Info Sec News, Jan 19, 2009

Secure Coding and Application Dev
What is probably the most significant security news item of the past week is the release of SANS and Mitre of their Top 25 errors and how to fix them. It’s been said that around 85% of criminal activities on the net stem from the current crop of Top 25 flaws. The Top 25 list is divided into three broad categories namely: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

The PDF version of the Top 25 is available here.

The Software Assurance Forum for Excellence in Code (SAFECode) has made two publications available to help eliminate the Top 25 errors, its Guide to the Most Effective Secure Dev Practices in Use Today, and Software Assurance: An Overview of Current Industry Best Practices.

---

Social Engineering
A rehash of old tactics can be seen in an E-mail purportedly from Northwest Airlines (but actually carries a zipped trojan file), and malware spreading websites that claim US President elect Obama won’t be taking the oath of office on the 20th. This just strengthens the argument that your personnel and their security awareness training are now your first line of defense, and not your perimeter firewall.

This is related to the fake Christmas and holiday greetings that been sent every year for the past few years, which was seen again this past Christmas.

---

Malware
The Downadup (also known as Conficker) Worm versions A, B and C that exploits what Microsoft released an out of band patch for in late October ’08, and weak Admin passwords, is said to have infected an “amazing” 9 million PC’s according to F-Secure researchers. If you’re wondering how they got to this astonishing figure, check out F-Secure’s Blog.

(PC World) UK Ministry of Defence Stung by Rapidly Spreading Virus

---

Secure deletion, reuse or disposal
According to new research led by Craig Wright, it just takes one re-write to securely wipe the data from a hard drive. This talks about a complete sector by sector overwrite of a hard drive.

Articles on this can be found on Heise Security and SecurityFocus. The paper was presented at the Fourth International Conference on Information Systems Security (ICISS) in Hyderabad, India and can be purchased here.

---

Encryption
Heise Security has published an in depth article on how modern cryptological attacks are done in their article, “Cheap Cracks“.

---

Patches and Change Management
Oracle released fixes for 41 different flaws this month and Microsoft released a single patch that closed three flaws.

(Heise Security) Numerous security updates from Oracle
(Heise Security) Microsoft closes three holes in Windows
Microsoft issues patches for ‘nasty’ Windows bugs

A vulnerability in SAP GUI has also been found and a patch has been released and is available to registered SAP users.

---

Other InfoSec News:
In relation to the Anonymization article I wrote about a few days ago, the makers of Tor has announced that their software has zero known bugs.

(Computerworld) Two big, bad botnets gone, but replacements step up

(Computerworld) Critical security projects escape the budget ax

(Heise Security) Banking details can be stolen through a new JavaScript exploit

(Computerworld) Six Worst Internet Routing Attacks

(GO San Angelo.com) US Air Force planning to train hundreds yearly in cyber warfare skills

(Information Week) Thief Steals Sony Ericsson Prototypes

The Windows 7 Beta Team has removed the 2.5 million download limit as stated in the Windows 7 Blog. People can get the Beta until January 24.

Secunia Advisories

---

Tips:

(Computerworld) How to Secure your Vista PC in 10 easy steps

(Computerworld Blog) Removing malware from an infected PC

The Windows Security Blog has announced a new Beta called Sundance that could help secure Windows and Office 2007 installations.

In relation to what I wrote about around a month ago regarding wireless networks, the crack in the WPA protocol only affects the TKIP version and not AES, so the solution is to simply switch from TKIP to AES as is detailed in this article from Search Security.com, “Cracks in WPA? How to continue protecting Wi-Fi networks“.

(PC Magazine) The Top Tech Tips of 2008 Part 1

(PC Magazine) The Top Tech Tips of 2008 Part 2

Advertisement

SPAM drops, DDoS Attacks, Whitepapers

There’s apparently been a huge drop in SPAM after two ISPs were cut off.
Stories from Washington Post, and BBC. Brian Krebs of the Wash Post also talks about this in his Security Fix Blog.

---

More ISPs are allocating resources for DDoS attacks according to Arbor Network’s 2008 Worldwide Infrastructure Security Report. A related article is on ZDNet and an article on Vunet talks about ISP’s fear on IPv6 threats.

A study by Google, presented at the RIPE Meeting in Dubai reports that France and Russia are ahead in IPv6 .

---

Security Focus reports that, “Anti-malware testing group releases standards“, and they can be downloaded here.

---

SANS will also have a Webcast on Understanding the WPA/WPA2 Break.

Since we’re on the topic of webcasts, SourceBoston’s 2008 Conference from March of this year have been up on Blip.tv for a while now. They have great presentations on Incident response, Secure Coding, etc.

---

And since I enjoyed Schneier’s essay on, “The Psychology of Security“, I just thought that InfoSec professionals would find it funny that the Washington Times reports that Paranoia is on the rise :).

---

SC Magazine Whitepaper Roundup

Top five strategies for combating modern threats – is anti-virus dead?
By: Sophos Plc.
Today’s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce. Organizations need innovative approaches to protect the web, email servers and endpoint. This paper discusses the security implications of modern…

Complying with the Payment Card Industry’s Data Security Standard
By: DeviceLock, Inc.
The Payment Card Industry Data Security Standard (PCI DSS) was drawn up in order to reduce leakage and inappropriate use of credit card information. It contains over 100 clear information security requirements for all companies who process, store or transfer data about cardholders: banks, processing…

Addressing the Operational Challenges of Administrative Passwords
By: ManageEngine
Enterprises making use of various IT systems (servers, devices, applications etc.) face numerous challenges due to the proliferation of administrative passwords (also called as privileged passwords). This white paper discusses the problems associated with administrative password proliferation with…

Tripwire PCI DSS Solutions- Automated, Continuous Compliance
By: Tripwire, Inc.
Find out step-by-step what it takes to become compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), and how Tripwire can help your company achieve and maintain PCI compliance.

Malware Security: Taking the Botnet Threat Seriously
By: FireEye, Inc.
How does malware continue to infiltrate networks? Primarily because traditional defenses only address the threat in pieces and parts, which leaves gaps in the enterprise security infrastructure. Meanwhile, malware has become organized to form massive ‘botnets’ (networks of compromised…

ComputerWorld Technical Briefing: Mission-Critical Security – The Threat from Within
By: PacketMotion
We all know blind spots are bad for drivers but are you aware of how potentially disastrous they can be for IT security professionals? Take a few minutes to review this Computerworld report and you’ll get a clear picture of both the problem and the solution!.

Automating Code Reviews: How to Manage Application Risk on a Shrinking Budget
By: Veracode
In a tightening economy many organizations are faced with a “do more with less” mandate on their budgets and their security strategies. On-demand application security testing offered as an outsourced service – based on binary analysis and multiple scanning technologies…

Database Auditing Tools and Strategies
By: Sensage
Learn about a new set of software tools that provide low overhead audit collection with storage, alerting and reporting capabilities. This paper details the trade-offs and strategy of each option.

Info Sec News: Nov 11, 2008

Maybe we should revisit our Cybercrime Bill, which hasn’t been approved and is in our congress for a second reading after a scant 8 years. Why? because Pakistan’s version of the bill, includes cyber-terrorism being punishable by death.

If you’re interested on articles on the Philippine version of the Cybercrime bill, there’s one from MB.com.ph from Nov 2007 by Melvin Calimag, “Cybercrime Law for RP long overdue.” Another article by the same author came out in April of this year on, “NBI exasperated over delay of cybercrime bill, hits CICT.”

News about the former Intel employee who works for AMD, that stole information with an estimated cost of over $1 billion in R&D development, can be found in CNET, and USA Today.

“A New York man has been charged with aiding the alleged leader of the hacking gang accused of stealing more than 40 million credit and debit card numbers from stores owned by TJX Companies and other companies.” reports this article from The Register.

On the Mobile Security front, a researcher says Google’s Android may not need antivirus software. Btw, older versions of G1’s software were vulnerable to an exploit that allows telnet root access discussed here and here.

The New York Times reports that DDOS attacks have been growing more potent, increasing from around half a megabit 7 years ago, to around 40 gigabits.

Three people pleaded guilty to hacking Citibank ATM cards who were able to steal $2 million in a span of four months. Maybe Manny Pacquiao should think about learning how to hack when he retires, especially since the Philippines has no Cybercrime bill, hehehe 🙂

Two Los Angeles traffic engineers admitted to hacking related to contract negotiations. Aren’t we just happy in Manila that our traffic light system uses 60’s technology? 🙂

The Financial Times and SC Magazine US, have reported to computers that were breached in the White House. The prime suspect are Chinese hackers.

Other News:

Security experts reveal details of WPA hack, their 12 page paper can be downloaded in pdf format here.

Vietnamese teams won the first and second prizes in a contest called “Capture The Flags”, part of the Hack in the Box Security Conference 2008 (hackinthebox.org) in Kuala Lumpur, Malaysia in late October

Australian Federal Police have launched a high-level investigation into a security breach involving confidential Australian diplomatic cables and police documents that were left in open files on a computer and read by guests at a hotel in Nepal.

Wouldn’t our government employees wish they have a DRP Site like this on in Bermuda?

A former prison inmate has been arrested and charged with hacking the facility’s computer network, stealing personal details of more than 1,100 prison employees and making them available to fellow inmates.

Wireless Hacking part 2

Yesterday, I had a post on Using Nmap to detect Rouge Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages on wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

For the history buffs, there is a A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

News from SC Magazine US, SecurityFocus.com and Heise Security just came out that WPA can now be cracked in around 15 minutes.

The SecurityFocus.com news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng toolsuite.

I remember a few months ago Risky Business podcasts interviewed the maker of Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and its automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.

If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at the BlackHat, this year. In case you’ve never heard of the “Wall of Sheep”, its a wall with a projection of Usernames and part of the passwords for the users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using the default https, but just for log-on) through the use of replay attacks. Apple iPhones and Window’s mobile phones have also shown up.

Since you’ll want to save some of the information from the KARMA+Metaploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One which retails for around $350, and Lenovo Ideapad S10 which retails for around $400, would both be great for this.

Since its related, there’s an On Demand Webcast sponsored by Nokia on, Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.

Using Nmap to detect rogue Wireless Access Points

Pauldotcom interviewed Gordon “Fyodor” Lyon (the Nmap dude) back in Sept 24. Check out the transcript of the interview here.

Direct audio download of the show can be found here.

If you use Nmap, Paul Asadoorian, GCIA, GCIH (who started the website), also released a script for the new version of Nmap (4.76) here.

Other wireless tools you can use can be found in the Top 5 Wireless Tools page of the insecure.org site. The likes of Kismet, NetStumbler, Aircrack-ng, Airsnort and KisMac are all there.

I am both amazed and appalled by the current state of wireless security in the Manila area. Although its probably better than when Van Hauser checked it out back in 2004, users still aren’t aware of how dangerous it is to pass off confidential or private information using wireless access points. Back in June 2008, Inquirer posted this on the FBI warning wi-fi users.

Recent articles regarding cracking of Wireless Access Points using Nvidia cards can be found in SCmagazineUK and Heise Security.

A dated (May 2007) blog on WPA cracking might be interesting to you, an even older video (2005) with a really annoying soundtrack can also be found online. You may also want to check this out.

On the lighter side, I found two articles on hacking for smartbro. Here and here. One of which should be reserved for April fools, the other for more adventurous people.

---

Speaking on wireless security and its problems, here’s a 36 minute video from the IT Briefing Center on
The Evolution of the Wireless Enterprise: Networking in a World Without Wires sponsored by Motorola. It talks about the cost savings of going wireless, additional benefits of going wireless and there’s a case study they cite on using wireless for the healthcare industry.

---

On a totally different topic, and since I can’t get enough of web app security (aside from security metrics), here’s a 25 minute podcast by Gartner, sponsored by IBM entitled, “Stay Ahead of the Hackers: Strategies to Protect your Web Applications – and Your Organization“.

---

Gartner also has a 27 minute video on “Using Secure Remote Management to Drive the Convergence of IT Operations and Security Compliance” also from the IT Briefing Center.