Fatma Bazargan’s blog


IE8 and Firefox 3.0.8
March 27, 2009, 11:52 am
Filed under: Security
Firefox & IE: sweet encounter!

Last week at the CanSecWest security conference in Vancouver, British Columbia, a “single-click-and-you’re-owned” exploit was demonstrated against the beta release of Microsoft’s browser, Internet Explorer 8 (IE8). Microsoft has confirmed that the vulnerability is also present in the final release of IE8. The exploit reportedly bypasses Microsoft’s DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) mitigations, the two technologies meant to make a memory-corruption bug hard to turn into code execution.

 

Mozilla, on the other hand, announced that it will release Firefox 3.0.8 next week to close a serious security vulnerability, the second major Firefox exploit in a week. Exploit code has been posted publicly. The bug lets an attacker run code of their choosing on the victim’s machine when a Firefox user merely views a maliciously crafted XML file on a website, a style of attack known as a drive-by download.

 

By the way, the drive-by download affects Firefox on all platforms, including Mac OS X and Linux, according to Mozilla’s developer notes.

 

define: drive-by download (wikipedia)

Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the “supplier” may claim that the user “consented” to the download though s/he was completely unaware of having initiated a malicious software download.


The underlying problem is that most end-users run their computers with administrative privileges, so whatever code the attacker gets to run inherits the victim’s current privilege level (admin) and can change anything on the machine.

 

This type of attack can be prevented, or at least contained, if the end-user follows some of the methods below:

  • Avoid logging in to your machine with an account that has administrative privileges. Log in as a normal (low-privilege) user, and switch to an account with admin privileges only when a task really requires it.
  • If you are comfortable with virtual machines, run your browser sessions inside a contained virtual machine (VMware, etc.). The browser session is then segmented from your actual machine, so even if an exploit succeeds you can revert to an earlier snapshot as if you had never been infected.
  • Finally, if you use Firefox, run it as a restricted (low-privilege) user and install the NoScript add-on, which blocks JavaScript (and plugins) on a site until you explicitly allow it.

Safe browsing,

Fatma Bazargan



UAE Advanced Defense & Security Technology Summit 2009
March 27, 2009, 10:43 am
Filed under: Blogging


Held under the patronage of the UAE Ministry of Defense, the Advanced Defense & Security Technology Summit is an historic event that will bring together global defense and security leaders to discuss the crucial role of advanced technological solutions in solving global issues.

Organized by Development Program Worldwide, an established provider of high quality government and business summits and essential forums for bilateral negotiation, the summit will focus on key geopolitical themes such as:

  • Regional Security
  • Maritime Security
  • Critical Infrastructure Protection
  • Energy Security
  • Border Security
  • Future Combat Systems
  • Network Centric Warfare
  • National Resilience & Security

The summit will be opened by representatives of the UAE Ministry of Interior, the Ministry of Defense and the Armed Forces. The agenda for the two days can be found here.

Good Day



Conficker
March 26, 2009, 8:31 pm
Filed under: Security
hmm.. i dont think it's that pretty!


For a while now the Conficker worm has been a nightmare for everyone. Everyone is talking about April 1st, when the new variant of Conficker becomes active, so as a heads-up, folks: it is not doomsday. Where Conficker.A and .B polled 250 domains per day to download and run an update program, the new variant will poll 50,000 domains instead to do the same thing. Security researchers have also stated that Conficker was crafted by professionals, as it is considered one of the first real-world cases of malware using the MD6 hash algorithm.

 

As I mentioned before regarding SRI International’s write-up on Conficker, they have now also released a new technical write-up analysing Conficker.C. Parts of the write-up explain the peer-to-peer functionality and the domain-name generation pseudo-code of Conficker.C:

 

“Among the key changes, Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day. “
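To see why those numbers matter, here is an added example of a domain-generation algorithm. It is my own toy Python, not Conficker’s (SRI’s write-up has the real pseudo-code); it uses SHA-256 because MD6 is not in the standard library, and the seed constant, date and DNS log lines are made up for the illustration. It derives the day’s candidate list from the date, picks the 500 names the bot would actually query, and shows the defender’s side: matching a DNS log against the full day’s list to spot an infected host.

```python
import hashlib
import random
from datetime import date

TLDS = ("com", "net", "org", "info", "biz")
SEED = b"illustrative-seed"   # stands in for whatever constant the real malware carries


def daily_domains(day: date, count: int, seed: bytes = SEED) -> list:
    """Derive `count` candidate rendezvous domains from the date and a fixed seed.
    Anyone holding the seed (the bot, or an analyst who pulled it out of the
    binary) computes exactly the same list for a given day."""
    names = []
    stamp = seed + day.isoformat().encode()
    for i in range(count):
        h = hashlib.sha256(stamp + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                                   # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[13] % len(TLDS)]}")
    return names


def queried_today(day: date, total: int = 50_000, sample: int = 500, seed: bytes = SEED) -> list:
    """The bot resolves only a date-seeded random subset of the day's candidates."""
    pool = daily_domains(day, total, seed)
    rng = random.Random(hashlib.sha256(seed + b"pick" + day.isoformat().encode()).digest())
    return rng.sample(pool, sample)


def flag_hosts(dns_log: list, day: date, threshold: int = 10, total: int = 50_000) -> dict:
    """Count, per client, DNS queries that hit the day's candidate list.
    The defender has to precompute all `total` names, because it cannot know
    which 500 a given bot draws; that asymmetry is what 250 -> 50,000 buys."""
    todays = set(daily_domains(day, total))
    hits = {}
    for line in dns_log:
        _ts, client, _rtype, qname = line.split()
        if qname.lower().rstrip(".") in todays:
            hits[client] = hits.get(client, 0) + 1
    return {c: n for c, n in hits.items() if n >= threshold}


# Constructed DNS log for 1 April 2009: one client walks the generated list,
# another only looks up ordinary names.
DAY = date(2009, 4, 1)
SAMPLE_DNS_LOG = (
    [f"2009-04-01T00:0{i % 10}:00Z 10.0.0.17 A {d}"
     for i, d in enumerate(queried_today(DAY)[:25])]
    + ["2009-04-01T00:00:09Z 10.0.0.17 A www.microsoft.com",
       "2009-04-01T00:01:00Z 10.0.0.23 A mail.example.com",
       "2009-04-01T00:01:30Z 10.0.0.23 A update.example.org"]
)

if __name__ == "__main__":
    print("first candidates:", daily_domains(DAY, 3))
    print("flagged clients:", flag_hosts(SAMPLE_DNS_LOG, DAY))
```

The detection side only works because the algorithm and seed are known; that is exactly why the SRI analysis and the registrar coordination around April 1st mattered, and why a bigger pool plus a random subset makes pre-registering every name far more expensive than it was for 250.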

 

There is also a sandbox result from running Conficker.C.

 

I’m sure you all have tons of questions about this worm; here you can find the April 1st Conficker questions and answers (a MUST READ). Don’t forget to read about the peer-to-peer functionality as well.

 

An F-Secure cleaning tool is available here.

 

 

Regards;

Fatma



Various # 09 – 103
March 9, 2009, 5:30 pm
Filed under: Security

I know it has been a long time since I last updated; I was caught up with a lot of things lately, first IDEX 09 in Abu Dhabi and now SANS Orlando. As today is my last day in Orlando, before I leave to look around Disney I thought I’d update this place with a small blog entry.

XKCD: Yeah, that's easier! LOL


 

1. I’m sure you all know Ed Skoudis (who doesn’t?), author of the book Counter Hack Reloaded, a great SANS instructor and the founder of InGuardians, Inc. Ed, Hal Pomeranz and Paul Asadoorian (founder of PaulDotCom) have a great blog called Command Line Kung Fu, where they take a task and show the various command lines (kung fu) that accomplish it on both Windows and Linux, and how to use them for sysadmin work and pen testing. There is so much to learn from the site. P.S.: Ed, it was a great experience being taught by you and meeting you.

 

2. SRI International has published a wonderful useful report on the Analysis of Conficker’s Logic. Worth a read.  

 

3. A week ago security researcher Didier Stevens posted a video showing how an Acrobat Reader exploit can fire without the PDF ever being opened, and today he explains how merely having an infected file on your hard disk can be enough, with the Windows Indexing Service being the cause. Follow his countermeasures.

 

That’s all for now.

Fatma.



Podslurping
February 2, 2009, 9:21 am
Filed under: Security
Podslurping


Given my keen interest in reading about anything new related to autorun.inf, I stumbled today upon something called Podslurping, billed as the new endpoint security threat (data theft): access is gained while the computer is left unattended.

 

As per Wikipedia, podslurping is the act of using a portable data storage device such as an iPod or USB stick to illicitly download large quantities of confidential data by plugging it directly into the computer where the data is held.

 

Why is podslurping becoming an endpoint security threat? Because you don’t need to log in to the computer in order to copy confidential data. All you need, as USB Hacks mentioned, is a few lines in a .bat (batch) file and a reasonable copy program, and you are good to go: plug it in, then come back after an hour and fetch it out. (The machine does have to be left logged in and unlocked, since Autorun executes in the context of the user who is already signed in, which is exactly the “unattended” condition above.)

 

Now, do you recall the solution I talked about in one of my earlier blog entries, disabling the Autorun feature via the registry? Exactly that solution impedes podslurping. Do test it in your labs.

 

Interesting Reads:

http://www.pik-potsdam.de/members/gibietz/security-management/protecting-windows-computers-against-attacks-that-are-based-on-usb-sticks

 

http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

 

Enjoy!

FB.



Various # 09-102
February 1, 2009, 9:03 pm
Filed under: Security
Information


wow, it has been a looooong time since I updated this place; I’ve just been so packed with different stuff lately! *whoa! Isn’t a day stretchable to more than 24 hours?*

 

It’s going to be a *wickedly* technical post today..

 

  • One of the greatest tools that any InfoSec expert should have in their toolset is Nmap. A while back Raul Siles posted a great list of questions titled “Mastering Network Monitoring and Scanning”, all about Nmap. Recently he published the answers; you can read them here, on his website here, or at the ISC here.
  • For all the penetration-testing challenge fans, Ed Skoudis has published Part 5 of the Santa Claus is Hacking the Town challenge, so go and feed your beast. Once you have solved it you can check the answers. On top of that, Raul Siles has released the second version of his challenge, which you can find here, so you now have two challenges to enjoy.
  • Ed Skoudis recently released an interesting paper titled “Secrets of America’s Top Pentesters”. For those interested in meeting and being taught by Ed, you can attend SANS Orlando 2009, held from 1 March to 9 March. I know for sure I’m going to enjoy SANS Orlando this March.
  • For those interested in reading about the top web hacking techniques of 2008, read Jeremiah’s list here. Wow, the list just goes on, doesn’t it!
  • One piece of news I read recently was that Microsoft has fixed clickjacking in IE8: IE8 introduces the X-Frame-Options response header, with which a site tells the browser not to render its pages inside another site’s frame. For those who haven’t come across it, clickjacking is a relatively new technique described by Jeremiah Grossman and Robert Hansen in mid-2008: the attacker loads the target site in an invisible frame on top of a page he controls, so the victim’s clicks land on the target’s buttons rather than on what the victim sees. “The idea of clickjacking is that simply by tricking a visitor into arriving at an infected URL, an attacker can manipulate the affected end users’ browser session to get them to do just about anything the hacker desires, such as downloading malware, and at the time it was first reported publicly, there were clickjacking vulnerabilities available in just about every major browser, including IE7.”
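Microsoft’s IE8 fix for clickjacking is the X-Frame-Options response header. As an added example of what that header decides (my own Python, not Microsoft’s implementation), here is a small evaluator for the DENY / SAMEORIGIN / ALLOW-FROM rules, plus an audit over a set of constructed responses (the site names are made up) that lists which pages an attacker’s page could still load in an invisible frame. A page that sends no header at all is the framable, clickjacking-prone case.

```python
from urllib.parse import urlsplit

# Constructed responses for hypothetical sites (not real measurements).
SAMPLE_RESPONSES = {
    "https://bank.example": {"X-Frame-Options": "DENY"},
    "https://shop.example": {"X-Frame-Options": "SAMEORIGIN"},
    "https://forum.example": {},                                   # no header at all
    "https://widget.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def origin(url: str) -> str:
    """Scheme + host + port, which is what SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Would a browser honouring X-Frame-Options render page_url inside a frame
    on framer_url?  No header means yes: the page is framable."""
    value = None
    for name, val in headers.items():       # header names are case-insensitive
        if name.lower() == "x-frame-options":
            value = val.strip()
    if value is None:
        return True
    directive, _, arg = value.partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(page_url) == origin(framer_url)
    if directive == "ALLOW-FROM" and arg.strip():
        return origin(framer_url) == origin(arg.strip())
    # Unrecognised directive: for an auditor the safe assumption is no protection.
    return True


def audit(responses: dict, attacker_url: str = "https://evil.example") -> list:
    """Pages that a page on attacker_url could load in an invisible frame."""
    return sorted(url for url, hdrs in responses.items()
                  if frame_allowed(hdrs, url, attacker_url))


if __name__ == "__main__":
    print("framable by an attacker:", audit(SAMPLE_RESPONSES))
```

ALLOW-FROM was never implemented by every browser, so in practice a site gets DENY or SAMEORIGIN from this header; the finer-grained control came later with Content-Security-Policy’s frame-ancestors directive.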

That’s all for now.

 

Enjoy!

Fatma.



Accountability
January 20, 2009, 8:06 am
Filed under: Blogging
Robin Sharma


Below is a great read from the Blog of Robin Sharma

“Ideation without execution is delusion. The greatest idea in the world is useless without the discipline to make it happen. If you can’t create tangible results around your idea then it’s pointless. Great organizations and individuals make things happen. They do what they will say they will do. Very simply, they are meticulous about accountability.

 

Being accountable means that you are committed. That you will achieve the results you promised. Too many people avoid being accountable by blaming circumstances. (Blaming others or circumstances is simply excusing yourself.) So much so, that execution and accountability are a competitive advantage. The Rare Ones are those that get things done and end up defining the marketspace.”

 

Good Day!

Fatma



Various # 09-101
January 18, 2009, 11:47 am
Filed under: Security
Various


Two worms that several security websites and media outlets have recently reported on are W32.Conficker.worm and WORM_DOWNAD.AD (Conficker and Downad/Downadup are different vendors’ names for the same family); both exploit the recent Microsoft Server Service vulnerability (MS08-067). W32.Conficker.worm uses an exploitation method derived from the Metasploit ms08_067_netapi module to spread itself, and WORM_DOWNAD.AD is autorun-based malware. The way it works:

  • Sends exploit packets to all machines on the network that are not patched against MS08-067 (patch management); once exploited,
  • the vulnerability allows remote code execution and affects every Windows version since Windows 2000 (platform); then it
  • drops a copy of itself in the RECYCLER folder (Recycle Bin) of all available removable and network drives (propagation); next it
  • creates an obfuscated autorun.inf file on all these drives, so the worm is executed simply by browsing to the network folder or removable drive (weak security policy); then it
  • enumerates the available servers on the network and uses that information to gather a list of user accounts on those machines (segregation); finally, it
  • runs a dictionary attack against those accounts using a predefined password list; if successful it drops a copy of itself on their systems and uses a scheduled task to run it (weak passwords, policy).

 

Word to spread: even one UNPATCHED machine is enough to cause a catastrophe across the entire network. The patch has been available since late last year. If you haven’t patched your machines, it is highly recommended to download and install MS08-067 now (patch management).
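As an added example, here is my own Python (not code from SRI, any AV vendor or the worm) that parses an autorun.inf the way the Windows INI reader effectively does, skipping junk, and reports what the file would launch. It serves both the obfuscated autorun.inf described above and the plain one a podslurping stick uses (see the Podslurping entry). Both input files are constructed for the illustration: the RECYCLER path, the DLL name and slurp.bat are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed samples for the illustration (not copies of any real worm's file).
# 1. Conficker-style: a decoy section and binary junk wrapped around the few
#    lines Windows honours, with an Action text that mimics the default
#    "Open folder to view files" AutoPlay entry so the user picks the wrong one.
SAMPLE_OBFUSCATED = (
    b"[Zqpl]\r\n\x00\x8f\x1bfoo=\xf3\r\n"
    b"[AutoRun]\r\n"
    b"\x03\xc3\x81\x1f\xde\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\x7f\x02;\x1a\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-123\\update.dll,run\r\n"
    b"UseAutoPlay=1\r\n"
)
# 2. Podslurping stick: a plain file that simply fires a copy script.
SAMPLE_PODSLURP = b"[autorun]\r\nopen=slurp.bat\r\nicon=drive.ico\r\nlabel=Backup\r\n"

SECTION_RE = re.compile(r"^\s*\[\s*([A-Za-z0-9_.]+)\s*\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9\\]*)\s*=\s*(.*?)\s*$")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")          # shell\<verb>\command
SCRIPT_RE = re.compile(r"\.(bat|cmd|vbs|js|wsf|scr|pif)\b")
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")


@dataclass
class AutorunReport:
    launches: list = field(default_factory=list)   # (key, command) pairs that execute something
    action: str = ""                               # text shown in the AutoPlay dialog
    junk_lines: int = 0                            # unparsable lines inside [autorun]
    findings: list = field(default_factory=list)


def parse_autorun(raw: bytes) -> AutorunReport:
    """Recover the effective [autorun] entries from a possibly junk-padded file."""
    rep = AutorunReport()
    in_autorun = False
    for line in raw.decode("latin-1").splitlines():
        # INI readers ignore lines that are neither a section header nor key=value,
        # so padding the file with garbage defeats naive string matching without
        # changing what Windows does with it.
        clean = "".join(ch for ch in line if ch.isprintable())
        sec = SECTION_RE.match(clean)
        if sec:
            in_autorun = sec.group(1).lower() == "autorun"
            continue
        if not in_autorun:
            continue
        kv = KEY_RE.match(clean)
        if kv is None or clean != line:
            rep.junk_lines += 1
        if kv is None:
            continue
        key, value = kv.group(1).lower(), kv.group(2)
        if key in ("open", "shellexecute") or SHELL_CMD_RE.match(key):
            rep.launches.append((key, value))
        elif key == "action":
            rep.action = value
    return rep


def assess(rep: AutorunReport) -> AutorunReport:
    """Attach the findings a responder wants: what runs, from where, and how it hides."""
    for key, cmd in rep.launches:
        low = cmd.lower()
        before = len(rep.findings)
        if any(d in low for d in HIDDEN_DIRS):
            rep.findings.append(f"{key} runs from a hidden system folder: {cmd}")
        if "rundll32" in low:
            rep.findings.append(f"{key} loads a DLL through rundll32: {cmd}")
        if SCRIPT_RE.search(low):
            rep.findings.append(f"{key} runs a script: {cmd}")
        if len(rep.findings) == before:
            rep.findings.append(f"{key} launches: {cmd}")
    if rep.action.lower().startswith("open folder to view files"):
        rep.findings.append("Action mimics the default 'Open folder to view files' entry (social engineering)")
    if rep.junk_lines:
        rep.findings.append(f"{rep.junk_lines} junk line(s) inside [autorun] (obfuscation)")
    return rep


def analyze(raw: bytes) -> AutorunReport:
    return assess(parse_autorun(raw))


if __name__ == "__main__":
    for name, sample in (("conficker-style", SAMPLE_OBFUSCATED), ("podslurp", SAMPLE_PODSLURP)):
        print(name, analyze(sample).findings)
```

Run it over every autorun.inf found on removable and network drives; anything that launches at all is worth a look, and a launch target under RECYCLER or via rundll32 on a USB stick has no legitimate reason to exist.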

 

Another news bit: LinkedIn, the professional networking site that connects several million users across many industries, has finally been touched by cybercriminals. Close to a hundred bogus profiles were created, using the names and images of famous individuals such as Salma Hayek, Beyoncé, Kate Hudson and several others, carrying links to malware domains, redirectors and droppers that lead to infection. A detailed explanation can be found here.

 

Finally, there is an amusing list by Lenny Zeltser of the SANS Internet Storm Center (DShield) titled How to Suck at Information Security, and an informative cheat sheet on writing an Information Security Assessment RFP; both are worth a read.

 

 

Good Day!

Fatma Bazargan



Various # 100-09
January 14, 2009, 10:15 am
Filed under: Security
Cyber Warfare


What has been noticed in the field recently?

Microsoft issued the critical security bulletin MS09-001, Vulnerabilities in SMB Could Allow Remote Code Execution: flaws in the Server Message Block (SMB) protocol implementation could allow remote code execution on affected systems, so patch your systems.

 

I’m sure most of you have been reading about the latest research on creating a rogue Certificate Authority (CA) certificate using MD5 collision attacks. Researchers at Carnegie Mellon University, funded by the NSF, have come up with a solution called Perspectives, a Firefox extension that flags a certificate which differs from what a set of independent network “notaries” have observed for the same host over time, and so can catch a rogue or man-in-the-middle certificate even when it chains to a trusted CA. The paper is Perspectives: Improving SSH-Style Host Authentication with Multi-Path Network Probing. Worth a read.
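To make the notary idea concrete, here is an added example (my own Python, not the Perspectives extension’s code, with made-up notary names, fingerprints and day numbers): the client compares the certificate fingerprint it was just handed with what several notaries on different network paths have recorded for the same host, and rejects the key if the notaries agree on a different one. A rogue CA certificate passes the browser’s chain check but still fails this comparison, because the notaries never saw that key.

```python
from dataclasses import dataclass


@dataclass
class Observation:
    notary: str
    fingerprint: str   # hash of the certificate the notary saw when it probed the host
    first_seen: int    # day number of the first probe that returned this key
    last_seen: int     # day number of the latest probe that returned it


# Constructed notary records for one host (illustration, not real data):
# four notaries on different networks have seen key "aa11" for about a year.
LONG_LIVED = [
    Observation("notary-eu", "aa11", first_seen=0, last_seen=365),
    Observation("notary-us", "aa11", first_seen=3, last_seen=365),
    Observation("notary-asia", "aa11", first_seen=1, last_seen=364),
    Observation("notary-sa", "aa11", first_seen=10, last_seen=365),
]
# The same host two days after a key rotation: every notary sees the new key, but only just.
JUST_ROTATED = [Observation(o.notary, "bb22", first_seen=363, last_seen=365) for o in LONG_LIVED]


def assess_key(client_fp: str, observations: list, today: int,
               quorum: float = 0.75, min_days: int = 30) -> tuple:
    """Compare the key the client was handed with what the notaries have seen.

    Returns (verdict, detail).  'accept': enough notaries currently see the same
    key and every one of them has seen it for at least min_days.  'reject': the
    notaries agree on a different key, so the client's path is being intercepted
    or a rogue certificate was issued for this host.  'unknown': too little or
    too recent data to say, e.g. a legitimate key rotation."""
    current = [o for o in observations if o.last_seen >= today - 1]   # probed recently
    if not current:
        return "unknown", "no recent notary observations"
    agree = [o for o in current if o.fingerprint == client_fp]
    share = len(agree) / len(current)
    if share >= quorum:
        age = today - max(o.first_seen for o in agree)   # age as seen by the newest notary
        if age >= min_days:
            return "accept", f"{len(agree)}/{len(current)} notaries see this key, stable for {age} days"
        return "unknown", f"key is consistent but only {age} days old (possible legitimate rotation)"
    others = sorted({o.fingerprint for o in current if o.fingerprint != client_fp})
    return "reject", f"only {len(agree)}/{len(current)} notaries see this key; they report {others}"


if __name__ == "__main__":
    print(assess_key("aa11", LONG_LIVED, today=365))   # the key everyone has seen for a year
    print(assess_key("ff99", LONG_LIVED, today=365))   # a freshly minted rogue certificate
    print(assess_key("bb22", JUST_ROTATED, today=365))  # honest rotation, too new to vouch for
```

The quorum and minimum-age thresholds are the policy knobs: a lower quorum tolerates notaries that are themselves behind a different network path, and a shorter minimum age trades false alarms on legitimate key rotations against the window in which an attacker who can fool all notaries at once goes unnoticed.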

 

As security professionals we have always noticed that political, military, financial and other conflicts have a cyber dimension, and we call it cyber warfare. Examples include the cyber attacks on Estonia and Georgia. The Economist had a great article explaining cyber warfare called “Marching off to Cyberwar”; their insight is that:

“For a cyberattack to qualify as ‘cyberwar’, it must take place alongside actual military operations.” They also define cybervandalism and cyberhooliganism as forms of cybercrime. In that light, I believe every country, or the world as a whole, should agree on a definition of cyber warfare and either accommodate it in existing laws or write entirely new laws for it!

 

Well I guess I’ll have another update by tonight as I’m getting late for a meeting here.

 

Good Day All!

Fatma. 



web application security issues
December 30, 2008, 12:10 pm
Filed under: Security
web application security issues


Throughout this year most of us wouldn’t deny that web application security issues and vulnerabilities have been the biggest problem: SQL injection, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and websites carrying malicious code and data/password-stealing code, to name a few. It is one of two things: either organizations are spending immensely on securing everything else while leaving their web-based apps exposed, or the majority of malicious activity is simply becoming web-based.

 

The Internet Crime Complaint Center (IC3) has released some good preventative measures; in addition, WhiteHat Security has good statistics on the same topic.

 

Cisco also had a word on it in their 2008 Annual Security Report:

“Online security threats continued their growth in 2008. Online criminals combined spam, phishing, botnets, malware, and malicious or compromised websites to create highly effective blended threats that use multiple online vectors to defraud and compromise the security of Internet users.”

 

Not to forget: Acunetix, the Websense Threat Resource Center, Sophos, APWG, ScanSafe and many others.

 

I’m sure we will see some interesting web app security issues in 2009!

 

 

Rgds;

Fatma