There have been some massive hacks recently due to Flash -

- Hackers Exploiting Latest Adobe Flash Bug On Large Scale
- Adobe Patches Latest Flash Zero Day Vulnerability
- Adobe Promises Patch For Flash 0-day Being Used In Targeted Attacks

Those 3 were all in 2011!

Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.

“The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach,” said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. “Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities.”

In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far.

Adobe decided to implement sandboxing in Adobe Reader back in 2010 in order to counter the large number of exploits that targeted the product and its users. The technology was built into Adobe Reader X (10.0) and is based on the same sandboxing principles that Google used when developing Chrome.

Later that same year Adobe also launched a sandboxed version of Flash Player for Chrome and promised to explore the possibility of doing the same for other browsers. The new sandboxed Flash Player for Firefox, which works with Windows Vista and Windows 7, is the result of those efforts.

They have been talking about sandboxing for a long time and did mention they wanted to sandbox Adobe PDF Reader too, Chrome has had great success with it’s sandbox model and I’m sure many more software vendors will follow suit.

It’s good to see this approach with the web becoming an extremely dangerous place and more and more commerce is moving online, this gives us a deadly mix of poor security and lots of money floating around.

Critical Flash Player vulnerabilities have regularly been exploited to infect computers with malware during the past several years. Along with Java and Adobe Reader, Flash Player is one of the most attacked software applications, because its vulnerabilities can usually be exploited by simply visiting a malicious website.

“Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X,” Uhley said. “We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

However, the success of this version at deterring cybercriminals from writing Flash Player exploits in the future will largely depend on how quickly it gets adopted. In order to speed up the process, Adobe is working on a new update mechanism, the company’s senior manager for corporate communications, Wiebke Lips, said.

Having a sandboxed version of Flash Player for every major browser, not just Chrome and Firefox, is also important, if Adobe wants cybercriminals to lose interest in its product. “We are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer,” Lips said.

However, because Internet Explorer has a completely different plug-in architecture than Chrome and Firefox, namely ActiveX, developing a sandboxed Flash Player version for it requires a different approach, Lips said. Nevertheless, the current version of Flash Player supports Protected Mode in Internet Explorer 7 or later on Windows Vista and Windows 7.

I’d like to see them implement a much better and more user-friendly update system for Flash player, so when the update comes out more users get it ASAP.

Also, this is only for Firefox and the largest target for malware peddlers is Internet Exploder Explorer – so they better get that version sorted out soon too.

Source: Network World

I can’t see any real corporate use for Twitter, so they won’t be pushing the security aspects of it in terms of the application. Perhaps it’s just an equity play and has nothing to do with Twitter, or perhaps they have another offering up their sleeves which isn’t public yet.

Twitter may be planning to boost its mobile security options with the acquisition of Whisper Systems, a company that offers security products for Android phones.

Whisper Systems’ offerings include WhisperCore, software that enables full disk encryption as well as management tools for Android phones. It’s free for individual users while enterprise customers pay for the software. Other Whisper Systems products include text encryption, voice encryption, firewall software and encrypted backup.

In a blog post about the acquisition, Whisper Systems didn’t say much about what Twitter might be planning to do with the technology. “Now that we’re joining Twitter, we’re looking forward to bringing our technology and our expertise into Twitter’s products and services,” the company wrote on the blog.

It said that Whisper Systems software will continue to be available but that during a transition period the company will take the products and services offline. In a forum on Whisper Systems’ website, people who are apparently unaware of the acquisition are already wondering why they can’t download products. Twitter did not reply to a request for comment about its plans for the technologies.

The only path I can see, obvious path that is, would be for Twitter to integrate the encryption technology offered by WhisperCore into the official Twitter apps – making them more secure in both storing data locally and in transmitting data over insecure networks.

I don’t see how it really offers any value though, it’s not like anyone is actually sending anything important out over Twitter – apart from the odd DM (Direct Message) I would imagine.

It’ll be interesting to see what direction they take though and if we can actually find out why this acquisition took place.

WhisperCore has a number of features designed to make up for security shortcomings in Android. For instance, WhisperCore users can selectively revoke permissions that an app requests while allowing the user to still use the app.

The software also includes a feature aimed at thwarting someone who has stolen a phone from determining the phone’s unlock code based on finger smudges on the screen. Some Android phones display rows of dots and a user unlocks the phone by dragging a finger over certain dots in a set pattern. An attacker might be able to recreate the pattern by examining finger smudges on the screen. WhisperCore displays unlock numbers in a column, so an attacker doesn’t know in which order the user hits the numbers to unlock the phone.

Earlier this year Whisper Systems released a software development kit so that developers could start building some WhisperCore features into their applications.

Few other companies are doing full disk encryption for Android, although there are many other companies taking other approaches to securing Android phones. Companies like 3LM and Good Technology offer mobile security services for enterprises. In addition, mobile device management products from companies including Sybase, BoxTone, Zenprise, Mobile Iron and Fiberlink let IT managers set basic policies like password requirement and remote wipe, and offer additional security capabilities.

The other whacky idea could be to make Twitter into a dual-functioning security product – I don’t really see how that would work though. Social Networking + Device security = confused users.

If anyone has any bright ideas as to why you think this deal took place, do drop them in the comments section below.

Source: Network World

Or perhaps some of you already use something totally web-based like Hushmail, the story is that researchers in Germany have managed to develop a JavaScript implementation of OpenPGP that allows you to both encrypt and decrypt messages purely in the webmail interface with Google Chrome and Gmail.

Pretty neat eh?

Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages.

Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with Gmail.

According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard.

The OpenPGP specification uses public key cryptography to encrypt and digitally sign messages and other data. It is based on the original PGP (Pretty Good Privacy) program and is most commonly used for securing email communications.

Setting up a PGP variant to work with a particular email client on a local computer can prove troublesome for less technical users, not to mention that it’s not portable. A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

The benefits of a JavaScript-based implementation that runs inside the browser is that it doesn’t require a dedicated email client or other software installed on the computer.

I have to admit, setting up key based e-mail cryptography to work seamlessly…is not for the faint of heart. Even for the more technical user, it can be quite a pain in the arse.

That’s a pretty high entry barrier for the average Joe and stops pretty much everyone else from encrypting their emails. Something more seamless (and totally portable) like this JavaScript implementation could open up key-based e-mail encryption for the masses.

At the moment, GPG4Browsers only works in Google Chrome and is not available for download from the Chrome Web Store. However, if the name is any indication, the extension will be ported to other browsers in the future.

Users interested in giving it a try must download it manually and install it as an unpacked extension. This can be done from the Tools > Extension page by checking the “Developer mode” box and clicking on “Load unpacked extension.”

The current release is limited by the fact that it cannot generate private keys, although the menu for doing this is present, so the feature will most likely be implemented in the future.

Importing public and private keys works fine and when browsing on Gmail a black lock icon is displayed in the address bar. Clicking on it will open a dialog for composing an encrypted or a digitally signed message.

Similarly, when an encrypted message arrives in the Gmail inbox, the browser asks users if they want to open it with GPG4Browsers. The extension can decrypt messages signed with GnuPG (GNU Privacy Guard), a popular open source PGP implementation, but only if data compression isn’t used.

The GPG4Browsers source code is available under a GNU Lesser Public License so the tool can be easily improved to support additional webmail providers. The developers also provide documentation which explains the available APIs.

An OpenPGP JavaScript implementation offers convenience and portability, but also has some downfalls. “Since memory-wipe of private data and validation of a secure execution environment cannot be achieved in JavaScript this implementation should not be used in environments where the confidentiality and integrity of the transmitted data is important,” the developers warned.

Which means, in basic terms, don’t use this kind of implementation on any machines that might be infected with malware etc. Which in a way to me renders it useless, the only reason I’d be using a web-based OpenPGP implementation is because I’m using a public or unfamiliar machine and I STILL want to encrypt my e-mail.

If I’m using my own e-mail, I’ll be using a proper software based encryption tool anyway. So I guess it may offer slightly more protection that sending completely plain text e-mail, but it’s certainly not a totally secure e-mail encryption solution.

As JavaScript progresses and gets more powerful however, things may change and this may well become a viable alternative to software based e-mail encryption.

Source: Network World

It’s come quite a long way and the authors are happy to announce that MagicTree version 1.0 has been released and is available for download.

MagicTree is a productivity tool for penetration testers. It allows consolidating data coming from various security tools, query and re-use the data and generate reports. It’s aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.

Version 1.0 includes a lot of bug fixes and a number of new features, such as:

• Support for Acunetix data import
• Support for W3AF data import
• Support for OpenVAS 4 XML format
• Importing data from flat text files
• Simplified manual creation of ports
• Copy/paste and drag and drop support for tree nodes, table view data, queries and tasks
• mt:sort() custom XPath function for sorting data, such as findings, in TableView and reports
• More sophisticated auto-creation of tree nodes. We now support netblocks in various formats (192.168.1.1/24 , 192.168.1.0-192.168.1.255, 192.168.1.0/255.255.255.0), DNS names, IP addresses and URLs.
• Search in output files panel
• Creating cross-references by drag and drop
• Better support for KDE and XFCE desktop environments on Linux. View in Browser and opening reports now works on both.

The full changelog is available here – ChangeLog-1.0.txt

You can download MagicTree v1.0 here:

MagicTree-1.0-build1615.jar

Or read more here.

The author notified me of a new version that was recently released with quite a few additions. For those not familiar with it, Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Changes in V2.0

The major changes in v2.0 is the addition of a code analysis module which comes with Android and iOS rules, an editor for the checklist questions and the ability to create/edit/remove code analysis rules.

• Fixed verify report button bug. It used to make the app crash if the report path field was empty because it didn’t check if it was empty before trying to use the field value.
• Delete profile functionality added on the “view profiles” tab. Some users requested this functionality.
• Removed hard coded filesystem paths and database names/locations from the code and make them configuration items.
• Data editor for both principles and checklist guidance sections. This allows users to customise the guidance using their own languages, guidance text etc.
• Increase the max size value of the text boxes on the principles guidance tab to allow more information to be entered by users.
• More accurate error on the profile creation tab – specify exactly what fields have been missed rather than listing all.
• Added “About” form with info, license, credits etc
• Regular expressions expanded to include a wider range of characters including non English characters.
• Turn the “other” language box red if the user clicks save with the other check box ticked but not language entered on the create and view profile tabs.
• Metrics tab now “returns” if only one app is available rather than trying to load all graphs and throwing a separate error for each one.

The author is always interested in feedback and has integrated a lot of it into v2.0 of Agnitio, if you want to give some suggestions/bug reports or whatever after using the tool you can do so via the Security Ninja blog here, or on Twitter @securityninja.

You can download Agnitio v2.0 here:

Agnitio v2.zip

Or read more here.

• Detect Malware present on your website
• Audit your web site for security issues
• Avoid getting blacklisted by Google
• Keep your web site content & data safe
• Get alerted to suspicious hacker activity

It has an easy to user interface, it picks up all kinds of issues such as malware, reverse shells like c99, obvious stuff like outdated Plugins and WordPress core, weak passwords, bad configurations (including .htaccess config) and much more.

Each alert is well explained and will help you to solve any issues the system finds on your blog/site.

The great value with this for me is once you are subscribed, you will be automatically alerted of new issues by email as and when they occur. This will help you keep your website secure and will let you know immediately if any issues develop.

They’ve even released two WordPress plugins which you can find here:

WP Security Scan & Secure WordPress

You can check out the website here and sign up for a free account to test it out:

http://www.websitedefender.com/

They are on Twitter too @WebsiteDefender & Facebook.

The odd thing is the app can’t scan the filesystem of the device due to the iOS sandbox – but it can scan remotely hosted files (e-mail attachments, files in your Dropbox account and on on).

It’ll be interesting to see what kind of response this app gets and if people will be interested in purchasing it.

A French security company known for its Mac OS X antivirus software today released the first malware-scanning app for the iPhone and iPad and iPod Touch. Intego’s VirusBarrier for iOS has been approved by Apple, and debuted on the App Store Tuesday for $2.99.

Because iOS prevents the program from accessing the file system or conducting automatic or scheduled scans — as do virtually all Mac and Windows antivirus software — VirusBarrier must be manually engaged, and then scans only file attachments and files on remote servers, said Peter James, a spokesman for Intego.

“Because of the sandbox, you can’t scan the file system,” said James. “Since you don’t see the iOS file system, the only things you can scan are attachments sent by email or files in, say, your Dropbox folder.”

Unlike software written for Android — such as Lookout, from the San Francisco-based company by the same name — VirusBarrier cannot scan apps for possible infection. When an email attachment is received by the iPhone, iPad or iPod Touch, the user can intercede by calling on VirusBarrier, which then scans the file for possible infection before the file is opened or forwarded to others.

“We’ve had enterprise customers say that although they know you can’t do a full system scan of an iPhone, they don’t like the fact that files go through these devices and end up on a Mac or Windows PC,” said James. “They want their users to be able to check that an attachment is safe.”

It also can’t scan apps for possible infection, which is kind of weak – but I guess it’s supportive of the walled garden approach implemented by Apple. Seen as though all official apps are vetted by Apple there shouldn’t be any infections anyway (unless the user executed a JailBreak their device).

Symantec did make some kind of push into the iOS market in October 2010, but I’m not sure what came of it – Symantec Expands Security Products To Cover Android & iOS.

With the whole model Apple is running on the iOS platform – there honestly isn’t that many vectors for attack.

He characterized VirusBarrier for iOS as a way for iPhone and iPad users to prevent their hardware from spreading malware. “You don’t want your iPhone becoming a ‘Typhoid Mary,’” James said.

VirusBarrier for iOS can scan email attachments in a variety of formats, including Microsoft’s Word, Excel and PowerPoint; PDF documents; JavaScript files; and Windows executables, those files tagged with the .exe extension. It can also scan files in a Dropbox folder, those stored on MobileMe’s iDisk, or files downloaded via the iOS version of Safari. The scanning engine and signatures — the digital “fingerprints” used to detect malware — in VirusBarrier for iOS are identical to those used by Intego’s Mac OS X product line.

VirusBarrier for iOS lets iPhone and iPad users run on-demand scans of email attachments before those files are opened or forwarded.

“It’s important that people understand what [VirusBarrier] can and cannot do,” said James, pointing to the malware scanner’s limitations. “Although there is no malware written for iOS today, if attackers do try to exploit the [recent] PDF vulnerability, this is something we can scan for.”

James was referring to the still-unpatched vulnerability in iOS that can be exploited through a malicious PDF document, one of two bugs used last week to “jailbreak” an iPhone , iPad or iPod Touch. VirusBarrier for iOS can be downloaded to an iPhone, iPad or iPod Touch from Apple’s App Store. It requires iOS 4.0 or later.

You can check out the app on Apple’s App Store here:

VirusBarrier By Intego

Basically the purpose of the app seems to more towards halting malware application on the iPhone – rather than preventing the device itself getting infected. You can read a lot more about it on the App Store description.

Source: Network World

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder to hackers to exploit vulnerabilities in the legacy software.

4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET’s graphical user interface. There is no need to locate up and decipher registry keys or run platform dependent utilities. With EMET you can adjust setting with a single consistent interface regardless of the underlying platform.

5. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

You can download EMET v2.1 here:

EMET Setup.msi

Or read more here.

The framework is shipped with about 300 tests grouped in 9 testing modules:

• clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
• testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
• badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
• fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
• multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
• evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
• shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
• denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts
• pcapReplay: enables to replay pcap files

It is easily configurable and could integrate new modules in the future.

There are basically 6 types of tests:

• socket: open a socket on a given port and send the payloads to the remote target on that port.
• command: send command to the remote target with the subprocess.call() python function.
• scapy: send special crafted payloads based on the Scapy syntax
• multiple failed logins: open a socket on port 21/tcp (FTP) and attempt to login 5 times with bad credentials.
• client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
• pcap replay: enables to replay traffic based on pcap files

The official documentations is available here: pytbull documentation.

Changes/Improvements in V1.1

• Issue #2 fixed (test number incrementing twice just after the last test from multipleFailedLogins test)
• Issue #3 fixed (pcapReplay module not present in the checks on STDOUT)
• Code factoring in pytbull.py
• Timing options are now in parameters (config.cfg)
• Automatically checks and informs if a new version is available (use PROXY section in the configuration file if needed)
• New basic checks: Checks that paths are valid
• SVN tags added in source code

You can download pytbull here:

pytbull-1.1.tar.bz2

Or read more here.

That’s a good thing because it’s had some horribly effective vulnerabilities revealed lately. It managed to package up a massive bundle of patches for 64 vulnerabilities in Windows, Office and a few other software packages.

So if you’re running any Windows installations anywhere, make sure you get your Windows Update on ASAP and get those patches downloaded.

Microsoft has patched a record 64 vulnerabilities in Windows, Office and five other software packages, many of which allowed attackers to remotely install malware on end user machines.

The most important fixes addressed a vulnerability in the Internet Explorer browser that was exploited in last month’s Pwn2Own contest. Although details were kept confidential, hackers have begun exploiting the critical flaw in real-world attacks, Microsoft warned. The use-after-free vulnerability affects versions 8 and earlier of the Microsoft browser.

The other top priority should be updates that patch critical vulnerabilities in the way Windows handles networking requests using the SMB, or Server Message Block, protocol. By sending malformed packets, attackers can remotely install malware on vulnerable machines with no user interaction required.

Researchers have warned that the flaw could be exploited to install self-replicating worms in much the way a similar vulnerability from 2008 did. Even after Microsoft issued an emergency patch for the flaw, it still opened the door to the Conficker Worm, which commandeered millions of machines.

If you remember back in March we reported on Day One At Pwn2Own Takes Out Microsoft Internet Explorer and Apple Safari, they’ve fixed that flaw – which has been exploited in the wild.

I think Pwn2Own does play an important role in the security industry and really helps get some nasty bugs patched up. Of course I don’t think any of us are using Internet Explorer anyway…but still – a lot of people are.

Even on this site 18.3% of visitors are still using some version of IE (with the majority using 8, then 7 then 9 with 6 thankfully in 4th place).

The monster patch batch also included relief for another flaw in all supported versions of Windows that Google has said was being exploited by “politically motivated” attackers against activists. The MS11-026 update fixes the way Windows parses webpages containing MIME-formatted content.

Microsoft also introduced two tools that are designed to thwart malware attacks. One extends a protection known as Office File Validation to older versions of Office. The feature, which was previously available only to users of Office 2010, helps users to identify malicious Office files by scanning and validating them before they are opened.

The second tool is an update to the winload.exe component that helps flag device drivers that have been booby-trapped to install malware.

The patches were released in 17 bulletins, nine of which carried a rating of “critical,” a designation typically reserved for vulnerabilities that can be remotely exploited to install malware or expose sensitive user data. The remaining eight bulletins were rated “important.”

If you just wanna get down to the details of the patches and what was released, you can read the summary from Microsoft here:

April 2011 Security Bulletin Release

Also check this out:

Assessing the risk of the April security updates

And of course SANS always has a useful recap:

April 2011 Microsoft Black Tuesday Summary

Source: The Register