Friday, July 10, 2009

End of Milworm

A very sad day for information security professionals. One of the web sites that helped many incident responders, security researchers, PenTesters, and script kiddies alike is shutting down.


Here are some of the alternatives

Friday, July 3, 2009

Twitter security problems

Are you a Twitter user? If so, you need to be aware of the many worms and other issues that affect Twitter; here are some of the recent ones.


http://www.twitpwn.com/2009/07/motb-01-multiple-vulnerabilities-in.html


http://blogs.zdnet.com/security/?p=3451



Apart from the worms and exploits listed above, as recently as last month Twitter's SSL certificate was signed using MD5 with RSA (the md5WithRSAEncryption signature algorithm); this has since been corrected. Back in December 2008 a group of researchers demonstrated that an MD5 collision can be used to forge a rogue certificate, which affects any SSL site whose certificate chain is signed with MD5. The exact problem is described in the Microsoft security blog:

"An MD5 hash collision allows a malicious user to potentially generate a rogue certificate derived from a valid one. This user can then impersonate a valid site or person since both certificates look legitimate because the certificate hashes are the same. An attacker will have to lure a user to initiate an SSL/TLS connection, then the certificate will be validated by the client and it will seem valid. Thus, the user will think that it is establishing a safe connection with site or person when in fact it is connecting with the attacker."


One way to check a site's certificate for this is to look at its Signature Algorithm field in the browser's certificate viewer; another is the "SSL Blacklist" Firefox add-on.
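The same check done by hand, as an added example that is not part of the original post and is not Twitter's, Mozilla's or Microsoft's code: the signature algorithm of an X.509 certificate is an OID inside the certificate's DER encoding, so it can be read with a small tag-length-value walker and no third-party library. The sample "certificate" below is a constructed DER skeleton (a valid outer Certificate SEQUENCE with a dummy body), not a real certificate; the `check_host` helper fetches a live certificate and needs network access, so it is not exercised offline.

```python
"""Read the signatureAlgorithm OID out of a DER X.509 certificate and flag
MD5/SHA-1 signatures. Standard library only; sample input is constructed."""
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_HASH_PREFIXES = ("md5", "sha1")   # collision-prone hashes to flag


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    first, rest = divmod(value[0], 40)
    arcs, acc = [first, rest], 0
    for b in value[1:]:                    # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid; used only to build the constructed sample."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der(tag: int, content: bytes) -> bytes:
    """DER-encode tag + content, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters }"""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)       # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    dotted = decode_oid(oid_bytes)
    return SIG_ALG_OIDS.get(dotted, dotted)


def is_weak_signature(alg_name: str) -> bool:
    return alg_name.lower().startswith(WEAK_HASH_PREFIXES)


def fake_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: structurally valid outer Certificate with a dummy
    tbsCertificate (padded to force a long-form length) and an empty signature."""
    tbs = der(0x30, der(0x02, b"\x01") + b"\x00" * 200)
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def check_host(host: str, port: int = 443) -> str:
    """Fetch a live server certificate and report its signature algorithm (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        name = signature_algorithm(fake_cert(oid))
        print(f"{name}: {'WEAK' if is_weak_signature(name) else 'ok'}")
```

Note that this only reads the leaf certificate's own signature; a site can present a SHA-256 leaf that still chains through an MD5-signed intermediate, so in practice every certificate in the chain needs the same check.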







Tuesday, June 9, 2009

Secunia PSI

Check my earlier post on this topic.

Secunia PSI is one of my favorite programs, a new release is out with some new features, check it out



Tuesday, June 2, 2009

Information Security Policies

While doing some research, I came across this Cisco study.

There are two interesting policy findings:

  • The majority of businesses (77 percent) have security policies in place.
  • More than half of the employees surveyed admitted that they do not always adhere to corporate security policies.

So, what are the reasons for this? In my view there are many possibilities:
  • The policies are not defined correctly
  • Users are not able to understand them
  • They are not aligned with the business processes
  • They do not have management's and business leaders' buy-in
  • They are not communicated properly
  • There are no monitoring mechanisms in place to verify compliance
  • No action is taken in case of policy violations

Sunday, May 17, 2009

Useful cheat sheets

Here is a collection of cheat sheets that I find extremely useful.

Windows command line cheat sheet http://www.sans.org/resources/sec560windows_command_line_sheet_v1.pdf

TCP/IP Cheat Sheet http://www.sans.org/resources/tcpip.pdf?ref=3871

Tcpdump cheat sheet http://planetozh.com/download/refcards/tcpdump.pdf

Linux Security Quick Reference http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf

Oracle Security Cheat Sheet http://www.red-database-security.com/wp/oracle_cheat.pdf

Nmap & Nessus Cheat Sheet http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf

Google Hacking and Defense Cheat Sheet http://www.sans.org/mentor/GoogleCheatSheet.pdf

SQL Injection Cheat Sheet http://ha.ckers.org/sqlinjection/

Cross Site Scripting Cheat Sheet http://ha.ckers.org/xss.html

Web application Cheat Sheet http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf

XSS Cheat Sheet http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Intrusion Discovery Cheat Sheet Windows http://www.sans.org/resources/winsacheatsheet.pdf

Intrusion Discovery Cheat Sheet Linux http://www.sans.org/resources/winsacheatsheet.pdf

Windows looking for compromise http://www.ucl.ac.uk/cert/win_intrusion.pdf

Checking Unix / Linux for compromise http://www.ucl.ac.uk/cert/nix_intrusion.pdf

DDoS incident response cheat sheet http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.pdf

Security incident survey http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.pdf

Memory analysis cheat sheet http://computer.forensikblog.de/files/cheatsheet/Memory%20Analysis%20Cheat%20Sheet.current.pdf

Forensic analysis cheat sheet http://forensics.sans.org/community/downloads/retrieve.php?file=handout.pdf

Saturday, May 9, 2009

Help create a safe Internet

Just as security within an organization or a community is a shared responsibility, security on the Internet is everyone's responsibility. Individuals must understand the various cyber threats in order to protect not only themselves, their family and friends, but the whole community. I recently stumbled upon a great site that offers security guidance for everyone who uses the Internet. The site, mysecurecyberspace, is sponsored by Carnegie Mellon CyLab.

Perimeter protection using Juniper Firewalls

I am re-publishing one of my earlier papers on Juniper Firewalls; even though it discusses an older version, the features are still relevant today.

Perimeter protection using Juniper Firewalls

In this information age, where worms, viruses and various other Internet attacks proliferate, securing the perimeter becomes more and more critical for any organization. This paper looks at an economical solution for a small organization to protect its perimeter.

The solution presented in this paper involves the use of low-end Juniper Firewalls.

Internet attacks are performed in a variety of ways, and Juniper Firewalls provide protection against many of them. Below is a brief description of the ways an attacker may try to intrude into an organization's network, and what the firewall can do about each.


  • Ping Sweeps
To understand the network layout, an attacker uses various reconnaissance techniques, including pinging a range of internal hosts that may or may not respond, to learn which addresses are live.

Juniper Firewall can detect a ping sweep and reject further ping requests once a specified threshold (the number of hosts probed within a short interval) is exceeded.

  • Port Scanning
The purpose of this method is to identify open ports; once an open port is found, further scanning identifies the application and its version so that known vulnerabilities in it can be exploited.

Juniper Firewall can detect and drop scan attempts once a specified threshold (the number of ports probed within a short interval) is exceeded. The firewall can also detect and drop probes that use illegal TCP flag combinations such as SYN+FIN, no flags set, or all flags set.

  • IP options scanning
An attacker uses IP options as a reconnaissance step to gain more knowledge of the network. The majority of these options are never used in a typical network, and Juniper Firewall can detect and drop packets that carry them.

  • IP spoofing attacks
An attacker forges the source address of packets so that an intermediary device believes they came from a trusted host, in order to gather more information about the network or to attack it.

Juniper Firewalls can be configured to drop such packets.

  • Denial-of-Service attacks
A denial-of-service attack is an attempt to make a targeted device or resource unavailable to its users by sending a huge amount of traffic to it. If the attack originates from multiple source devices or networks, it is called a distributed denial-of-service attack. These attacks take many forms, such as SYN floods, UDP floods and ICMP floods.

Juniper Firewall can limit such attempts through thresholds that cap the number of permitted sessions from a source IP and to a destination IP. It can also be configured to act as a SYN proxy, completing the TCP handshake on the server's behalf so that half-open sessions never reach it. Similar protection can be configured against ICMP and UDP floods.

Apart from these protections, Juniper Firewall can also protect against OS-specific attacks such as Ping of Death, WinNuke and Teardrop.

  • Malicious URL protection
Some URLs crafted by an attacker are syntactically legal HTTP requests designed to break the server. Many exploits against web servers have been based on URLs that were technically valid but triggered buffer overflows or similar flaws.

Juniper Firewall examines the data payload of HTTP packets, and if it identifies a malicious URL it blocks that packet from passing through the firewall. The firewall can also be configured to inspect fragmented packets, so that a URL split across fragments is not missed.

  • Virus scanning
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Juniper Firewall supports both internal and external virus scanning.

  • Spyware protection
Spyware is a program that gathers user information through the user's Internet connection without the user's knowledge, usually for advertising purposes.

Juniper Firewall can be configured to block incoming spyware, adware, keyloggers and related malware before it penetrates the organization's perimeter.

  • Web filtering
Web filtering enables an organization to manage Internet access by preventing access to inappropriate web content.

Juniper Firewall supports both integrated and external web filtering.

  • Deep Inspection
Deep Inspection is a mechanism for filtering the traffic the firewall has already permitted: it examines Layer 3 and Layer 4 packet headers together with Layer 7 application content and protocol behaviour in an effort to detect and prevent attacks.

With Deep Inspection enabled, Juniper Firewall scans packets for patterns that match one or more groups of attack signatures or protocol anomalies, which you can either define yourself or download to the security device.
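The ping-sweep, port-scan, illegal-flag and SYN-flood protections above all come down to the same thing: a counter per source over a short time window, compared against a threshold. The following is an added example, not Juniper's code and not from the original paper, that implements that logic in Python over a constructed packet trace so the threshold semantics can be seen end to end. The window size (5000 microseconds), the "10 ports" / "10 hosts" scan thresholds and the 25-SYNs-per-second source limit are assumed values chosen for the example, not settings read from a device.

```python
"""Threshold-based reconnaissance and flood detection, in the spirit of a
perimeter firewall's "screen" checks. All thresholds are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_us: int          # arrival time in microseconds
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""     # TCP flags present, as letters from "SAFRPU"


class Screen:
    def __init__(self, window_us=5000, scan_ports=10, sweep_hosts=10,
                 syn_source_limit=25):
        self.window_us = window_us                # assumed default interval
        self.scan_ports = scan_ports              # distinct ports per (src, dst) in window
        self.sweep_hosts = sweep_hosts            # distinct hosts pinged per src in window
        self.syn_source_limit = syn_source_limit  # SYNs per second from one source
        self._ports = defaultdict(deque)          # (src, dst) -> [(ts, dport)]
        self._hosts = defaultdict(deque)          # src -> [(ts, dst)]
        self._syns = defaultdict(deque)           # src -> [ts]

    @staticmethod
    def _distinct_in_window(dq, now, window):
        """Evict entries older than the window, then count distinct keys."""
        while dq and dq[0][0] < now - window:
            dq.popleft()
        return len({key for _, key in dq})

    def inspect(self, p: Packet) -> list:
        """Return the list of screen alerts this packet triggers (empty = pass)."""
        alerts = []
        if p.proto == "tcp":
            f = set(p.flags)
            if {"S", "F"} <= f:                       # SYN+FIN never occurs legitimately
                alerts.append("syn-fin")
            if not f:                                 # null scan
                alerts.append("tcp-no-flag")
            if set("SAFRPU") <= f:                    # xmas-style all-flags probe
                alerts.append("tcp-all-flags")
            dq = self._ports[(p.src, p.dst)]
            dq.append((p.ts_us, p.dport))
            if self._distinct_in_window(dq, p.ts_us, self.window_us) >= self.scan_ports:
                alerts.append("port-scan")
            if "S" in f and "A" not in f:             # bare SYN: count toward flood limit
                sd = self._syns[p.src]
                sd.append(p.ts_us)
                while sd and sd[0] < p.ts_us - 1_000_000:
                    sd.popleft()
                if len(sd) > self.syn_source_limit:
                    alerts.append("syn-flood-source")
        elif p.proto == "icmp":
            dq = self._hosts[p.src]
            dq.append((p.ts_us, p.dst))
            if self._distinct_in_window(dq, p.ts_us, self.window_us) >= self.sweep_hosts:
                alerts.append("ip-sweep")
        return alerts


def run(packets, screen=None):
    """Feed a trace through the screen; return {alert: number of packets flagged}."""
    screen = screen or Screen()
    counts = defaultdict(int)
    for p in packets:
        for a in screen.inspect(p):
            counts[a] += 1
    return dict(counts)


def sample_trace():
    """Constructed trace: a 12-port scan, a 10-host ping sweep, a 30-SYN burst,
    one SYN+FIN probe and a benign client talking to ports 80/443."""
    t = [Packet(i * 100, "198.51.100.7", "192.0.2.10", "tcp", 20 + i, "S") for i in range(12)]
    t += [Packet(2_000_000 + i * 200, "198.51.100.8", f"192.0.2.{i + 1}", "icmp") for i in range(10)]
    t += [Packet(10_000_000 + i * 1000, "203.0.113.9", "192.0.2.10", "tcp", 80, "S") for i in range(30)]
    t += [Packet(20_000_000, "198.51.100.7", "192.0.2.10", "tcp", 22, "SF")]
    t += [Packet(30_000_000 + i * 50_000, "192.0.2.200", "192.0.2.10", "tcp",
                 80 if i % 2 else 443, "S") for i in range(20)]
    return t


if __name__ == "__main__":
    for alert, n in sorted(run(sample_trace()).items()):
        print(f"{alert:18s} {n} packet(s) flagged")
```

The scan is only flagged from the tenth distinct port onward, and the SYN burst only once the twenty-sixth SYN arrives inside one second; everything before that passes. That is exactly the trade-off a threshold screen makes: a slow scan below the rate never trips it, which is why the paper treats these features as one layer rather than the whole defence.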


Conclusion

Firewalls are the first line of defense for organizations that do not own their perimeter routers, and care must be taken to configure the device properly to ward off the attacks described above. Even though securing the perimeter is an integral part of information security, organizations should practice a defense-in-depth strategy, where security is provided in layers to protect the various information assets.

Wednesday, May 6, 2009

McAfee threat report

McAfee released its first-quarter threat report. Here are some of the important data points from the report:


  • McAfee TrustedSource has recently observed malware-laden email and spam originating from a variety of government agencies and banking institutions in Russia.
  • The top 10 countries dominate spam production, contributing nearly 70 percent of the total and far outdistancing the other 200-plus countries in the world. The top 10 are the US, Brazil, India, South Korea, China, Russia, Turkey, Thailand, Romania and Poland.
  • The top seven countries hosting websites with a malicious reputation are also in the top 10 for hosting phishing, spam and malware/spyware sites.


So, what is the best way to deal with malicious traffic from these countries? If your organization can afford to block traffic from all of them or from selected ones, block the whole IP address range at the external router or firewall. Always aggregate the ranges into "supernets" before blocking, so that the firewall or router evaluates as few rules as possible. Keep in mind that country-level allocations are approximate and change over time, so the block list has to be refreshed from the registries periodically.

To get more information on the IP addresses allocation and whois lookup, use the following links

http://www.iana.org/assignments/ipv4-address-space/
http://ws.arin.net/whois/
http://ripe.net/
http://wq.apnic.net/apnic-bin/whois.pl
http://www.lacnic.net/cgi-bin/lacnic/whois
http://www.afrinic.net/cgi-bin/whois
http://ip-to-country.webhosting.info/book/print/5
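An added example, not from the original post, of the supernet aggregation recommended above: it takes a list of prefixes as you might paste them from a registry export, collapses them into the minimal covering set with the standard library's `ipaddress.collapse_addresses`, and renders the result as Cisco IOS-style extended ACL entries (wildcard-mask form). The prefixes are constructed from documentation ranges, not real country allocations, and the ACL name is a placeholder.

```python
"""Collapse a prefix list into supernets and emit block-list rules."""
import ipaddress

# Constructed sample (RFC 5737 documentation ranges), not real allocations.
SAMPLE_PREFIXES = [
    "203.0.113.0/25", "203.0.113.128/25",   # two halves -> one /24
    "198.51.100.0/24", "198.51.101.0/24",   # adjacent /24s -> one /23
    "198.51.100.0/26",                      # already covered; must disappear
    "192.0.2.0/24",
]


def to_supernets(prefixes):
    """Return the minimal covering set of networks, sorted, as strings."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ios_deny_lines(prefixes, acl_name="BLOCK-COUNTRY"):
    """Render the collapsed set as Cisco IOS-style named extended ACL entries.
    acl_name is a placeholder; adapt the syntax for other platforms."""
    lines = [f"ip access-list extended {acl_name}"]
    for n in ipaddress.collapse_addresses(
            ipaddress.ip_network(p, strict=False) for p in prefixes):
        # IOS wildcard masks are the inverse of the netmask (= hostmask)
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def covers(prefixes, address):
    """Would this address be blocked by the collapsed list?"""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in to_supernets(prefixes))


if __name__ == "__main__":
    print(f"{len(SAMPLE_PREFIXES)} prefixes -> {len(to_supernets(SAMPLE_PREFIXES))} supernets")
    print("\n".join(ios_deny_lines(SAMPLE_PREFIXES)))
```

Six input prefixes become three rules here; on a real per-country export the reduction is usually much larger, and the `covers` check is a quick way to confirm that a known-bad address still matches after aggregation.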

Friday, April 24, 2009

Spending Budget wisely

Where would you put your security budget? On client-side security, buying new endpoint protection or NAC because you know there are plenty of client-side exploits and users are one of the weakest links, or would you rather put that dollar into a new database monitoring tool? In these difficult economic conditions it is very important to understand where to put your money.

The new Verizon data breach report provides some of these answers. Here is some relevant data:

The report shows that for the big computer crime cases in 2008, the vast majority involved data from servers (online data in 94% of cases). End-user systems were involved in any part of a target in only 17% of all cases, and were part of the attack pathway in only about 1% of cases (one case out of 90, Figure 16). The same data, viewed by the percentage of records lost, shows that 99.9% of records were taken from servers, while just 0.01% were taken from end-user systems.

At the end of the day, organizations should identify their risks and determine where and how they should spend the money.

Thursday, March 12, 2009

SQL Injection #1 attack vector

The new WHID report notes that SQL injection was the #1 attack vector in 2008. One interesting snippet from the report, shown below, is that the #2 attack vector is "unknown". What does that tell us? The organizations that reported these incidents had no idea how they happened, and the most likely reason is that there was no instrumentation to look at the attack traffic and malicious behaviour. Monitoring is the key here: good logging, together with an understanding of what normal business traffic looks like, goes a long way toward understanding the threats and identifying incidents. Another reason could be that the internal staff were unable to identify attack vectors and decode malicious traffic.

Attack / Vulnerability Used    %
SQL Injection                  30%
Unknown                        29%
Cross-Site Scripting (XSS)      8%


The full report is available here