Archive for the 'Security' Category



03
Sep

100 passwords

Has anyone actually checked if this is for real?

Here is a list with working passwords to exactly 100 email accounts of embassies and governments around the world. Yes, it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…

DEranged gives you 100 passwords to Governments & Embassies

28
Aug

Image forensics

Very cool paper on “Digital Image Analysis and Forensics” by Neal Krawetz, presented at Black Hat 2007. Fascinating read.


16
Aug

Ubuntu community servers hacked

You’ve probably heard: More than half of Ubuntu’s production servers had to be pulled offline after a security breach caused those servers to actively attack other machines.


The root causes of the intrusion and compromise are, according to an email in the Ubuntu community mailing list:

  • The servers, especially zambezi were running an incredible amount of web software (over 15 packages that we recognised) and of all the ones where it’s trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.
  • FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords.
  • The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.

According to Maligno’s blog, the servers had been running unpatched for nine and a half months!

The probability of intrusion and/or compromise is determined by how well you manage your systems. The choice of OS just means different attack vectors. What is the use of a [sarcasm]Super-Secure-Unbreakable[/sarcasm] operating system if you don’t patch and update it, use poor configuration management, use clear-text passwords, etc.?

From a Slashdot commenter:

“Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn’t be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame, the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, not properly maintaining the system. However Canonical should have been well aware of what they are hosting. The question remains whether any of the files distributed to users have been compromised. A major blow for Canonical though who are attempting to enter the business market with Ubuntu Server.”

07
Aug

Protecting browsers against DNS rebinding attacks

Researchers from Stanford University have published a paper titled “Protecting browsers from DNS rebinding attacks”. Abstract:

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between the browser and browser plug-ins such as Flash and Java LiveConnect. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that a well-known, existing defense against these attacks, called “DNS pinning,” is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers. For the near-term, we suggest easy-to-deploy defenses that prevent large-scale exploitation by patching individual plug-ins and improving the robustness of browser DNS pinning strategies. For the long-term, we propose two solutions, circumvention-resistant firewalls and host name authorization, that fix the root cause of DNS rebinding vulnerabilities by preventing the attacker from naming a target server.

You can download the paper (PDF) here.
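Two defender-side checks, added here as an illustration and not taken from the paper: a resolver-side filter in the spirit of the circumvention-resistant firewall idea (refuse answers that map an external name onto an internal address, which is what a rebinding attack needs), and a server-side Host header check, a simpler cousin of the paper’s host name authorization in which a service only answers to names it recognises, so a proxied request carrying the attacker’s host name is rejected. The internal suffix, the service names and the sample addresses are this example’s own assumptions.

```python
"""Two defender-side checks against DNS rebinding (added example; not code from
the Stanford paper). INTERNAL_SUFFIXES and the sample data are assumptions.

1. rebind_guard(): resolver-side filter that drops DNS answers mapping an
   external name onto private, loopback or link-local space. Names under an
   allow-listed internal suffix are exempt, since those legitimately resolve
   to the LAN.
2. host_header_ok(): server-side check that the request's Host header names
   this service. A rebinding victim's browser sends the attacker's host name,
   so a service that answers only to its own names refuses the proxied request.
"""
import ipaddress
from typing import Iterable, List

# Suffixes under which non-public answers are expected (assumption for this example).
INTERNAL_SUFFIXES = (".corp.example",)


def _is_non_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified)


def rebind_guard(qname: str, answers: Iterable[str]) -> List[str]:
    """Return the subset of A/AAAA answers that are safe to hand to a browser.

    Answers pointing into non-public space are dropped unless the queried name
    is one of our own internal names. Dropping individual answers rather than
    failing the whole query keeps legitimate dual-homed names working.
    """
    name = qname.rstrip(".").lower()
    internal = name.endswith(INTERNAL_SUFFIXES)
    kept = []
    for ip in answers:
        if _is_non_public(ip) and not internal:
            continue  # external name resolving to our LAN: refuse it
        kept.append(ip)
    return kept


def host_header_ok(host_header: str, service_names: Iterable[str]) -> bool:
    """Accept a request only if its Host header (minus any port) names this service."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8080
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in {n.lower() for n in service_names}


if __name__ == "__main__":
    # Constructed sample: an attacker's name answering with a public and a LAN address.
    print(rebind_guard("attacker.example", ["8.8.8.8", "192.168.1.1"]))   # ['8.8.8.8']
    print(host_header_ok("attacker.example", ["router.corp.example"]))    # False
```

The Host check only helps services that sit behind the rebinding victim; the resolver filter protects every client that uses that resolver, which is why the two belong together.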

06
Aug

Tactical Exploitation

Very interesting presentation at BlackHat 2007, by HD Moore and Valsmith, about pentesting without having to rely on “transient” vulnerabilities.

30
Jul

How to pass a security audit

Interesting article at Dark Reading about security audits with basic tips on how to pass them (or at least how to give it a good try). It starts off with “Nobody passes a security audit on the first try”. Maybe the title should be changed to “Where will the auditors look for issues (and probably find them)”.

The eight general recommendations are:

  • Establish a consistent set of practices for change management
  • Keep your app developers away from production/operations
  • Give users access only to the data and apps they need
  • Shore up physical access to your systems
  • Establish methods to detect security anomalies — and where they come from
  • Map your security processes to real business processes
  • Double (and triple) check your accounting processes
  • Document your work and train your users on what you’ve done

Sounds easy, heh? If you have that reasonably locked down, you’ve gone a long way.

20
Jul

Harmful error messages

I use Google Mail. While checking email today, I ran across this error message.

Arrgh! The page has been corrupted. If you are running security or firewall software, you might have to disable it

(see screenshot)

I stared at it for several seconds.

WTF? Who the hell decided the wording of this error message? Is that an actual recommendation from Google? Disable security software and firewalls when you encounter a momentary glitch in a web application?

19
Jul

Random bit generator service

This is cool.

The work on QRBG Service has been motivated by scientific necessity (primarily of local scientific community) of running various simulations (in cluster/Grid environments), whose results are often greatly affected by quality (distribution, nondeterminism, entropy, etc.) of used random numbers. Since true random numbers are impossible to generate with a finite state machine (such as today’s computers), scientists are forced to either use specialized expensive hardware number generators, or, more frequently, to content themselves with suboptimal solutions (like pseudo-random number generators).

[…]

To ensure high-quality of the supplied random numbers (true randomness) and high speed of serving, we have used a fast non-deterministic, stand-alone hardware number generator relying on photonic emission in semiconductors. The used Quantum Random Bit Generator was previously developed at Rudjer Boskovic Institute, in Laboratory for Stochastic Signals and Process Research (for details, see below). To achieve high availability of the service, several network access modes are developed, or shall be developed. These include transparent acquisition of random numbers using C/C++ libraries, web services (access over the SOAP protocol), and Mathematica/MATLAB client add-ons.

You can visit the QRBG site, download the client of your choice, and start getting true randomness in no time (registration required).
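Whatever the source, a consumer of random bits should be able to check the quality concerns the QRBG text names (distribution, entropy) before trusting the stream. The following is an added example, not QRBG’s code: it implements the NIST SP 800-22 frequency (monobit) and runs tests plus per-byte Shannon entropy, and exercises them on constructed streams, including two patterned streams that show why a single test is never sufficient.

```python
"""Sanity checks on a random bit stream (added example, not QRBG's code).
Implements the NIST SP 800-22 frequency (monobit) and runs tests and per-byte
Shannon entropy; all streams it is exercised on are constructed samples."""
import math
import random
from collections import Counter
from typing import List


def to_bits(data: bytes) -> List[int]:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p(bits: List[int]) -> float:
    """NIST frequency test: are ones and zeros balanced? p < 0.01 means fail."""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p(bits: List[int]) -> float:
    """NIST runs test: does the stream oscillate at a plausible rate?

    The test is only defined when the frequency precondition |pi - 1/2| <
    2/sqrt(n) holds; a stream that violates it has already failed, so 0.0 is
    returned in that case."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])  # number of runs
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ideal for a uniform source."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(data: bytes, alpha: float = 0.01) -> dict:
    """Run all checks; 'passed' is the combined verdict at significance alpha."""
    bits = to_bits(data)
    result = {"monobit_p": monobit_p(bits), "runs_p": runs_p(bits),
              "entropy": byte_entropy(data)}
    result["passed"] = result["monobit_p"] >= alpha and result["runs_p"] >= alpha
    return result


if __name__ == "__main__":
    # Constructed streams: all zeros, alternating bits, a two-bit pattern, and a
    # seeded PRNG (deterministic, so a repeatable demonstration, not true randomness).
    rng = random.Random(2007)
    samples = {
        "zeros": bytes(512),
        "alternating 0x55": bytes([0x55] * 512),
        "pattern 0x33": bytes([0x33] * 512),
        "seeded PRNG": bytes(rng.getrandbits(8) for _ in range(512)),
    }
    for label, data in samples.items():
        print(f"{label:18s} {assess(data)}")
```

The 0x55 stream is perfectly balanced (monobit p = 1.0) yet fails the runs test because it never stays on the same bit twice; the 0x33 stream passes both tests with p = 1.0 despite being a four-bit repeat, which is exactly why a full battery adds block, template and compression tests on top of these two.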

14
Jul

Helix v1.9 released

Talking about forensics…


The new Helix v1.9 version was released yesterday (see the CHANGELOG for the updated packages).

Download Helix v1.9 here.

12
Jul

Antiforensics

There is an interesting article by Scott Berinato at CSOonline about the widespread use of “antiforensics” tools, and how they are changing the information security landscape in general, and the forensics practice in particular.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises. “Five years ago, you could count on one hand the number of people who could do a lot of these things,” says the investigator. “Now it’s hobby level.”

The article describes some tools currently used, such as Timestomp, Slacker, Sam Juicer, etc. and how the “arms race” has moved from the disk to memory.
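Timestamp tampering of the Timestomp kind is one of the few antiforensic moves that leaves a detectable trace on NTFS, because the $STANDARD_INFORMATION timestamps are writable through the ordinary Win32 API while the $FILE_NAME timestamps are maintained by the kernel and are not. The heuristics below are an added example (not code from the article or from any tool it names) of the checks an examiner runs over parsed MFT records: SI times that predate the FN times, and SI times rounded to whole seconds while FN times keep their sub-second precision. The record layout, field names and sample paths are this example’s constructed assumptions.

```python
"""Timestamp-anomaly heuristics for spotting Timestomp-style tampering on NTFS.
Added example, not from the article or any tool it names; the MFT records,
field names and paths below are constructed for the demonstration.

Rationale: $STANDARD_INFORMATION (SI) timestamps can be set by any process via
SetFileTime-style calls, and tools that do so typically write whole seconds.
$FILE_NAME (FN) timestamps are written by the kernel at create/rename/move and
are not reachable that way, so SI earlier than FN, or SI rounded while FN is
not, is worth a second look. Caveat: files copied from second-granularity
filesystems (FAT) can also show rounded SI times, so treat hits as leads."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def _whole_second(ts: datetime) -> bool:
    # NTFS stores 100 ns ticks; with a raw MFT parser test ticks % 10_000_000 == 0.
    return ts.microsecond == 0


def timestamp_anomalies(rec: MftRecord) -> List[str]:
    """Return the list of heuristics this record trips (empty means clean)."""
    findings = []
    if rec.si_created < rec.fn_created:
        findings.append("SI created precedes FN created")
    if rec.si_modified < rec.fn_modified:
        findings.append("SI modified precedes FN modified")
    si_rounded = all(_whole_second(t) for t in (rec.si_created, rec.si_modified))
    fn_rounded = all(_whole_second(t) for t in (rec.fn_created, rec.fn_modified))
    if si_rounded and not fn_rounded:
        findings.append("SI timestamps rounded to whole seconds, FN are not")
    return findings


def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its findings; clean records are omitted."""
    report = {}
    for rec in records:
        hits = timestamp_anomalies(rec)
        if hits:
            report[rec.path] = hits
    return report


# Constructed sample records: one ordinary file, one with back-dated SI times.
SAMPLES = [
    MftRecord(r"C:\Documents and Settings\user\budget.xls",
              si_created=datetime(2007, 3, 14, 9, 15, 2, 310422, UTC),
              si_modified=datetime(2007, 6, 2, 17, 48, 51, 77813, UTC),
              fn_created=datetime(2007, 3, 14, 9, 15, 2, 310422, UTC),
              fn_modified=datetime(2007, 3, 14, 9, 15, 2, 310422, UTC)),
    MftRecord(r"C:\WINDOWS\Temp\upd.exe",
              si_created=datetime(2004, 8, 4, 12, 0, 0, 0, UTC),
              si_modified=datetime(2004, 8, 4, 12, 0, 0, 0, UTC),
              fn_created=datetime(2007, 7, 11, 23, 41, 7, 882901, UTC),
              fn_modified=datetime(2007, 7, 11, 23, 41, 7, 882901, UTC)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLES).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

These checks are cheap enough to run over a whole MFT export, and the second record shows the typical signature: SI times set to a date years before the kernel-recorded creation, with the sub-second part zeroed.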

It would seem that the forensics practice is currently sitting at the bottom of a “trough of disillusionment”.

Some months ago I prepared a presentation about “Forensics in the Corporation” (sorry, only in Spanish!) which should have been really called “Why everything you learned at forensics training won’t be really useful in the real world”. And I didn’t include anything about antiforensics, just focusing on the technical, political and organizational challenges that big corporations pose to the forensics investigator.

The forensics practice is much too focused around the PC world. That is, you normally have physical access to the “suspect” machine, you can power it off or unplug it from the network, hard drive sizes are reasonable, and some expectations are always met. That is fine. This kind of forensics work… works! But mostly in the workstation/laptop world.

What about servers? Virtualization, huge storage capacities (SAN, NAS, RAID arrays, etc.), distributed systems (as in “distributed all over the world”), business critical systems that cannot be unplugged or turned off (come on, in how many LOB servers could you do such things?)

I’m sure the forensics practice will evolve in the following years. I’m sure it’ll be damn interesting to see.