Thursday, April 30, 2009

System Scanner Tool, The Task Manager Replacement

The tool allows you to get more information about processes, such as the IDs of all their threads, handles to DLLs, the ability to suspend specific threads of a specific process and, finally, the ability to view the process's virtual memory.

Download the tool from here.

Monday, April 27, 2009

Cisco SAFE, A Security Reference Architecture

Cisco has updated its security reference architecture guide, known as SAFE.

The Cisco SAFE consists of design blueprints based on proven security best practices that provide the design guidelines for building secure and reliable network infrastructures.

Here is the 344-page SAFE reference guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html

Sunday, April 26, 2009

SPAM with Botnet

Marshal8e6 researchers took a closer look at spam originating from botnets; here are some points that came out of the research:

- An infected machine within some botnets is capable of sending 25,000 spam messages per hour.

- Almost 75% of overall spam messages come from only 4 botnets.

- The largest source of spam is the Rustock botnet, which has been active for more than 2 years.

- The research looks at the 10 biggest spam botnets (Rustock, MEGA-D, Pushdo, XARVESTER, GRUM, Donbot, Gheg, Bobax, Srizbi, Waledac), with more details here.

Wednesday, April 22, 2009

Hacking Internet Backbone, Blackhat


New freely available tools demonstrated in Blackhat last week showed that MPLS, BGP, and Metro Ethernet are vulnerable to several attacks.

MPLS, which is used to segregate network traffic for corporate customers, can be modified by an attacker to gain access to other MPLS networks.

As MPLS has no mechanism for protecting the integrity of the headers that determine where a data packet should be delivered, the tool was used to modify the header. The attack is difficult to carry out, though, as it requires the attacker to be in the MPLS backbone.

The message here is: encrypt your traffic anyway, and do not trust your carrier.

Tuesday, April 21, 2009

Advanced SQL Injection, Blackhat


An Italian researcher, "Bernardo Damele Assumpcao Guimaraes", presented at Blackhat Amsterdam last week some new techniques that could allow full control of a target system.

One of these techniques uses batched queries to read or write a malicious file on the file system; the attack assumes that the database user has specific privileges, depending on the attack type.

The attacks are valid on many databases including MySQL, PostgreSQL and MS-SQL, on different OSes such as Windows and Linux, and with several programming languages such as PHP, ASP.NET and ASP (not valid on PHP/MySQL and PHP/ASP, as batched queries are not supported there).

The attack details differ from one DB to another, and may require other workarounds to avoid restrictions in some DBs.

The presenter is one of the developers of the sqlmap tool, which can be used to automate these techniques. The tool fingerprints the DB and continues the attack accordingly.

Here is how to write a file to the file system using MySQL:
- Create a support table with one field whose data type is longtext
- Encode the local file content to hex
- Split the hex-encoded string into chunks of 1024 characters each
- INSERT the 1st chunk into the database
- UPDATE the table with the rest of the chunks
- Export the hex-encoded contents from the table into the destination file path using SELECT's INTO DUMPFILE clause
- Retrieve the length of the written file with LENGTH to check whether it was written correctly
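As an added defender's example (written here, not taken from the talk or from sqlmap), the script below scans MySQL general query log lines for the staged file-write pattern just described: a longtext support table, hex-literal chunk writes, and a SELECT ... INTO DUMPFILE export, then reports the connections that show all three stages. The log lines, their "time / id command / argument" layout and the connection ids are constructed assumptions.

```python
import re

# Constructed sample of MySQL general query log lines (not real data).
# Layout assumed: "<time>\t<connection id> <command>\t<argument>".
SAMPLE_LOG = """\
090421 10:00:01\t    5 Connect\tapp@localhost on shop
090421 10:00:01\t    5 Query\tSELECT name, price FROM products WHERE id = 7
090421 10:00:02\t    5 Query\tCREATE TABLE tmp_support (data longtext)
090421 10:00:02\t    5 Query\tINSERT INTO tmp_support(data) VALUES (0x4d5a9000)
090421 10:00:03\t    5 Query\tUPDATE tmp_support SET data = CONCAT(data, 0x0300000004)
090421 10:00:03\t    5 Query\tSELECT data FROM tmp_support INTO DUMPFILE '/tmp/payload.bin'
090421 10:00:05\t    6 Query\tSELECT COUNT(*) FROM orders
"""

# Each indicator corresponds to one stage of the staged write described above.
INDICATORS = (
    ("support_table", re.compile(r"\bCREATE\s+TABLE\b.*\blongtext\b", re.I)),
    ("hex_chunk_write", re.compile(r"\b(INSERT|UPDATE)\b.*\b0x[0-9a-f]{8,}", re.I)),
    ("file_export", re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\b", re.I)),
)
ALL_STAGES = {name for name, _ in INDICATORS}


def parse_line(line):
    """Return (connection_id, query_text) for a Query line, else None."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None
    m = re.match(r"\s*(\d+)\s+(\w+)$", parts[1])
    if not m or m.group(2) != "Query":
        return None
    return int(m.group(1)), parts[2]


def scan_general_log(text):
    """Map connection id -> list of indicator names hit, in log order."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        conn_id, query = parsed
        for name, rx in INDICATORS:
            if rx.search(query):
                hits.setdefault(conn_id, []).append(name)
    return hits


def suspicious_connections(text):
    """Connections where every stage (table, hex chunks, export) was seen."""
    return sorted(c for c, names in scan_general_log(text).items()
                  if ALL_STAGES <= set(names))
```

Since INTO DUMPFILE requires the MySQL FILE privilege, the cheaper control is to make sure the application's database account does not hold it.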

Monday, April 20, 2009

Hijacking Mobile Data Connections, BlackHat



Italian security researchers presented a nice demo of how they managed to hijack a mobile data connection simply by sending a fake binary configuration message to a mobile phone, pretending it was sent by the carrier. If the recipient accepts the message (which is normally accepted by anyone), a new access point is created on the mobile with a malicious DNS server IP and possibly also an HTTP proxy IP. This allows the attackers to monitor all data connections from that mobile.

The attack does not rely on a single vulnerability in a single element, but exploits several elements:
- User trust, when he receives a spoofed SMS that appears to be from the carrier
- Many devices do not provide the user with sufficient information about the configuration to be changed
- Usage of an external DNS service from within the mobile network, if enabled
- Also an HTTP proxy parameter pointing to an external address

Countermeasures:
- Proper filtering of OMA provisioning messages.
- Blocking access to external DNS servers from mobile devices; however, this could lead to a DoS attack: if the attacker manages to change the DNS settings of a mobile phone, that mobile will have no access to the internet.

Wednesday, April 15, 2009

Verizon Data Breach report, 2009

Verizon released a new report on data breach:
  • More than 285 million records were compromised
  • 91% of all compromised records were attributed to organized criminal groups
  • 99.6% of records were compromised from servers and applications
  • 74% resulted from external sources
  • 69% were discovered by a 3rd party
  • 67% were aided by significant errors
  • 32% implicated business partners

http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Tuesday, April 14, 2009

Windows AUTOPWN Exploit Loading Framework

This is a free, quick, and standalone exploit framework for Windows.
Exploits are updated almost daily.

Monday, April 6, 2009

rsyslog - A new syslog server

I am a big fan of syslog-ng, and have personally used it to handle 5 million syslog messages per day with MySQL on a single server.

However, this syslog server (rsyslog) seems interesting, and here is a comparison between the 2 syslog servers:
http://www.rsyslog.com/doc-rsyslog_ng_comparison.html

It has all the nice features of syslog-ng in addition to other features such as:
- Support for a backup back-end database
- Support for more databases such as MS-SQL and Sybase
- Native support for sending emails
- Native support for sending SNMP traps

You can also use a web front-end with it, such as http://www.phplogcon.org/ ; http://code.google.com/p/php-syslog-ng/ can be used as well.

Sunday, April 5, 2009

Facebook public search reveals lots of information

A new paper about mining search engines for Facebook data shows that users' ignorance and poorly designed privacy controls can reveal a lot of information about users.

The researchers used social graphs that revealed some interesting information, such as:
- Finding the most popular users in a network
- Clustering the users into highly connected subgroups

This information can be used by marketers to target a small set of users with high influence in order to reach the entire network.
And if an attacker can compromise a small dominating set, he can reach out to the whole network.

They found that compromising 10% of the users can lead to compromising more than 50% of the messages in that network.

http://www.cl.cam.ac.uk/~jcb82/8_friends_paper.pdf

Thursday, April 2, 2009

Conficker Update

Updated

A Conficker Working Group has been formed by industry leaders to coordinate an effective response to the Conficker worm. http://www.confickerworkinggroup.org

Check if your IP is infected:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Information for enterprises:
http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=ENT.Enterprise

The Honeynet Project has an article about detecting Conficker infections, with a link to a tool to scan your network for possible infections.
http://honeynet.org/node/388

IDS Signatures, Detection tools:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

List of domains used by Conficker.C for April 1st:

Wednesday, April 1, 2009

Scan for Malicious pdf Documents

Didier Stevens released the PDFiD tool to help identify whether a PDF file could be malicious or most likely is not; the tool is based on a string scanner.
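As an added illustration of what a string-based scanner like PDFiD does (example code written here, not Didier Stevens's tool), the script below counts a handful of standard PDF name keywords in a file's raw bytes, decodes #xx-escaped names so that /J#61vaScript still counts as /JavaScript, and gives a simple triage verdict. The keyword subset and the two sample documents are constructed for the example.

```python
import re
from collections import Counter

# Subset of PDF names a PDFiD-style scanner counts (standard PDF name tokens).
KEYWORDS = ("/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia",
            "/Launch", "/EmbeddedFile", "/XFA")
# Names whose presence alone is worth a closer look.
SUSPICIOUS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
              "/RichMedia", "/JBIG2Decode", "/XFA")

NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")     # a name token, maybe with #xx escapes
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")  # one #xx escape inside a name

# Constructed sample documents (not real files): one plain, one using an
# escaped name and an OpenAction to run a script on open.
BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Count 1 /Kids [3 0 R] >>\nendobj\n"
          b"3 0 obj\n<< /Type /Page >>\nendobj\n")
SUSPECT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
           b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
           b"3 0 obj\n<< /Type /Page >>\nendobj\n")


def normalise_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares equal to its plain form."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count keyword names in raw bytes; also count how many hits were escaped."""
    counts = Counter()
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        decoded = normalise_name(raw)
        name = decoded.decode("latin-1")
        if name in KEYWORDS:
            counts[name] += 1
            if decoded != raw:
                obfuscated += 1
    return {"counts": dict(counts), "obfuscated": obfuscated}


def triage(report: dict) -> str:
    """Crude verdict: any active-content name or any escaped keyword is suspicious."""
    hits = [k for k in SUSPICIOUS if report["counts"].get(k)]
    return "suspicious" if hits or report["obfuscated"] else "likely benign"
```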