SecureAnchor Weekly Newsletter
Posted on Saturday, 03 November 2007 @ 11:39:42 EDT, contributed by cdupuis
Topic: SANS
November 2007 | Vol 11, Issue 1

Security in the News: your source for up-to-date security headlines

Greetings!

Hello.... I hope everyone had a great Halloween celebration. A few of you have asked for USB drives with the PointSec Port Protector tool installed on them. I am receiving them any day now. As soon as I receive them I will send them out. I ordered a few extra, so if you want one just ping me and let me know. They are free of charge, of course!! Have a great weekend.

Eric

Another European State Wants to Use Trojans Against Criminals

The Austrian police want to infect criminals' computers with Trojans, presumably to conduct surveillance on them. The Austrian Minister of Justice, Maria Berger, and the Interior Minister, Günther Platter, have come up with this proposal to let police conduct surveillance with Trojans under a warrant issued by a judge. Geoff Sweeney of Tier-3 said, "I'm sure the Austrian Secret Service would develop some pretty ingenious software to infect users' PCs, but there is a real danger that the package could leak into the hacker community.... That scenario would create a serious free-for-all on the industrial espionage and identity theft front as legitimate Trojans are redirected to create an even more hostile environment for organizations to defend against." Governments may feel this is akin to tapping phone lines, but the situation is quite different: nobody markets anti-tapping products to phone subscribers, whereas every PC owner can run anti-virus software, which puts the vendors of that software in an awkward position. Earlier this year Mikko Hypponen of F-Secure put the question this way in a blog post: "How should anti-virus companies react to the existence of such malware? Detect it? Avoid detecting it on purpose? Avoid detecting hacking software used by governments of which country? Germany? USA? Israel? Egypt? Iran?" None of the governments that have decided to pursue the Trojan option have explained how the Trojans themselves would be protected.

Also problematic is the prospect of the Trojans being reverse engineered and redeployed by criminals. Graham Cluley of Sophos stated bluntly, "The anti-virus companies aren't going to turn a blind eye to state-endorsed Trojan horses. We're going to add detection for them just like any other spyware. So, if the cybercops think they can give us a funny handshake, a wink and buy us a pint for not adding detection for the Trojan they're using to spy on their suspect, they're mistaken... The reason why we take that policy is that we can't know if the Trojan has been placed there by the cops or a criminal. It's unlikely that the Trojan will say 'Copyright (c) FBI 2007.'" The bigger question is how the malware would be delivered. If by email, will the suspect need a POP account? If the police know so much about the suspect, why not sniff his wireless traffic, or monitor the land line (or cable or fiber connection)? Don't they know how to monitor at the ISP, as the U.S. does? And if they are going to break into the dwelling or office to plant the spyware, because the suspect might know enough not to open attachments from strangers, why not install some other kind of surveillance device while they are there? It is like the argument for monitoring the communications hubs through which overseas traffic is routed via waypoints on U.S. soil: how do they ensure that the bad guys' communications pass through the telecom center in the U.S.? If the good guys know enough, or have enough pull, to make that routing happen, why don't they intercept the traffic at a different point? There is obviously more to the story than they are telling.

Storm Worm Has Retaliatory Capability

Researchers who have learned useful information about the Storm worm are reluctant to publish their findings, because the botnet notices when machines that are not members of it try to connect to its command and control servers, and when they do, it retaliates with DDoS attacks that can knock the researchers off the Internet for days. It also notices when a researcher downloads multiple copies of the worm, and launches a DDoS in those cases too. Josh Corman, host-protection architect for IBM/ISS, recently led a session on network threats at Interop. He said, "As you try to investigate [Storm], it knows, and it punishes. It fights back." Of the researchers he said, "They're afraid. I've never seen this before. They find these things but they never say anything about them." Another recently discovered capability is Storm's ability to interfere with applications as they start up and either terminate the processes or let the applications load but disable their functionality. An anti-virus product can therefore appear to be running while in fact doing nothing, or in Mr. Corman's parlance, be "brain-dead." He said, "It's running, but it's not doing anything. You can brain-dead anything." Estimates of the size of the botnet vary wildly, from the hundreds of thousands to 50 million machines; Mr. Corman thinks there are between 6 and 15 million bots. These machines are used infrequently, which means that those with the right connections can lease the botnet for their own aims, or the owners can extort money directly from the businesses they threaten to knock off the Internet. Mr. Corman said, "It's getting more serious the more I look at it. I'm more concerned not so much about where Storm is today, but where it is going."

Vonage Flaws

A press release from Sipera reads, "Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user's phone service with a 'registration replay attack,' then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of 'ringing the phone off the hook' which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams." Two of these problems follow directly from running SIP in the clear: a REGISTER that can be sniffed can be replayed, and anyone who can reach the adapter's SIP port can flood it with INVITEs. The same press release noted that European provider Globe7 suffered similar vulnerabilities in its online account access system. Infonetics Research reports that by 2010, half of small organizations and 67% of large organizations in North America will be using VoIP products and services.

Free Firefox Plug-Ins to Test Web Applications

Nischal Bhalla, founder of the Canadian company Security Compass, and his colleagues have developed a set of exploit tools that test for Web application vulnerabilities from within the browser. The 'ExploitMe' suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities exhibited by Web sites. Oliver Lavery, principal consultant with Security Compass and one of the developers, said, "We actually plugged it [the tools] right into the browser logic so it sees things the way the browser does." Mr. Bhalla, speaking of other freely available tools for testing Web sites, such as Paros Proxy, Burp Suite and WebScarab, said, "They intercept requests, and tend to do XSS on the basis of the data they collect. They emulate a browser, which is where problems happen with detection. Ours is tied into the browser." As Mr. Lavery explains, "Because cross-site scripting exists within the browser, it's harder to detect" with tools working outside the browser. The approach also gets a blessing from Metasploit creator HD Moore, who said the browser-based approach makes it easier for security researchers to find bugs in sites that are "heavy on client-side scripting." Mr. Moore warns that there are risks as well: "It becomes really easy for a malicious operator to subvert your tool for their own use. Any hacking-specific extensions should be kept disabled, it's just too easy to make a mistake." The advantages, however, are considerable. As Mr. Moore says, "The browser already does the hard work of processing JavaScript, negotiating SSL, loading Flash and handling authentication. All the plug-in needs to do is leverage the existing data. Stand-alone Web assessment tools have to reinvent the wheel when it comes to processing Web pages and acting like a 'real' user. This is a hard job and because of it, many of the stand-alone tools do a poor job when the site in question is heavy on client-side scripting." Embedding the tool as a plug-in brings its own problems, particularly for automation. Mr. Moore explains, "Additionally, automation is difficult when the entire toolkit lives within a browser. A single, unhandled JavaScript alert could stall the tool indefinitely." Security Compass chose to write the tools for Firefox because, as Mr. Bhalla explains, "It lets you write plug-ins to it more easily."

McAfee and Symantec Security Flaws Remediated

Symantec emailed customers of its DeepSight threat management service a warning about the Symantec Altiris Deployment Solution, which deploys and manages servers, desktops, notebooks, thin clients and handheld devices from a central location in Windows environments. The problem is a local privilege escalation vulnerability: the Aclient process fails to properly drop privileges before executing external files, so "an attacker can use the browser function to view or execute arbitrary files with 'system' privileges." Successful exploitation gives the attacker control of the machine. The fix and download instructions are on the Symantec Security Response Web site.

McAfee: Secunia reports a vulnerability in McAfee E-Business Server that attackers can exploit to cause a heap-based buffer overflow via a specially crafted authentication packet. According to Secunia advisory SA26372, "The vulnerability is caused due to an integer overflow within the e-Business administration utility service when parsing authentication packets. Successful exploitation allows execution of arbitrary code." Secunia recommends updating to E-Business Server 8.5.3 for Solaris or E-Business Server 8.1.2 for Linux/HP-UX/AIX.

Social Engineering: MySpace Cofounder Older Than He Claims

Tom Anderson, cofounder of MySpace, was born in November 1970, which makes him almost 37, not the 32 he currently claims on his MySpace profile, according to documents reviewed by Newsweek. He claimed to be 27 when he launched MySpace in 2003, although it appears he was actually 32. Some might say he lied for commercial gain: when he founded the site, he may have thought his real age would be a liability in appealing to the demographic that put MySpace on the map.

Symantec Mail Security Vulnerabilities

Three Secunia advisories address "highly critical" vulnerabilities in Symantec Mail Security for SMTP, Exchange and Domino that can cause denial of service or compromise targeted machines. There were no known exploits in the wild at the time of the advisories, according to Secunia. Advisory SA27429 describes multiple vulnerabilities in Symantec Mail Security for Exchange caused by flaws in third-party file viewers; a successful attack results in a buffer overflow. Secunia was not aware of any patches and advised users to disable scanning of message content in the interim. Advisory SA27388 describes similar vulnerabilities in Symantec Mail Security for Domino and advises the same precaution. Advisory SA27367 indicates a similar flaw in Symantec Mail Security for SMTP; in this case Symantec has fixed the flaws with Patches 181 and 182 for version 5.0.1.

Password Cracking on Graphics Chips

Elcomsoft, a Moscow-based software company, has developed software that uses the parallel processing capability of graphics processing units (GPUs) to speed up password cracking by a factor of 25, and has filed for a U.S. patent on the technique. The technique cuts the time to crack the toughest passwords, such as a Windows Vista password, from months on a single CPU to three to five days; other passwords that used to take hours or days now fall within minutes. Elcomsoft used an $800 GeForce 8800 Ultra graphics card, made by nVidia, for these results. nVidia's Mr. Humber explained the speed increase by analogy with searching for words in a book: "A [normal computer processor] would read the book, starting at page 1 and finishing at page 500. A GPU would take the book, tear it into 100,000 pieces, and read all of those pieces at the same time." nVidia released the SDK for its graphics hardware, named CUDA, in February 2007; it lets programmers program the GPU directly. The demand for massively parallel processing extends across several disciplines, especially science and engineering. Mr. Humber said, "[CUDA] is a huge thing for the oil and gas industry, for the financial sector and for scientists."

Record Industry Pressuring ISPs to Monitor and Cancel P2P Users (U.K.)

Disagreement in the U.K., as the music industry pushes British ISPs to monitor their users and kick P2P file sharers' computers (and the users themselves) off the Internet entirely. Apparently ISPs in the U.K. do not have legal protection regarding the content traveling across their networks.

Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assets are securely anchored. In addition we are busy developing software solutions to meet the threats of tomorrow.

Sincerely,
Eric Cole
Secure Anchor

Come see Dr. Cole present information you can directly apply when you go back to work, at an upcoming SANS event. Previous attendees from companies like Johnson and Johnson, Disney, Citibank, DOD and others have said that his was the best training they have ever taken and that Dr. Cole is a riveting and amazing instructor.
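The Vonage item above describes a "registration replay attack": a SIP REGISTER sent in the clear is captured and resent. The following is an added example, not Vonage's, Sipera's or Motorola's code. It reconstructs the RFC 3261 digest check (which reuses the RFC 2617 HTTP digest without qop) that a SIP registrar performs on a REGISTER, and shows that verifying the digest alone is not enough: a registrar that does not track which nonces it has issued and already consumed accepts a verbatim replay and re-points the victim's number at the attacker's Contact, while one that does rejects it with a fresh 401 challenge. The realm, credentials, nonces and Contact addresses are constructed sample data.

```python
"""SIP REGISTER digest authentication with and without nonce replay protection.

Added example (stdlib only). REALM, USERS and the Contact URIs are constructed.
"""
import hashlib
import re
import secrets
import time

REALM = "sip.example.net"            # constructed sample realm
USERS = {"15551234567": "s3cret"}     # constructed sample username -> password


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_params(value):
    """Parse the parameter list of a Digest WWW-Authenticate or Authorization value."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(username, password, method, uri, nonce):
    """RFC 3261 digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, password, method, uri, challenge):
    """What the legitimate phone adapter sends back after a 401 challenge."""
    nonce = parse_digest_params(challenge)["nonce"]
    resp = digest_response(username, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


class Registrar:
    def __init__(self, check_nonce=True, nonce_ttl=60.0, clock=time.time):
        self.check_nonce = check_nonce   # False reproduces the replayable behaviour
        self.nonce_ttl = nonce_ttl
        self.clock = clock
        self.issued = {}     # nonce -> time it was handed out in a challenge
        self.consumed = set()  # nonces that have already authenticated one request
        self.bindings = {}   # address of record -> registered Contact

    def challenge(self):
        """Value of the WWW-Authenticate header in the 401 sent to an unauthenticated REGISTER."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = self.clock()
        return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

    def register(self, method, uri, authorization, contact):
        """Return the SIP status code for a REGISTER carrying `authorization`."""
        p = parse_digest_params(authorization)
        user, nonce = p.get("username"), p.get("nonce")
        if user not in USERS or p.get("realm") != REALM or p.get("uri") != uri:
            return 403
        if p.get("response") != digest_response(user, USERS[user], method, uri, nonce):
            return 401  # wrong password or tampered request: re-challenge
        if self.check_nonce:
            issued = self.issued.get(nonce)
            stale = issued is None or self.clock() - issued > self.nonce_ttl
            if stale or nonce in self.consumed:
                return 401  # unknown, expired or reused nonce: re-challenge, never accept
            self.consumed.add(nonce)
        self.bindings[user] = contact
        return 200


def replay_demo(check_nonce):
    """Victim registers; attacker replays the sniffed Authorization with its own Contact.

    Returns (status given to the attacker, Contact the number is bound to afterwards).
    """
    reg = Registrar(check_nonce=check_nonce)
    uri = f"sip:{REALM}"
    victim_contact = "sip:15551234567@192.0.2.10:5060"     # constructed
    attacker_contact = "sip:15551234567@203.0.113.7:5060"  # constructed
    auth = client_authorization("15551234567", "s3cret", "REGISTER", uri, reg.challenge())
    if reg.register("REGISTER", uri, auth, victim_contact) != 200:
        raise RuntimeError("legitimate registration should succeed")
    status = reg.register("REGISTER", uri, auth, attacker_contact)  # replayed verbatim
    return status, reg.bindings["15551234567"]
```

With `check_nonce=False` the replay returns 200 and the victim's calls now go to the attacker's Contact; with `check_nonce=True` it returns 401 and the original binding stands. Nonce tracking only defeats a verbatim replay; it does nothing for the eavesdropping and INVITE-flood problems in the same release, which need transport protection (SIP over TLS, SRTP for media) and rate limiting at the adapter or proxy, and a real registrar must also expire `consumed` entries along with `issued` ones.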
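The password-cracking item above rests on one property of unsalted password hashes: every candidate is hashed independently, so the keyspace can be torn into pieces that are searched without any communication between them, which is exactly what a GPU does well. The following is an added example, not Elcomsoft's code or CUDA. It shows the decomposition itself: a mixed-radix mapping from an integer index to a candidate password, a partitioner that cuts the index range into work units, and the per-unit search that a GPU would launch thousands of copies of. MD5 stands in for the target hash type (Windows NT hashes are MD4 over the UTF-16LE password, the same shape of problem), and the target hash is constructed from a known sample password; the driver runs the units sequentially so the code stays portable.

```python
"""Keyspace partitioning for brute-force hash cracking (added example, stdlib only).

MD5 is a stand-in for the unsalted hash under attack; CHARSET and the sample
password are constructed.
"""
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # constructed candidate alphabet


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def keyspace_size(charset, length):
    return len(charset) ** length


def candidate_at(index, charset, length):
    """Map an integer in [0, size) to the candidate at that position.

    Mixed-radix (base len(charset)) digits, most significant first, so index 0 is
    charset[0] repeated and the enumeration is lexicographic.
    """
    base = len(charset)
    chars = []
    for _ in range(length):
        index, digit = divmod(index, base)
        chars.append(charset[digit])
    return "".join(reversed(chars))


def partitions(charset, length, pieces):
    """Yield (start, stop) index ranges splitting the keyspace into at most `pieces` units."""
    size = keyspace_size(charset, length)
    step = -(-size // pieces)   # ceiling division so the last unit is never empty
    for start in range(0, size, step):
        yield start, min(start + step, size)


def search_partition(target_hex, charset, length, start, stop):
    """The kernel each work unit runs: hash every candidate in [start, stop)."""
    for i in range(start, stop):
        cand = candidate_at(i, charset, length)
        if md5_hex(cand) == target_hex:
            return cand
    return None


def crack(target_hex, charset, max_length, pieces=64):
    """Sequential driver over the independent work units.

    A GPU would launch all units of one length at once; nothing here has to be
    shared between them except the target hash, which is why the speedup scales
    with the number of cores.
    """
    for length in range(1, max_length + 1):
        for start, stop in partitions(charset, length, pieces):
            hit = search_partition(target_hex, charset, length, start, stop)
            if hit is not None:
                return hit
    return None


if __name__ == "__main__":
    target = md5_hex("z9q")   # constructed target from a known sample password
    print(crack(target, CHARSET, 3))
```

The same decomposition applies to a dictionary or rule-based attack by indexing the wordlist instead of the alphabet. The defence side of the story is the other property the example relies on: a salted, deliberately slow password hash removes the "hash once, compare against every account" shortcut and multiplies the per-candidate cost, so the 25x speedup buys far less.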