put to use some of the fu that Ed, Hal and Paul generate at: http://blog.commandlinekungfu.com
These are busy times, especially after CanSecWest, the conference where fully patched browsers were owned with 0-days. Firefox was a victim, and Mozilla has published a blog post here about 2 issues. The 1 issue that was discovered at the CanSecWest conference can be remedied by disabling JavaScript, or with smart use of the NoScript add-on.
Firefox 3.0.8 is due out April 1st, the same day Conficker is allegedly going to have a field day.
Update: Firefox 3.0.8 is out as of yesterday. Go to mozilla.com or use your browser's update function to get the latest version. Here is the link to the 2 bugs fixed in this version:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.8
What is a Zero Day vulnerability? I have talked a little bit about zero day vulnerabilities that have come out, such as the recent ones in Excel and Adobe Reader.
What about a vulnerability that is out there but no one knows about except 1 guy? Well, this week at the CanSecWest conference they had a pwn2own contest, and Safari was owned, then IE8, and finally Firefox. We are not talking about old versions or unpatched browsers, but fully patched browsers updated with the latest security patches. So there are zero days that are public knowledge, and there are zero days that no one knows about.
You still need to keep your apps up to date, and if you read the note below, you can see that client side exploits are what can do you in. Don't open docs/attachments or go to sites unless you are fully confident they are not malicious and do not contain malicious data.
Many people think they might be anonymous on the internet, and there are certainly tools to help with that, such as the Tor network and anonymous proxies. Even so, the college student who "hacked" into Sarah Palin's email account could get himself into some deep trouble if convicted: up to 20 years.
Think about it: 20 years for messing around on the internet, thinking you're doing something cool. Basically this guy was just researching the vice presidential candidate, such as her high school and when she met her husband. What's wrong with that, other than maybe being creepy? It's the further actions that did him in. Submitting answers to Yahoo's lost password service and falsely accessing someone else's account is what is illegal, and that is the act that did him in. Especially when using only 1 proxy service and underestimating the seriousness of his actions.
Many people are members of online forums and chat rooms and have even acted like a tough guy behind their computer, and maybe even been banned from said services. That may be all well and fun, but when actions go beyond simple insults and bad behaviour to intrusion and unauthorized access, think about the warning you might get if the system you are trying to get into had a DoD or other government warning banner.
So there is this technology called IDS, Intrusion Detection System, also known as IPS, Intrusion Prevention System, when it blocks rather than just alerts. There are flavors, such as host based and network based systems.
This is a piece of the security pie, and a very important one. These systems, like your typical AV, have signature based detection engines as well as some behavioural detection. That means if someone attacks a vulnerability and the traffic traverses an IDS/IPS with an enabled signature for that vulnerability, the system will alert and you can take action. You can become an incident handler.
Many corporate systems use host based IDSs such as McAfee, ISS or Symantec, and servers may run OSSEC and others. This may cause grief for system admins when you have an untuned IPS, but on critical systems it can be very important for mitigating new vulnerabilities and giving insight into what is going on with your systems.
There are also network based IDS/IPS. These devices can sit on a span port and monitor your network traffic, or an IPS can sit in-line and block certain traffic you deem as attacks.
I will post more about this topic as time permits, since it is a primary duty of mine. I posted about vuln assessment tools, and maybe an IDS tool post is in the future. Stay tuned.
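To make the signature vs. behavioural and span-port vs. in-line distinctions concrete, here is a small added example in Python (not code from the original post or from any IDS product); the rules, the message strings and the packets are all constructed sample data.

```python
"""Toy network IDS/IPS: Snort-style signature matching plus one behavioural check.
Added illustration; rules and packets are constructed, not from any real ruleset."""
from collections import defaultdict

# Signature rules: (sid, destination port, payload content, alert message).
SIGNATURES = [
    (1001, 80, b"../../", "WEB-MISC directory traversal attempt"),
    (1002, 80, b"UNION SELECT", "WEB-MISC SQL injection attempt"),
]
SCAN_THRESHOLD = 5  # distinct destination ports from one source before alerting


def match_signatures(pkt):
    """Return every signature whose port and content both match the packet."""
    return [sig for sig in SIGNATURES
            if pkt["dport"] == sig[1] and sig[2] in pkt["payload"]]


def inspect(packets, inline=False):
    """Run packets through the sensor and return (alerts, forwarded).

    inline=False models an IDS on a span port: it alerts but forwards everything.
    inline=True models an IPS in the traffic path: signature hits are dropped.
    The behavioural check fires once one source has touched SCAN_THRESHOLD
    distinct ports, which no single-packet signature can express.
    """
    alerts, forwarded = [], []
    ports_seen = defaultdict(set)
    for pkt in packets:
        hits = match_signatures(pkt)
        for sid, _, _, msg in hits:
            alerts.append((sid, pkt["src"], msg))
        ports_seen[pkt["src"]].add(pkt["dport"])
        if len(ports_seen[pkt["src"]]) == SCAN_THRESHOLD:
            alerts.append((2001, pkt["src"], "BEHAVIOURAL port sweep from one host"))
        if inline and hits:
            continue  # IPS drops the packet; a span-port IDS cannot stop it
        forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic: normal browsing, one traversal attempt, one sweep.
SAMPLE = [
    {"src": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"src": "10.0.0.9", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"},
] + [{"src": "10.0.0.7", "dport": p, "payload": b""} for p in (21, 22, 23, 25, 80)]
```

Running `inspect(SAMPLE)` and `inspect(SAMPLE, inline=True)` produces the same two alerts, but only the in-line run drops the traversal packet; the port sweep is alerted on in both modes and blocked in neither, which is why untuned behavioural rules are noisy rather than disruptive.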
A zero day, or 0-day, vulnerability in the security field is one that is known but has no patch available. I mentioned in a previous post the recent Adobe Acrobat 0-day. I found out that exploits are now out and available from milw0rm.
We know that many people use Adobe Acrobat to read documents. We often open these documents even from a web browser. They show up in Google searches as links, and with a quick click your Adobe product will open them right up.
This is another case for user security awareness. DO NOT open PDF documents from untrusted sources. That means Google searches and spam email. That means untrusted links you may receive in email that might end up being malicious.
On a more technical side, it is a good idea to disable JavaScript in the Adobe Acrobat settings as shown here:

It is also a good idea to keep your AV solutions up to date, and to ensure any Intrusion Prevention signatures are up to date. The Metasploit blog here gives a really good point of view on this vulnerability. It even pointed me to a patch created by Sourcefire, located here. So isn't that curious: a security vendor such as Sourcefire comes up with a patch for a system quicker than Adobe themselves, the owner of the Acrobat software. The Metasploit blog mentions something very interesting about patches. Microsoft is known for being vulnerable and not secure. They come up with monthly patch dates. But one thing is that when a 0-day comes out and all the criticism gets thrown at Microshaft, or Microsucks, they act on it and in a few days come out with an "out of cycle" patch. Come on Adobe, March 11 is the date this patch is to come out. Let's hope not too many people get owned in the meantime.
You can read more about this here:
So I feel I am behind on my research and study but here goes a bunch of stuff:
First, the Shadowserver Foundation posts about an Adobe 0-day; check out the info:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
milw0rm has an MS09-002 exploit out:
http://www.milw0rm.com/exploits/8077
A blog post on the importance of trustworthiness in hiring a pen-tester:
http://sbranigan.wordpress.com/2009/02/18/how-to-choose-a-pen-tester/
This article caught my eye, then after reading I was calmed. Govtrip.com, a travel management site for various government agencies, was compromised. It is still down as I write this. My former employer, Northrop Grumman, was the contractor and is probably now scrambling to fix the problem. Web based attacks continue to be a huge attack vector. It is vital that security is implemented in all phases of public website development, especially for sites that contain or transfer sensitive information.
http://www.scmagazineus.com/Government-travel-site-hacked-remains-shuttered/article/127596/
A good write-up on the Sourcefire blog about the Conficker virus:
http://vrt-sourcefire.blogspot.com/2009/02/making-conficker-cough-up-goods.html
A presentation from Black Hat on an SSL attack. Just when you think that little lock on your browser means your info is secure, think again.
https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov
Another presentation, from the InGuardians guys:
http://www.tdprod.com/recordings/SWF/21709_SANS.swf
So I was following the DDoS attack on HD Moore's sites, including Metasploit. On the DarkReading site they explain how HD reversed their attack:
http://darkreading.com/security/attacks/showArticle.jhtml?articleID=214501208&cid=RSSfeed
And I think that's about all. Some good info from the past week or so.
So I thought I would give my perspective on the various vulnerability scanner technologies that are out there. I have experience with a few, including:
ISS Internet Scanner/Enterprise Scanner
Eeye Retina
STAT Guardian
Nessus
I have varying degrees of experience with these scanners, but I have my likes and dislikes in each one. So let's start with ISS, now IBM Internet Security Systems.
IBM ISS: ISS comes with Internet Scanner. This is the original scanner, which could be installed on a Windows XP box or greater. The scan can be run locally on the system itself, or the scanner can be managed by the console called Site Protector. From Site Protector you can create folders, discover assets, scan assets, create scanning policies and credential sets, and schedule scans as well. This worked rather well; however, the scanner itself required maintenance, especially being on a Windows box: patching, troubleshooting problems, and there was even an issue where Service Pack 2 for XP was not compatible with ISS Internet Scanner 7. The results were rather good. Sure, there was a false positive every now and then, but I was satisfied.
IBM ISS Enterprise Scanner: The newer ISS product is the Enterprise Scanner, whose main difference is that it is an actual Linux based appliance. This is a definite improvement, and the ES1500 also comes with 5 NICs for scanning different network subnets, such as networks behind the different firewalls that may be present.
Both of these scanners are managed with Site Protector as the management console. You can set policies, groupings, scan schedules and more. I find the interface to be somewhat problematic, as policies have to inherit and it can get complicated. This interface has changed in the newest version, Site Protector 7, and seems to be even harder to get functioning correctly. Another negative is that the checks are mostly for vulnerabilities, with not much on security settings for best practice configuration.
eEye Retina is a scanner that is a bit different from ISS in that it has a web interface. I don't have the in-depth experience with Retina that I do with the other scanners, but it has been selected by DoD as a scanner of choice. It does seem to have better vulnerability coverage than ISS, but not by much. It has an install that can run on an XP system, and I believe it has an agent deployment as well. They do have an appliance, so this review may not do eEye justice. I would take a closer look at this scanner if you have the chance.
STAT Guardian, now Lumension, is another alternative which, in the configuration I am familiar with, can be run on a Windows server with vuln info stored in a 2005 MS SQL database. The scanner client is somewhat useful and is a thick client. It generates different reports and can even send scan data to a report server for enterprise wide reporting. This scanner has issues, however, with reporting vulnerabilities even when it could not get admin access on a system to fully verify them. This has caused 400 page reports to kick out at times. Recently there was an issue with MS08-062 showing as unpatched and all recent patches up to MS09-001 not reporting. SAs verified that the SCCM report showed the patch to be applied. Investigation is still ongoing, but this would not be my scanner of choice.
Last is Nessus, which is my preference. I have used the Nessus Client and find it to work very well. It is accurate in reporting findings and is even open about the details of each vuln check, so you can see exactly what the scanner is looking for. This is located at the Tenable website. There is a forum for support and a mailing list as well, and paying customers get the typical privileged support.
The best part of Nessus is the Security Center, which is a management server for unified log management. It will take your scan results and put them in a database for reporting, metrics, grouping of vulnerabilities and more. This is web based and can also be integrated with IDS data. In other words, you can point your Snort instance at the Security Center for event correlation. There is also a component called the Passive Vulnerability Scanner, which will sit on a span port, capture traffic and information about what is going across the wire, and add it to the data correlation. There is also a VMware appliance for easy deployment of Nessus, as well as a soon to be released Security Center VMware appliance running on Fedora.
Nessus plus Security Center gets my recommendation.
FYI, with the recent news of Twitter clickjacking.