Julian's InfoSec Blog

Meta-Information XSS

2010-04-14T07:22:00.000-07:00

In his article "Introducing Meta-Information XSS", Tyler Reguly describes a method of XSS attack by proxy.

The jist of it is, that most people trust the data returned from sources like ARIN.NET. The problem is that services like whois on ARIN may not filter the data that they retrieved on your behalf, thus possibly forwarding malicious content on to you.

To read about his investigation into the matter, read his blog post and follow the links to his white paper and presentation.

http://blog.ncircle.com/blogs/vert/archives/2010/04/introducing_metainformation_xs.html

Hacker exploits PDF files without using a vulnerability

2010-03-30T22:37:00.000-07:00

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.
The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

http://threatpost.com/en_us/blogs/hacker-finds-way-exploit-pdf-files-without-vulnerability-033010

Academic Paper in China Sets Off Alarms in U.S.

2010-03-22T20:23:00.000-07:00

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”

http://www.nytimes.com/2010/03/21/world/asia/21grid.html

Thanks Captain Picard

2010-03-07T22:44:00.000-08:00

I love this graphic. It says so much. I actually have it pinned up at my desk at work so it's easy for me to roll my eyes over and ask him the same question - usually several times a night.

Tonight I will share this graphic with you in response to this "Severe" OpenSSL vulnerability recently released. And this quote:

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device's power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough "transient faults" that they were able to assemble the entirety of its 1024-bit key.

http://www.theregister.co.uk.nyud.net/2010/03/04/severe_openssl_vulnerability/

Fraudsters target IT Workers

2010-03-03T00:39:00.000-08:00

Dear Valued Customer,
We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx)xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx - xx.xxx.xxx.xxx)

http://infoworld.com/print/115086

How to avoid rogue security software

2010-02-28T23:57:00.000-08:00

What can you do to help prevent the spread of rogues and make sure that rogue software vendors stop profiting from their unscrupulous business? Follow these tips below to tell what's real and what's not when it comes to security software – and share them with friends and family who may be vulnerable to rogue threats.

1. Do not fall for scare tactics.

2. Use security software with real-time protection and keep it up-to-date.

3. Access experts at security forums and ask about the software you are considering before you decide to purchase it.

4. Read the software reviews at reputable sites like Download.com. Do not blindly trust individual sites offering security products.

5. Ask knowledgeable friends and family members about quality software they use.
6. Practice online skepticism.

http://www.net-security.org/malware_news.php?id=1245

Defense in Depth Protecting your Netowrk for Internal Attacks

2010-02-28T23:51:00.000-08:00

...some tips on how to stop someone from exploiting vulnerabilities in your network by turning on some simple security features in your switches. Most people don’t know that the switches in their network can give a solid defense against several attack vectors. This article will focus on how just a few lines of configuration can harden your network to prevent the following attacks:
DHCP starvation
Rogue DHCP servers
Client side exploitation
ARP spoofing
ARP poison routing
VLAN hopping
MAC address flooding
Connection of Rouge devices
This article illustrates configuration on products from Cisco Systems, which are most likely
already in use in your network. If you aren’t using Cisco products consult your vendor’s
literature to see if the equivalent commands/protections are available.

http://pauldotcom.com/Defense%20in%20Depth%20Protecting%20your%20Netowrk%20for%20Internal%20Attacks.pdf

A Guide to XSS

2010-02-28T23:09:00.000-08:00

XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest. Also, please note my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section with my permission.

http://ha.ckers.org/xss.html

Hitler and Cloud Computing Security

2010-02-26T08:35:00.001-08:00

Police warn of credit card 'skimming' at gas stations

2010-02-23T22:19:00.001-08:00

Utah police investigators said crooks have installed electronic "skimming" devices at 180 gas stations from Salt Lake to Provo in an attempt to steal bank card and pin numbers.

“The skimming device is actually located inside the gas pump,” said Sandy Police Sgt. Troy Arnold, who estimated that hundreds of people used the pay-at-the-pump device at the 7-11 store located at 2185 East 9400 South in Sandy without knowing crooks had installed an electronic device inside pump. The “Skimmer” copied card and pin numbers giving the criminals free access to the victim’s bank accounts. “What they were able to do is to place a secondary pin pad inside this gas pump,” said Arnold.

http://www.abc4.com/content/news/tagr/story/Police-warn-of-credit-card-skimming-at-gas/se4lev5CkkaTEsYIL57Uxw.cspx

Intel Also The Target In Cyber Attacks

2010-02-23T21:53:00.000-08:00

Intel this week said it was the victim of a sophisticated cyberattack that occurred in January around the same time cybercriminals compromised systems at Google, Adobe and more than 30 other large companies.

http://www.scmagazineus.com/intel-the-victim-of-sophisticated-cyberattack/article/164382/

VirusTotal.com

2010-02-23T21:36:00.000-08:00

Have a suspicious file download and like to scan it before you download it?

Check out VirusTotal.com

The VirusTotal.com Web site offers a free but invaluable security service. It will scan any Web download, e-mail attachment or other file you send it with 40-odd different antivirus scanners to let you know whether it's safe for your computer. The free VirusTotal Uploader utility makes sending a file to the site a breeze by adding a new right-click option for any file.

http://www.pcworld.com/article/189826/Virustotal_Uploader.html?tk=rss_reviews

How SQL Injection vulnerabilities work

2010-02-23T21:26:00.000-08:00

In discussing how to prevent SQL injection attacks, Paul Rubens does a good job explaining how an SQL injection attack is performed in layman's terms.

http://www.enterprisenetworkingplanet.com/_featured/article.php/3866756/10+Ways+to+Prevent+or+Mitigate+SQL+Injection+Attacks.htm

New Report Examines Malware's Origins, Motivations

2010-02-22T07:36:00.000-08:00

Nearly every day, industry analysts and security researchers warn IT professionals about the skyrocketing proliferation of malware. A simple Web search turns up many reports that dissect the technical nature of malicious software, how it works, and how it affects its victims.

But who develops malware, and who distributes it? Who buys it, and what do they hope to achieve? Ask these questions in a Web search, and you'll find far fewer results.

In a report issued last week, ScanSafe security researcher Mary Landesman offers some thoughts on the genesis and spread of malware -- this time from a business perspective, rather than a technical point of view. While Landesman's report -- part of ScanSafe's "Annual Global Threat Report" -- is far from the first to offer insight on the business of malware, it does offer a snapshot of the current state of the malware business and a clear categorization of the players.

http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222900593

Got Bluescreen? Check for Rootkits

2010-02-22T05:44:00.000-08:00

Microsoft confirmed today that the recent spate of Windows XP crashes and blue-screens experienced by people who installed this month’s batch of security updates were found mainly on systems that were already infected with a rootkit, a tool designed to hide malware infestations on host computers.

http://www.krebsonsecurity.com/2010/02/microsoft-got-bluescreen-check-for-rootkits/

Irate parents in Pa. say schools use 'peeping tom technology'

2010-02-22T02:45:00.000-08:00

Irate indeed...

According to the original complaint, Robbins was accused by a Harriton High School assistant principal of "improper behavior in his home" and shown a photograph taken by his laptop as evidence. In an appearance on CBS' "Early Show Saturday Edition," Robbins said he was accused by the assistant principal of selling drugs and taking pills, but he claimed the pictures taken by his MacBook's camera showed him eating candy.

http://www.networkworld.com/news/2010/022110-irate-parents-in-pa-say.html

Experimenting with VLAN hopping

2010-02-22T01:24:00.001-08:00

Most network engineers have been told at one point or another never to use VLAN 1 for user access. The motivation behind this warning is the result of fear concerning VLAN hopping attacks, wherein an attacker can send packets with a specially-crafted 802.1Q header(s) to "hop" from one VLAN to another. This theory relies on the assumption that a switch will happily forward 802.1Q-tagged frames ingressing an access port.

http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

Two Chinese schools implicated in Google Aurora attacks

2010-02-22T01:15:00.000-08:00

Two Chinese schools with links to the armed forces have become implicated as suspects in the ongoing Operations Aurora attacks against Google and at least 33 other western conglomerates last December.

Security experts, including investigators from the National Security Agency, now reckon the attacks date from April last year, far earlier than previously suspected, the New York Times reports. Although the attacks originated from China, it's by no means clear that they were orchestrated by the Chinese government. It's even possible that hackers from outside China ran, or had an involvement in, at least some of the attacks.

http://www.theregister.co.uk/2010/02/19/aurora_china_probe_latest/

The Four Myths Of Cyber Security

2010-02-15T21:50:00.001-08:00

Governments and corporations around the globe are facing a crisis in the form of cyber security threats. Incidents and exploits crafted by an effective and growing menace are threatening the continuity of, and confidence in, the very core of our commercial and social infrastructure. In just 90 criminal investigations performed in 2008, where data compromise was confirmed, the Verizon Business RISK team (a leading computer forensics group) reported more than 285 million consumer credit records stolen. This number far exceeds the combined total confirmed for all their investigations from 2004 to 2007.

http://www.net-security.org/article.php?id=1377

New Russian Botnet Tries to Kill Rival

2010-02-15T21:23:00.001-08:00

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

http://news.yahoo.com/s/pcworld/20100210/tc_pcworld/newrussianbotnettriestokillrival

Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon

2010-02-15T20:18:00.001-08:00

The Department of Homeland Security is detecting new patterns of cyberattacks from foreign adversaries -- some targeted at particular agencies and others aimed at the entire U.S. government -- due to to special-purpose intrusion-detection systems that will be widely deployed in federal networks during 2010.

http://www.networkworld.com/news/2010/021110-cybersecurity-einstein-2.html

A Stick Figure Guide to the Advanced Encryption Standard (AES)

2010-02-15T20:01:00.000-08:00

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Mandatory certification & licensing for IA professionals

2010-02-15T19:25:00.000-08:00

I would only be interested in this certification if, upon receipt, it allows also licenses me to carry EMP weapons. I see no mention of EMP Weapons in the article, therefore, I do not support it.

On April Fool's Day 2009, senators John D. "Jay" Rockefeller (D-W.V.) and Olympia Snow (R-Maine)> introduced Senate Bill 773, "A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes." The bill's short title is the "Cybersecurity Act of 2009."

http://www.networkworld.com/news/2010/021510-mandatory-certification.html

China leads the world in hacked computers, McAfee study says

2010-02-15T19:18:00.001-08:00

More private computers were commandeered by hackers for malicious 
purposes in China in the last quarter of 2009 than in any other country, 
including the United States, according to a new study by an Internet 
security company.

http://www.infosecnews.org/pipermail/isn/2010-February/018769.html

Security budget woes? Grab your management's attention!

2010-02-15T02:41:00.001-08:00

A few years ago, I was called in by the CSO of a Fortune 25 company. He hired 4 of the best known companies that do penetration testing to find problems with their corporate network. All 4 companies came back two weeks and $100,000 later, and told the CEO that they had full control of his network. The CSO went immediately to the CEO, who basically replied, "I don't care."

The CSO then hired me to perform an espionage simulation. I came back within one week, and handed the CSO their mergers and acquisitions plans, their new technologies that were being released in three years, multi-billion dollar proposals, pictures showing how I bugged the CEO's office, and told him that I had full control of their entire network. The next week, the CEO raised the security budget by $10,000,000 and they hired security managers for all business units.

http://www.computerworld.com/s/article/9154918/Security_budget_woes_Grab_your_management_s_attention?taxonomyId=17

Twelve Principles of DoD Cyber Conflict

2010-02-15T02:15:00.000-08:00

This article provides firsthand observations on twelve key principles of Computer Network Operations (CNO). I believe these observations can provide other CNO practitioners with a critical foundation required for successful CNO. These principles will also be of use to officers who whish to engage in the ongoing national security and policy discussions concerning CNO. After further examination and feedback from the field and the fleet, we expect them to become cornerstones of a new joint doctrine for CNO. Until then, I offer, Twelve Principles of CNO.

http://smartdatacollective.com/Home/24933

A look at Sandia National Labs’ Threat Analysis Model and why it won’t work

2010-02-08T20:45:00.000-08:00

Today I’ll be taking an in depth look at an integral part of the National SCADA Test Bed - Sandia’s Threat Analysis model – and its reliance on a flawed OSINT methodology.
Sandia National Labs, in an ongoing effort to protect U.S. critical infrastructure from physical and network attacks, has developed a Threat Analysis Framework comprised of 5 elements:
the identification of an adversary
the development of generic threat profiles
the identification of generic attack paths
the discovery of adversary intent
the identification of mitigation strategies
Sandia researcher David Duggan and his colleagues, who are responsible for developing this tool, recognized the limitations of classified threat data (i.e., a very slow process to get it to the people who need it) and chose to develop an unclassified threat analysis framework instead. Duggan’s report “Threat Analysis Framework” is available for public release and should be read if you want a full understanding of this model.

http://intelfusion.net/wordpress/2010/02/03/a-look-at-sandia-national-labs-threat-analysis-model/

National Data Privacy Day

2010-02-08T18:53:00.000-08:00

I missed it this year, but it's on my calendar for next year!

Data Privacy Day's educational initiative has focused on raising awareness among teens and young adults about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy. The international celebration offers many opportunities for collaboration among governments, industry, academia, nonprofits, privacy professionals and educators.

http://en.wikipedia.org/wiki/Data_Privacy_Day

Cisco's Backdoor For Hackers

2010-02-07T23:16:00.000-08:00

Activists have long grumbled about the privacy implications of the legal "backdoors" that networking companies like Cisco build into their equipment--functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don't have particularly strong locks, and consumers are at risk.

http://www.forbes.com/2010/02/03/hackers-networking-equipment-technology-security-cisco.html

Introduction to Reverse Engineering Software

2010-02-07T21:49:00.000-08:00

This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows�. The goal of this book is not to cover how to reproduce an entire program from a binary, but instead how to use the Scientific Method to deduce specific behavior and to target, analyze, extract and modify specific operations of a program, usually for interoperability purposes. As such, the book takes a top-down approach, starting at the highest level (program behavior) and drilling down to assembly when it is needed.

http://www.acm.uiuc.edu/sigmil/RevEng/

Extracting a 3DES key from an IBM 4758

2010-02-07T21:19:00.000-08:00

A classic example of Cat-And-Mouse Security...

The arrival of multi-user operating systems in the 1960s showed that it was extremely difficult to process sensitive data on a computer and protect it from other programs running on the same computer. The operating systems were meant to provide protection, but in practice there were bugs and design limitations that meant that cryptographic keys and personal identification numbers (PINs) were always at risk. This led to the development of standalone "security modules" such as the IBM 3848 and the VISA security module. These were basically just microprocessors in robust metal enclosures. When you opened the lid the power supply was disabled and they "forgot" their sensitive information.

http://www.cl.cam.ac.uk/~rnc1/descrack/ibm4758.html

Cybersecurity Enhancement Act passed by U.S. House

2010-02-07T20:33:00.000-08:00

The act would authorize up to $396 million over the next four years to fund cybersecurity research and $94 million over that period to provide scholarships.

Cybersecurity Enhancement Act passed by U.S. House

Pentagon seeks billions to battle terror abroad (AP) (Yahoo Security)

2010-02-07T20:32:00.000-08:00

Pentagon seeks billions to battle terror abroad (AP) (Yahoo Security)

RIPE plays with 1.1.1.1 and 1.2.3.4 following APNIC allocation

2010-02-07T20:30:00.000-08:00

Last month, IANA allocated the 1.0.0.0/8 and 27.0.0.0/8 networks to APNIC (the Internet registry for the Asia-Pacific region), pushing the total IPv4 address space utilization above the ominous 90% mark. Passing this benchmark should not come as a surprise to anyone, given the painfully slow adoption of IPv6. But what's interesting about the first range in particular is the amount of junk traffic already present.

RIPE plays with 1.1.1.1 and 1.2.3.4 following APNIC allocation

Microsoft to deliver 13 security patches for 26 bugs

2010-02-07T20:25:00.000-08:00

After a relatively quiet January, administrators next week will have to deal with an unusually large security update from Microsoft, with 26 vulnerabilities in line for fixing.

Microsoft to deliver 13 security patches for 26 bugs

Mozilla confirms infected Firefox add-ons slipped through security

2010-02-07T20:22:00.000-08:00

Mozilla confirmed that it had failed to detect malware in a pair of Firefox add-ons, which may have infected up to 4,600 users.

Mozilla confirms infected Firefox add-ons slipped through security

2010-02-15 Update:
Mozilla retracts Firefox add-on malware claim

Can you trust Chinese computer equipment?

2010-02-07T20:06:00.000-08:00

"If I were in charge of any enterprise where I thought I had any reason to think that these Chinese authorities might be interested in what I was doing, I'd stop buying Chinese computer products today. Until this issue of Chinese cyber-espionage has been cleared up and cleaned up, I simply couldn't justify buying or using hardware that might be working against me,"

http://www.net-security.org/secworld.php?id=8837