رمضان كريم

أتقدم إلى مقامكم الكريم بأسمى آيات التهاني والتبريكات بمناسبة حلول شهر رمضان المبارك،
أعاده الله علينا وعليكم وعلى الأمة العربية والإسلامية أجمع بالخير واليمن والبركات متمنين لكم وافر الصحة والسعادة.

وكل عام وأنتم بخير

May Allah Bless You and Your Family and wish you a Ramadan Kareem

تحياتي

فاطمة أحمد بازاركان

It indeed has been a long time since I updated my blog. Just been so occupied with leaving the old career getting into a new one and finally adjusting to the new environment and people.  

Currently, I fill the position of Manager, ICT Security at Masdar (Abu Dhabi Future Energy Company). The Masdar Initiative is a wholly owned subsidiary of Mubadala and considered the world’s first carbon-neutral zero waste city and is the head-quarters of the International Renewable Energy Agency (IRENA).

A new milestone and a challenge in my career life and a long way to go, wish me luck.

Will be updating more often.

Always, Fatma Bazargan

Couple of interesting snippets for today…

I just came across a wonderful website called Wepawet. Interestingly, Wepawet is a service for detecting and analyzing web-based malware and it currently handles Flash, Java Script and PDF Files. So now you wont need to think twice about clicking a website and opening a file that you feel is malicious just take sometime test it and you are good to go. Simply the things you can do is…

Determine if a page or file is malicious

wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified in a way or the other.

Analyze a malicious resource

wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.

Identify the attacks launched by a malicious resource

wepawet does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.

There is an interesting entry from Lori about the Real Meaning of Cloud Security, how to distinguish “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure, the latter about services hosted in a cloud environment. He goes then on talking about Cloud Security in particular.   

For all those who will be attending the 21^st Annual FIRST Conference in Japan to be held from 28^th June to 3^rd of July, here you can find some very interesting podcasts prior to the event. In addition, FIRST has announced that those who hold CISSP, CISA, CISM and CGEIT will have an opportunity to earn CPEs if they attend the FIRST conference. Other than that if you are a Twitter person then you can follow them at firstdotorg for latest updates.

Talking about training courses, now that we all know that Virtualization is one of the must-know hot topics when it comes to information security, SANS have introduced a new course called Virtualization Security and Operations SEC557. As mentioned by SANS, the course aims to provide a firm foundation for all aspects of virtualization technology, covering the hosts, guests, networks, and management components. When students leave this class, they’ll have all the tools they need to properly secure their virtual environments and maintain their desired security and compliance posture.

Finally, Bill gives some Career Advice for Security Geeks.

That’s all for now. Enjoy!

Fatma.

Swine Influenza - Pandemic

Source: BBC News

What is swine flu?

Swine flu is a respiratory disease, caused by influenza type A which infects pigs. There are many types, and the infection is constantly changing. Until now it has not normally infected humans, but the latest form clearly does, and can be spread from person to person – probably through coughing and sneezing.

How worried should people be?

When any new strain of flu emerges that acquires the ability to pass from person to person, it is monitored very closely in case it has the potential to spark a global epidemic, or pandemic.

The World Health Organization has warned that taken together the Mexican and US cases could potentially trigger a global pandemic, and stress that the situation is serious. However, experts say it is still too early to accurately assess the situation fully. Currently, they say the world is closer to a flu pandemic than at any point since 1968 – rating the threat at three on a six-point scale. Nobody knows the full potential impact of a pandemic, but experts have warned that it could cost millions of lives worldwide. The Spanish flu pandemic, which began in 1918, and was also caused by an H1N1 strain, killed millions of people. The fact that all the cases in the US have so far produced mild symptoms is encouraging. It suggests that the severity of the Mexican outbreak may be due to an unusual geographically-specific factor – possibly a second unrelated virus circulating in the community – which would be unlikely to come into play in the rest of the world. Alternatively, people infected in Mexico may have sought treatment at much later stage than those in other countries. It may also be the case that the form of the virus circulating in Mexico is subtly different to that elsewhere – although that will only be confirmed by laboratory analysis. There is also hope that, as humans are often exposed to forms of H1N1 through seasonal flu, our immune systems may have something of a head start in fighting infection. However, the fact that many of the victims are young does point to something unusual. Normal, seasonal flu tends to affect the elderly disproportionately.

More information can be found at:

• World Health Organization
• Health Protection Organization
• Belgium Influenza
• Pandemic Watch by Stephen Northcutt
• Google Map of Swine Flu Outbreak

safe safe.

Fatma Bazargan

mmm.. and who shall watch the watchers?

For the last couple of days I have been reading about an interesting topic called “government trojans”. A government trojan “is a spyware/Trojan/backdoor installed on a workstation or network by a law enforcement agency for the purpose of capturing information relevant to a criminal investigation. This Trojan captures private e-mail communication, VoIP traffic, data residing on hard drives, record video conferences, etc. This captured data is then sent out to a central server for processing and analysis without the prior consent or knowledge of the individual and their data privacyl.”

The overall goal of planting the trojan in a suspect’s computer is in order to snoop on the suspect’s hard drive data and Internet traffic for any suspicious activity related to terrorism, child pornography, drug trafficking, etc.

Personally and even some individuals find it illegal for government to snoop into their data using these so called government trojans, let alone the other case of wiretapping the Internet traffic which some countries find it illegal where others are just fine with it.

You can read about it more here, here and here. It elaborates further which countries have implemented and who is planning to implement and so on.

Where are we going with this is the question.

Till then, be unwatched.

Some of the interesting reads I had these couple of days:

1. Now this is awesome, ISC2 launches Child Online Safety Program and calls it “Safe & Secure Online“: a program that invites (ISC)2 information security experts to educate school children ages 11-14 on how to protect themselves online.

“Safe & Secure Online is a program begun by (ISC)2 with support from Childnet International, a charity that aims to make the Internet a safe place for children. First introduced in the United Kingdom (UK) in 2006, then expanded to Hong Kong in 2007, Safe & Secure Online has reached nearly 20,000 children in those regions. The program is designed to address the gap in security advice that exists in children’s safety outreach efforts.“

And for all of you who are maintaining your CPEs, you can do that by teaching Children on how to be safe and secure when online.

2. If you are thinking to set up a CERT/CSIRT at your organization then ENISA has released CERT/CSIRT Exercises Handbook with a toolset, they also have a guide on a step-by-step approach on how to set up a CSIRT and you can also find a great guide on basic collection of good practices for running a CSIRT. I found it a useful resource to start with besides others.

3. Talking about USB drives and how they can be vulnerable to malicious applications and viruses Mobile Armor’s KeyArmor USB drive is designed to combat these threats:    

“The KeyArmor solution is a military level encrypted USB drive managed by the Mobile Armor enterprise policy console, PolicyServer. KeyArmor USB drives are FIPS 140-2 Level 2 validated using on processor AES hardware encryption. KeyArmor now independently provides protection against viral and malware threats. With integrated anti-malware detection and remediation, viruses and malicious software are prevented from attacking data transferred and stored on the KeyArmor drive. This is an independent function of KeyArmor, not requiring the existence or utilization of anti-malware from the data source device. KeyArmor provides detailed auditing and logging relating to the anti-malware component, including version control, update integrity, update frequency and file status.”

KeyArmor: You are neat!

4. This is an interesting read about eEye Digital Security that announced the Blink Server 4 that has integrated protection platform for the windows servers and applications. 

That’s all for now. Good day all.

Bazargan.

Just being on vacation for the last couple of weeks and the coming week will be my last week enjoying being disconnected for a while.

But as a quick update on the happenings around is:

• For those following the Conficker updates you can visit the Conficker Working Group website and for those who were wondering what Conficker did in first week of April well it was limited to spam and serving the victim’s with fake anti-virus products.
• I found this simple interactive animation interesting one to understand how a simple Buffer Overflow attack works click here.
• Infected or Compromised by Richard Bejlitch.  

That’s all for now.

Enjoy the weekend.

http://insecure.org/

There is a new release of NMAP 4.85Beta6 (Windows, Linux, OSX)

This release as per insecure.org includes further improvements such as:

§  Fixed some bugs with the Conficker detection script (smb-check-vulns)

§  SMB response timeout raised to 20s from 5s to compensate for slow/overloaded systems and networks.

§  MSRPC now only signs messages if OpenSSL is available (avoids an error).

§  Better error checking for MS08-067 patch, among others.

The command you can use for the Conficker scan is:

nmap -PN -T4 -p139,445 -n -v –script=smb-check-vulns –script-args safe=1 [targetnetworks]

How to detect and contain Conficker!

So quick news about the Conficker, Honeynet Project members Tillmann Werner and Felix Leder have developed a new scanning tool for detecting Conficker and the Know Your Enemy writeup that would describe and explain on how to contain Conficker will be out shortly. The tool is now publicly available and is in the process to be integrated in major vulnerability scanning tools such as Tenable (Nessus), nCircle, Qualys, NMAP among others.

Doxpara, Dan Kaminsky has also packaged the tool by Werner and Feder in a scanner via py2exe that you can run to scan an IP range and it would detect any machine from the list that has been infected by Conficker.

Word to Spread: Ensure that your computers are patched with the latest Microsoft Patches through Windows Update and that your anti-virus engines have the latest updates.

Don’t forget to run the tools to detect Conficker infection.

UPDATE:

HERE is a video about the Conficker (GREAT LISTEN): http://www.sophos.com/blogs/gc/g/2009/03/31/video-conficker-april-1st-fuss/ 

Qualys also have something to say about Conficker: http://laws.qualys.com/lawsblog/2009/03/taming-of-the-shrew-aka-confic.html 

UPDATE 2:

The Know your Enemy Paper explain how to detect, contain and remove Conficker:  http://www.honeynet.org/papers/conficker

If you are going to use NMAP then check DAN’s post http://www.doxpara.com/?p=1294

Update 3:

 Symptoms of being infected:

• When you find yourself not able to access the anti-virus websites or security related websites.
• When you find your account locked out in the directory
• When you find an autorun.inf files in the recycled directory
• When you notice deny access to admin shares
• When you notice malicious traffic sent through port 445

 SANS have set up a diary for updates on conficker at: http://isc.sans.org/diary.html?storyid=5860

Final word for today: even if you get infected and go looking for a removal tool for conficker, make sure you download a removal tool from a vendor that you always deal with or at least are sure of and heard of. The last thing you would ask for is downloading a bogus conficker removal tool that has been set up by cyber criminals!

(WATCH OUT THIS ENTRY, I’ll keep updating it with Conficker Info)

Happy Conficker’ing Day!

Fatma Bazargan

MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability

Firefox 3.0.8 Release Notes and Download