Danzer

Dranzer, an open source tool released by CERT.

It enables users to examine effective techniques for fuzz testing ActiveX controls in order to provide some insight into the current state of ActiveX security.

iPhone in Action

"iPhone in Action" is a book release in Dec 2008.

The blog for iPhone in Action is at http://iphoneinaction.manning.com/iphone_in_action/
It is all about iPhone including tutorials, classes, and other info on iPhone SDK programming.

MakeUseof Freebies

This is a list of freebies from MakeUseOf:

• Shortcut cheatsheets
• "Where to Watch" Guide for Web
• MakeUseOf Photoshop Guide
• Idiot's Ultimate Guide for Building your own computer.
• MakeUseOf Laptop Buying Guide 2009
• The Big Book of iTunes
• MakeUseOf PSP Downgrading and Upgrading Guide

I found the Big Book of iTunes is particularly useful for me.

Vulnerability on OAuth

What's OAuth?

• It is an an open protocol to allow API access authorization.
  
• It allows user to grant access on specific user's data to online providers, like OpenID.
  
• OpenID provides the authentication and then OAuth gives access to the user's properties and attributes without giving all other information to the provider.
  

Summary of the Vulnerability

• It is similar to a session fixation vulnerability (it's not session related).
  
• The attacker can get a legitimate request token from one site, then entice a victim to click on a link with that token.
  
• The link brings the victim to a page for approving access for site to access personal information.
  
• The attacker can then finishes the authorization and get access to whatever information was approved to be accessed by the site.

The advisory and the detail can be accessed at OAuth site.

Below is a list of affected vendors:

• Cliqset
• Fellowship One
• Google
• Iron Money
• Mashery
• Meetup
• Netflix
• TripIt
• Twitter
• Yahoo
• Yammer

New Linux Rootkit Technique

A new rootkit technique is uncovered by a Linux expert using /dev/mem. This is also less obvious thant the established route via traditional LKM method to hide files or processes, or interfere with network traffic.

The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory.

Interestingly, some platforms are secure against this new rootkit (by default):

• Current RedHat and Fedora (incorporates SELinux )
• Virtual environment (another reason to be virtualized)
  

The detail of the new rootkit is documented in Malicious Code Injection via /dev/mem.

Configuring Linux for Oracle Database 10g

This is to show how to configure Linux kernel and prepare for the installation of Oracle Database 10g.

Setup the user and groups:

/usr/sbin/groupadd oinstall
/usr/sbin/groupadd dba
/usr/sbin/groupadd oper
/usr/sbin/useradd -g oinstall -G dba,oper oracle
/usr/bin/passwd oracle

Setup the envrionement:

umask 022

PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
LD_LIBRARY_PATH=/usr/lib:/usr/X11R6/lib
      
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH

export PATH LD_LIBRARY_PATH

mkdir -p /u01/app/oracle
chown -R oracle:oinstall /u01/app
chmod -R 775 /u01/app
export ORACLE_BASE ORACLE_HOME ORACLE_SID

Setup the kernel parameters:

/sbin/sysctl -w kernel.sem = 250 32000 100 128
/sbin/sysctl -w kernel.shmall = 2097152
/sbin/sysctl -w kernel.shmmax = 2147483648
/sbin/sysctl -w kernel.shmmni = 4096
/sbin/sysctl -w fs.file-max = 65536
/sbin/sysctl -w net.ipv4.ip_local_port_range = 1024 65000
/sbin/sysctl -p

>>>> From http://www.oracle.com/technology/obe/obe10gdb/install/linuxpreinst/linuxpreinst.htm

Twitter Attacked by (XSS) Worm

A twitter nowadays does not eat worm? How about a worm is attacking twitter?


Twitter has confirmed the attack and closed a vulnerability on last Saturday (Apr 11, 2009). Over Saturday, a worm which uses a cross site scripting flaw in Twitter profiles has been tricking users of the social networking service and directing them to stalkdaily.com.

The worm consisted of JavaScript code hidden in the "Bio" section of the Twitter profile. A user would be sent to view another users profile which contained the script. The script would wait three seconds and grab the user name and twitter cookie for the user. It then used the Twitter API, with the users credentials to modify that users profile, adding the worm and sending tweets about stalkdaily.com.

Twitter users should check their profile's biography field to see if it has changed and if so, reset it. Twitter has reset the password on a number of affected accounts and those users will need to request a new password to regain access.

Two Easter Eggs

Two easter eggs I come across from Internet.

uTorrent Tetris

To find it: In uTorrent, go to the Help menu and choose "About uTorrent." Press the letter T.
Purpose: A game of Tetris while you wait for your download to complete.

Picasa Teddy Bears

To find it: In Picasa, press Ctrl+Shift+Y.
Purpose: For fun. Your photo library taken over by teddy bears! Keep hitting the key combo to add more bears.

Building Security in Maturity Model

Software security again.

In 2006, software security found itself embodied in three major methodologies: Microsoft SDL, Cigital Touchpoints, and OWASP CLASP. Of course there are more. BSIMM selects 9 (out of 35 software security initiatives) and creates a Software Security Framework (SSF).

The BSIMM is about helping us to determine where our organization stands with respect to software security initiatives and what steps can be taken to make it more effective.

For a concise description of the BSIMM, read the informIT article Software [In]security: The Building Security In Maturity Model (BSIMM), Confessions of a Software Security Alchemist.

You can download the document from here.

WiFi at Airport

You're sitting in an airport or in a cafe, and they provide WiFi access with some fees. However, they do allow ICMP or DNS traffic, though for free. What can you do?

The answer is tunneling: IP-over-ICMP or IP-over-DNS.

Check this out to get yourself ready for this situation:

• ICMPTX
• NSTX
  

SSL Audit

SSL is not a panacea. Thus, it is important to learn how to audit a SSL/TLS host effectively. This is a compilation of various articles on how to audit a weak SSL host.

Attempt to connect to target (in this case google.com) with SSLv2:

~# openssl s_client -no_tls1 -no_ssl3 -connect www.google.com:443

Check the output if it works. You can also do this with NMAP (with NSE script):

~# nmap -n -p443 -v --script=sslv2 -iL target.list -oG https.gnmap

Next, we will need to parse the NMAP output and dump the all the X.509 certificates with OpenSSL tool:

~# gawk "/https/{print $0}" https.gnmap > https-ip.txt
~# ./get-cert-info.sh https-ip.txt

Below is the "get-cert-info.sh":

#!/bin/bash
# You will need OpenSSL for this script to work

processLine(){
# Use OpenSSl to download the cert and extract the right info
# from it witht he X509 utility e.o.
 line="$@" # get all args
 IP=$(echo "$line" | cut -d" " -f1)
 TARGETDOM=$(echo "$line" | cut -d" " -f2)
 HOST="$TARGETDOM:443"
# Connect to HOST, defer errors to /dev/null,
# send standard output to RAWCERT variable
 RAWCERT=$(openssl s_client -connect ${HOST} 2>/dev/null)
# Obtain encoded certificate from RAWCERT
 CERTTEXT=$(echo "$RAWCERT" | /
   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
# Process certificate for the different variables
 SIGALG=$(echo "$CERTTEXT" | /
   openssl x509 -noout -text | /
   grep -m 1 "Signature Algo" | cut -d: -f2)
 SUBJECT=$(echo "$CERTTEXT" | /
   openssl x509 -noout -subject | sed -e 's/subject= //')
 ISSUER=$(echo "$CERTTEXT" | /
   openssl x509 -noout -issuer | sed -e 's/issuer= //')
 START=$(echo "$CERTTEXT" | /
   openssl x509 -noout -startdate | cut -d= -f2)
 END=$(echo "$CERTTEXT" | /
   openssl x509 -noout -enddate | cut -d= -f2)
 SERIAL=$(echo "$CERTTEXT" | /
    openssl x509 -noout -serial | cut -d= -f2)

#Clean-up dates
START=$(echo "$START" | sed -e 's/GMT//')
START=$(echo "$START" | cut -d" " -f1,2,4)
STARTDAY=$(echo "$START" | cut -d" " -f2)
STARTMONTH=$(echo "$START" | cut -d" " -f1)
STARTYEAR=$(echo "$START" | cut -d" " -f3)
START=$STARTDAY\/$STARTMONTH\/$STARTYEAR

END=$(echo "$END" | sed -e 's/GMT//')
END=$(echo "$END" | cut -d" " -f1,2,4)
ENDDAY=$(echo "$END" | cut -d" " -f2)
ENDMONTH=$(echo "$END" | cut -d" " -f1)
ENDYEAR=$(echo "$END" | cut -d" " -f3)
END=$STARTDAY\/$STARTMONTH\/$STARTYEAR

# Output in CSV format
 echo $IP, $TARGETDOM, $SIGALG, $SUBJECT,/
   $ISSUER, $START, $END, $SERIAL
}

### File line loop ###
# Store file name
FILE=""

# Make sure we get file name as command line argument
FILE=${1?"No file name specified"}
# Check that file exists and is readable
[ ! -f $FILE ] && { echo "$FILE: does not exist"; exit 1; }
[ ! -r $FILE ] && { echo "$FILE: cannot be read"; exit 2; }

#Open file for reading
exec 3< $FILE

#Process file line by line
while read -u 3 line
do
  # use $line variable to process line
  # in processLine() function
  processLine $line
done

# Close file after reading
exec 3<&-

exit 0

Related links:

• Testing for SSL-TLS
• Automated scan for SSL hosts and dowload of SSL-certificates
  

Advanced Javascript Obfuscation

This is an interesting article at SANS. Once again, this shows why signature scanning will fail most of the time.

Read more.

F-Secure: Security Threat Summary Q1/2009

F-Secure just published their threat summary for the 1st quarter of 2009. It includes:

• Conficker
• First SMS worm
  
• Threats in social networks.
  

More info on http://www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threat-summaries/2009-1.html

Built-in Network Tools in Vista

Windows Vista does come with a number of network tools: 2 new and 10 old tools (in XP).

The 2 new toys:

1. getmac - display the MAC address
2. pathping - ping + traceroute

The 10 old toys:

1. hostname
2. ipconfig
3. nslookup
4. net
5. nbtstat
6. netstat
   
7. ping
8. tracert
9. netsh
10. route

Related links:

• Hidden Network Tools in Vista

!exploitable Crash Analyzer

A new open-source tool to make debugging easier is released by Microsoft. It gives developers a lot of help during the release cycle to build more secure software.

Microsoft released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it’s still under development.

As its name suggests, !exploitable Crash Analyzer (pronounced “bang exploitable crash analyzer”) combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a “game changer” because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.

“Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash and says ‘You better take a look at this,’” Kaminsky told The Reg. “What makes !exploitable so fascinating is that it takes at least the first level of this knowledge and packages it up into something that can be in the workflow.”

There is currently an x86 and an x64 version availalble.

You can download the application here: !exploitable Crash Analyzer - MSEC Debugger Extensions

Ophcrack and Rainbow Table

Still remember Ophcrack? How about rainbow table? If you really don't know, check here for Ophcrack and here for rainbow table.

Now there is a free/demo online version I found today. Check out at objectif-securite.

At here, you can dump the hash to get back the password immediately (of course this is based on rainbow table), or vice versa.

Try the following hashes:

• aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 [EMPTY]
  
• e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c [password]
• ac804745ee68ebea1aa818381e4e281b:3008c87294511142799dca1191e69a0f [admin123]
  

Picture of the Day: Snow White chomps on poison Apple

One-Line-Web-Server For File Sharing

Today, I learn a way to create a web server within one-line. This allows me to share files with browser access from remote.

TCP port 80

~# python -c "import sys,SimpleHTTPServer;sys.argv=[None,80];SimpleHTTPServer.test()"

Or TCP port 8000

~# python -m SimpleHTTPServer

SANS Consensus Audit Guidelines (Draft 1.0)

On Feb 23, 2009 SANS publishes the first draft of the Consensus Audit Guidelines (CAG). As represented in the press release, the CAG includes 20 controls, 15 of which can be automated and 5 are not.

The 20 Critical Controls subject to automated measurement and validation (AMV):

1. Inventory of Authorized and Unauthorized Hardware.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
4. Secure Configurations of Network Devices Such as Firewalls And Routers.
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security ***
   
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
    
16. Secure Network Engineering (not AMV)
17. Red Team Exercises (not AMV)
18. Incident Response Capability (not AMV)
19. Assured Data Back-Ups (not AMV)
20. Security Skills Assessment and Training to Fill Gaps (not AMV)

Two (2) points I would like to make here:

• When your only tool is hammer (For*ify), you tend to see every problem as a nail. Hey dude, *** is only 1/20 of the entire infosec.
• RedTeam Exercise isn't an automated measurement and validation.
  

Does PCI Works?

This is a news from Computer World.

Payment card industry's data security rules aren't working, critics say; (and of course ) VISA, PCI council continue to defend stand.

Some evidences:

• Hannaford was certified as PCI-compliant by a 3rd-party assessor in Feb 2008, just 1 day after the company was informed of the system intrusions (which had begun 2 months ago).
• RBS WorldPay was certified as PCI-compliant prior to breaches that the payment processors disclosed in Dec 2007 and Jan 2008 respectively.

Interesting?

NTFS-hacked in USB without Hacking

I know there are many tools out there to allow you to format a USB thumb/flash drive to NTFS. By default, Windows allow your USB to be formatted to FAT only. Here's the instruction to allow you to format your USB to NTFS without any hacking.

1. After plug in your USB, open "My computer".
2. Right click "My Computer, select "Manage".
3. Open the 'Device Manager' and find your USB drive under the 'Disk Drives' heading.
4. Right click the drive and select 'Properties'.
5. Choose the 'Policies' tab and select the 'Optimize for performance' option.
6. Click 'OK' to close it.
7. Now, open 'My Computer'.
8. Right click the USB drive and select 'Format'.
9. Choose 'NTFS' in the File System dropdown box.
10. Click 'Start' to format it in NTFS.

Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

• Evaluating an organization’s existing software security practices
• Building a balanced software security assurance program in well-defined iterations
• Demonstrating concrete improvements to a security assurance program
• Defining and measuring security-related activities throughout an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.