Archive for the 'Security' Category



09 Mar

Vista security and the Security Development Lifecycle

Michael Howard, from Microsoft, comments on Vista security from a privileged point of view. He predicts that the number of security bugs in Vista will be smaller than in XP SP2 or Windows Server 2003, and he bases this prediction on his trust in the SDL (Security Development Lifecycle).

The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows.

Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)

My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months, I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.

It is a reasonable prediction based on previous SDL experience, for example in the SQL Server 2005 case. Putting some numbers into it:

So here’s my prediction. We will see significantly less critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.

08 Mar

BackTrack 2.0 Stable released!

The latest release of everyone’s favorite security LiveCD distribution is out. After 5 months in beta, BackTrack 2.0 Stable is available to the public for download. New features include an updated kernel (2.6.18-rc5), updated tools, PXE network boot, John MPI Instant Cluster for parallel password cracking, and the possibility of saving changes back to the CD. It also supports more wireless cards. According to the authors themselves:

It’s taken us almost 5 months to pull ourselves out of the beta stage. Every time we thought we were done, a new idea or improvement would surface, and we just *had* to implement it. Many features were added, and many of the old (yet persistent) bugs were fixed. We honestly believe that BackTrack v 2.0 Final is the leanest, mind blowing and sexiest version to come out and hope that you enjoy using it as much as we did making it. Find more information on our wiki at http://backtrack.offensive-security.com

Download BackTrack v2.0 Stable

06 Mar

Trojan Horses and Physical Security

This is actually funny. Found it at Dark Reading. It’s from an Australian TV show called “The Chaser’s War on Everything”. They built an actual full-size Trojan horse, with Greek soldiers inside, and tried to get it inside (supposedly) “secure” sites. See the video here.

28 Feb

Operating System Vulnerability Scorecard

Jeff Jones announces in his blog at CSO Online that he will be publishing a monthly Operating System Vulnerability Scorecard. He has also published a description of the methodology, sources and assumptions.

The Scorecard will have different sections on workstation (Vista, Windows XP SP2, RHEL4 Workstation, Ubuntu 6.60 LTS, and Mac OS X) and server (Windows Server 2003, RHEL 4 AS, and Sun Solaris 10) operating systems. Jeff is careful to specify the kinds of packages and components that will be taken into account.

The results for “Year to date 2007” (that is, January + February) are the following:

Vulnerability Scorecard - Workstation OS - 2007
Vulnerability Scorecard - Server OS - 2007

Of course, there is an important caveat. “Level of risk” is not the same as “number of vulnerabilities”. In the words of the author:

Security professionals will correctly note that vulnerabilities represent only part of the security picture, with the risk equation also needing an understanding of the potential threats and value of the information at risk. However, number and quality of attackers are elements largely orthogonal to factors that vendors have ability to influence. Vulnerabilities, on the other hand, are a factor that vendors can influence directly by investing in process, testing and other best practice Q&A techniques to reduce bugs and raise quality of shipping products.

Jeff is a Microsoft employee. Read his post titled “Exactly how biased am I?”

28 Feb

Solaris worm based on Telnet vulnerability?

A new Solaris worm using the recent Telnet vulnerability seems to have been found in the wild:

This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet scanning for it and hitting ATLAS; reports from another site indicate another box on that same subnet scanning them.

Last night a team member found what appears to be a Sun Solaris telnet worm using this vulnerability.

Read it all at the Arbor Security Blog.

According to SANS, there is a spike in port tcp/23 scans.

SANS - tcp/23 scans

UPDATE 1-Mar-2007: Symantec’s report on the issue and a write-up on the Solaris.Wanuk.Worm. The spread of the worm seems to be quite limited. After all, not many Solaris boxes have telnet ports accessible from the Internet.
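The telltale sign in both the Arbor and SANS reports is a single source walking a subnet on tcp/23. As an added illustration (not code from either post), here is a small detector for that pattern over constructed firewall log lines; the iptables-style line format and the threshold of 4 distinct hosts are assumptions.

```python
"""Flag sources that sweep many hosts on tcp/23 in firewall-style log lines."""
import re
from collections import defaultdict

# Constructed sample log in an iptables-like syslog format (assumption).
# 192.0.2.10 walks five hosts on tcp/23; the other sources do not.
SAMPLE_LOG = """\
Feb 28 03:12:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=41022 DPT=23 SYN
Feb 28 03:12:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=41023 DPT=23 SYN
Feb 28 03:12:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP SPT=41024 DPT=23 SYN
Feb 28 03:12:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=41025 DPT=23 SYN
Feb 28 03:12:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41026 DPT=23 SYN
Feb 28 03:12:03 fw kernel: IN=eth0 SRC=192.0.2.11 DST=198.51.100.1 PROTO=TCP SPT=50001 DPT=23 SYN
Feb 28 03:12:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=80 SYN
Feb 28 03:12:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=33002 DPT=23 SYN
"""

# Extract source, destination and destination port from a TCP log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)")


def telnet_targets_by_source(log_text):
    """Map each source IP to the set of distinct hosts it probed on tcp/23."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "23":
            targets[m.group("src")].add(m.group("dst"))
    return targets


def flag_telnet_sweepers(log_text, min_hosts=4):
    """Return (source, host_count) for sources that touched at least
    min_hosts distinct hosts on tcp/23, broadest sweep first.

    One host reaching one telnet server is ordinary noise; one host
    walking a subnet is the scanning pattern the worm report describes.
    """
    targets = telnet_targets_by_source(log_text)
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_hosts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in flag_telnet_sweepers(SAMPLE_LOG):
        print(f"{src} probed {n} distinct hosts on tcp/23")
```

On a real network, pair the per-source breadth count with a time window so that a slow sweep spread over hours is still caught.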

27 Feb

Windows for warships

Bruce Schneier comments on an article by The Register reporting that the UK’s new Type 45 destroyers and Vanguard-class submarines (carrying Trident ICBMs) will run Windows-based operating systems.

Is it wise? Well, all software has bugs. Operating systems are big pieces of software, so they must have lots of bugs. It has happened before. These kinds of systems should have multiple checks and redundancies built in to cope with any kind of problem, proper support from heavily trained staff, and a good Change & Configuration Management process.

As The Register says (with a healthy dose of sarcasm):

“Again, Windows platforms may be troublesome to maintain, but most civilian sysadmins simply wouldn’t believe the resources the navy can throw at problems. A present-day Type 42 destroyer carries at least four people who have absolutely nothing else to do but care for the ship’s command system. As of just a few years ago, this was still a pair of antique 24-bit, 1MHz machines each with about 25KB of RAM.

Two of the seagoing sysadmins will be senior technicians with at least five years’ expensive general training and months of courses specifically tailored for the kit they are minding now. Their assistants will be less skilled, but still useful. They can take care of drudgery – minor bumf, safety checks, making tea – freeing the real techs for serious work. And the on-board team would seldom be expected to cope with anything as complex as a software update. That would be done in harbour by more advanced specialists, probably including vendor reps. Nor do the combat sysadmins get lumbered with general IT desktop support; there are other people to do that, also lavishly trained. If any organisation can keep Windows functional, it’s Her Majesty’s navy.”

23 Feb

Open Source Information Security Management

These are several documents and frameworks that I find very useful in the area of Information Security management and consulting. The nice thing about them is their Open Source nature and their comprehensiveness.

Information Security Management Maturity Model v1.20 (PDF) by the ISM3 Consortium

    ISM3 offers a practical approach to design, implement and evaluate process-oriented Information Security Management systems. It takes into account different levels of maturity and focuses on the level of security required to fulfill the organizational and business objectives.

Open Information Security Risk Management Handbook v1.0 (PDF) by SOMAP

    It describes how to plan, implement and manage an Information Security Risk strategy, including Risk Assessment and Risk Management.

Open Information Security Risk Assessment Guide v1.0 (PDF) by SOMAP

    As an extension to the “Open Information Security Risk Management Handbook”, it discusses the management process and the details of the Risk Assessment Workflow. There is even a (Java) tool to support this methodology, called SOBF (Security Officer’s Best Friend).

Open Source Security Testing Methodology Manual v2.2 (PDF) by ISECOM

    An excellent resource for those conducting security tests of any kind (security audit, pentest, vulnerability scanning, etc.). It describes the technical areas to be addressed in any test, grouped into different channels: “information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations”.

22 Feb

The profits of spam and pump-and-dump scams

I’m sure everyone assumes spam is worth it for spammers. They wouldn’t do it otherwise, right? Of course, the same could be said of traditional “pyramid scams” and Multi-Level Marketing. They produce benefits. However, the benefits fall into few hands, usually those at the top.

Whether it’s selling Rolexes, Viagra, penis-enlargement pumps, dialer porn, or pump-and-dump stocks, the economic incentive is there.

And all that without taking into account identity theft, credit card theft or phishing.

I’ve found an interesting post by Joe Stewart with an analysis of a particular pump-and-dump scheme related to the Rustock trojan. It shows how this particular spammer or organization can net a nice $20K over one single weekend just by deploying this spamming-trojan and some stock market knowledge (plus human greed, an important part of this, let’s not forget). Joe comments:

So, at close on Friday Dec 15, the stock is at $0.0011. Suddenly, the Rustock botnet begins spewing out the spam shown above. All weekend it churns away, sending millions of emails. Monday morning, Dec 18, sees the stock immediately rise to $0.0019 a share, then all the way to $0.0025 a share, as some recipients of the spam begin to purchase the stock. A far cry from the spammer’s target of $0.02 a share, but let’s see how much that adds up to. If the spammer sells his shares early on Monday, when the stock has peaked, those 11,532,726 shares could be worth nearly $29,000, leaving the spammer with a cool $20K profit for one weekend. I wonder if the spams touting Viagra and Rolexes have ever made that much profit so quickly for the spammers with so little effort and almost zero overhead. It’s little wonder why stock spam is taking over.

Rustock-spam manipulation of stock value

21 Feb

LiveCD distros I use for Security

I’m a big fan of Linux-based security distros. There are many of them and most have their use. Of course, each one goes through a period of fame, glory and extreme usefulness, and then falls into oblivion when it becomes obsolete, stops being maintained (the curse of open-source projects) or a shiny new one is released.

While there are some general-purpose LiveCD distros which are very good, such as the venerable Knoppix, my choice for security-oriented toolkits is the following:

Backtrack 2
http://www.remote-exploit.org/backtrack.html

Backtrack 2 can be downloaded from here

Mainly for pentesting and wardriving (it happens to support my PCMCIA wireless cards out-of-the-box, kinda). It is Slackware-based and contains many useful tools. From the authors:

BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.
It evolved from the merge of the two widespread distributions Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack gained massive popularity and was voted #1 in the 2006 survey of insecure.org. Security professionals as well as newcomers are using it as their favorite toolset all over the globe.

It contains more than 300 tools, and has some exciting features like the possibility of deploying password-cracking clusters using PXE boot (PDF link).

One bad point, at least for me, is the lack of Nessus 3 in the latest release of BackTrack. Apparently Tenable didn’t agree to it. However, it is possible to install Nessus 3 on BackTrack 2 without much trouble!


mPentoo 2006.1
http://www.pentoo.ch/-PENTOO-.html

mPentoo 2006.1 can be downloaded from here

Pentoo and mPentoo (the mini version) are two LiveCD distros based on Gentoo. The mini version (mPentoo) seems to be the most interesting one. It weighs a little more than 200 MB, so it fits on the small CDs you can carry in your wallet. From the authors:

Pentoo is a penetration testing LiveCD distribution based on Gentoo. It features a lot of tools for auditing and testing a network, from scanning and discovering to exploiting vulnerabilities.

It includes many tools, listed here. As you can see, it lacks nothing. It even includes a copy of Nessus 2.2 and Metasploit Framework 2.6.


Helix 1.8
http://www.e-fense.com/helix/

Helix 1.8 can be downloaded from here

One of the best forensics toolkits available today. Well documented. Based on Knoppix. Many different forensics tools and toolsets are included, among them Sleuthkit/Autopsy and Steve Gibson’s Forensic Acquisition Utility.

Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.

It can be used by booting the offline system into Helix, or by mounting Helix on a live system (Unix, Linux or Windows). All the evidence acquisition tools have minimal footprint and impact on the examined system, and the relevant tools are “forensically sound”.


As I mentioned at the beginning, there are many more LiveCD distros that can be used. Do you know of a good one? Please feel free to make suggestions!

19 Feb

Rutkowska vs. Russinovich on Vista UAC security

There is an article at ZDNet (“Hacker, Microsoft duke it out over Vista design flaw”) which describes the controversy between the hacker Joanna Rutkowska and Microsoft’s Mark Russinovich over an alleged design flaw in Vista UAC.

In a nutshell, Vista automatically assumes that all application installers should be executed with elevated privileges. There is no possibility of running an installer with normal user privileges (for example, when no drivers need to be installed and no changes to the system are made).

Russinovich’s explanation sort of admits that a vector for a sophisticated attack is technically possible.

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

According to Bruce Schneier,

What’s interesting is that Microsoft is positioning this as a trade-off between security and ease-of-use. That’s correct, of course, but it seems that someone made a bad decision in this regard.

Joanna posted another entry in her blog clarifying her position:

There are two things which should be distinguished:

1) The fact that UAC design assumes that every setup executable should be run elevated (and that a user doesn’t really have a choice to run it from a non-elevated account),

2) The fact that UAC implementation contains bug(s), like e.g. the bug I pointed out in my article, which allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was pissed off not because of #1, but because Microsoft employee - Mark Russinovich - declared that all implementation bugs in UAC are not to be considered as security bugs.

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote “The Joke Post”.