Monday, May 25, 2009

Around The Horn vol.1,107

—Happy Memorial Day! Semper Fi!

Orange.fr compromised - 245,000 clear text passwords exposed?

By Rik Ferguson on SQL Injection

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)   It looks like HackersBlog have come out of retirement, and with a bang. (see here for an earlier interview I did with HackersBlog)   They have posted a couple of stories this month, one regarding a SQL injection [...]

Facebook phishing using Belgium (.be) domains, (Sun, May 24th)

This is not new or exciting, but as we have received several reports during the weekend (thanks to a ...(more)...

Analyzing malicious PDF documents, (Sun, May 24th)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it see ...(more)...

IIS admins, help finding WebDAV remotely using nmap, (Sun, May 24th)

If you are concerned about the recent unpatched IIS 6.0 WebDav Remote Auth Bypass vulnerability (CVE ...(more)...

IT Managers Feel Pressured to Relax Security Policies (May 20, 2009)

According to a recent survey of 1,300 IT managers, 86 percent said they were being pressured by company executives, marketing departments, and sales departments to relax web security policies to allow access to web-based platforms such as Google Apps.......

GAO Report Says Federal Agencies Still Have Security Control Deficiencies (May 21, 2009)

According to a report from the US Government Accountability Office (GAO), all but one of the 24 major government agencies have weak data access control in their information security programs.......

Deleted Photos Do Not Always Disappear Right Away (May 21, 2009)

Researchers have found that photos posted on social networking websites are sometimes available even after users have deleted them.......

Defense Lawyer in Palin eMail Hacking Case Says Messages Already a Matter of Public Record (May 20, 2009)

A lawyer on the defense team for David Kernell, the Tennessee college student accused of illegally accessing the emails of Alaska Governor and then-vice-presidential candidate Sarah Palin, says that a judge had already declared Palin's emails to be a matter of public record.......

Malware Infects Computers at US Marshals Service and FBI (May 21, 2009)

Part of the computer system at the US Marshals Service was shut down Thursday morning after malware was detected.......

Missing Hard Drive Holds Clinton Presidency Data (May 19 & 20, 2009)

Federal investigators are looking into the disappearance of a hard drive from the US National Archives facility in College Park, Maryland.......

Java Flaw Still Unpatched in OS X (May 19 & 20, 2009)

In December 2008, Sun Microsystems warned of a flaw in its Java virtual machine that could be exploited to execute code on vulnerable computers.......

Adobe to Establish Regular Security Updates (May 20 & 21, 2009)

Adobe has announced that it will institute a quarterly security update schedule for its Reader and Acrobat products to harden code and improve its response to reported security flaws.......

Laptop Stolen From Car Holds UK Soldiers' Data (May 20, 2009)

A laptop computer stolen from a parked car near Edinburgh holds personally identifiable information of thousands of soldiers.......

Former Texas State Lottery Employee Arrested for Alleged Data Theft (May 20, 2009)

A man who used to work for the Texas state lottery has been arrested and charged with possession of personally identifiable information of 140 lottery employees and winners.......

Ball State Server Breach Not Due to IIS Flaw (May 21, 2009)

Ball State University network administrators now say that a computer security breach at the Muncie, Indiana school was due to misuse of an authorized Ball State user account and not to an exploit of a known zero-day privilege elevation vulnerability in Microsoft's Internet Information Services (IIS) web server, as was previously reported.......

Interesting Opportunities for both AJAX Technologies and Hacking Communities

XMLHttpRequest, the backbone of Web 2.......

HP Remote Graphics Software (RGS) Sender Running Easy Login, Unauthorized Access

Coppermine Photo Gallery Cross-Site Scripting

MyBB Cross-Site Scripting Vulnerability

TIBCO SmartSockets Stack Buffer Overflow Vulnerability

Microsoft PowerPoint Integer Overflow Vulnerability

Remote exploitation of an integer overflow vulnerability in Microsoft Corp.'s PowerPoint could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs during the parsing of two related PowerPoint record types. The first record type is used to specify collaboration information for different slides. One of the fields in this record contains a 32-bit integer that is used to specify the number of a specific type of records that are present in the file. This integer is used in a multiplication operation that calculates the size of a heap buffer that will be used to store the records as they are read in from the file. The calculation can overflow, resulting in an undersized heap buffer being allocated. By providing a large value for the record count, and inserting enough dummy records, it is possible to trigger a heap based buffer overflow.
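The advisory above describes a classic pattern: a 32-bit record count read from the file is multiplied by a record size to compute a heap allocation, the product wraps, and the resulting buffer is too small for the records that follow. The Python below is an added example (not the advisory's code, and not PowerPoint's real record format) that models that arithmetic with explicit 32-bit masking and shows the two checks a parser needs: an overflow-safe size computation and a bound on the count against the bytes actually remaining in the file. The record size, the container layout and the sample bytes are all constructed for illustration.

```python
"""Added example: the count * size allocation pattern from the PowerPoint advisory,
modelled in Python with explicit 32-bit arithmetic.  RECORD_SIZE, the container
layout (4-byte little-endian count + records) and the sample bytes are constructed;
they are not PowerPoint's real record format."""
import struct

RECORD_SIZE = 16            # constructed per-record size in bytes
U32_MASK = 0xFFFFFFFF       # width of the 32-bit integer the advisory describes


def buffer_size_unchecked(count):
    """What a 32-bit multiply does silently: the product wraps modulo 2**32,
    so a huge count can yield a tiny allocation."""
    return (count * RECORD_SIZE) & U32_MASK


def buffer_size_checked(count):
    """Overflow-safe version: reject any count whose product does not fit in
    32 bits.  Returns None instead of a wrapped (undersized) size."""
    if count > U32_MASK // RECORD_SIZE:
        return None
    return count * RECORD_SIZE


def parse_records(blob):
    """Parse the constructed container: a 4-byte little-endian record count
    followed by `count` records of RECORD_SIZE bytes each.

    Raises ValueError on any inconsistency instead of trusting the count."""
    if len(blob) < 4:
        raise ValueError("truncated header")
    (count,) = struct.unpack_from("<I", blob, 0)

    # Check 1: the size computation itself must not wrap.
    size = buffer_size_checked(count)
    if size is None:
        raise ValueError("record count overflows 32-bit size computation")

    # Check 2 (independent of check 1): the file must actually carry that
    # many bytes.  A count that passes the overflow check can still be a lie.
    payload = blob[4:]
    if size > len(payload):
        raise ValueError("record count exceeds remaining file length")

    return [payload[i:i + RECORD_SIZE] for i in range(0, size, RECORD_SIZE)]


if __name__ == "__main__":
    # A count of 0x10000001 times 16 is 0x100000010; truncated to 32 bits it is 16.
    print("wrapped size:", buffer_size_unchecked(0x10000001))
    print("checked size:", buffer_size_checked(0x10000001))
    good = struct.pack("<I", 2) + b"A" * 32      # constructed, consistent container
    print("records parsed:", len(parse_records(good)))
```

The second check is the one that is easy to forget: even with saturating or overflow-checked multiplication, a parser that allocates from a file-supplied count before confirming the file is large enough to hold those records is still allocating on the attacker's word.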

From Facebook to Twitter, Tips for Dealing With Phishers

Phishers using Twitter and Facebook is nothing new, but the security community expects it is only a matter of time before social networks are used as a launch pad for phishing attacks against enterprises. Here are a few tips to keep in mind when talking to your employees about phishing.
- Two of the Web's most popular social networks, Facebook and Twitter, made the news last week when they were hit with phishing scams. Despite the publicity, most phishers targeting enterprise data are not hooking victims via social networks - at least not yet. "We've yet to respond to an incident wher...

Defender's Dilemma vs Intruder's Dilemma

By Richard Bejtlich

This is a follow-up to my post Response for Daily Dave. I realized I had a similar exchange three years ago, summarized in my post Response to Daily Dave Thread. Since I don't seem to be making much progress in this debate, I decided to render it in two slides.
First, I think everyone is familiar with the Defender's Dilemma.

The intruder only needs to exploit one of the victims in order to compromise the enterprise.
You might argue that this isn't true for some networks, but in most places if you gain a foothold it's quickly game over elsewhere.
What Dave and company don't seem to appreciate is that there is a similar problem for attackers. I call it the Intruder's Dilemma.

The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.
What's interesting about this reality is that it applies to a single system or to a collection of systems. Even if the intruder only compromises a single system, the variety of indicators available make it possible to detect the attacker. Knowing where and when to look, and what to look for, becomes the challenge. However, as the scope of the incident expands to other systems, the probability of discovery increases. So, perversely, the bigger the incident, the more likely someone is going to notice.
Whether or not you can actually detect the intruder's presence depends on the amount of visibility you can achieve, and that is often outside the control of the security team because the security team doesn't own computing assets. However, this point of view can help you argue why you need the visibility to detect and respond to intrusions, even though you can't prevent them.

Response for Daily Dave

By Richard Bejtlich

Recently on the Daily Dave mailing list, Dave Aitel posted the following:
...The other thing that keeps coming up is memory forensics. You can do a lot with it today to find trojan .sys's that hackers are using - but it has a low ceiling I think. Most rootkits "hide processes", or "hide sockets". But it's an insane thing to do in the kernel. If you're in the kernel, why do you need a process at all? For the GUI? What are we writing here, MFC trojans? There's not a ton of entropy in the kernel, but there's enough that the next generation of rootkits is going to be able to avoid memory forensics as a problem they even have to think about. The gradient here is against memory forensics tools - they have to do a ton of work to counteract every tiny thing a rootkit writer does.
With exploits it's similar. Conducting memory forensics on userspace in order to find traces of CANVAS shellcode is a losing game in even the medium run. Anything thorough enough to catch shellcode is going to have too many false positives to be useful. Doesn't mean there isn't work to be done here, but it's not a game changer.

Since I'm not 31337 to get my post through Dave's moderation, I'll just publish my reply here:
Dave and everyone,
I'm not the guy to defend memory forensics at the level of an Aaron Walters, but I can talk about the general approach. Dave, I think you're applying the same tunnel vision to this issue that you apply to so-called intrusion detection systems. (We talked about this a few years ago, maybe at lunch at Black Hat?)
Yes, you can get your exploit (and probably your C2) by most detection mechanisms (which means you can bypass the "prevention" mechanism too). However, are you going to be able to hide your presence on the system and network -- perfectly, continuously, perpetually? (Or at least as long as it takes to accomplish your mission?) The answer is no, and this is how professional defenders deal with this problem on operational networks.
Memory forensics is the same. At some point the intruder is likely to take some action that reveals his presence. If the proper instrumentation and retention systems are deployed, once you know what to look for you can find the intruder. I call this retrospective security analysis, and it's the only approach that's ever worked against the most advanced threats, analog or digital. [1] The better your visibility, threat intelligence, and security staff resources, the smaller the exposure window (compromise -> adversary mission completion). Keeping the window small is the best we can do; keeping it closed is impossible against advanced intruders.
Convincing developers and asset owners to support visibility remains a problem though.
Sincerely,
Richard
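Both of Bejtlich's posts above rest on the same operational claim: a defender who retains telemetry and later obtains indicators can search backwards, and one hit on any host is enough to open an incident, with the set of hosts that match describing the incident's scope. The Python below is an added example, not Bejtlich's code, that sketches that retrospective search over constructed host telemetry. The hosts, indicator values and day numbers are invented; the one point it adds beyond the prose is the retention caveat: evidence that has aged out of storage before the indicators arrive cannot be found, no matter how good the indicators are.

```python
"""Added example: retrospective search of retained telemetry against indicators
learned later.  Not Bejtlich's code.  Hosts, indicator values and day indices
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int      # constructed day index on which the event was recorded
    host: str
    kind: str     # telemetry type: "process", "dns" or "netflow"
    value: str


# Constructed telemetry from four hosts.  ws-03 never touches anything suspicious;
# ws-02 runs the legitimate svchost.exe path, which must not match.
RETAINED_EVENTS = [
    Event(1, "ws-01", "process", r"C:\Windows\Temp\svchost.exe"),
    Event(1, "ws-01", "dns", "update-check.example-cdn.test"),
    Event(5, "ws-02", "netflow", "203.0.113.7:443"),
    Event(5, "ws-02", "process", r"C:\Windows\System32\svchost.exe"),
    Event(6, "ws-03", "dns", "mail.example.test"),
    Event(9, "ws-04", "dns", "update-check.example-cdn.test"),
    Event(9, "ws-04", "netflow", "203.0.113.7:443"),
]

# Indicators that arrive on day 10, after the intrusion has already spread
# (constructed values, not real IoCs).
INDICATORS = {
    "dns": {"update-check.example-cdn.test"},
    "netflow": {"203.0.113.7:443"},
    "process": {r"C:\Windows\Temp\svchost.exe"},
}


def retrospective_search(events, indicators, today, retention_days):
    """Match retained events against indicators learned on `today`.

    Only events still inside the retention window can be searched; anything
    older has been discarded and is invisible to the analyst.
    Returns {host: earliest day an indicator was seen on that host}."""
    earliest = {}
    for ev in events:
        if today - ev.day >= retention_days:
            continue  # aged out of storage before the indicators arrived
        if ev.value in indicators.get(ev.kind, ()):
            earliest[ev.host] = min(earliest.get(ev.host, ev.day), ev.day)
    return earliest


def incident_scope(events, indicators, today, retention_days):
    """The Intruder's Dilemma in practice: a single hit anywhere opens an
    incident, and the sorted host list tells the responder how far it spread."""
    return sorted(retrospective_search(events, indicators, today, retention_days))


def detection_probability(p_per_indicator, n_indicators):
    """P(at least one of n independent indicators is noticed) when each is
    noticed with probability p: the larger the incident's footprint, the
    more likely someone sees it."""
    return 1.0 - (1.0 - p_per_indicator) ** n_indicators


if __name__ == "__main__":
    # With 30 days of retention every compromised host is recoverable, back to day 1.
    print("30-day retention:", retrospective_search(RETAINED_EVENTS, INDICATORS, 10, 30))
    # With 7 days of retention the patient-zero evidence on ws-01 is already gone.
    print(" 7-day retention:", retrospective_search(RETAINED_EVENTS, INDICATORS, 10, 7))
    print("P(detect | 10 indicators at 10% each):", round(detection_probability(0.1, 10), 4))
```

Run with 30 days of retention the search recovers all three compromised hosts and dates the intrusion to day 1; with 7 days it still opens the incident (ws-02 and ws-04 match) but the earliest evidence on ws-01 has already been discarded, so the exposure window is underestimated. That is the concrete form of the post's point that retention, not just instrumentation, is what makes retrospective analysis work.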
