A new excellent article by the (also excellent) Raul Siles at the RaDaJo blog describes a practical demonstration of the new kind of WEP cracking presented in the paper “Breaking 104 bit WEP in less than 60 seconds” by Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Raul uses this information together with the aircrack-ptw tool and the latest release of Backtrack 2 to check the validity of the method.
And guess what? It works beautifully :)
In Raul’s own words: “Awesome results and advancements for auditing the security of WEP-based wireless networks!”
Stop using WEP now. Switch to WPA/WPA2 as soon as possible.
You can read Raul’s post here.
Here is the complete kit:
Download the “Breaking 104 bit WEP in less than 60 seconds” paper.
Download the aircrack-ptw tool.
Download Backtrack 2 Stable.
Let’s assume you have the usual “defense-in-depth” security architecture in place. Anti-virus software, perimeter firewalls, machines properly hardened, non-admin users, etc.
Let’s also say you have a serious malware outbreak today. Wait, make that tonight. Your sysadmins call you at night and tell you several thousand clients and servers are infected with something that sneaked past the AV software. What do you do? Do you have a procedure?
These things happen. You might have the best security architecture, follow best practices, have top consultants evaluate your risk periodically, the whole thing. But when push comes to shove, does everyone know what to do? Do they have the tools to do it?
This is a simple checklist. It probably isn’t very complete. But it’s wise to at least think about these questions before lightning strikes. In no particular order:
- Do you have alternative malware cleaning tools?
- Do you have malware-cleaning tools that can run from a bootable CD?
- Do you have admin-level access to all involved machines?
- Can you reach machines in remote locations?
- Do you know the current admin passwords?
- Are there people available with physical access to the machines in remote locations?
- If you have to re-install / re-image some boxes, do you have the relevant installation media?
- Do you have the phone numbers of the important vendors’ support services? Are they 24x7x365?
- Do your operators know how to react? (Yes, I know you have an Incident Response document somewhere, but have people actually read it?)
- Do you have access to someone that can take drastic decisions if needed?
Or would all this make life too easy for us? ;)
You probably already heard, but Metasploit Framework 3.0 is out!

An article in Dark Reading comments on the new functionality:
Among the new features for Metasploit 3.0 that weren’t originally shown in the beta are three exploit modules that target WiFi driver vulnerabilities in the Windows kernel. The framework comes with APIs, 177 exploits, as well as modules that handle host discovery, protocol fuzzing, and denial-of-service testing. It’s aimed at researchers, network security pros for penetration testing, system administrators for verifying patch installations, and at vendors testing the security of their products. Metasploit runs across all the main operating systems and works with Unix mainframes and Nokia n800 handheld devices as well.
One feature in the new version lets you manipulate the memory of a process that’s running in an exploited system, and another lets you relay attacks through the compromised machine, notes Moore. “From a penetration testing perspective, the most useful features are the combination of the new Meterpreter payload and the ability to relay connections through compromised systems.”
Download Metasploit Framework 3.0 from here.
We have already commented on how pump-and-dump stock scams work, and how much money they provide the scammer when they work.
Symantec, in its latest Internet Security Threat Report talks about underground economy servers which are “used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft.” In the second half of 2006, about half of these servers were located in the USA.
According to the report, these are the current advertised prices for stuff such as credit card information, lists of emails, banking accounts, compromised computers, etc.

You can download the full Internet Security Threat Report (PDF) from Symantec.
Some comments about Microsoft’s security performance:
InternetNews quotes Symantec’s Internet Security Threat Report: “Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”
Jeff Jones releases his 90 Days Vulnerability Report on workstation OS, which includes Vista, XP, MacOS and several popular flavours of Linux.
And Kai from Microsoft comments (rants) about the fact that Red Hat Enterprise Linux Desktop 5 has been released together with a stack of vulnerabilities at launch date, and how there seems to be a lack of media outcry about this.
From The Independent Online, how to steal 21 million € worth of diamonds:
A thief has evaded one of the world’s most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds - thanks to a secret weapon rarely used on bank staff: personal charm.
In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.
“OneCare is a new product–they shouldn’t have rolled it out when they did, but they’re fixing the problems now”
This statement, coming from Arno Edelmann, Microsoft’s European business security product manager, is something to take into account while shopping for anti-malware products.
Read the rest of the article at news.com.
Very interesting article from McAfee: “Mapping the Mal Web”. It contains statistics on the chances of finding malware on the web depending on the country of origin (according to the TLD). It’s worth a look. The main conclusions are:
- The most risky large countries are Romania (.ro, 5.6% risky sites) and Russia (.ru, 4.5% risky sites). These country TLDs are also the most likely to host exploit sites.
- .info is the riskiest generic TLD, with 7.5% of its sites rated as risky. .com is the second most risky generic TLD, with 5.5% of sites rated as risky.
- Four of the five least risky country TLDs are Nordic countries - Finland (0.10%), Norway (.no, 0.16%), Sweden (.se, 0.21%) and Iceland (.is, 0.19%). Ireland (.ie, 0.11%) rounds out the top five least risky country TLDs.
- .gov is the only frequently tested TLD for which SiteAdvisor has found no risky sites. .gov is only available to United States government agencies.
- Even though the .com TLD is only the 5th most risky TLD by rank, its huge popularity magnifies its impact on search and browsing risk dramatically. 86.6% of clicks to red and yellow rated sites go to .com sites.
- Even though the Netherlands (.nl), Germany (.de) and the United Kingdom (.uk) are all relatively safe TLDs, ranking 31st, 33rd and 51st most risky, each of their TLDs account for more than 2 million clicks to red and yellow sites every month. Likewise Japan (.jp) is ranked 57th most risky and yet red and yellow rated .jp sites receive an estimated 1.6 million clicks each month.
The authors offer an interactive map to graphically show the different rates of malware occurrence per country.
The information is gathered from SiteAdvisor, which is a free tool available for Internet Explorer and Firefox which tests the websites the user visits, and checks for spyware, spam, viruses and scams.
Software vendors often indulge in adding “features” to their software products which are not really necessary. “To insecurity through bloatware”, we could say. And no, this time this is not a rant against the usual suspects.
Did you know that you can embed JavaScript in Apple QuickTime movies? (The feature is called “HREF tracks”.)
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.
Well, this might not be very new or bleeding-edge, but apparently there is malware using invisible QuickTime movies embedded in webpages. Didier Stevens writes about it:
The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.
This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie.
I don’t have Apple QuickTime installed on the laptop I’m using to write this, but I would be very surprised to see an option to disable this kind of behaviour or “trust zones” control like in IE or Outlook.
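The trick Didier describes (an EMBED tag with hidden="true" pointing at a .mov file) is easy to look for on the defensive side, for instance in a web proxy or in a page you are analysing. The scanner below is an added example for this post, not code from Didier Stevens or from Apple: it walks an HTML document with Python’s standard html.parser and reports every <embed> or <object> that loads a QuickTime movie (by extension or by MIME type) while being invisible, either through the hidden attribute or through a 0x0 box. The sample page, the file names and the example.invalid host are constructed for the demonstration.

```python
from html.parser import HTMLParser

# File extensions and MIME type that identify a QuickTime movie.
QUICKTIME_EXTS = (".mov", ".qt")
QUICKTIME_MIME = "video/quicktime"


class HiddenQuickTimeScanner(HTMLParser):
    """Collects <embed>/<object> elements that load a QuickTime movie invisibly."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        # html.parser lowercases attribute names; a bare attribute such as
        # <embed hidden> arrives with value None, which we map to "".
        a = {name: (value if value is not None else "") for name, value in attrs}
        src = a.get("src") or a.get("data") or ""
        is_quicktime = (src.lower().endswith(QUICKTIME_EXTS)
                        or a.get("type", "").lower() == QUICKTIME_MIME)
        if not is_quicktime:
            return
        # hidden="true" is the attribute used in the page Didier analysed;
        # a bare "hidden" or a zero-sized box make the movie just as invisible.
        hidden_flag = ("hidden" in a
                       and a["hidden"].strip().lower() in ("", "true", "1", "hidden"))
        zero_size = (a.get("width", "").strip() == "0"
                     or a.get("height", "").strip() == "0")
        if hidden_flag or zero_size:
            self.findings.append({
                "tag": tag,
                "src": src,
                "reason": "hidden attribute" if hidden_flag else "zero-size box",
                "line": self.getpos()[0],  # line of the offending tag in the input
            })


def scan_html(html_text):
    """Return a list of findings, one per invisible QuickTime embed in html_text."""
    scanner = HiddenQuickTimeScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page: one hidden .mov embed (the pattern from the post),
# one ordinary visible movie, one hidden Flash object (out of scope here) and
# one zero-sized QuickTime <object>.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site</p>
<embed src="http://malware.example.invalid/tys4.mov" hidden="true" autoplay="true">
<embed src="/media/tour.mov" width="320" height="240" controller="true">
<embed src="/ads/banner.swf" hidden="true">
<object data="/x/drop.mov" type="video/quicktime" width="0" height="0"></object>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print("line {line}: <{tag}> loads {src} ({reason})".format(**f))
```

Running the script reports the hidden tys4.mov embed on line 3 and the 0x0 QuickTime object on line 6, and stays silent about the visible movie and the Flash banner. A src check alone would miss the <object data=...> form, which is why the scanner also keys on the video/quicktime MIME type.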
Microsoft has announced that no security updates will be released in March.
Didier Stevens wonders if any zero-day exploit will be released this week:
It will be interesting to see if new zero-days will appear in the coming days. We often see new zero-days just after patch Tuesday. There’s a theory that states that exploit writers do this to maximize the life-time of the exploit. If this theory is correct, we should already see new zero-days appearing between now and Tuesday, because exploit writers won’t have to wait for Tuesday to maximize the life-time of the exploits.
Let’s see what happens. The fact that Microsoft won’t release patches this month doesn’t mean they are not working on the next batch for April. If they were aware of the existence of a zero-day exploit for any of the currently unpatched vulnerabilities, they would have included the patch in this month’s release. Of course, the very definition of “zero-day exploit” means that it is unknown except to the guys using it (or those paying to use it).