There have been some massive hacks recently due to Flash -

- Hackers Exploiting Latest Adobe Flash Bug On Large Scale
- Adobe Patches Latest Flash Zero Day Vulnerability
- Adobe Promises Patch For Flash 0-day Being Used In Targeted Attacks

Those 3 were all in 2011!

Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.

“The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach,” said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. “Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities.”

In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far.

Adobe decided to implement sandboxing in Adobe Reader back in 2010 in order to counter the large number of exploits that targeted the product and its users. The technology was built into Adobe Reader X (10.0) and is based on the same sandboxing principles that Google used when developing Chrome.

Later that same year Adobe also launched a sandboxed version of Flash Player for Chrome and promised to explore the possibility of doing the same for other browsers. The new sandboxed Flash Player for Firefox, which works with Windows Vista and Windows 7, is the result of those efforts.

They have been talking about sandboxing for a long time and did mention they wanted to sandbox Adobe PDF Reader too, Chrome has had great success with it’s sandbox model and I’m sure many more software vendors will follow suit.

It’s good to see this approach with the web becoming an extremely dangerous place and more and more commerce is moving online, this gives us a deadly mix of poor security and lots of money floating around.

Critical Flash Player vulnerabilities have regularly been exploited to infect computers with malware during the past several years. Along with Java and Adobe Reader, Flash Player is one of the most attacked software applications, because its vulnerabilities can usually be exploited by simply visiting a malicious website.

“Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X,” Uhley said. “We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

However, the success of this version at deterring cybercriminals from writing Flash Player exploits in the future will largely depend on how quickly it gets adopted. In order to speed up the process, Adobe is working on a new update mechanism, the company’s senior manager for corporate communications, Wiebke Lips, said.

Having a sandboxed version of Flash Player for every major browser, not just Chrome and Firefox, is also important, if Adobe wants cybercriminals to lose interest in its product. “We are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer,” Lips said.

However, because Internet Explorer has a completely different plug-in architecture than Chrome and Firefox, namely ActiveX, developing a sandboxed Flash Player version for it requires a different approach, Lips said. Nevertheless, the current version of Flash Player supports Protected Mode in Internet Explorer 7 or later on Windows Vista and Windows 7.

I’d like to see them implement a much better and more user-friendly update system for Flash player, so when the update comes out more users get it ASAP.

Also, this is only for Firefox and the largest target for malware peddlers is Internet Exploder Explorer – so they better get that version sorted out soon too.

Source: Network World

This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.

The sources supported are:

• Google – emails,subdomains/hostnames
• Google profiles – Employee names
• Bing search – emails, subdomains/hostnames,virtual hosts
• Pgp servers – emails, subdomains/hostnames
• Linkedin – Employee names
• Exalead – emails,subdomain/hostnames

New Features

• Time delays between requests
• XML and HTML results export
• Search a domain in all sources
• Virtual host verifier
• Shodan computer database integration
• Active enumeration (DNS enumeration,DNS reverse lookups, DNS TLD expansion)
• Basic graph with stats

Examples

Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching emails accounts for the domain microsoft.com in a PGP server, here it’s not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp

Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

You can download theHarvester here:

theHarvester-2.1_BH2011_Arsenal.tar

Or read more here.

This version includes lots of goodies, including:

• A new light-weight RPC implementation (No more XMLRPC)
• High Performance Grid (HPG) — Combines the resources of multiple nodes for lightning-fast scans
• Updated WebUI to provide access to HPG features and context-sensitive help
• Accuracy improvements and bugfixes for the XSS, SQL Injection and Path Traversal modules
• New report formats (JSON, Marshal, YAML)
• Cygwin package for Windows

New plugins

• ReScan — It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
• BeepNotify — Beeps when the scan finishes.
• LibNotify — Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
• EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
• Manual verification — Flags issues that require manual verification as untrusted in order to reduce the signal-to-noise ratio.
• Resolver — Resolves vulnerable hostnames to IP addresses.

IF you want a slightly more detailed description of what’s changed you can check here, or view the ChangeLog.

You can download Arachni v0.4 here:

Windows – arachni-v0.4.0.2-cygwin.exe
Linux – arachni-v0.4.0.2-cde.tar.gz

Or read more here.

It’s mostly targeted at the UK though, worms of these type usually are geographically limited as they are targeting bank information – it’s better to go after a certain niche of users.

45,000 isn’t a huge number though considering the latest stats say there are over 30 millions Facebook users from the UK alone.

A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed.

Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and associated email addresses. Experts from Seculert, who found the controller node, have supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the UK or France.

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it relies on multiple infection techniques and has only recently extended onto social networks. Koobface, by contrast, only uses Facebook or Twitter to spread.

“Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” Aviv Raff, CTO at Seculert, told El Reg.

“We suspect that they use the Facebook logins to post on a victim’s friends’ wall links to malicious websites which download Ramnit,” he added.

There was indeed Koobface some time back, but that was purely on Facebook – the danger with worms like Ramnit is that Facebook is only 1 of the vectors they are using to spread.

It’s a good job researchers got hold of one the command and control nodes – or this could have gotten a whole lot messier. Facebook has been pretty good lately blocking malicious strings and clamping down on worms as soon as they show up.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities – technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns.

The move onto Facebook by the miscreants behind Ramnit seems designed primarily to expand the malware’s distribution network and infect more victims.

“We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware’s reach,” Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination.

“The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks,” it said.

The Ramnit outbreak on Facebook follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.

The scary part is that the latest version of Ramnit can bypass two factor authentication! I’m not exactly sure how it does that, but it seems to have snagged a lot of features from the source code leak of ZeuS.

I would agree with the article though, people do tend to re-use passwords, they trust things shared on Facebook and it’s a good platform to spread malware rapidly.

Source: The Register

To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.

Features

• Insecure renegotiation testing
• Scanning for weak strength ciphers
• Checking for SSLv2, SSLv3 and TLSv1 versions
• Server certificate information dump and basic validation
• Session resumption capabilities and actual resumption rate measurement
• Support for client certificate authentication
• Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help user’s identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can read here.

You can download sslyze here:

sslyze-0.3_src.zip

Or read more here.

I can’t see any real corporate use for Twitter, so they won’t be pushing the security aspects of it in terms of the application. Perhaps it’s just an equity play and has nothing to do with Twitter, or perhaps they have another offering up their sleeves which isn’t public yet.

Twitter may be planning to boost its mobile security options with the acquisition of Whisper Systems, a company that offers security products for Android phones.

Whisper Systems’ offerings include WhisperCore, software that enables full disk encryption as well as management tools for Android phones. It’s free for individual users while enterprise customers pay for the software. Other Whisper Systems products include text encryption, voice encryption, firewall software and encrypted backup.

In a blog post about the acquisition, Whisper Systems didn’t say much about what Twitter might be planning to do with the technology. “Now that we’re joining Twitter, we’re looking forward to bringing our technology and our expertise into Twitter’s products and services,” the company wrote on the blog.

It said that Whisper Systems software will continue to be available but that during a transition period the company will take the products and services offline. In a forum on Whisper Systems’ website, people who are apparently unaware of the acquisition are already wondering why they can’t download products. Twitter did not reply to a request for comment about its plans for the technologies.

The only path I can see, obvious path that is, would be for Twitter to integrate the encryption technology offered by WhisperCore into the official Twitter apps – making them more secure in both storing data locally and in transmitting data over insecure networks.

I don’t see how it really offers any value though, it’s not like anyone is actually sending anything important out over Twitter – apart from the odd DM (Direct Message) I would imagine.

It’ll be interesting to see what direction they take though and if we can actually find out why this acquisition took place.

WhisperCore has a number of features designed to make up for security shortcomings in Android. For instance, WhisperCore users can selectively revoke permissions that an app requests while allowing the user to still use the app.

The software also includes a feature aimed at thwarting someone who has stolen a phone from determining the phone’s unlock code based on finger smudges on the screen. Some Android phones display rows of dots and a user unlocks the phone by dragging a finger over certain dots in a set pattern. An attacker might be able to recreate the pattern by examining finger smudges on the screen. WhisperCore displays unlock numbers in a column, so an attacker doesn’t know in which order the user hits the numbers to unlock the phone.

Earlier this year Whisper Systems released a software development kit so that developers could start building some WhisperCore features into their applications.

Few other companies are doing full disk encryption for Android, although there are many other companies taking other approaches to securing Android phones. Companies like 3LM and Good Technology offer mobile security services for enterprises. In addition, mobile device management products from companies including Sybase, BoxTone, Zenprise, Mobile Iron and Fiberlink let IT managers set basic policies like password requirement and remote wipe, and offer additional security capabilities.

The other whacky idea could be to make Twitter into a dual-functioning security product – I don’t really see how that would work though. Social Networking + Device security = confused users.

If anyone has any bright ideas as to why you think this deal took place, do drop them in the comments section below.

Source: Network World

sqlsus focuses on speed and efficiency, optimising the available injection space, making the best use (I can think of) of MySQL functions. It uses stacked subqueries and an powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server.

It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https..

What’s New

Starting with version 0.7, sqlsus now supports time-based blind injection and automatically detects web server / suhosin / etc.. length restrictions.

• Added time-based blind injection support (added option “blind_sleep”, and renamed “string_to_match” to “blind_string”).
• It is now possible to force sqlsus to exit when it’s hanging (i.e.: retrieving data), by hitting Ctrl-C more than twice.
• Rewrite of “autoconf max_sendable”, so that sqlsus will properly detect which length restriction applies (WEB server / layer above). (removed option “max_sendable”, added options “max_url_length” and “max_inj_length”)
• Uploading a file now sends it into chunks under the length restriction.
• sqlsus now saves variables after each command, so that forcing it to quit (or killing it) will not discard the changes that were made.
• Added a progress bar to inband mode, sqlsus now determines the number of rows to be returned prior to fetching them.
• get db (tables/columns) in inband mode now uses multithreading (like everything else).
• clone now uses count(*) if available (set by “get count” / “get db”), instead of using fetch-ahead.
• In blind mode, “start” will now test if things work the way they should, by injecting 2 queries : one true and one false.
• sqlsus now prints what configuration options are overridden (when a saved value differs from the configuration file).

You can download sqlsus 0.7.1 here:

sqlsus-0.7.1.tgz

Or read more here.

Features

• Map a web aplication.
• Show all links and forms params as confortable format.
• Save results with some formats: text, cvs, html, raw (for parsing with bash script) and wfuzz script.
• Detect common vulnerabilites of web application.
• Filter web information retaining only what is important.
• Many other features you can find very useful.

You can download GoLISMERO here:

GoLISMERO_last.zip

Or read more here.

The w3af core and it’s plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much

Finally it’s out of BETA and RC and there’s now a stable core for the codebase.

New in v1.1

• Considerably increased performance by implementing gzip encoding
• Enhanced embedded bug report system using Trac’s XMLRPC
• Fixed hundreds of bugs
• Fixed critical bug in auto-update feature
• Enhanced integration with other tools (bug fixed and addedmore info to the file)

You can download w3af v1.1 here:

w3af-1.1.tar.bz2

Or you can read more here.

And well even then, it’s not totally safe as apparently you can farm out your CAPTCHA cracking (those the fail the automated attempts) to India for a few dollars. It does help cut down on sign-ups and bot spam – but it’s certainly not fool proof.

The report just reinforces my stance proving that 13 out of 15 popular captures could be cracked with automated software.

Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated.

Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has been used for several years to prevent automated sign-ups to webmail accounts or online forums in order to block spam bots. Surfers are typically asked during a registration process to identify distorted letters as depicted in an image. A variety of other approaches – including pictures of cats, audio clips and calculus puzzles – have been applied to the problem over the years.

Cybercrooks have responded to the challenge posed by CAPTCHAs by devising techniques that typically involve semi-automatically signing up for new accounts, while relying on the human cogs in 21st century sweatshops – typically located in India – to solve the CAPTCHA puzzles themselves.

The Stanford team, by contrast, looked at whether it was possible to fully automate the process of breaking CAPTCHAs. Their techniques including removing deliberately introduced image background noise and breaking text strings into single characters for easier recognition. The team built an automated tool, called Decaptcha, that applied these various tricks. The approach was partially inspired by techniques used to orientate robots in unknown environments.

It’s interesting to see an academic take on this subject though as it’s usually the realm of blackhats and hobbyists. I’m sure with a fair bit of science they did an excellent job at removing the ‘noise’ that most CAPTCHA systems tend to add to the image to try and foil automatic solving.

I’m also glad to see reCAPTCHA once again stood up well to automated cracking, you’d have to rely on the sweatshops to get past that.

The worst seems to be Authorize.net from VISA – which is surprising and also sad as it’s dealing with banking.

Decaptcha was turned against the challenge response CAPTCHAs used by 15 high-profile websites, enjoying excellent bowling figures against the majority.

For example, Visa’s Authorize.net payment gateway CAPTCHA was defeated 66 per cent of the time. eBay’s CAPTCHA was sidestepped 43 per cent of the time. Lower, but still workable, bypass rates were achieved against Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two CAPTCHA systems that consistently thwarted Decaptcha during the tests.

Authorize.net and Digg have both switched to reCAPTCHA since these tests were run, Computerworld adds.

In a research paper (PDF), the Stanford team suggest several approaches towards making CAPTCHAs harder to beat, including making the length of a text string changeable and randomising character font and size. Lines in the background of CAPTCHAs might also prove effective. In addition, the Stanford team highlighted features that are ineffective against automated attacks but may counter the activities of humans.

The researchers, Elie Bursztein, Matthieu Martin and John C Mitchel, who previously developed techniques for breaking audio CAPTCHAs, presented their latest research at the recent ACM Conference On Computer and Communication Security in Chicago.

Fortunately both Authorize.net and Digg have switched to reCAPTCHA since this report came out making them safer, it’s probably a case of responsible disclosure by the Stanford scientists.

It’s definitely worth a read if you have anything to do with CAPTCHA implementation and especially relevant if you are thinking of developing your own rather than just using something like reCAPTCHA.

You can grab the full report here:

text-based-captcha-strengths-and-weaknesses.pdf

Source: The Register