Archive | May, 2010

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

Find your website's Achilles' Heel


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation

OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

You can download Suricata v0.9 here:

suricata-0.9.0.tar.gz

Or read more here.


Posted in: Countermeasures, Network Hacking, Security Software

Tags: , , , , , , , , , , , , ,

Posted in: Countermeasures, Network Hacking, Security Software | Add a Comment
Recent in Countermeasures:
- Bearded – Security Automation Platform
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,271 views
- Password Hasher Firefox Extension - 117,883 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,752 views

Get protected with Sucuri


New Argument Switch Attack Bypasses Windows Security Software

Your website & network are Hackable


There’s been a lot of highly technical and most theoretical attacks lately, academic season really is in full swing. This is a very neat attack which is being labeled somewhere between catastrophic and mildly annoying depending on who you ask.

It effects most of the major Anti-virus vendors, it’s called an argument-switch attack and leverages on the way in which most anti-viral suites interact with the Windows kernel.

It seems to be most critical on Windows XP which is an operating system near the end of life anyway, so it shouldn’t be too widespread – that’s even assuming the bad guys can work it out and spread it in the wild (I would safely assume they can). Although the research does indicate it also works on Vista SP1.

A just-published attack tactic that bypasses the security protections of most current antivirus software is a “very serious” problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it’s able to execute. Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

Some of the AV vendors are using different methods to communicate with the Windows kernel, so aren’t vulnerable to this attack – such as Immunet. I hope the collective AV companies pull their fingers out and do some real testing on this attack to see if it can really impact consumers or not.

What we really don’t need is “Oh it’s really complex and unlikely, it’s not a big deal” – then later 200,000 machines get owned using the technique. At least they know about and can perhaps address the sloppy methods they are using to implement kernel hooks.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Some security vendors agreed with Huger. “It’s a serious issue and Matousec’s technical findings are correct,” said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.

“Matousec’s research is absolutely important and significant in the short term,” echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.

Other antivirus companies downplayed the threat, however. “Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario,” a McAfee spokesman said in an e-mail reply to a request for comment. “The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run.”

Kaspersky Lab had a similar reaction. “[We] have analyzed the published material and concluded that the issue is only linked to certain features of [our] products,” Kaspersky said in an e-mailed statement. “Kaspersky Lab products implement not only [kernel] hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”

I guess most AV companies don’t go that deep into system security, to the point of exploring how they implement kernel addressing and hooks to enable their software to function. Either way the research is now published, is picking up quite a bit of press and that itself is likely to force some action.

The full paper is available with details of the attack from Matousec here:

KHOBE – 8.0 earthquake for Windows desktop security software

Source: Network World


Posted in: Exploits/Vulnerabilities, Windows Hacking

Tags: , , , , , , , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Massive Yahoo Hack – 500 Million Accounts Compromised
- Tesla Hack – Remote Access Whilst Parked or Driving
- PunkSPIDER – A Web Vulnerability Search Engine

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,882 views
- AJAX: Is your application secure enough? - 120,271 views
- eEye Launches 0-Day Exploit Tracker - 85,745 views

Get protected with Sucuri


iScanner – Detect & Remove Malicious Code/Web Pages Viruses From Your Linux/Unix Server

Your website & network are Hackable


iScanner is free open source tool lets you detect and remove malicious codes and web pages viruses from your Linux/Unix server easily and automatically. This is a neat tool for those who have to do some clean up operation after a mass-exploitation or defacement on a shared web-host.

This tool is programmed by iSecur1ty using Ruby programming language and it’s released under the terms of GNU Affero General Public License 3.0.

Features

  • Detect malicious codes in web pages. This include hidden iframe tags, javascript, vbscript, activex objects and PHP codee.
  • Extensive log shows the infected files and the malicious code.
  • Send email reports.
  • Ability to clean the infected web pages automatically.
  • Easy backup and restore system for the infected files.
  • Simple and editable signature based database.
  • Ability to update the database and the program easily from dedicated server.
  • Very flexible options and easy to use.
  • Fast scanner with good performance.

Coming Soon

  • Microsoft Windows compatibility.
  • Export log in other formats (xml, html).
  • Extend the database and make it able to detect malicious files.
  • Ability to send infected file to iScanner server for analysis.
  • Build remote scanner service with API.

You can download iScanner v0.5 here:

iscanner.tar.gz

Or read more here.


Posted in: Countermeasures, Malware, Security Software, Web Hacking

Tags: , , , , , , , , , , , ,

Posted in: Countermeasures, Malware, Security Software, Web Hacking | Add a Comment
Recent in Countermeasures:
- Bearded – Security Automation Platform
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,271 views
- Password Hasher Firefox Extension - 117,883 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,752 views

Get protected with Sucuri


Federal Authorities Have Seized More Than $143 Million USD Of Fake Network Equipment

Find your website's Achilles' Heel


What a surprise, another quiet weekend – nothing much has been going on apart from the big furore about Facebook privacy – which frankly has been discussed to death.

Other than that, 2 critical patches are expected in the next Microsoft patch Tuesday – info here and here.

One story which I did find interesting was about fake networking gear, mostly Cisco which the Feds have been seizing for the past 5 years under Operation Network Raider – with more than 700 seizures and 30 felony convictions, that sure is a lot of dodgy gear out there!

Federal authorities over the past fives year have seized more than $143m worth of counterfeit Cisco hardware and labels in a coordinated operation that’s netted more than 700 seizures and 30 felony convictions, the Justice Department said Thursday.

Operation Network Raider is an enforcement initiative involving the FBI, Immigration and Customs Enforcement and Customs and Border Protection agencies working to crack down on the bogus routers, switches and other networking gear. In addition to costing Cisco and other US businesses millions of dollars, the scams could threaten national security by infusing critical networks with gear that’s unreliable or, worse, riddled with backdoors.

As part of the operation, Ehab Ashoor, 49, a Saudi citizen residing in Sugarland, Texas, was sentenced this week to 51 months in prison and ordered to pay Cisco $119,400 in restitution after being found guilty of trying to sell counterfeit gear to the US Department of Defense. In 2008, he attempted to traffic 100 gigabit interface converters that were bought in China and contained labels fraudulently indicating they were genuine Cisco equipment, according to court documents. The kit was to be used by the US Marine Corps for communications in Iraq

The scary part for me is not that this stuff is out there, but that it is being sold to the US government! Especially that some was destined to be used by the US Military in Iraq. Now with the relations between China and the US the conspiracy theorists could come up with some interesting thoughts on this.

The sentences handed out are pretty stiff though with 51 months in prison, even though I guess it’ll be some cushy white-collar prison and not some hardcore federal penitentiary.

In January, 33-year-old Chinese resident Yongcai Li was ordered to serve 30 months in prison and pay restitution of $790,683 for trafficking counterfeit Cisco gear, officials said.

The prospect that government and business networks may have deployed bogus gear has raised national security concerns, since much of the counterfeit equipment originates in China. Similar espionage fears were raised by research from University of Illinois researchers, who in 2008 showed how they were able to modify a Sun Microsystems SPARC microprocessor to effectively create a hardwired backdoor capable of logging passwords or other sensitive data.

In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors.

Since late 2007, US authorities have made more than 1,300 seizures of 5.6 million bogus semiconductors. More than 50 shipments were falsely marked as military or aerospace grade devices. The Justice Department’s press release is here.

From the restitution figures it seems like Yongcai Li sold a lot higher volume than Ehab Ashoor but his prison sentence is much shorter. Perhaps he was given a more lenient sentence as he wasn’t directly trying to sell the fake gear to the US government and military.

They state none of the networking equipment contained backdoors, but then if they did – would they really tell anyone? They were obviously trying to buy cheap gear on the side rather than dealing directly with Cisco – not a wise decision.

Source: The Register


Posted in: General News, Legal Issues

Tags: , , , , , , , , , , ,

Posted in: General News, Legal Issues | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,447 views
- eEye Launches 0-Day Exploit Tracker - 85,745 views
- Seattle Computer Security Expert Turns Tables On The Police - 44,388 views

Get protected with Sucuri


Jarlsberg – Learn Web Application Exploits and Defenses

Your website & network are Hackable


This codelab is built around Jarlsberg /yärlz’·bərg/, a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Jarlsberg and in general.

Jarlsberg Vulnerable Web Application

The codelab is organized by types of vulnerabilities. In each section, you’ll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Jarlsberg. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you’ll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view http headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests. In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Jarlsberg as if it’s open source: you can read through the source code to try to find bugs. Jarlsberg is written in Python, so some familiarity with Python can be helpful.


However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Jarlsberg to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

If you wish to test the hosted version of Jarlsberg you can do so here:

http://jarlsberg.appspot.com/start

You can download Jarlsberg here:

jarlsberg-code.zip

Or read more here.


Posted in: Countermeasures, Exploits/Vulnerabilities, Web Hacking

Tags: , , , , , , , , , , , , , , , ,

Posted in: Countermeasures, Exploits/Vulnerabilities, Web Hacking | Add a Comment
Recent in Countermeasures:
- Bearded – Security Automation Platform
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,271 views
- Password Hasher Firefox Extension - 117,883 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,752 views

Get protected with Sucuri


Untethered Userland Jailbreak For iPhone 3.1.3 & iPad 3.2 Has Arrived

Find your website's Achilles' Heel


It’s been a long time since we’ve covered any kind of Jailbreak apps, although we did cover some stories where owners of jailbroken devices were getting pwned by Rickrolling followed up shortly after with a malicious version of the worm.

I thought I’d cover this anyway as the iPad seems to be ‘the next big thing’ and everyone is talking about (even if they hate it), so I thought it’d be a worthy story. Anyway the latest news is someone has released an untethered userland jailbreak for iPhones, iPods and iPads running the latest version.

The all-in-one untethered iDevice jailbreak for iPhone 3.1.3, iPad 3.2 and iPod touch 2G/3G is finally here. Available for both Windows and Mac OS X, Spirit is a userland jailbreak but it does not work out-of-the browser as previously thought. It is in fact a simple one click app, like Blackra1n which can jailbreak (not unlock) any Apple iDevice on iPhone 3.1.2 or 3.1.3.

It is also important to note here that Spirit wont unlock your phone. It is a jailbreaking tool only that will only work on devices which are activated via iTunes. So if you rely on an unlock, DO NOT upgrade to stock firmware or you’ll be stuck. Unlock for iPhone 3.1.3 on 05.12.01 baseband wont be out before the next iPhone hit the shelves. And that wont be before June/July of this year.

You can find the jailbreak software here:

http://www.spiritjb.com/

What’s Spirit?

  • Spirit is an untethered jailbreak for iPad, iPhone, and iPod touch on the latest firmwares.
  • Spirit is not a carrier unlock.
  • If you currently are using a tethered jailbreak, you have to restore to use Spirit. Do not upgrade if you use an unlock on an iPhone 3G or 3GS. (You can, however, restore to 3.1.2 if you have SHSH blobs for that version.)

Do note, this is just a jailbreak and NOT a carrier unlock, so don’t b0rk your phone if you have a network locked model.

Source: Redmond Pie


Posted in: Apple, Hardware Hacking

Tags: , , , , , , , , , , , , , , , ,

Posted in: Apple, Hardware Hacking | Add a Comment
Recent in Apple:
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- FBI Backed Off Apple In iPhone Cracking Case
- Mac OS X Ransomware KeRanger Is Linux Encoder Trojan

Related Posts:

Most Read in Apple:
- KisMAC – Free WiFi Stumbler/Scanner for Mac OS X - 83,067 views
- Apple Struggling With Security & Malware - 24,143 views
- Java Based Cross Platform Malware Trojan (Mac/Linux/Windows) - 15,994 views

Get protected with Sucuri


OpenDLP – Free & Open-Source Data Loss Prevention (DLP) Tool

Your website & network are Hackable


OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

Web Application

  • Automatically deploy and start agents over Netbios/SMB
  • When done, automatically stop, uninstall, and delete agents over Netbios/SMB
  • Pause, resume, and forcefully uninstall agents in an entire scan or on individual systems
  • Concurrently and securely receive results from hundreds or thousands of deployed agents over two-way-trusted SSL connection
  • Create Perl-compatible regular expressions (PCREs) for finding sensitive data at rest
  • Create reusable profiles for scans that include whitelisting or blacklisting directories and file extensions
  • Review findings and identify false positives
  • Export results as XML
  • Written in Perl with MySQL backend

Agent

  • Runs on Windows 2000 and later systems
  • Written in C with no .NET Framework requirements
  • Runs as a Windows Service at low priority so users do not see or feel it
  • Resumes automatically upon system reboot with no user interaction
  • Securely transmit results to web application at user-defined intervals over two-way-trusted SSL connection
  • Uses PCREs to identify sensitive data inside files
  • Performs additional checks on potential credit card numbers to reduce false positives

You can download OpenDLP v0.1 here:

OpenDLP-0.1.tar.bz2

Or read more here.


Posted in: Forensics, Hacking Tools, Privacy

Tags: , , , , , , , ,

Posted in: Forensics, Hacking Tools, Privacy | Add a Comment
Recent in Forensics:
- CuckooDroid – Automated Android Malware Analysis
- Cuckoo Sandbox – Automated Malware Analysis System
- Web Application Log Forensics After a Hack

Related Posts:

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 66,506 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 34,645 views
- OpenDLP – Free & Open-Source Data Loss Prevention (DLP) Tool - 30,439 views

Get protected with Sucuri


New Malware Variants More Malicious Than ILOVEYOU Bug

Your website & network are Hackable


So no big surprise here, malware is getting more malicious! It’s good to know though and it’s good that companies out there like Messagelabs, under the watchful eye of Symantec, are trying to measure what is going on in malware land.

The malware/worm landscape has always been a fast moving one and my guess is it’s only going to get faster as more of the World gets an Internet connection, a basic grasp of coding and a greed to scam money from people.

A decade after the Love Bug virus attacked millions of computers worldwide and put the Philippines in the IT world map in a negative way, computer security experts have noticed that today’s computer attacks are more malicious than the original computer security threat. In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, which was acquired by Symantec later, was the first one to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment when, once opened, sent itself to the addresses of the email recipient and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

The latest is that the malware of today is more malicious than the infamous ILOVEYOU worm that broke out 10 years ago in the year 2000.

You can see the jump is scales though, from 13,000 in a day to 1.5 million in a day. I still tell people the reason we need such vast storage clouds and such fast Internet connections is because of only 2 things – porn and spam.

It seems the dynamics have changed too, the bad guys are no longer writing mass spreading spammy malware – but sending much more malicious and highly targeted viruses.

“Although mass mailing viruses like the Love Bug are rare today, cyber criminals’ techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft,” Symantec said in a statement. “On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.”

“The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year,” said MessageLabs Intelligence senior analyst Paul Wood. “Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks.”

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

Botnet dynamics have also shifted a bit with Cutwail being knocked off the top spot and replaced by Rustock.

Rustock was knocked back a while ago and the Next-gen botnets were touted to replace it along with Srizbi.

Source: Network World


Posted in: General Hacking

Tags: , , , , , , , , , , , , , ,

Posted in: General Hacking | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,171,973 views
- Hack Tools/Exploits - 631,172 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 436,623 views

Get protected with Sucuri