X-Force Mid-Year Report 2008

IBM ISS X-Force security and development group released a mid-year report last month discussing all the security trends since the beginning of 2008. The report is 85 pages long and includes a number of charts and graph's, so it's actually an easy read. I would suggest reading it as it gives us at least one commercial companies view on the direction security related threats are headed.

I know very well how statistics can be skewed but the overall direction given in the reports seems to be inline with reports coming from other areas in the field. I wanted to share a few "numbers" I found interesting.

• 45% of all vulnerabilities ranked as "Medium" using the X-Force scoring system.


• 54% of all vulnerabilities ranked as "Medium" using the CVSS scoring system.


• Apple disclosed the most vulnerabilities in the first half of the year.


• Microsoft ranked 3rd and Linux ranked 10th in disclosures behind Apple.


• Microsoft ranked 1st, Apple 3rd by the highest number of public vulnerabilities.

I would like to know what you get out of the report. Please post your feedback in the comments.

DEFCON 16 CD of Presentations

Quick post for those that want the CD of all the presentations given at DEFCON 16. This info is from the Edge I-Hacked website.

File: defcon16.iso
Size: 734537728
MD5: 04F944946A3AA4B6B9C6C2E738D0B9D0
SHA1: 6F63D4E58B71D6F161793699E9DB131B75D4A8D7

Its packed full of the slides OF ALL the talks, along with the software used to hack Joe Grand?s Defcon16 Badge

Experimental Mail Server Analyzer Online

Dan Kaminsky the security researcher that discovered the latest DNS vulnerability has posted a new tool to test DNS servers used by Mail Servers. I wrote about his DNS Checker a month ago see that post here. This is another tool to see what DNS your mail services are using. I tested it with my mail accounts and everything looks to be good. The DNS vulnerability scope is larger then just DNS servers lots of key parts of the web hook into DNS like email, SSL certificates, FTP and more. If your note sure if your email is safe check out the tool here. Let me know in the comments if your email fails the test so others are aware and can take precautions.

Like everything else malware can be a hit or miss.

I was reading at MX Logic about another malware flood. This time it's a fake email from FedEx. Here is the description from MX Logic.

The email alleges that you sent a package on July 25, but because the recipient's address was not correct when it was shipped it had not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect a copy of the package at the FedEx Office (address of office not given, which should be one clear indicator that something is fishy about the email).

Sample subject lines that we have seen in our Threat Operations Center include:

You Have A Package!!!
Tracking N <fake tracking number>

Links to all the software from DEFCON 16

Rob Fuller has posted links to all the software from DEFCON 16 on his blog that you can get to from here [Updated link to the official DEFCON archive]. I think all of them are interesting but a few I might try to introduce in some of my classes. In no real order of preference be sure to check out.

• Beholder


• The Middler


• Marathon Tool


• Grendel Scan


• iKat

Anatomy of a malware scam

I see from my Google Analytic's that lots of you are interested in my post on the Antivirus malware scam going around. I read a great post today from The Register about the "Anatomy of a malware scam" that uses the Antivirus 2009 malware for the basis of the whole article.

I wanted to give those looking for more information about what is "under the hood" of a scam like this the link. I warn you it is very long and detailed post so if you really aren't that curious about the technical aspects of the scam I would skip it. For those of you that do read it out let me know in the comments what you thought about it.

SQL Injection for Dummies

I have been working on a article/lecture about SQL Injection for a class I am teaching. Today I found a post on Hackanoia about SQL Injection attacks on IIS/ASP platforms. I am working on one that focuses on the LAMP stack since that is the dominant platform on the Web.

What is nice about this article is that many business websites are using the IIS/ASP model for enterprise and commercial web applications. Since I'm working in a different direction I wanted to provide a link to this great post.

It tells you everything you need to setup your test environment and how to go about testing. I would suggest anyone interested in SQL Injection attacks to check out this article and let me know what you think. I am new to web pen-testing but the post seems complete. If you have a chance to follow it please post your comments below. If you have other sites that cover SQL Injection or other Injection Flaws please post them in the comments.

Related:

• Defending against SQL injections


• Blind SQL injections for dummies

Samurai Web Testing Framework

Last week I had a student ask me about website pen-testing programs. I told him about a new framework I had heard about called Samurai Web Testing Framework. Samurai WTF is a Live-CD that uses Ubuntu as the host OS. It comes preloaded with several popular programs that are used for testing websites and web applications.

I haven't had much time to investigate this tool but it seems like BackTrack for Web Testers. I have to say from a themes point of view I really like the "samurai" and "Edo" splash screens and wallpaper I think it adds some nice details.

You can visit the main website here and download the first version of the Live-CD here. You will need to login as User "samurai" and Password "samurai" I got lucky on my second try logging in. Once you login the README gives you the user name and password. I thought that was funny...

I would like to have time to try this out but I don't see that happening anytime soon. I would really like to hear from anyone using this tool. If you do download it and try it out please post comments on what you think about it. I will post a follow-up when I have the time.

Antivirus 2009 and Search Strings to Get Infected

Antivirus 2009

Over the last few weeks a wave of Trojans have been spreading across the Internet. I have been hearing and reading a lot about the Antivirus 2009 Trojan that has been infecting users. If your not current on what the Antivirus 2009 Trojan is you can get a full description about it on the Trend Labs Malware Blog.

I had first heard personal accounts of the malware from a student. Users he supports had been infected with it and since it was so new he had a hard time finding a tool to remove it. You can read his post here and here on how he was able to remove it.

UNetbootin

Last night in class I mentioned a program I use to install Linux and other security tools onto a USB drive. None of my students had hear about UNetbootin before so I thought maybe it would be good for me to bring it to the foreground for my readers.

Per the UNetbootin website:

UNetbootin allows for the installation of various Linux/BSD distributions to a partition or USB drive, so it's no different from a standard install, only it doesn't need a CD. It can create a dual-boot install, or replace the existing OS entirely.

I learned about UNetbootin six months ago from Linux.com. As a Linux geek I thought it was worth a try. I play with a lot of distributions and this tool makes it easy to switch between distro's. I also like that it has some security tools available as well. You can use it to install BackTrack, Ophcrack, NTpasswd, etc. I'm sure by now you can see that this is a really great program.

I hope that this post helps to get the word out about UNetbootin. You can get more information and download the software from the UNetbootin website.

Fun with Metasploit Framwork and ISR-evilgrade 1.0.0

I am currently updating my Metasploit Framwork labs for one of my class. Metasploit Framwork always seems to be a hit with my students. While searching for new lab ideas, that are both useful to learn and easy enough for everyone to follow, I came across a post on the Metasploit blog about ISR-evilgrade 1.0.0.

I know this is old news to most of my readers since it was release over a month ago, but its new for me and I'm guessing for many of my students as well.

The description on the ISR website:

ISR-evilgrade v1.0.0

It's is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates.

I don't want to spoil the lab for my students but for those interested here are some links to get you started. You can visit the ISR website and check out the Readme, Presentation and Demo.

Excellent Study "Cold Boot Attacks on Encryption Keys"

One of the current hot topics in security is the implementation of disk encryption to protect sensitive and personal information. This is obviously better then no security at all but even disk encryption has it's weakness.

I was doing research for a lecture on "Cold Boot Attacks" when I found this study done at the Princeton University, Center for Information Technology Policy. This is one the best studies on the subject I have found thus far. If you haven't read much about "Cold Boot Attacks" this would be an excellent primer.

I have included the YouTube video and the Abstract for quick access to there website but I do recommend you read the full research paper provided for all the details from the CITP website.

Checksum software for Windows

If you download a lot of software, I hope you verify the checksum of the files before you install them. Developers that publish files usually will create a checksum of the program and post a copy of the checksum in the download package or below the download link.

For example if you download a distribution of Linux, lets say Ubuntu, before you install that desktop or server software you want to know that you have an authentic copy. It is possible that maybe the copy you downloaded has been modified and could have Spyware, Malware or Trojan hidden in the software.

It's also possible the software you think you downloaded is something else completely. Maybe instead of Ubuntu you downloaded a pirated copy of Windows Vista. Now that would really make me mad. What if you installed that copy of Windows Vista...your system would really be screwed. :P

Microsoft to share details on vulnerabilities

One of the most popular security tips is to keep your software patched. In a production environment this is harder then you might think. Each time a patch is release its purpose is to fix a problem. That problem can either be fixed by modifying code or adding code. This change to software code can cause other software (third-party programs) to stop functioning or create new vulnerabilities or problems.

To avoid the possibility of introducing new vulnerabilities or problems most businesses do patch testing in a lab environment. That is when usually a company downloads the latest patches and test it on non-production nodes of like systems (test nodes or backup server not production server). The goal of the testing is to see if the patch breaks anything or introduces other security or non-security related issues. Most times loading a patch doesn't cause issues. Other times it can bring a system to it's knees.