Monday, March 29, 2010

Smartphone Security - Part 4

At CanSecWest Pwn2Own 2010, researchers broke into a fully patched iPhone using a previously unknown Safari vulnerability. It took them two weeks to find the vulnerability and write the exploit, and about 20 seconds to hijack the entire SMS database and upload it to a server they controlled.

The researchers claim that the same vulnerability can also be used to hijack emails and photos.

As per the press release, vulnerability details will be disclosed only after Apple releases a patch.

Whatever the details of the vulnerability are, it is a fact that finding one is not that difficult. Considering the growing market share of smartphones, with more and more powerful hardware, smartphone security is going to be a big issue.

You may want to check Parts 1, 2 and 3 of this series on smartphone security issues.

Sunday, March 21, 2010

Finding Malware Using Cached DNS entries

This is an interesting way of checking your DNS cache for malicious domains, an easier method than examining the DNS server logs. It may miss some domains with low TTL values, since those entries expire from the cache before the check runs, but it is still very handy.

After some trials on a small ISP DNS server, short TTLs dominate the Zeus domains (1 minute on average), so checks should be ongoing, with the DNS overhead in mind.
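As an added example (not from the original post), the check described above in Python: it parses a resolver cache dump in the zone-file style that BIND's `rndc dumpdb -cache` writes (owner, TTL, class, type, rdata), matches each owner name and CNAME target against a malicious-domain list, and flags hits whose remaining TTL is shorter than the check interval, which is exactly the case the short-TTL Zeus domains fall into. The cache dump and the blocklist below are constructed samples; the real feeds are the ones listed on this blog.

```python
"""Check a DNS resolver cache dump against a malicious-domain list.

Added example, not code from the original post. Input format is the
zone-file style of `rndc dumpdb -cache` (BIND); other resolvers can be
handled by adapting RECORD_RE. All sample data below is constructed.
"""
import re
from typing import List, Tuple

# Constructed sample of a cache dump (comment and directive lines are skipped).
SAMPLE_CACHE_DUMP = """\
; Start view _default
; Cache dump of view '_default' (cache _default)
$DATE 20100321120000
www.example.com.        3412    IN      A       192.0.2.10
update.bad-example.net. 55      IN      A       198.51.100.7
cdn.bad-example.net.    40      IN      CNAME   edge.bad-example.net.
mail.example.org.       86400   IN      MX      10 mx.example.org.
"""

# Constructed blocklist; in practice this comes from the malicious-domain feeds.
SAMPLE_BLOCKLIST = ["bad-example.net", "evil-example.org"]

# owner  TTL  IN  TYPE  rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def normalize(name: str) -> str:
    """Strip the trailing dot and lowercase, so names compare consistently."""
    return name.rstrip(".").lower()


def parse_cache_dump(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (owner, ttl, rtype, rdata) for every record line in the dump."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((normalize(owner), int(ttl), rtype.upper(), rdata.strip()))
    return records


def is_listed(name: str, blocklist: List[str]) -> bool:
    """True if name equals a listed domain or is a subdomain of one."""
    blocked = {normalize(d) for d in blocklist}
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def find_malicious(dump: str, blocklist: List[str],
                   check_interval: int = 300) -> List[Tuple[str, int, str, bool]]:
    """Return (owner, ttl, rtype, short_ttl) for each cached record that points
    at a listed domain, by owner name or by CNAME target. short_ttl is True when
    the entry would have expired before the next check at this interval, i.e.
    a periodic dump is likely to miss such domains and should run more often."""
    hits = {}
    for owner, ttl, rtype, rdata in parse_cache_dump(dump):
        target_listed = rtype == "CNAME" and is_listed(rdata, blocklist)
        if is_listed(owner, blocklist) or target_listed:
            hits[owner] = (owner, ttl, rtype, ttl < check_interval)
    return sorted(hits.values())


def suggested_interval(hits: List[Tuple[str, int, str, bool]]) -> int:
    """Smallest TTL among the hits: dump the cache at least this often."""
    return min(ttl for _, ttl, _, _ in hits) if hits else 0


if __name__ == "__main__":
    found = find_malicious(SAMPLE_CACHE_DUMP, SAMPLE_BLOCKLIST)
    for owner, ttl, rtype, short in found:
        print(f"{owner:28s} ttl={ttl:<6d} {rtype:6s}{' (short TTL)' if short else ''}")
    print("suggested check interval (s):", suggested_interval(found))
```

Run against a real dump with `rndc dumpdb -cache` and the file named in `named.conf`'s `dump-file`; the short-TTL flag is the practical answer to the overhead question, since the check interval only needs to be as short as the smallest TTL among the domains you actually care about.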

Another good idea is to add more sources of malicious domains; check my list.

Great idea with minimum overheads.

Wednesday, March 10, 2010

Mariposa, Game Over

After the Mariposa takedown, PandaLabs published statistics on the infection rate per country. It is really interesting that the US and China are not at the top; instead, several Arab countries are in the top list: Egypt, Saudi Arabia, Morocco, and the Emirates.

I compared the data from PandaLabs with the internet usage in each country and came up with the infection percentage relative to internet usage, then plotted it using ManyEyes. Below is how it looks, with almost 10% of internet users in Kazakhstan, Mexico and the Emirates infected.

Monday, March 8, 2010

Firewall Rules Scanner, Open Source

Flint is the name of the tool. It examines firewall configurations and spots problems so you can:

- Clean up the configuration

- Check whether new rules will create problems

- Discover overly permissive rules

Thursday, March 4, 2010

Botnet network behavior analysis lab

Here is a suggestion for building a botnet network behavior analysis lab based on NetFlow, DNS, Snort, proxy, and packet capture logs.

- Vyatta VC6 alpha supports NetFlow export.
- Net::DNS::Nameserver can be configured as a fake DNS server, answering every query with a lab-controlled address so the bot's C&C traffic lands on a machine you monitor.
- Malicious domains can be collected from the feeds in this list.
- Other sources of malicious domains could be spamtraps, Twitter timelines, ....
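As an added example (not from the original post, and not the Perl Net::DNS::Nameserver setup it suggests), the fake-DNS piece of the lab written as a minimal Python sinkhole: it builds the wire-format reply itself so the query and response bytes can be checked offline, answers every A query with the lab address and logs which names the bot asked for, which is the DNS log the lab is built around. `SINKHOLE_IP` is an assumed lab address; the query in `__main__` is constructed.

```python
"""Minimal DNS sinkhole for a malware analysis lab.

Added example, not code from the original post. Every A query is answered
with SINKHOLE_IP (assumed lab address); other types get an empty NOERROR.
Only the question section is parsed, which is all a bot's query contains.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumed: the lab host that captures bot traffic
SINKHOLE_TTL = 60


def parse_name(buf: bytes, offset: int):
    """Decode a DNS name at offset (handles compression pointers).
    Returns (name, offset just past the name in the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive A/IN query (used here to exercise the sinkhole)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_sinkhole_reply(query: bytes, sinkhole_ip: str = SINKHOLE_IP,
                         ttl: int = SINKHOLE_TTL) -> bytes:
    """Answer an A/IN query with sinkhole_ip; any other type gets no answers."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, end = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    rflags = 0x8000 | (flags & 0x0100) | 0x0080      # QR=1, copy RD, RA=1
    if qtype == 1 and qclass == 1:
        # name is a pointer to the question name at offset 12 (0xC00C)
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + socket.inet_aton(sinkhole_ip))
        return struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0) + question + answer
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + question


def answer_addresses(reply: bytes):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    _, offset = parse_name(reply, 12)
    offset += 4                                        # skip qtype/qclass
    out = []
    for _ in range(ancount):
        name, offset = parse_name(reply, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", reply[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, socket.inet_ntoa(reply[offset:offset + 4]), ttl))
        offset += rdlen
    return out


def serve(bind_addr: str = "0.0.0.0", port: int = 53, log=print) -> None:
    """UDP loop: log '<client> <queried name>' and send the sinkhole reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_sinkhole_reply(data)
        except (ValueError, IndexError, struct.error):
            continue                                   # malformed packet, drop it
        name, _ = parse_name(data, 12)
        log(f"{peer[0]} {name}")                       # the lab's DNS evidence
        sock.sendto(reply, peer)


if __name__ == "__main__":
    q = build_query("c2.bad-example.net")              # constructed bot query
    print(answer_addresses(build_sinkhole_reply(q)))
    # serve()  # point the lab VM's resolver here and run as root on port 53
```

Point the infected VM's resolver at the host running `serve()` (it needs root for port 53) and pair its log with the NetFlow and packet captures: the name the bot asked for, the sinkhole address it then connected to, and the bytes it sent there line up by timestamp.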

Monday, March 1, 2010