Friday, October 24, 2008

ThreatExpert Blog has an excellent write-up on the Gimmiv.A worm

Yesterday Microsoft released a security patch for a critical vulnerability, and a worm has already been found exploiting it in the wild. If you head over to the ThreatExpert Blog you can find a full write-up on this worm and how it uses this critical vulnerability to compromise systems.
Critical vulnerability in Server Service has only just been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has been found to be exploiting it in the wild.

If you run Snort IDS, here is a link to rules that detect attempts to exploit this vulnerability.

Wednesday, October 22, 2008

People will always be the weakest link in security.

Yesterday morning I stopped in the local Starbucks to get some coffee. When I arrived I noticed a customer who was unpacking a laptop bag and getting situated. While I was waiting in line after ordering my drink, the same customer passed me heading into the restroom. After I got my coffee I started to head out the door and noticed that the customer had booted their laptop and had a Citrix session running with Outlook open. I looked around and realized that the customer was still in the restroom. I decided to take a few minutes and sit down across the room and observe. I noticed that the laptop had a 3G data card plugged in, so I am guessing that was the data connection the customer was using, not the WiFi hotspot.

Let's evaluate the situation. We have a company whose IT people need to provide remote access to its users. They want to keep full control of their data, so they go the thin-client route and use Citrix. I am guessing they must provide the 3G card as well. But after all that, a user boots the laptop, VPNs into the company (I'm guessing), authenticates through the thin client, launches Outlook and then takes a health break without locking the system.

Thursday, October 16, 2008

Review: SANS Pen Test Webcast Part 1

Yesterday was the SANS Webcast on "Combining Network, Web App and Wireless into the Ultimate Penetration Test." I had registered to catch it live, but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.

The focus of the webcast was, as the title describes, using combined methods and attack vectors during a penetration test. Sometimes, depending on the client's requirements, a pen test will be requested with a very limited scope. For example, they might only want their wireless network tested, or a public-facing web application. Usually due to either lack of interest or cost, some companies will not go for the full monty. I think this is bad because the results of the pen test are then only part of the picture. I think that if a business is going to have a pen test conducted it should cover all the potential attack vectors; otherwise the business might end up with a false sense of security.

Friday, October 10, 2008

NoScript ClearClick Warning (aka Clickjacking)

I was on Google Video just now checking out the OWASP.TV videos from the conference in NYC when I got a "ClearClick Warning" from NoScript. I knew that NoScript had added Clickjacking protection, but this was the first time I had seen a warning. I checked the page with Firebug and didn't see anything wrong. I am guessing it was a false positive, but now I'm just curious. Has anyone else seen the "ClearClick Warning", and if so was it correct or a false positive? Post your feedback in the comments.

Thursday, October 9, 2008

Metasploit 3.2 drops commercial license restriction

It seems that Metasploit 3.2 will be sporting a BSD 3-Clause license. That basically means that MSF can be forked or modified, repackaged and sold by commercial entities. The 3-Clause license means that the source code and binaries keep the copyright notice, but nobody can claim the mutant product is endorsed by HD.

DarkReading has an article about it, and one of the ideas tossed around is Core Impact integrating MSF into their tool. Aside from the thousands of dollars that Core costs, the lack of reporting functionality is one of the reasons MSF is kept in the shadows with researchers and pen-testers. MSF is awesome, I'm a big fan of it, and I look forward to all its bastard children. If someone can take MSF and create some awesome reporting tools, that would rock. I have always thought someone should build some reporting plug-ins for MSF; maybe someone will now.

I would like to know what you think about the MSF license change in the comments.

Wednesday, October 8, 2008

Book Review: Fuzzing | Brute Force Vulnerability Discovery

I really enjoyed reading Fuzzing. The book has a ton of really great information. The majority of the content I was interested in pertained to application and web application fuzzing. The book starts with a background on vulnerability discovery methods. It then covers the different methods and types of fuzzers.

The good stuff starts in the second part of the book, on "targets and automation." The chapter on "web application and server fuzzing automation" has some interesting ideas I hadn't considered. I also liked the chapters on network protocol fuzzing on Windows and UNIX.

Throughout the book it shares tools, code and examples that are available for download from the fuzzing.org website. I have been working a lot recently with the Samurai Web Testing Framework Live-CD, creating some video tutorials that I hope to release soon, and I used some of the examples from the book. I also played with a little C# and built the generic fuzzing tool that was given in the book. I am adding some features to use it in a few class activities I would like to implement.

Overall I think the book is great for anyone in development, system administration or pen-testing. I learned a lot and I think others would too, but be warned, this book is intense. I spent about 8 or 9 weeks with this book because every time I learned something new I wanted to try it out.

If you have read this book or others like it I would like to read your comments.

Tuesday, October 7, 2008

Clickjacking PoC was released yesterday.

Yesterday a PoC of the Clickjacking exploit was released. Today Adobe released a workaround to fix the Clickjacking vulnerability in Flash. Here is a video of the PoC.

http://www.youtube.com/watch?v=gxyLbpldmuU

Since I shared this with my students last month, I wanted to share the details now that they have been made public. The whole Clickjacking exploit has had a lot of people on edge. I even had a student who thought his site was affected by Clickjacking. He sent me the Flash files and it was actually a CSRF. I will post a summary of what the problem was and how I was able to identify it in a future post.

If you haven't already, now would be a good time to add the NoScript and Flashblock add-ons to your Firefox browser. Make sure you enable "Forbid <IFRAME>" in the NoScript configuration. I would also keep any cameras and/or microphones disconnected when not in use, to play it safe.

UPDATE: More details from one of the founders of Clickjacking.

Jumping on the bandwagon "EPIC FAIL" OK not really...

I make a conscious effort not to blog on topics that others have already discussed, unless they impact me directly. So to add to the pile of "FAIL" account resets, which I refuse to call "hacks," I have another one to add.

Yesterday, I tried to log in to an online software store but I couldn't remember the password. Not a problem, I clicked the "forgot password" link. I got to the part that allows me to write a message explaining the problem. I wrote them that I can't remember the password for the account and that the email address on file isn't valid, since I have switched ISPs. I gave them my new email address and asked nicely that they update it so I can reset my password. The new email address has the same name as the old address but with a different domain.

Well I get an email today that they updated my account, changed my email address (which is also the login) and set a temporary password. WTF?

Let me go over this again slowly. I email the company and say my email address on file is old. I give them a new email address. They reset the account and send me the temp password? No verification, no last 4 digits of my social, no secret question, nothing.

Now, true, once logged in someone would still need to pay for the software ordered. But what if I had an open line of credit? In my case I get academic pricing, so where you get Windows for $200, I get it for $5. Wouldn't that be worth creating a fake free email account and trying to get access?

Anyway, not sure this fits the "EPIC FAIL" label, but I've always wanted to write that. Something I have taken away from all of this is that I am now checking all my important online accounts to see what the "forgot password" procedure is, and contacting those with weak challenges and verification. I guess my first stop will be my software store.

I would like to know if anyone else has tried to see how easy it is to "reset" their own personal accounts. Post in the comments if you have any tips on improving the "forgot password" procedure.
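As an added illustration (not the store's code, and not from the original post), here is the recovery flow the post describes beside a hardened version that only changes the login address after a one-time, expiring token sent to the address already on file comes back. All class names, addresses and timings below are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # a recovery token stops working 15 minutes after it is issued


class Account:
    def __init__(self, login_email: str) -> None:
        self.login_email = login_email          # the e-mail address is also the login name
        self.password_hash: Optional[str] = None


def _digest(secret: str) -> str:
    # sha256 stands in for a real password hash (bcrypt/argon2) to keep this dependency-free
    return hashlib.sha256(secret.encode()).hexdigest()


def weak_recover(account: Account, requested_email: str) -> str:
    """The flow the post describes: the address in the request is trusted, becomes the login,
    and a temporary password is mailed to it. Whoever wrote in now owns the account."""
    account.login_email = requested_email
    temp_password = secrets.token_urlsafe(9)
    account.password_hash = _digest(temp_password)
    return temp_password


class RecoveryService:
    """Hardened flow: a one-time, expiring token is mailed only to the address already on file;
    the login address changes only after that token comes back."""

    def __init__(self) -> None:
        # token digest -> (account, requested new address, expiry time)
        self._pending: Dict[str, Tuple[Account, str, float]] = {}

    def request(self, account: Account, requested_email: str, now: float) -> Tuple[str, str]:
        token = secrets.token_urlsafe(32)
        # only the digest is stored, so a leaked table cannot be replayed as a token
        self._pending[_digest(token)] = (account, requested_email, now + TOKEN_TTL_SECONDS)
        return account.login_email, token  # (recipient, token): recipient is the OLD address

    def confirm(self, presented_token: str, now: float) -> bool:
        digest = _digest(presented_token)
        for stored, (account, new_email, expires) in list(self._pending.items()):
            if hmac.compare_digest(stored, digest):
                del self._pending[stored]        # single use, whether or not it is still valid
                if now > expires:
                    return False
                account.login_email = new_email  # verified via the old address, so switch now
                return True
        return False                             # unknown token: nothing changes
```

When the address on file is genuinely dead, as in the post, the fallback is a separate identity check (the secret question or similar challenge the post mentions), not trusting the request itself.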

Monday, October 6, 2008

fwknop: Single Packet Authorization and Port Knocking

Port Knocking is something I consider to be "security through obscurity," so I haven't really paid any attention to it aside from mentioning it in my lectures when it comes up. I see too many flaws in the idea to even consider it feasible.

Today in one of my feeds I read a post over at Darknet about an implementation of Port Knocking that uses SPA and integrates with iptables and ipfw. Now I can say it has my attention, for at least the 15 minutes that lasts. You can get more info on fwknop, which stands for "FireWall KNock OPerator," on the Cipherdyne site. It's a Perl script that was released back in 2004. I know using SPA with Port Knocking isn't new, but it's new to me.

If you get Hakin9 Magazine, fwknop was discussed in the September issue, which is the reason it has been brought back into the light. Per the Port Knocking website you can find 50+ implementations of Port Knocking.

The author of the tool is Michael Rash, a security researcher and the guy who wrote "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" (No Starch Press). fwknop and a few other implementations will be added to my "round-to-it folder" of things to demo.