Apr 28, 2009

Danzer

Dranzer, an open source tool released by CERT.

It enables users to examine effective techniques for fuzz testing ActiveX controls in order to provide some insight into the current state of ActiveX security.

Apr 27, 2009

iPhone in Action

"iPhone in Action" is a book release in Dec 2008.

The blog for iPhone in Action is at http://iphoneinaction.manning.com/iphone_in_action/
It is all about iPhone including tutorials, classes, and other info on iPhone SDK programming.

MakeUseof Freebies

This is a list of freebies from MakeUseOf:
  • Shortcut cheatsheets
  • "Where to Watch" Guide for Web
  • MakeUseOf Photoshop Guide
  • Idiot's Ultimate Guide for Building your own computer.
  • MakeUseOf Laptop Buying Guide 2009
  • The Big Book of iTunes
  • MakeUseOf PSP Downgrading and Upgrading Guide
I found the Big Book of iTunes is particularly useful for me.

Vulnerability on OAuth

What's OAuth?
  • It is an an open protocol to allow API access authorization.
  • It allows user to grant access on specific user's data to online providers, like OpenID.
  • OpenID provides the authentication and then OAuth gives access to the user's properties and attributes without giving all other information to the provider.
Summary of the Vulnerability
  • It is similar to a session fixation vulnerability (it's not session related).
  • The attacker can get a legitimate request token from one site, then entice a victim to click on a link with that token.
  • The link brings the victim to a page for approving access for site to access personal information.
  • The attacker can then finishes the authorization and get access to whatever information was approved to be accessed by the site.
The advisory and the detail can be accessed at OAuth site.

Below is a list of affected vendors:

Apr 20, 2009

New Linux Rootkit Technique

A new rootkit technique is uncovered by a Linux expert using /dev/mem. This is also less obvious thant the established route via traditional LKM method to hide files or processes, or interfere with network traffic.

The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory.

Interestingly, some platforms are secure against this new rootkit (by default):
  • Current RedHat and Fedora (incorporates SELinux )
  • Virtual environment (another reason to be virtualized)
The detail of the new rootkit is documented in Malicious Code Injection via /dev/mem.

Apr 19, 2009

Configuring Linux for Oracle Database 10g

This is to show how to configure Linux kernel and prepare for the installation of Oracle Database 10g.

Setup the user and groups:
/usr/sbin/groupadd oinstall
/usr/sbin/groupadd dba
/usr/sbin/groupadd oper
/usr/sbin/useradd -g oinstall -G dba,oper oracle
/usr/bin/passwd oracle
Setup the envrionement:
umask 022

PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
LD_LIBRARY_PATH=/usr/lib:/usr/X11R6/lib

ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH

export PATH LD_LIBRARY_PATH

mkdir -p /u01/app/oracle
chown -R oracle:oinstall /u01/app
chmod -R 775 /u01/app

export ORACLE_BASE ORACLE_HOME ORACLE_SID
Setup the kernel parameters:
/sbin/sysctl -w kernel.sem = 250 32000 100 128
/sbin/sysctl -w kernel.shmall = 2097152
/sbin/sysctl -w kernel.shmmax = 2147483648
/sbin/sysctl -w kernel.shmmni = 4096
/sbin/sysctl -w fs.file-max = 65536
/sbin/sysctl -w net.ipv4.ip_local_port_range = 1024 65000
/sbin/sysctl -p

>>>> From http://www.oracle.com/technology/obe/obe10gdb/install/linuxpreinst/linuxpreinst.htm

Apr 16, 2009

Twitter Attacked by (XSS) Worm

A twitter nowadays does not eat worm? How about a worm is attacking twitter?


Twitter has confirmed the attack and closed a vulnerability on last Saturday (Apr 11, 2009). Over Saturday, a worm which uses a cross site scripting flaw in Twitter profiles has been tricking users of the social networking service and directing them to stalkdaily.com.

The worm consisted of JavaScript code hidden in the "Bio" section of the Twitter profile. A user would be sent to view another users profile which contained the script. The script would wait three seconds and grab the user name and twitter cookie for the user. It then used the Twitter API, with the users credentials to modify that users profile, adding the worm and sending tweets about stalkdaily.com.

Twitter users should check their profile's biography field to see if it has changed and if so, reset it. Twitter has reset the password on a number of affected accounts and those users will need to request a new password to regain access.


Apr 12, 2009

Two Easter Eggs

Two easter eggs I come across from Internet.

utorrenttetris.png


uTorrent Tetris

To find it: In uTorrent, go to the Help menu and choose "About uTorrent." Press the letter T.
Purpose: A game of Tetris while you wait for your download to complete.




picasabears.jpg


Picasa Teddy Bears

To find it: In Picasa, press Ctrl+Shift+Y.
Purpose: For fun. Your photo library taken over by teddy bears! Keep hitting the key combo to add more bears.

Apr 10, 2009

Building Security in Maturity Model

Software security again.

In 2006, software security found itself embodied in three major methodologies: Microsoft SDL, Cigital Touchpoints, and OWASP CLASP. Of course there are more. BSIMM selects 9 (out of 35 software security initiatives) and creates a Software Security Framework (SSF).

The BSIMM is about helping us to determine where our organization stands with respect to software security initiatives and what steps can be taken to make it more effective.

For a concise description of the BSIMM, read the informIT article Software [In]security: The Building Security In Maturity Model (BSIMM), Confessions of a Software Security Alchemist.

You can download the document from here.

WiFi at Airport

You're sitting in an airport or in a cafe, and they provide WiFi access with some fees. However, they do allow ICMP or DNS traffic, though for free. What can you do?

The answer is tunneling: IP-over-ICMP or IP-over-DNS.

Check this out to get yourself ready for this situation:

Apr 9, 2009

SSL Audit

SSL is not a panacea. Thus, it is important to learn how to audit a SSL/TLS host effectively. This is a compilation of various articles on how to audit a weak SSL host.

Attempt to connect to target (in this case google.com) with SSLv2:
~# openssl s_client -no_tls1 -no_ssl3 -connect www.google.com:443
Check the output if it works. You can also do this with NMAP (with NSE script):
~# nmap -n -p443 -v --script=sslv2 -iL target.list -oG https.gnmap
Next, we will need to parse the NMAP output and dump the all the X.509 certificates with OpenSSL tool:
~# gawk "/https/{print $0}" https.gnmap > https-ip.txt
~# ./get-cert-info.sh https-ip.txt
Below is the "get-cert-info.sh":
#!/bin/bash
# You will need OpenSSL for this script to work

processLine(){
# Use OpenSSl to download the cert and extract the right info
# from it witht he X509 utility e.o.
line="$@" # get all args
IP=$(echo "$line" | cut -d" " -f1)
TARGETDOM=$(echo "$line" | cut -d" " -f2)
HOST="$TARGETDOM:443"
# Connect to HOST, defer errors to /dev/null,
# send standard output to RAWCERT variable
RAWCERT=$(openssl s_client -connect ${HOST} 2>/dev/null)
# Obtain encoded certificate from RAWCERT
CERTTEXT=$(echo "$RAWCERT" | /
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
# Process certificate for the different variables
SIGALG=$(echo "$CERTTEXT" | /
openssl x509 -noout -text | /
grep -m 1 "Signature Algo" | cut -d: -f2)
SUBJECT=$(echo "$CERTTEXT" | /
openssl x509 -noout -subject | sed -e 's/subject= //')
ISSUER=$(echo "$CERTTEXT" | /
openssl x509 -noout -issuer | sed -e 's/issuer= //')
START=$(echo "$CERTTEXT" | /
openssl x509 -noout -startdate | cut -d= -f2)
END=$(echo "$CERTTEXT" | /
openssl x509 -noout -enddate | cut -d= -f2)
SERIAL=$(echo "$CERTTEXT" | /
openssl x509 -noout -serial | cut -d= -f2)

#Clean-up dates
START=$(echo "$START" | sed -e 's/GMT//')
START=$(echo "$START" | cut -d" " -f1,2,4)
STARTDAY=$(echo "$START" | cut -d" " -f2)
STARTMONTH=$(echo "$START" | cut -d" " -f1)
STARTYEAR=$(echo "$START" | cut -d" " -f3)
START=$STARTDAY\/$STARTMONTH\/$STARTYEAR

END=$(echo "$END" | sed -e 's/GMT//')
END=$(echo "$END" | cut -d" " -f1,2,4)
ENDDAY=$(echo "$END" | cut -d" " -f2)
ENDMONTH=$(echo "$END" | cut -d" " -f1)
ENDYEAR=$(echo "$END" | cut -d" " -f3)
END=$STARTDAY\/$STARTMONTH\/$STARTYEAR

# Output in CSV format
echo $IP, $TARGETDOM, $SIGALG, $SUBJECT,/
$ISSUER, $START, $END, $SERIAL
}

### File line loop ###
# Store file name
FILE=""

# Make sure we get file name as command line argument
FILE=${1?"No file name specified"}
# Check that file exists and is readable
[ ! -f $FILE ] && { echo "$FILE: does not exist"; exit 1; }
[ ! -r $FILE ] && { echo "$FILE: cannot be read"; exit 2; }

#Open file for reading
exec 3< $FILE

#Process file line by line
while read -u 3 line
do
# use $line variable to process line
# in processLine() function
processLine $line
done

# Close file after reading
exec 3<&-

exit 0

Related links:

Advanced Javascript Obfuscation

This is an interesting article at SANS. Once again, this shows why signature scanning will fail most of the time.

Read more.

F-Secure: Security Threat Summary Q1/2009

F-Secure just published their threat summary for the 1st quarter of 2009. It includes:
  • Conficker
  • First SMS worm
  • Threats in social networks.
More info on http://www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threat-summaries/2009-1.html


f-secure

Built-in Network Tools in Vista

Windows Vista does come with a number of network tools: 2 new and 10 old tools (in XP).

The 2 new toys:
  1. getmac - display the MAC address
  2. pathping - ping + traceroute
The 10 old toys:
  1. hostname
  2. ipconfig
  3. nslookup
  4. net
  5. nbtstat
  6. netstat
  7. ping
  8. tracert
  9. netsh
  10. route
Related links:

Apr 8, 2009

!exploitable Crash Analyzer

A new open-source tool to make debugging easier is released by Microsoft. It gives developers a lot of help during the release cycle to build more secure software.
Microsoft released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it’s still under development.

As its name suggests, !exploitable Crash Analyzer (pronounced “bang exploitable crash analyzer”) combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a “game changer” because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.

“Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash and says ‘You better take a look at this,’” Kaminsky told The Reg. “What makes !exploitable so fascinating is that it takes at least the first level of this knowledge and packages it up into something that can be in the workflow.”

There is currently an x86 and an x64 version availalble.

You can download the application here: !exploitable Crash Analyzer - MSEC Debugger Extensions


Apr 6, 2009

Ophcrack and Rainbow Table

Still remember Ophcrack? How about rainbow table? If you really don't know, check here for Ophcrack and here for rainbow table.

Now there is a free/demo online version I found today. Check out at objectif-securite.

At here, you can dump the hash to get back the password immediately (of course this is based on rainbow table), or vice versa.

Try the following hashes:
  • aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 [EMPTY]
  • e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c [password]
  • ac804745ee68ebea1aa818381e4e281b:3008c87294511142799dca1191e69a0f [admin123]

Picture of the Day: Snow White chomps on poison Apple


Apr 3, 2009

One-Line-Web-Server For File Sharing

Today, I learn a way to create a web server within one-line. This allows me to share files with browser access from remote.

TCP port 80

~# python -c "import sys,SimpleHTTPServer;sys.argv=[None,80];SimpleHTTPServer.test()"

Or TCP port 8000

~# python -m SimpleHTTPServer

SANS Consensus Audit Guidelines (Draft 1.0)

On Feb 23, 2009 SANS publishes the first draft of the Consensus Audit Guidelines (CAG). As represented in the press release, the CAG includes 20 controls, 15 of which can be automated and 5 are not.

The 20 Critical Controls subject to automated measurement and validation (AMV):
  1. Inventory of Authorized and Unauthorized Hardware.
  2. Inventory of Authorized and Unauthorized Software.
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
  4. Secure Configurations of Network Devices Such as Firewalls And Routers.
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security ***
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering (not AMV)
  17. Red Team Exercises (not AMV)
  18. Incident Response Capability (not AMV)
  19. Assured Data Back-Ups (not AMV)
  20. Security Skills Assessment and Training to Fill Gaps (not AMV)
Two (2) points I would like to make here:
  • When your only tool is hammer (For*ify), you tend to see every problem as a nail. Hey dude, *** is only 1/20 of the entire infosec.
  • RedTeam Exercise isn't an automated measurement and validation.

Does PCI Works?

This is a news from Computer World.

Payment card industry's data security rules aren't working, critics say; (and of course ) VISA, PCI council continue to defend stand.

Some evidences:
  • Hannaford was certified as PCI-compliant by a 3rd-party assessor in Feb 2008, just 1 day after the company was informed of the system intrusions (which had begun 2 months ago).
  • RBS WorldPay was certified as PCI-compliant prior to breaches that the payment processors disclosed in Dec 2007 and Jan 2008 respectively.
Interesting?

NTFS-hacked in USB without Hacking

I know there are many tools out there to allow you to format a USB thumb/flash drive to NTFS. By default, Windows allow your USB to be formatted to FAT only. Here's the instruction to allow you to format your USB to NTFS without any hacking.
  1. After plug in your USB, open "My computer".
  2. Right click "My Computer, select "Manage".
  3. Open the 'Device Manager' and find your USB drive under the 'Disk Drives' heading.
  4. Right click the drive and select 'Properties'.
  5. Choose the 'Policies' tab and select the 'Optimize for performance' option.
  6. Click 'OK' to close it.
  7. Now, open 'My Computer'.
  8. Right click the USB drive and select 'Format'.
  9. Choose 'NTFS' in the File System dropdown box.
  10. Click 'Start' to format it in NTFS.

Apr 2, 2009

Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
  • Evaluating an organization’s existing software security practices
  • Building a balanced software security assurance program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities throughout an organization
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.