You probably already heard, but Metasploit Framework 3.0 is out!

An article in Dark Reading comments on the new functionality:
Among the new features for Metasploit 3.0 that weren’t originally shown in the beta are three exploit modules that target WiFi driver vulnerabilities in the Windows kernel. The framework comes with APIs, 177 exploits, as well as modules that handle host discovery, protocol fuzzing, and denial-of-service testing. It’s aimed at researchers, network security pros for penetration testing, system administrators for verifying patch installations, and at vendors testing the security of their products. Metasploit runs across all the main operating systems and works with Unix mainframes and Nokia n800 handheld devices as well.
One feature in the new version lets you manipulate the memory of a process that’s running in an exploited system, and another lets you relay attacks through the compromised machine, notes Moore. “From a penetration testing perspective, the most useful features are the combination of the new Meterpreter payload and the ability to relay connections through compromised systems.”
Download Metasploit Framework 3.0 from here.
We have already commented on how pump-and-dump stock scams work, and how much money they provide the scammer when they work.
Symantec, in its latest Internet Security Threat Report talks about underground economy servers which are “used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft.” In the second half of 2006, about half of these servers were located in the USA.
According to the report, these are the current advertised prices for stuff such as credit card information, lists of emails, banking accounts, compromised computers, etc.

You can download the full Internet Security Threat Report (PDF) from Symantec.
Some comments about Microsoft’s security performance:
InternetNews quotes Symantec’s Internet Security Threat Report: “Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”
Jeff Jones releases his 90 Days Vulnerability Report on workstation operating systems, which covers Vista, XP, MacOS and several popular flavours of Linux.
Kai from Microsoft comments (rants) on the fact that Red Hat Enterprise Linux Desktop 5 was released with a stack of vulnerabilities already open on launch day, and on the apparent lack of media outcry about it.
From The Independent Online, how to steal 21 million € worth of diamonds:
A thief has evaded one of the world’s most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds - thanks to a secret weapon rarely used on bank staff: personal charm.
In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.
“OneCare is a new product–they shouldn’t have rolled it out when they did, but they’re fixing the problems now”
This statement, coming from Arno Edelmann, Microsoft’s European business security product manager, is something to take into account while shopping for anti-malware products.
Read the rest of the article at news.com.
Very interesting article from McAfee: “Mapping the mal web”. It contains statistics on the likelihood of encountering malware on the web depending on a site’s country of origin (as inferred from its TLD). It is worth a look. The main conclusions are:
- The most risky large countries are Romania (.ro, 5.6% risky sites) and Russia (.ru, 4.5% risky sites). These country TLDs are also the most likely to host exploit sites.
- .info is the riskiest generic TLD, with 7.5% of its sites rated as risky. .com is the second most risky generic TLD, with 5.5% of sites rated as risky.
- Four of the five least risky country TLDs are Nordic countries - Finland (0.10%), Norway (.no, 0.16%), Sweden (.se, 0.21%) and Iceland (.is, 0.19%). Ireland (.ie, 0.11%) rounds out the top five least risky country TLDs.
- .gov is the only frequently tested TLD for which SiteAdvisor has found no risky sites. .gov is only available to United States government agencies.
- Even though the .com TLD is only the 5th most risky TLD by rank, its huge popularity magnifies its impact on search and browsing risk dramatically. 86.6% of clicks to red and yellow rated sites go to .com sites.
- Even though the Netherlands (.nl), Germany (.de) and the United Kingdom (.uk) are all relatively safe TLDs, ranking 31st, 33rd and 51st most risky, each of their TLDs account for more than 2 million clicks to red and yellow sites every month. Likewise Japan (.jp) is ranked 57th most risky and yet red and yellow rated .jp sites receive an estimated 1.6 million clicks each month.
The authors offer an interactive map to graphically show the different rates of malware occurrence per country.
The information is gathered from SiteAdvisor, a free add-on for Internet Explorer and Firefox that tests the websites the user visits and checks them for spyware, spam, viruses and scams.
Software vendors often indulge in adding “features” to their software products which are not really necessary. “To insecurity through bloatware”, we could say. And no, this time this is not a rant against the usual suspects.
Did you know that you can embed JavaScript in Apple QuickTime movies? (The feature is called “HREF tracks”.)
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.
Well, this might not be very new or bleeding-edge, but apparently there is malware using invisible QuickTime movies embedded in webpages. Didier Stevens writes about it:
The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.
This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie.
I don’t have Apple QuickTime installed on the laptop I’m using to write this, but I would be very surprised to see an option to disable this kind of behaviour or “trust zones” control like in IE or Outlook.
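The hidden EMBED described above is something a defender can look for on the web-page side even without QuickTime installed: a QuickTime element that is configured not to render (a true `hidden` attribute, or zero width and height) is a reasonable candidate for review. The scanner below is an added example, not code from the original post or from Didier Stevens; it uses only Python’s standard-library HTML parser, and the sample HTML, the host names and the file name `loader.mov` are constructed for the demonstration (only `tys4.mov` comes from the post).

```python
"""Flag QuickTime <embed>/<object> elements that a page deliberately hides.

Added example (not from the original post). Constructed sample HTML below.
"""
from html.parser import HTMLParser

# MIME types and file extensions that hand the content to QuickTime.
QUICKTIME_TYPES = {"video/quicktime", "video/x-quicktime", "image/x-quicktime"}
QUICKTIME_EXTS = (".mov", ".qt")


def _is_quicktime(attrs):
    """True if the element's type or source points at a QuickTime movie."""
    src = (attrs.get("src") or attrs.get("data") or "").lower().split("?", 1)[0]
    return attrs.get("type", "").lower() in QUICKTIME_TYPES or src.endswith(QUICKTIME_EXTS)


def _hide_reasons(attrs):
    """Reasons why the element would never be visible to the user."""
    reasons = []
    if "hidden" in attrs and attrs["hidden"].lower() in ("", "true", "hidden", "1"):
        reasons.append("hidden attribute set")
    if any(attrs.get(d, "").strip().rstrip("px") == "0" for d in ("width", "height")):
        reasons.append("zero-size element")
    return reasons


class HiddenQuickTimeScanner(HTMLParser):
    """Collects QuickTime <embed> elements, and <object> elements whose
    <param> children configure a QuickTime movie, that are hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object = None  # attributes of the <object> currently open, if any

    def _evaluate(self, tag, attrs):
        if not _is_quicktime(attrs):
            return
        reasons = _hide_reasons(attrs)
        if not reasons:
            return  # visible movie: the normal, legitimate case
        if attrs.get("autoplay", "").lower() == "true":
            reasons.append("autoplay enabled")  # context, not a hiding indicator
        self.findings.append({
            "tag": tag,
            "src": attrs.get("src") or attrs.get("data") or "",
            "reasons": reasons,
        })

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if tag == "embed":
            self._evaluate("embed", a)
        elif tag == "object":
            self._object = a
        elif tag == "param" and self._object is not None:
            # <param name="src" value="..."> etc. configure the enclosing object.
            name = a.get("name", "").lower()
            if name:
                self._object.setdefault(name, a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._evaluate("object", self._object)
            self._object = None


def scan_html(html):
    """Return a list of findings for every hidden QuickTime element in html."""
    scanner = HiddenQuickTimeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one visible movie (fine), one hidden autoplaying
# movie, one zero-size object, and a hidden Flash banner (not QuickTime).
SAMPLE_HTML = """
<html><body>
<p>Normal page content</p>
<embed src="http://cdn.example.invalid/clips/intro.mov" type="video/quicktime"
       width="320" height="240" controller="true">
<embed src="http://ads.example.invalid/x/tys4.mov" type="video/quicktime"
       hidden="true" autoplay="true">
<object width="0" height="0">
  <param name="src" value="http://ads.example.invalid/x/loader.mov">
  <param name="autoplay" value="true">
</object>
<embed src="banner.swf" hidden="true">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"<{f['tag']}> {f['src']}: {', '.join(f['reasons'])}")
```

Running the module prints the two hidden QuickTime elements and says nothing about the visible movie or the hidden Flash banner, which is the point: the rule keys on the combination of QuickTime content and a hiding configuration, not on either alone. Inspecting the movie file itself for an HREF track would be the next step, but that requires parsing the QuickTime container and is not attempted here.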
Microsoft has announced that no security updates will be released in March.
Didier Stevens wonders if any zero-day exploit will be released this week:
It will be interesting to see if new zero-days will appear in the coming days. We often see new zero-days just after patch Tuesday. There’s a theory that states that exploit writers do this to maximize the life-time of the exploit. If this theory is correct, we should already see new zero-days appearing between now and Tuesday, because exploit writers won’t have to wait for Tuesday to maximize the life-time of the exploits.
Let’s see what happens. The fact that Microsoft won’t release patches this month doesn’t mean they are not working on the next batch for April. If they were aware of the existence of a zero-day exploit for any of the currently unpatched vulnerabilities, they would have included the patch in this month’s release. Of course, the very definition of “zero-day exploit” means that it is unknown except to the guys using it (or those paying to use it).
Michael Howard, from Microsoft, comments about Vista security from a privileged point of view. He predicts that the number of security bugs for Vista will be smaller than those for XP SP2 or Windows Server 2003, and he bases this prediction on his trust in the SDL (Security Development Lifecycle).
The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows.
Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)
My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months, I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.
It is a reasonable prediction based on previous SDL experience, for example in the SQL Server 2005 case. Putting some numbers on it:
So here’s my prediction. We will see significantly less critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.
The latest version of everyone’s favorite security LiveCD distribution has been released. After 5 months in beta, BackTrack 2.0 Stable is available to the public for download. The new stuff includes an updated kernel (2.6.18-rc5), updated tools, PXE network boot, John MPI Instant Cluster for parallel password cracking, and the ability to save changes back to the CD. It also includes support for more wireless cards. According to the authors themselves:
It’s taken us almost 5 months to pull ourselves out of the beta stage. Every time we thought we were done, a new idea or improvement would surface, and we just *had* to implement it. Many features were added, and many of the old (yet persistent) bugs were fixed. We honestly believe that BackTrack v 2.0 Final is the leanest, mind blowing and sexiest version to come out and hope that you enjoy using it as much as we did making it. Find more information on our wiki at http://backtrack.offensive-security.com
Download BackTrack v2.0 Stable