Fatma Bazargan’s blog

Various # 09 – 105
May 5, 2009, 12:07 pm
Filed under: Security



Couple of interesting snippets for today…


I just came across a wonderful website called Wepawet. Wepawet is a service for detecting and analyzing web-based malware, and it currently handles Flash, JavaScript and PDF files. So now you won't need to think twice about visiting a website or opening a file that you suspect is malicious: take some time to test it first and you are good to go. In short, the things you can do with it are...


Determine if a page or file is malicious

wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other.


Analyze a malicious resource

wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.


Identify the attacks launched by a malicious resource

wepawet does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.


There is an interesting entry from Lori about the Real Meaning of Cloud Security: how to distinguish “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure, the latter about security services hosted in a cloud environment. He then goes on to discuss cloud security in particular.


For all those who will be attending the 21st Annual FIRST Conference in Japan, to be held from 28th June to 3rd of July, here you can find some very interesting podcasts prior to the event. In addition, FIRST has announced that those who hold CISSP, CISA, CISM and CGEIT will have an opportunity to earn CPEs if they attend the FIRST conference. Other than that, if you are a Twitter person then you can follow them at firstdotorg for the latest updates.


Talking about training courses, now that we all know that Virtualization is one of the must-know hot topics when it comes to information security, SANS have introduced a new course called Virtualization Security and Operations SEC557. As mentioned by SANS, the course aims to provide a firm foundation for all aspects of virtualization technology, covering the hosts, guests, networks, and management components. When students leave this class, they’ll have all the tools they need to properly secure their virtual environments and maintain their desired security and compliance posture.


Finally, Bill gives some Career Advice for Security Geeks.



That’s all for now. Enjoy!




Data Privacy and Data Protection
April 25, 2009, 7:14 pm
Filed under: Security
mmm.. and who shall watch the watchers?



For the last couple of days I have been reading about an interesting topic called “government trojans”. A government trojan is a spyware/Trojan/backdoor installed on a workstation or network by a law enforcement agency for the purpose of capturing information relevant to a criminal investigation. This Trojan captures private e-mail communication, VoIP traffic and data residing on hard drives, records video conferences, etc. The captured data is then sent to a central server for processing and analysis without the prior consent or knowledge of the individual, and without regard to their data privacy.


The overall goal of planting the trojan on a suspect’s computer is to snoop on the suspect’s hard drive data and Internet traffic for any suspicious activity related to terrorism, child pornography, drug trafficking, etc.


Personally, like many other individuals, I find it illegal for a government to snoop into people’s data using these so-called government trojans, let alone the other case of wiretapping Internet traffic, which some countries consider illegal while others are just fine with it.


You can read more about it here, here and here. Those articles elaborate further on which countries have implemented it, who is planning to implement it, and so on.


Where are we going with this is the question.


Till then, be unwatched.


Various # 09 – 104
April 21, 2009, 1:07 pm
Filed under: Security


Some of the interesting reads I had these couple of days:


1. Now this is awesome: (ISC)2 launches a Child Online Safety Program and calls it “Safe & Secure Online”, a program that invites (ISC)2 information security experts to educate school children ages 11-14 on how to protect themselves online.


“Safe & Secure Online is a program begun by (ISC)2 with support from Childnet International, a charity that aims to make the Internet a safe place for children. First introduced in the United Kingdom (UK) in 2006, then expanded to Hong Kong in 2007, Safe & Secure Online has reached nearly 20,000 children in those regions. The program is designed to address the gap in security advice that exists in children’s safety outreach efforts.”


And for all of you who are maintaining your CPEs, you can earn them by teaching children how to be safe and secure when online.


2. If you are thinking of setting up a CERT/CSIRT at your organization, ENISA has released a CERT/CSIRT Exercises Handbook with a toolset. They also have a step-by-step guide on how to set up a CSIRT, and you can also find a great guide on a basic collection of good practices for running a CSIRT. I found it a useful resource to start with, besides others.


3. Talking about USB drives and how vulnerable they can be to malicious applications and viruses, Mobile Armor’s KeyArmor USB drive is designed to combat these threats:


“The KeyArmor solution is a military level encrypted USB drive managed by the Mobile Armor enterprise policy console, PolicyServer. KeyArmor USB drives are FIPS 140-2 Level 2 validated using on processor AES hardware encryption. KeyArmor now independently provides protection against viral and malware threats. With integrated anti-malware detection and remediation, viruses and malicious software are prevented from attacking data transferred and stored on the KeyArmor drive. This is an independent function of KeyArmor, not requiring the existence or utilization of anti-malware from the data source device. KeyArmor provides detailed auditing and logging relating to the anti-malware component, including version control, update integrity, update frequency and file status.”

KeyArmor: You are neat!


4. This is an interesting read about eEye Digital Security, which has announced Blink Server 4, an integrated protection platform for Windows servers and applications.


That’s all for now. Good day all.



Quick Update
April 16, 2009, 12:39 pm
Filed under: Security


I have been on vacation for the last couple of weeks, and the coming week will be my last week enjoying being disconnected for a while.


But here is a quick update on what has been happening around:

  • For those following the Conficker updates, you can visit the Conficker Working Group website. And for those who were wondering what Conficker did in the first week of April: it was limited to spam and serving the victims with fake anti-virus products.
  • I found this simple interactive animation an interesting way to understand how a simple buffer overflow attack works: click here.
  • Infected or Compromised, by Richard Bejtlich.


That’s all for now.


Enjoy the weekend.

NMAP 4.85Beta6 Released
April 1, 2009, 8:52 am
Filed under: Security

There is a new release of NMAP 4.85Beta6 (Windows, Linux, OSX)


This release as per insecure.org includes further improvements such as:

§  Fixed some bugs with the Conficker detection script (smb-check-vulns)

§  SMB response timeout raised to 20s from 5s to compensate for slow/overloaded systems and networks.

§  MSRPC now only signs messages if OpenSSL is available (avoids an error).

§  Better error checking for MS08-067 patch, among others.


The command you can use for the Conficker scan is:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]



More on Conficker
March 30, 2009, 8:33 pm
Filed under: Security
How to detect and contain Conficker!



So, quick news about Conficker: Honeynet Project members Tillmann Werner and Felix Leder have developed a new scanning tool for detecting Conficker, and a Know Your Enemy writeup that describes and explains how to contain Conficker will be out shortly. The tool is now publicly available and is in the process of being integrated into major vulnerability scanners such as Tenable (Nessus), nCircle, Qualys and NMAP, among others.


Dan Kaminsky of Doxpara has also packaged the tool by Werner and Leder, via py2exe, into a scanner that you can run against an IP range; it will detect any machine in that range that has been infected by Conficker.


Word to Spread: Ensure that your computers are patched with the latest Microsoft Patches through Windows Update and that your anti-virus engines have the latest updates.


Don’t forget to run the tools to detect Conficker infection.



HERE is a video about Conficker (GREAT LISTEN): http://www.sophos.com/blogs/gc/g/2009/03/31/video-conficker-april-1st-fuss/

Qualys also have something to say about Conficker: http://laws.qualys.com/lawsblog/2009/03/taming-of-the-shrew-aka-confic.html 


The Know Your Enemy paper explains how to detect, contain and remove Conficker: http://www.honeynet.org/papers/conficker

If you are going to use NMAP then check Dan’s post: http://www.doxpara.com/?p=1294

Update 3:

 Symptoms of being infected:

  • When you find yourself unable to access anti-virus websites or security-related websites.
  • When you find your account locked out in the directory.
  • When you find an autorun.inf file in the recycled directory.
  • When you notice access to admin shares being denied.
  • When you notice malicious traffic sent through port 445.
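Two of the symptoms above (account lockouts and traffic on port 445) leave traces in logs that can be checked offline, before any scanner is run. The script below is an added example, not code from the original post or from the Honeynet Project tool: it reads constructed firewall and Windows security log excerpts (the line formats are hypothetical exports, not a vendor format) and flags hosts that fan out to many distinct peers on TCP/445 or that trigger repeated account lockouts (Windows security event ID 4740, "A user account was locked out"). The thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# --- Constructed sample data (not real captures) -----------------------------
# Hypothetical firewall export, one connection per line.
FIREWALL_LOG = """\
09:58:10 src=10.0.0.5 dst=10.0.0.12 dport=445 action=allow
09:58:11 src=10.0.0.5 dst=10.0.0.13 dport=445 action=allow
09:58:11 src=10.0.0.5 dst=10.0.0.14 dport=445 action=deny
09:58:12 src=10.0.0.5 dst=10.0.0.15 dport=445 action=deny
09:58:12 src=10.0.0.5 dst=10.0.0.16 dport=445 action=deny
09:58:13 src=10.0.0.5 dst=10.0.0.17 dport=445 action=deny
09:58:20 src=10.0.0.7 dst=10.0.0.2 dport=445 action=allow
09:58:21 src=10.0.0.7 dst=10.0.0.2 dport=445 action=allow
09:58:30 src=10.0.0.9 dst=93.184.216.34 dport=80 action=allow
"""

# Hypothetical export of Windows security events. 4740 = account locked out;
# "caller" is the machine that supplied the bad passwords.
SECURITY_LOG = """\
09:58:14 EventID=4740 account=jsmith caller=WKS05
09:58:15 EventID=4740 account=admin caller=WKS05
09:58:16 EventID=4740 account=backup caller=WKS05
09:59:01 EventID=4740 account=tlee caller=WKS12
09:59:30 EventID=4624 account=tlee caller=WKS12
"""

FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
SEC_RE = re.compile(r"EventID=(\d+) account=(\S+) caller=(\S+)")


def smb_fanout(log_text, threshold=5):
    """Return {src: distinct_445_targets} for hosts that contacted at least
    `threshold` distinct peers on TCP/445. A workstation normally talks to a
    handful of file servers; a worm sweeping a subnet hits many peers in
    seconds, so the number of distinct targets is a better signal than the
    raw connection count."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m.group(3) == "445":
            targets[m.group(1)].add(m.group(2))
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def lockout_sources(log_text, threshold=3):
    """Return {caller_host: lockout_count} for machines that caused at least
    `threshold` lockouts (event 4740). One user mistyping a password locks
    one account; a password-guessing worm locks many from one host."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = SEC_RE.search(line)
        if m and m.group(1) == "4740":
            counts[m.group(3)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def triage(fw_log, sec_log):
    """Merge both checks into {host: [reasons]} for the incident handler."""
    findings = defaultdict(list)
    for src, n in smb_fanout(fw_log).items():
        findings[src].append(f"contacted {n} distinct hosts on TCP/445")
    for host, n in lockout_sources(sec_log).items():
        findings[host].append(f"caused {n} account lockouts")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(FIREWALL_LOG, SECURITY_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the sample data the script reports 10.0.0.5 (six distinct SMB targets in a few seconds, most of them denied) and WKS05 (three lockouts from one machine), while 10.0.0.7, which only talks to a single file server, stays quiet. Hosts it flags are candidates for the NMAP smb-check-vulns scan mentioned above, not confirmed infections.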

 SANS have set up a diary for updates on conficker at: http://isc.sans.org/diary.html?storyid=5860


Final word for today: even if you get infected and go looking for a removal tool for conficker, make sure you download a removal tool from a vendor that you always deal with or at least are sure of and heard of. The last thing you would ask for is downloading a bogus conficker removal tool that has been set up by cyber criminals!


(WATCH OUT THIS ENTRY, I’ll keep updating it with Conficker Info)


Happy Conficker’ing Day!

Fatma Bazargan

Firefox 3.0.8 Released
March 29, 2009, 8:37 am
Filed under: Security

The new release of Firefox 3.0.8 fixed two security issues:


MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability


Firefox 3.0.8 Release Notes and Download