Archive for January, 2007

Attacks on Virtual Machines

January 24th, 2007 No comments

An interesting paper was recently posted on the Symantec blog. The paper was originally presented at AVAR 2006. It discusses various methods of attacking virtual machines and of detecting them... Source code is provided for most of the methods discussed, and it covers not only generic virtual-machine detection but also techniques for fingerprinting specific products (VMware, Virtual PC, etc.).

Categories: IT Tags:

Daily Link List

January 24th, 2007 1 comment

I've been a little quiet lately... mostly because things have been hectic at both work and home... but I figured I should at least make an appearance. I decided to provide a daily link list (something I haven't done in a bit) with some of the cool things that I found as I was reading blogs (which is a nice wind down to end a busy day).

Freedom to Tinker, which is a really great blog, had an interesting article today on Diebold voting machines. It seems that Diebold members can order keys to the voting machines from their website... You have to be a member to do this... so no big deal right? ... Wrong... They also provide images which are more than sufficient to produce keys that can open the voting machines. The article provides details and a video on the reproduction and use of these keys.

Mozilla announced the release of Mozilla Thunderbird 2 Beta 2 today.

There's a small write-up on gotspeech.net on using Wireshark to debug SIP... Nothing new if you've used Wireshark before, but a cool application of the software for those that haven't seen it.

The SBS Diva Blog pointed me towards an interesting article on eWeek... although rant might be a better word than article. The author of this opinion piece cries foul because Windows Update installed IE7 on his computer without his knowledge and, he says, it was impossible for him to uninstall it. The SBS Diva blog makes an excellent point that he had to agree to the EULA in order to install it... so I guess the question then is, "Can you blame users for "automagically" clicking through screens?"... I may answer that in the future.

I decided I wanted to see just what happened, so I jumped on my fiancée's Windows XP Home PC... Sure enough the January updates had been installed (via Automatic Updates), yet she was still running IE 6. Just to be sure, I logged onto Windows Update and took a look... I can see KB929969 (MS07-004) has been installed, as has the January Malicious Software Removal Tool... So I look under updates... sure enough IE 7 is listed... and right next to it, a check box so I can decide if I want to remove it or not... I don't see Microsoft forcing IE 7 on her. In fact it looks like she has plenty of choice.

Now another issue mentioned was uninstalling it... Time to check my Windows XP Pro PC which is running IE 7... Control Panel --> Add Remove Programs --> Windows Internet Explorer 7... Highlight and click Remove. Now before the uninstall would proceed I was asked if I was sure I wanted to remove IE 7 as other software had been installed since its installation and it couldn't guarantee that software would continue to work if it was reliant on IE 7... and that's understandable.

The last issue is that the author of the eWeek article argues that this doesn't belong in Windows Update, which is for security updates... Windows Update is for updating Windows... I've seen Media Player, .NET and other non-security updates there... I've even seen driver updates... IE 7 was listed as High Priority but not pushed onto users... This makes sense to me... I would even go so far as to argue that IE 7 is indeed a security update when you look at the new features it contains.

Now I'm off to reinstall IE 7 on my PC.

Lastly, I wanted to pass on this email from the WebApp Sec Mailing list:

The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security. Articles will be reviewed by our peer review team which will provide feedback and suggestions, as well as be promoted and marketed by WASC. Article submissions and comments may be sent to articles_@_webappsec.org.

That's all for now.

Peace,
HT

Categories: Daily Link List Tags:

InstaLinux.com

January 19th, 2007 No comments

This is just going to be a quick post... I came across a fairly cool website earlier today and thought I should share it with everyone. InstaLinux.com. The concept is fairly cool. They provide a list of several Linux distros and you build yourself an automated install CD...

Read more...

Categories: IT Tags:

AJAX Sniffer + AttackLabs.com

January 18th, 2007 No comments

I came across an interesting blog post today on a proof-of-concept AJAX sniffer. It explains how to override certain functions found inside XMLHttpRequest so that every request and response the page makes becomes visible to injected script. Source code is also provided on the page. This PoC is an implementation of concepts introduced in Subverting AJAX.
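To make the hooking concrete, here is an added example of my own (not the PoC from that post, and not code from Subverting AJAX) of the technique: the prototype's open and send are replaced with wrappers that record each request and, when the response arrives, its status and body, while still calling the originals so the page keeps working and its own handler is never clobbered. Because this runs under Node rather than in a browser, it includes a constructed stand-in for XMLHttpRequest with the same open/send/readyState/addEventListener surface; in a real page you would pass the global XMLHttpRequest instead. The endpoint and request body in the demo are assumptions.

```javascript
// Added example: sniffing AJAX traffic by hooking XMLHttpRequest.prototype.
// Not the original PoC. Runs under Node using a constructed stand-in for XHR.

// Constructed stand-in for the browser's XMLHttpRequest. It exposes the same
// open/send/readyState/onreadystatechange/addEventListener surface the hook
// relies on, and answers every request itself with a canned JSON "response".
class FakeXMLHttpRequest {
  constructor() {
    this.readyState = 0;
    this.status = 0;
    this.responseText = '';
    this.onreadystatechange = null;
    this._listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'readystatechange') this._listeners.push(fn);
  }
  open(method, url) {
    this._method = method;
    this._url = url;
    this.readyState = 1;
  }
  send(body) {
    // Pretend the server echoed the request back (constructed data).
    this.status = 200;
    this.responseText = JSON.stringify({ path: this._url, echoed: body == null ? null : String(body) });
    this.readyState = 4;
    if (typeof this.onreadystatechange === 'function') this.onreadystatechange.call(this);
    for (const fn of this._listeners) fn.call(this);
  }
}

// The sniffer. Works on any constructor with an XHR-shaped prototype, so in a
// browser you would call installXhrSniffer(XMLHttpRequest, log).
function installXhrSniffer(XhrCtor, log) {
  const proto = XhrCtor.prototype;
  proto.__sniffLog = log;              // where captured exchanges are appended
  if (proto.__sniffInstalled) return;  // hook the prototype only once
  proto.__sniffInstalled = true;

  const origOpen = proto.open;
  const origSend = proto.send;

  proto.open = function (method, url, ...rest) {
    const rec = { method, url, requestBody: null, status: null, responseText: null };
    this.__sniffRec = rec;
    // Register our own listener instead of overwriting onreadystatechange, so
    // the page's handler still runs untouched and the sniffer stays invisible.
    this.addEventListener('readystatechange', function () {
      if (this.readyState === 4) {
        rec.status = this.status;
        rec.responseText = this.responseText;
        proto.__sniffLog.push(rec);
      }
    });
    return origOpen.call(this, method, url, ...rest);
  };

  proto.send = function (body) {
    if (this.__sniffRec) this.__sniffRec.requestBody = body == null ? null : String(body);
    return origSend.call(this, body);
  };
}

// Demo: the "page" issues a POST and has its own handler; the sniffer sees both
// the request body and the response without the page noticing.
function demo() {
  const log = [];
  installXhrSniffer(FakeXMLHttpRequest, log);
  const xhr = new FakeXMLHttpRequest();
  let pageSawStatus = null;
  xhr.onreadystatechange = function () {
    if (this.readyState === 4) pageSawStatus = this.status;
  };
  xhr.open('POST', '/account/transfer');
  xhr.send('to=mallory&amount=100');
  return { log, pageSawStatus };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point to take away is that the hook lives on the prototype, so every XMLHttpRequest the page creates afterwards is covered, and nothing the page can observe (its handler still fires, the response is unchanged) reveals that the traffic was copied.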

Something else I wanted to briefly mention was Attack Labs. A Demo of the AJAX sniffer and other web attacks are available on this page. The complete list of available Proof of Concepts (with source code) includes:

  • Steal Clipboard
  • Ajax worm
  • Steal History
  • Browser Spy
  • Site Defacement
  • Cross Domain Javascript Request
  • Ajax Sniffer

I'm not a fan of Web 2.0... and I'm not sure I'm overly fond of AJAX (although I've been playing with pyjamas a bit). So I have to question, as I see more and more attacks come to life, if we're really benefiting from moving more and more of our code from server-side to client-side.

Categories: IT, Security Tags:

The Chilling Effect

January 17th, 2007 No comments

The website CSO Online identifies itself as the "Resource for Security Executives"... and for that reason there are plenty of stories on the site that don't necessarily interest me... A recent story, The Chilling Effect by Scott Berinato, caught my eye as it comes at a time when everyone is talking about disclosure: responsible disclosure vs. full disclosure. The tag line attached to the article sums it up nicely:

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.

The 6-page story, which includes comments from Jeremiah Grossman and RSnake, doesn't look at your classic "off the shelf" or "out of a box" software... It looks at web applications, at vulnerabilities such as XSS, and discusses how disclosure can work in the "Web Environment".

It's an interesting topic of discussion. These days it's not uncommon to "stumble" upon an XSS or SQL injection vulnerability... sometimes it's as simple as changing a GET parameter to disclose another user's information... Then you have the ethical, and legal, question... "Do I report it?". It seems that a lot of companies are unhappy when a vulnerability is reported on their websites. Rather than thank you and fix the code, they want to harass you and come after you from a legal standpoint, and when this happens... it's the logic of the company involved that I fail to understand.

I, for one, would rather someone reported a vulnerability in one of my websites to me; it's better than a visitor being taken advantage of by a malicious party.

Vendors want responsible disclosure... perhaps the established software vendors should work to push the benefits of responsible disclosure on companies with web-based applications, or even non-IT companies that have a web presence. Microsoft, for example, a champion of responsible disclosure, should provide literature to companies on the benefits of responsible disclosure over full disclosure. The supporters of responsible disclosure could even start a legal fund to back those who are currently willing to responsibly disclose web vulnerabilities.
If security researchers, hackers, or whatever other term you want to use, could report web-based vulnerabilities responsibly, without fear of retribution and with the expectation of a simple thank-you email, I think it'd be a great start towards making the net a safer place for everyone.

Categories: IT, Security Tags:

Agnitum provides “research” into Vista Firewall.

January 17th, 2007 1 comment

I need to preface this post by saying that the Agnitum article is a marketing tool for their Outpost firewall, so you do have to accept that there will be some bias in some of their comments.

The Article.

Overall, Agnitum proclaimed the Vista firewall a step in the right direction but still a security risk and provided this list of pros and cons:

Positives:

  • Supports multiple connection profiles;
  • Supports advanced firewall rules;
  • Supports data authentication for secure connections;
  • IPv6 support;
  • Pre-configured access rules for internal system software and services.

Negatives:

  • Advanced settings require too much effort to use;
  • Doesn’t control and secure outbound connections by default;
  • Incoming connections are not filtered if they follow a previously initiated outbound request for a session applicable to the requesting program;
  • Doesn’t prompt the user for action in regard to outbound requests; it can either allow or block a connection;
  • No time-based rules;
  • No advanced control of inter-process communication for outbound program access. Partially covered by UAC, but programs exist that can establish outbound access bypassing UAC;
  • No Intrusion Detection System (IDS);
  • Primitive logging;
  • No monitoring of active connections.

The most interesting item is that they see the lack of an IDS as a negative... I find this humorous given the discussions back in October on IDS and its usefulness (Thomas Ptacek, Amrit Williams). As I said, they are marketing their product, so we have to watch out for bias.

Their biggest complaint (or "security risk") with the Vista firewall was that response data isn't checked. This one is interesting. Apparently, if I type in a request to Google in my browser, the firewall should prompt me to allow the response data from my request. I have issues with this... My issue is that the firewall at this point is set to "Allow outbound connection". If a stateful firewall allows an outbound connection, then yes... it should allow the inbound packets that belong to that connection; that's what connection tracking is for, and it still drops unsolicited inbound traffic. Could you imagine a system where all inbound data triggered warnings... even if initiated via an outbound request, one which the firewall was told to categorize as "Allowed"? I'd never be able to use IRC, SMTP or even my browser again... I'd be inundated with warning messages.

Now if Agnitum had said that the biggest problem was that the Vista Firewall allows all outbound connections by default... I would have agreed.. but they didn't... they turned it into a "vulnerability" (as they label it in their write-up)... This is pure marketing BS.

Another problem with the article that really made my skin crawl was this paragraph:

On a more positive note, Gibson Research’s open ports probe utility Shields UP!! revealed that all the ports on my computer were successfully stealthed (shielded, made invisible) by the firewall. This is a good thing, because if hackers cannot locate open ports (that might accept remote connections) on a computer, that computer will be much harder to link to and exploit.

Now last time I checked, a "stealthed port" was a closed port that didn't reply at all... The probe is dropped instead of an RST being sent (Fyodor's nmap documentation, which calls that state "filtered", allowed me to confirm this). So I question the last sentence. Was the author thinking that open ports could be stealthed? A listening port answers a SYN with a SYN/ACK, so it cannot appear as a stealth port... a closed port that doesn't send an RST is stealthed... which means it has nothing to do with "linking to and exploiting" the computer. The logic behind that paragraph doesn't make a lot of sense. They might as well have said, "The Vista Firewall is a firewall... It blocks unauthorized access to ports on the PC". I also question the term "link to"... generally you connect to a computer, but I'll just assume that English isn't the author's first language.

As some of you may have guessed by this point, I'm irritated... Rather irritated. I'm definitely not a fan of Vista... I think that it's way too bloated... but taking shots like this write-up is doing, simply to do a little marketing... I can't agree with or tolerate that. Buried within the shameless self-promotion, biased attacks and misinformation... there's actually a decent walk-through of the features available in the Vista Firewall... It's a shame that walk-through was soured.

The last thing I'll mention is that the author had issues with manually adding allowances for programs when you set the firewall to block outbound connections. The author wanted a pop-up like most modern firewalls give, where you could simply click an allow button. I actually give kudos to Microsoft for not having this... for requiring that the rules be set up manually. Users become much too complacent in automatically clicking allow because the pop-ups annoy them... this forces them to not click allow... to actually set things up.

From what I read of the unbiased portions of the article... I'm actually impressed with what Microsoft is doing... It's actually shown me a bit of positive light in a product (Vista) that I saw primarily negatives in. I've also decided that I will never purchase an Agnitum product... I don't like their business tactics.

Categories: IT, Security Tags:

Cross Site Request Forgery FAQ released

January 17th, 2007 No comments

Earlier today CGISecurity.com released a CSRF/XSRF FAQ. The table of contents / questions answered:

  • About
  • What is Cross Site Request Forgery?
  • Who discovered CSRF?
  • What can be done with CSRF?
  • Is CSRF and Cross-site Scripting the same thing?
  • What are common ways to perform a CSRF attack?
  • Is this vulnerability limited to browsers?
  • Can applications using only POST be vulnerable?
  • How can I detect if a website is vulnerable?
  • Can CSRF be prevented by implementing referrer checking?
  • Has there been a major attack using CSRF?
  • What can I do to protect myself as a user?
  • What can I do to protect my own applications?
  • References and Additional Reading

While I'm not going to repost the entire FAQ, I'll repost the "What is CSRF" response, for those of you that are unsure of what it is.

What is Cross Site Request Forgery?

Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task urls, then the task is performed and logged as the logged-in user. Typically you'll use Cross Site Scripting to embed an IMG tag or other HTML/JavaScript code to request a specific 'task url' which gets executed without the user's knowledge. Injection via light markup languages such as BBCode is also entirely possible. These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted.

Categories: IT, Security Tags:

Flash 9 for Linux (final) released.

January 16th, 2007 1 comment

There's a posting on the Adobe Labs blog:

All releases (Macintosh, Windows, and Linux) of Flash Player 9 Update are now shipping on Adobe.com and are no longer available on Adobe Labs. Final Mac and Windows versions became available on November 14th and the Linux version was called final on January 16th. See the release notes for details regarding changes in the update release of Flash Player 9.

Categories: IT Tags:

MySpace Phish Grabs 56000+ Usernames and Passwords

January 16th, 2007 3 comments

It would seem that a lot of people still haven't learned to check their address bar prior to logging into a page... I say a lot because at least 1 or 2 of the 56,000 users taken in by http://www.marcolano.com/login (Google cache) provided false information.

I actually feel quite bad for the users involved in this phishing attempt. Generally your password is obtained only by the person running the phish; here, however, someone felt the need to provide a link to the list of passwords as it was being created. After the site was taken down, someone had the "genius" idea of circulating this list on the Full Disclosure mailing list.

A quick whois of the domain provides the following details:

Domain name: marcolano.com

Registrant Contact:
LunarDev Productions
Marc Olano (marcolano@hotmail.com)
+1.8583738773
Fax: none
1252 Grand Avenue
San Diego, CA 92109
US

I've fired off an email to Marc to see if he was responsible or if it was a website compromise. If he was responsible, I've also asked him what his motivation was, although I doubt I'll receive a response. I've also fired off an email to MySpace in case they were unaware of the issue (which seems doubtful), and I find it interesting that they don't have a generic security contact address that's easy to find on their website. This is something that all major websites should have, in my opinion, easily viewable on their main page.

I would like to note that this page had been reported to Firefox 2.0's phishing protection. As soon as I attempted to visit the page, even though the server was down and no page was loaded, I received a warning about the site being reported as a fake.

[UPDATE] Brian Krebs has published an article where he breaks down the passwords, providing the most common passwords, the number of unique passwords, and a count of password lengths.

Peace,
HT

Categories: Phishing / Scams Tags:

Fuzzing Tools

January 15th, 2007 No comments

Gadi Evron had a rather large list of fuzzing tools which were posted today to the fuzzing mailing list.

The list included:

  • zzuf - A transparent application input fuzzer.
  • IPC Fuzzing Tools - A Collection of tools for fuzzing Windows Interprocess Communication mechanisms.
  • jCUTE - A Java implementation of CUTE ( Concolic Unit Testing Engine ). A "productive way of combining fuzzing with static analysis".
  • Joxean's Fuzzer - Two Python Fuzzers... One for PostgreSQL and one for Informix.
  • Akathisia - A Windows RPC Fuzzer.

I'm going to add WebFuzz... my series of cheesy Python scripts for fuzzing HTTP (to a minor extent).

Other fuzzers that weren't mentioned but that people should be aware of:

  • FileFuzz - A Windows-based Graphical File Format Fuzzer from iDefense.
  • COMRaider - A Tool designed to fuzz COM Object Interfaces from iDefense.
  • SPIKEfile - A Linux-based file format fuzzer from iDefense.
  • notSPIKEfile - A Linux-based file format fuzzer from iDefense.
  • WebFuzz - A Graphical Web Fuzzer, presented by Michael Sutton at RECON but oddly enough not on the iDefense page.
  • fuzzball2 - A TCP/IP options fuzzer.
  • FuzzySniffAndSend - A network fuzzer; it sniffs data and then resends various mangled versions of the captured data.
  • PeachFuzz - A Clear Text Protocol Fuzzer -- Includes templates for FTP, SMTP, IMAP4 and POP3.
  • Fuzzer.pl - Another plain-text protocol fuzzer from CIRT.DK.
  • Bluetooth Stack Smasher -- A Bluetooth fuzzer.
  • Radius Fuzzer - A Radius Server Fuzzer, written in C.
  • Hamachi - A Browser Fuzzer
  • fsfuzzer - A Filesystem Fuzzer.
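
Since the WebFuzz scripts mentioned above aren't shown, here is an added example of my own, not WebFuzz and not any tool on the list, of the basic mechanics of that kind of HTTP fuzzing: a request template, a set of named mutations applied to it, and a harness that feeds each mutated request to the target and records which ones make it throw. The target is a constructed toy request-line parser with two common bugs (an unguarded decodeURIComponent, and the assumption that every query pair contains an '='), so the run is self-contained; the mutation list and the parser are assumptions, and against real software you would replace toyParse with code that sends the bytes over a socket and watches for a crash or a hang.

```javascript
// Added example: minimal mutation-based HTTP request fuzzer with a toy target.
// Not the author's WebFuzz; the mutations and the target parser are constructed.

// Baseline request the mutations are applied to (the template is an assumption).
const BASE_REQUEST = { method: 'GET', target: '/stocks?buy=100&stock=ebay', version: 'HTTP/1.1' };

// Each mutation returns a fresh request with one field perturbed.
const MUTATIONS = [
  { name: 'long-path',       apply: (r) => ({ ...r, target: '/' + 'A'.repeat(8192) }) },
  { name: 'bad-percent',     apply: (r) => ({ ...r, target: r.target.replace('/stocks', '/stocks%zz') }) },
  { name: 'bare-query-key',  apply: (r) => ({ ...r, target: r.target + '&novalue' }) },
  { name: 'null-byte',       apply: (r) => ({ ...r, target: r.target + '%00' }) },
  { name: 'format-string',   apply: (r) => ({ ...r, target: r.target + '&note=%25n%25n%25n' }) },
  { name: 'negative-number', apply: (r) => ({ ...r, target: r.target.replace('buy=100', 'buy=-1') }) },
  { name: 'huge-method',     apply: (r) => ({ ...r, method: 'GET'.repeat(1000) }) },
  { name: 'bad-version',     apply: (r) => ({ ...r, version: 'HTTP/9.9.9' }) },
];

function serialize(r) {
  return `${r.method} ${r.target} ${r.version}\r\nHost: example.test\r\n\r\n`;
}

// Constructed target under test: a toy request-line parser. It rejects
// malformed input by returning { error } (expected behaviour, not a crash), but
// carries two real-world bug patterns that surface as uncaught exceptions:
//   - decodeURIComponent throws URIError on a malformed %-escape
//   - each query pair is assumed to contain '=', so a bare key yields undefined
function toyParse(raw) {
  const requestLine = raw.split('\r\n')[0];
  const [method, target, version] = requestLine.split(' ');
  if (!/^HTTP\/\d\.\d$/.test(version)) return { error: 'bad version' };
  if (method.length > 16) return { error: 'method too long' };
  const [rawPath, rawQuery = ''] = target.split('?');
  const path = decodeURIComponent(rawPath); // bug 1: unguarded
  const params = {};
  if (rawQuery) {
    for (const pair of rawQuery.split('&')) {
      const [k, v] = pair.split('=');
      params[k] = v.trim();                 // bug 2: v may be undefined
    }
  }
  return { method, path, params };
}

// Harness: run every mutation, keep the ones that crash the target, and flag
// whether each crash is a new exception type or a repeat of one already seen.
function fuzz(target, base, mutations) {
  const crashes = [];
  const seen = new Set();
  for (const m of mutations) {
    const raw = serialize(m.apply(base));
    try {
      target(raw);
    } catch (err) {
      crashes.push({
        mutation: m.name,
        error: `${err.name}: ${err.message}`,
        novel: !seen.has(err.name),
        input: raw.slice(0, 80),
      });
      seen.add(err.name);
    }
  }
  return crashes;
}

function demo() {
  return fuzz(toyParse, BASE_REQUEST, MUTATIONS);
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Two of the eight cases crash the toy parser and the other six are either handled cleanly or rejected with an error object, which is the signal a fuzzer is after: the inputs that produce behaviour the code's author never planned for, kept apart from the ones it rejects on purpose.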
Categories: IT, Tools Tags: