Deeper Matter

US Deputy Secretary of Defense confirms virus attack

Article: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Author: http://www.defense.gov/bios/biographydetail.aspx?biographyid=171

Related Links:
http://www.wired.com/dangerroom/2008/11/army-bans-usb-d/
http://articles.latimes.com/2008/nov/28/nation/na-cyberattack28

Mozilla does it their way

[i]Thank you Mozilla!

In recent years we have become used to selling our soul for access to useful online services, usually in the form of intimate data. For example, Google’s Chrome browser offers me the ability to synchronise my bookmarks across multiple computers, but the price I have to pay is that I share my surfing habits with a company that earns its money analysing such data.

The new Firefox Sync synchronisation platform from the Mozilla team however, will ensure that the server operators have no access to my data. The bookmarks, form data and other information that is stored is encrypted with a pass phrase, so all that the Mozilla servers see is encrypted gibberish. Because this pass phrase – which is different from my user name and password for my Mozilla account – stays on my local computer, Mozilla has no way to get at the plain text data.

Mozilla has shown that there is an alternative way to the Google way and we have a choice. It’s up to us as users to show that this kind of privacy matters and that we appreciate the choice. So, again, thank you Mozilla. Hopefully in the future there will be more online services that work with a Mozilla-style privacy respecting interface instead of a Google-style information hoarding interface.[/i]

Author: Juergen Schmidt [ju@heisec.de] (Editor in Chief - heise Security)

Related Links:
https://mozillalabs.com/sync/
http://groups.google.com/group/mozilla-labs-weave
https://addons.mozilla.org/en-US/firefox/addon/10868/
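The design the post praises, where the server stores only ciphertext and the key never leaves the user's machine, as an added example in Go. This is not Mozilla's code and not how Firefox Sync actually derives its keys: here the passphrase is stretched with PBKDF2-HMAC-SHA256 (written out inline) and the record is sealed with AES-256-GCM. The SyncRecord type, the iteration count and all function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// SyncRecord is everything a hypothetical sync server stores. The passphrase, and
// the key derived from it, exist only on the client.
type SyncRecord struct {
	Salt       []byte // random per record; public
	Nonce      []byte // random per encryption; public
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

const kdfIterations = 100_000 // illustrative work factor

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out so the example
// needs only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey turns the user's passphrase into a 256-bit AES key.
func deriveKey(passphrase string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForSync runs on the client. The salt is bound in as associated data so a
// record cannot be re-attached to a different salt.
func EncryptForSync(passphrase string, plaintext []byte) (SyncRecord, error) {
	salt := make([]byte, 16)
	rand.Read(salt)
	aead, err := newGCM(deriveKey(passphrase, salt))
	if err != nil {
		return SyncRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return SyncRecord{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, salt)}, nil
}

// DecryptFromSync runs on a second client that knows the passphrase. A wrong
// passphrase or a modified record fails the GCM tag check and yields no data.
func DecryptFromSync(passphrase string, rec SyncRecord) ([]byte, error) {
	aead, err := newGCM(deriveKey(passphrase, rec.Salt))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, rec.Salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered record")
	}
	return pt, nil
}

// ServerSeesPlaintext is the operator's view: with nothing but the stored record,
// does the bookmark appear in the clear?
func ServerSeesPlaintext(rec SyncRecord, bookmark []byte) bool {
	return bytes.Contains(rec.Ciphertext, bookmark)
}
```

The point of the split between account password and sync passphrase in the post is visible here: the server can authenticate the upload however it likes, but with only Salt, Nonce and Ciphertext in hand it cannot recover the bookmark, and a second device needs the passphrase, not the account credentials, to read it. The same property also means a forgotten passphrase cannot be reset by the operator.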

yeah, the problem is that Mozilla Sync might be more secure, and I know it is, it’s still as broken as Google Chrome Sync ;D Both are extremely buggy. Chrome sync can suddenly delete the data ;D cool 8) I’ve experienced it twice already, and Firefox Sync crashes Firefox off and on, or refuses to sync etc… There are better and more controllable syncing alternatives. Oh yeah, with Firefox, you can’t even see your own data on the server, it’s also secured against you ;D

Thanks for that Asyn

Microsoft’s Security Development Lifecycle under Creative Commons License

[i]Microsoft is to change the license for its process for developing secure software. In future, the company’s Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on “trustworthy computing”. The resulting programme was intended to make security an integral part of the company’s software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.

David Ladd, Principal Security Program Manager at Microsoft, has announced that the first two documents to be placed under the new license will be a white paper entitled “Simplified Implementation of the Microsoft SDL” and “Microsoft Security Development Lifecycle (SDL) – Version 5.0”, a guide to how the company uses SDL in its product development. These can be expected within the next few weeks. According to Ladd, the company will also be going through other content on the SDL portal and relicensing it as appropriate. SDL tools are not affected by the licensing change, but will continue to use Microsoft licenses.[/i]

Author: Alexander Neumann [ane@heise.de]

Related Links:
http://www.microsoft.com/security/sdl/default.aspx
http://creativecommons.org/licenses/by-nc-sa/3.0/
http://www.microsoft.com/downloads/details.aspx?FamilyID=0baff8e8-ab17-4e82-a1ff-7bf8d709d9fb&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=7d8e6144-8276-4a62-a4c8-7af77c06b7ac&displaylang=en
http://blogs.msdn.com/b/sdl/archive/2010/08/26/microsoft-sdl-and-the-creative-commons.aspx
http://www.microsoft.com/security/sdl/getstarted/tools.aspx
[German only] http://www.heise.de/developer/artikel/Sichere-Softwareentwicklung-nach-dem-Security-by-Design-Prinzip-403663.html

Anti-Clickjacking
Busting Frame Busting - a Study of Clickjacking Vulnerabilities on Popular Sites

Article: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Authors: Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson

Thanks for the information in the above posts, Asyn. :slight_smile:

PS3 hack source code published

[i]Nearly four years after its launch, hackers have finally succeeded in jailbreaking the Playstation 3 (PS3) game console and circumventing its copy protection system. Just days after Sony obtained an injunction preventing the sale of a USB dongle for jailbreaking the PS3, hackers have now published source code under the name “PSGroove”. This apparently allows a programmable USB development board with an AT90USB microcontroller to be used to circumvent the PS3’s security systems and execute unsigned code. In contrast to the PS3 jailbreak, currently PSGroove can’t be used to illegally copy PS3 games.

The PS3 jailbreak and PSGroove reportedly attack consoles running firmware version 3.41 by simulating a USB hub with six devices on an Atmel microcontroller-based developer board, and sending crafted configuration descriptors to the PS3 when first connected. The descriptor is used by USB devices to indicate how many connections it possesses and whether it has an external power supply. Very long descriptors cause buffer overflows on the PS3, allowing code to be injected onto the stack and executed.

In order to circumvent the copy protection mechanism, the simulated USB hub proceeds through a number of steps and emulates connecting various devices in a specific sequence. In doing so, it triggers a series of buffer overflows allowing it to write various pieces of data and code to the stack. The final step is to execute the code.

Source code for PSGroove is widely available and is currently hosted on GitHub. Developer boards suitable for the hack are available for as little as $18. Publication of the source code appears to have stimulated significant demand for suitable boards – some online shops are already sold out.

Because the attack is specifically tailored to version 3.41, Sony can issue a firmware update to fix the security vulnerability. While the software/firmware updates from Sony are optional, only users with the latest release of the firmware can sign into the Playstation Network (PSN) to buy or play games online. Additionally, some Blu-ray movies and new disc-based games may also refuse to run if the system does not have the latest firmware. This is likely to trigger a new race between hacker attacks and security updates from Sony.[/i]

Authors: Daniel Bachfeld / Hartmut Gieselmann

Related Links:
http://www.youtube.com/watch?v=4jOEbZEkp9A&feature=player_embedded#!
http://www.psjailbreak.com/index.php
http://www.reghardware.com/2010/08/31/sony_modchip_ban/
http://www.atmel.com/dyn/products/tools_card.asp?tool_id=3879
http://www.beyondlogic.org/usbnutshell/usb5.htm
http://github.com/psgroove/psgroove

Microsoft hardening tool with graphical user interface

[i]Version 2.0 of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) offers easier access through a brand new graphical user interface (GUI) and supports new protective functions. EMET gives developers, administrators and users who are willing to experiment the ability to activate certain protective mechanisms in existing binaries, even if a program’s source code isn’t available.

EMET can prevent or mitigate various attack techniques. Microsoft’s Structured Exception Handler Overwrite Protection (SEHOP) feature is designed to prevent (Structured) Exception Handlers (SEH) from being overwritten on the stack or in a data segment. This is in contrast to return addresses being overwritten via buffer overflows and involves attackers executing arbitrary code by redirecting function pointers.

EMET 2.0 is also designed to prevent null-page allocations that can be exploited in connection with null-pointer dereferences. Microsoft’s tool also allows users to enable Dynamic DEP (DDEP) in applications. This allows the Data Execution Prevention feature to be enabled and disabled at run-time.

Compared to the previous version, the latest release includes new Address Space Layout Randomisation (ASLR) and the Export Address Table Access Filtering (EAF) features that prevent injected shell code from accessing certain APIs. However, if the settings are too strict, this can cause some applications to malfunction. The company freely admits in the documentation that some of the protective mechanisms can be bypassed. Microsoft has released a video tutorial for EMET 2.0 to explain the basics as well as the specifics of EMET’s operation.

In case of compatibility issues, selected protective functions can be enabled for individual applications. The toolkit is also designed to harden against attacks those applications that don’t automatically use any of the exploit protection mechanisms available in modern versions of Windows. In early July, security firm Secunia had been critical of the fact that many third-party applications use neither DEP nor ASLR although these mechanisms can make exploits less effective.

This was also confirmed by independent security experts and exploit writers such as Charlie Miller, Jon Oberheide and Dino Dai Zovi in an interview with Dennis Fisher on Threatpost. The experts said that it is becoming increasingly difficult to exploit traditional security holes, and that the anti-exploit features are one of the reasons for this. Apparently, attackers increasingly need to use a multi-stage approach and also exploit logical flaws to be successful.[/i]

Author: Chris von Eitzen [crve@h-online.com]

Related Links:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a8a9171-5a11-4d58-aa34-95c855f69c39&pf=true
http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
http://threatpost.com/en_us/blogs/easily-exploitable-bugs-becoming-precious-commodity-090110
http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx

Update: http://www.h-online.com/security/features/Damage-limitation-Mitigating-exploits-with-Microsoft-s-EMET-1102501.html

Tremendous amount of information, Asyn. Many thanks.

Workaround for ASP.NET server’s encryption vulnerability

[i]In a security advisory Microsoft has confirmed the vulnerability in the process used by ASP.NET applications to encrypt cookies and other session information. In the announcement for the security advisory, Microsoft said it was not, so far, aware of any attacks. However, the security group do encourage users to “review the advisory for mitigations and workarounds”. A blog entry describes how to implement the workarounds and offers a script to help administrators determine whether their ASP.NET applications are vulnerable.

The cause of the problem was highlighted last week by security researchers Juliano Rizzo and Thai Duong who established that there was an issue with how the ASP.NET framework encrypted data. Usually, this uses the Advanced Encryption Standard (AES) in Cipher Block Chaining mode (CBC), but this mode is vulnerable to what are called Padding Oracle Attacks which can allow encrypted data, such as cookies, to be decrypted without the key.[/i]

Author: Alexander Neumann [ane@heise.de]

Related Links:
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
http://www.isg.rhul.ac.uk/~kp/padding.pdf
http://www.asp.net/
http://ekoparty.org/juliano-rizzo-2010.php

Update: SharePoint affected by ASP.NET vulnerability
http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

Update #2: Out of Band Release to Address Microsoft Security Advisory 2416728
http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx
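The weakness the article describes, as an added example in Go rather than ASP.NET's own code. DecryptUnauthenticated decrypts CBC data and reports a padding failure as a distinct error: that distinguishable response is the oracle. OpenAuthenticated verifies an HMAC over the ciphertext before decrypting anything and returns one uniform error for every failure. DistinctOutcomes counts how many different responses someone who modifies a ciphertext byte gets back from each decryptor, without carrying out any recovery of the plaintext. The cookie value, the key handling and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var (
	ErrBadPadding = errors.New("invalid padding")       // a distinct error: this is the oracle
	ErrAuth       = errors.New("authentication failed") // the only error the hardened path ever returns
)

// cbcEncrypt returns iv || AES-CBC(plaintext || PKCS#7 padding) under a fresh random IV.
func cbcEncrypt(key, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes, so no error is possible
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// DecryptUnauthenticated decrypts, then checks padding and reports its failure as its own error.
func DecryptUnauthenticated(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	block, _ := aes.NewCipher(key) // see cbcEncrypt
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding // the response an oracle attack keys on
	}
	return pt[:len(pt)-n], nil
}

// SealAuthenticated is encrypt-then-MAC: iv || ciphertext || HMAC-SHA256(macKey, iv || ciphertext).
func SealAuthenticated(encKey, macKey, plaintext []byte) []byte {
	ct := cbcEncrypt(encKey, plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct)
}

// OpenAuthenticated verifies the tag in constant time before decrypting and maps every failure to ErrAuth.
func OpenAuthenticated(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, ErrAuth
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	if pt, err := DecryptUnauthenticated(encKey, ct); err == nil {
		return pt, nil
	}
	return nil, ErrAuth // unreachable for an authentic message, but never leak the reason
}

// DistinctOutcomes sets data[pos] to each of the 255 other values and counts the different responses
// decrypt gives: 1 means tampering tells the caller nothing, 2 or more means the decryptor is an oracle.
func DistinctOutcomes(data []byte, pos int, decrypt func([]byte) ([]byte, error)) int {
	seen := map[error]bool{}
	for v := 0; v < 256; v++ {
		if byte(v) == data[pos] {
			continue
		}
		tampered := append([]byte(nil), data...)
		tampered[pos] = byte(v)
		_, err := decrypt(tampered)
		seen[err] = true // a nil error ("decryption succeeded") is an outcome of its own
	}
	return len(seen)
}

// Demo encrypts a constructed session cookie both ways and tampers with the ciphertext byte
// that feeds the plaintext's final padding byte; it returns the outcome counts for each decryptor.
func Demo() (unauthenticated, authenticated int) {
	keys := make([]byte, 64)
	rand.Read(keys)
	encKey, macKey := keys[:32], keys[32:]
	cookie := []byte("uid=1042;role=user;exp=2010-10-1") // constructed; exactly 32 bytes, so the pad is a whole block
	ct := cbcEncrypt(encKey, cookie)
	pos := len(ct) - aes.BlockSize - 1 // last byte of the block before the final one
	unauthenticated = DistinctOutcomes(ct, pos, func(d []byte) ([]byte, error) { return DecryptUnauthenticated(encKey, d) })
	authenticated = DistinctOutcomes(SealAuthenticated(encKey, macKey, cookie), pos,
		func(d []byte) ([]byte, error) { return OpenAuthenticated(encKey, macKey, d) })
	return unauthenticated, authenticated
}
```

Demo returns 2 for the unauthenticated decryptor (most tampered values fail padding, one yields a valid single-byte pad and "succeeds") and 1 for the authenticated one (every tampered value fails the tag check identically). Returning a uniform error is the idea behind the advisory's workaround; verifying a MAC over the ciphertext before decryption removes the oracle rather than hiding it, and hmac.Equal keeps the comparison itself from becoming a timing channel.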

Vulnerability exploited by Stuxnet discovered more than a year ago

[i]One of the vulnerabilities exploited by the Stuxnet worm was apparently not all that new. The printer spooler vulnerability was described in an article in the April 2009 edition of hakin9, a Polish publication that is fairly well known in hacking circles. The article, by security specialist Carsten Köhler, was entitled “Print your Shell”. Köhler also published a demo exploit for the vulnerability.

Microsoft fixed a vulnerability in the printer spooler last patch day and stated that Stuxnet was exploiting the vulnerability to spread across networks. Microsoft has also confirmed that the vulnerability in question was indeed that described by Köhler. It is not clear why the vulnerability was ignored for so long. After analysing the Stuxnet worm, Kaspersky and Symantec had stated that the vulnerability was new.

Symantec has published a highly detailed analysis of how Stuxnet manipulates MC7 code in specific Programmable Logic Controller (PLC) modules. Due to the complexity of the worm, many security specialists believe it to be the work of state-sponsored hackers or a state secret service. We may, however, never know which state was involved or what the worm’s target was. The most popular speculation is that it was an attack by Mossad, the Israeli secret service, on the Bushehr nuclear power station in Iran. Certain strings in the worm’s files are reported to give clues to the identity of the author – though in view of the professionalism with which Stuxnet has been developed it would be no surprise if this proved to be a false trail.[/i]

Author: Daniel Bachfeld [dab@ct.de]

Related Links:
http://heshanj.info/articles/25-articles/55-hakin9.html
http://www.computerworld.com/s/article/9187300/Microsoft_confirms_it_missed_Stuxnet_print_spooler_zero_day_
http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
http://en.wikipedia.org/wiki/Programmable_logic_controller
http://www.langner.com/en/index.htm
http://www.bbc.co.uk/news/technology-11388018
http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
http://www.tehrantimes.com/index_View.asp?code=227332

Update: Stuxnet brings more new tricks to cyberwar
Stuxnet is able to reinfect previously disinfected Windows systems that are running Siemens STEP 7 industrial automation software by writing itself into the project folders created by the development environment for STEP 7 programmable logic controllers. The worm modifies certain files and saves infected DLLs, some of them encrypted.
http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects

Update #2: More Links
http://www.ynetnews.com/articles/0,7340,L-3742960,00.html
http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers
http://www.h-online.com/security/news/item/Stuxnet-strikes-China-1099519.html

Update #3: Symantec’s W32.Stuxnet Dossier (Thanks to Left123)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Update #4: Stuxnet Questions and Answers (Thanks to Pondus)
http://www.f-secure.com/weblog/archives/00002040.html

Update #5: Stuxnet: A Breakthrough
http://www.symantec.com/connect/blogs/stuxnet-breakthrough

Turning the Tables – Part I

Boom… I’ve just taken over a Zeus C&C. I fire up a second, clean VM just to verify… yup it works. Ok, now what?

Article: http://xs-sniper.com/blog/2010/09/27/turning-the-tables/
Author: http://xs-sniper.com/blog/about-billy-rios/

Inside Adobe Reader Protected Mode - Part 1 - Design

[i]This is the first post in a multi-part series about the new sandboxing technology used in the Adobe Reader Protected Mode feature that was announced back in July. We will take a technical tour of the sandbox architecture and look at how its different components operate and communicate in ways that will help contain malicious code execution.

What is sandboxing?

A sandbox is a security mechanism used to run an application in a confined execution environment in which certain functions (such as installing or deleting files, or modifying system information) are prohibited. In Adobe Reader, “sandboxing” (also known as “Protected Mode”) adds an additional layer of defense by containing malicious code inside PDF files within the Adobe Reader sandbox and preventing elevated privilege execution on the user’s system…[/i]

Article: http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html

Authors: Liz McQuarrie, Ashutosh Mehra, Suchit Mishra, Kyle Randolph, and Ben Rogers

Related Links:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html

Pass-the-hash attacks: Tools and Mitigation

[i]Cracking passwords is a tedious, time-consuming business. However, it is often possible to gain access to a service without actually requiring the plain text password – for example, in the context of a single sign-on session, where the hashed password is often sufficient. Using existing tools, it is possible to extract LM and NTLM hashes from the Windows LSASS service, then reimport them – in some case onto other systems – to gain access using someone else’s identity.

In a SANS institute Reading Room paper entitled Pass-the-hash attacks: Tools and Mitigation, Bashar Ewaida examines the principles of the pass-the-hash attack and describes a tested range of tools which can be used to successfully execute such an attack. He also discusses measures for frustrating such attacks. Readers who are familiar with standard attacks on passwords may wish to skim the lengthy first section and zip along to the more interesting stuff which starts in chapter 3.[/i]

Article: http://www.sans.org/reading_room/whitepapers/testing/passthehash_attacks_tools_and_mitigation_33283
Author: Bashar Ewaida

Killing the zombie cookie (evercookie)

How to kill Samy Kamkar’s ‘evercookie’…
Happy killing…!! ;D
asyn

- Google Chrome: http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html

- Firefox: http://www.monirulislam.com/general-web-desktop-application-security-news/how-to-remove-evercookie-from-firefox-3/

- Safari: http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html

- Safari Mobile: http://singe.za.net/blog/archives/1016-Killing-the-Evercookie-Part2-MobileSafari.html

Related Links:
http://www.h-online.com/security/news/item/The-zombie-cookie-1095232.html
http://samy.pl/evercookie/

Please read nikki605’s post in the CCleaner (Piriform) forum:
Evercookie… Will CCleaner be able to combat this…
http://forum.piriform.com/index.php?showtopic=29862&st=20&p=178641&#entry178641nikki605

Woa, lots of good information here! :slight_smile: Thanks for sharing! It should be very useful… ;D

Java replaces Adobe Reader as the most frequent attack target

[i]Microsoft Malware Protection Center (MMPC) monitoring shows a dramatic increase in recent months in the number of attempted attacks on Java vulnerabilities. According to Holly Stewart of MMPC, since the middle of the year about six million attacks were registered attempting to exploit three older Java holes. This exceeds, by a large margin, the number of attacks on Adobe Reader, the former leading attack target.

Stewart speculates that Java is now a more tempting target for criminals because, like Adobe’s software, the Java Runtime Environment (JRE) is installed on almost every PC, but most users don’t pay much attention to it. The majority of these users don’t bother with frequent security updates: one of the holes reportedly being exploited is two years old.

Adobe’s efforts to make Reader more secure may well be proving effective. Among various improvements for Reader, Adobe has introduced the automatic update feature, which could be encouraging criminals to shift their efforts to Java as an attack face. This is supported by Brian Krebs’ observations. Krebs has determined that many commercially available attack tools for criminals now contain Java exploits and these exploits are now frequently the most successful.

Only recently, Oracle, as part of its October Patch Day, updated Java releases. 29 holes spread over versions 6.0, 5.0 and 1.4.2 for all supported platforms were closed. Oracle classified 15 of these vulnerabilities as critical.[/i]

Author: Daniel Bachfeld

Related Links:
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Inside Adobe Reader Protected Mode - Part 2 - The Sandbox Process

We continue our technical tour of Adobe Reader Protected Mode with a closer look at the sandbox process. (Check out part one of this series, if you missed it.) In today’s blog post we will look at all of the different ingredients the Windows operating system provides for a sandbox and see how those ingredients are used in the sandbox process to restrict access.

Article: http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-–-part-2-–-the-sandbox-process.html

Authors: Liz McQuarrie, Ashutosh Mehra, Suchit Mishra, Kyle Randolph, and Ben Rogers

Related Links:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html