Suggested Blog Reading – Tuesday/Wednesday July 24th/25th, 2007

Ack! I completely forgot to release an SBR yesterday!

Here’s the list:

Offensive Security Wireless Attacks – Backtrack WiFu – A new training offering presented by Offensive Security.

“Offensive Security Wireless Attacks”, also known as “BackTrack WiFu”, is a course designed for penetration testers and security enthusiasts who need to learn to implement various active and passive Wireless (802.11 2.4 GHz) attacks. The course is based on the Wireless Attack suite – Aircrack-ng.
The course was designed by Thomas d’Otreppe and Mati Aharoni in an attempt to organise and summarise today’s relevant WiFi attacks. This course will kick-start your WiFu abilities, and get you cracking WEP and WPA using the latest tools and attacks in no time!

Cisco & VMWare – The Revolution will be…Virtualized? – I like the idea but I wonder if this might be too far ahead of its time.

This is interesting for sure and if you look at the way in which the demand for flexibility of software combined with generally-available COTS compute stacks and specific network processing where required, the notion that Cisco might partner with VMWare or a similar vendor such as SWSoft looks compelling. Of course with functionality like KVM in the Linux kernel, there’s no reason they have to buy or ally…

Certainly there are already elements of virtualization within Cisco’s routing, switching and security infrastructure, but many might argue that it requires a refresh in order to meet the requirements of their customers. It seems that their CEO does.

Attribute-Based Cross-Site Scripting – Interesting topic to check out.

A couple of weeks ago I posted sections from one of our WhiteHat customer newsletters that focused on HTTP Response Splitting. Newsletters are one way we keep customers informed of important industry trends and improvements to the Sentinel Service. Judging from the blog traffic and comments it was well received. So this time I’ll highlight Attribute-Based Cross-Site Scripting, which Arian Evans (WhiteHat’s Director of Operations) has been spending a lot of R&D time to get working properly. Enjoy.

Really Simple Reversing (RSR) – This is quite cool.

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

BIND cache poisoning vulnerability details released – You should probably check this out if you have any BIND servers in your realm of responsibility.

Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. This is one of the problems addressed by the latest version of BIND 9.

The very brief summary: BIND prior to version 9.4.1-P1 did not use a strong algorithm to create DNS transaction IDs. As a result, one can derive the next transaction ID BIND will use by knowing the last few transaction IDs. In this case, up to 15 queries are used.

Once the attacker knows the “state” of the target’s BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query will include this transaction ID so the querying DNS server knows what query is answered by this particular response. BIND always uses the same source port for its queries.
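A small defender-side check for the two properties the summary above describes (transaction-ID randomness and source-port reuse), run over (source port, transaction ID) pairs taken from a resolver's own outbound queries. This is an added example, not code from the ISC post or from BIND; the sample data below is constructed, and a real run would take the values from a packet capture of the resolver's queries.

```python
from collections import Counter


def looks_like_counter(txids, max_step=4):
    """True if every consecutive pair of IDs differs by the same small
    step (mod 2**16), i.e. the IDs are a plain or strided counter.
    A step of 0 (the same ID every time) also counts as predictable."""
    if len(txids) < 3:
        return False
    steps = {(b - a) % 65536 for a, b in zip(txids, txids[1:])}
    return len(steps) == 1 and next(iter(steps)) <= max_step


def assess(queries):
    """queries: list of (source_port, txid) pairs from the resolver's
    outbound queries.  Returns findings an operator would act on."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    repeated = sum(c - 1 for c in Counter(txids).values())
    findings = {
        "fixed_source_port": len(set(ports)) == 1,
        "counter_like_txids": looks_like_counter(txids),
        "repeated_txids": repeated,
        # A forged response must match both port and ID; the number of
        # distinct combinations seen is a crude lower bound on how much
        # an attacker would have to guess.
        "observed_port_txid_combos": len(set(queries)),
    }
    findings["predictable_txids"] = findings["counter_like_txids"] or repeated > 0
    return findings


# Constructed samples: a resolver that reuses one port and counts IDs up,
# and one whose IDs show no obvious pattern in this short window.
WEAK_SAMPLE = [(53, 0x1A00 + i) for i in range(16)]
OK_SAMPLE = [(53, t) for t in (
    0x3F1C, 0x9A02, 0x0B77, 0xE4D1, 0x52A9, 0xC013, 0x7E88, 0x1D5F,
    0xA6C4, 0x34F0, 0xF92B, 0x6B36, 0x08ED, 0xD7A5, 0x4C19, 0xB2E7)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("ok", OK_SAMPLE)):
        print(name, assess(sample))
```

Passing this check says nothing about the quality of the generator; it only catches the grossly predictable cases, so treat it as a smoke test, not a proof of randomness.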

Enterprise Visibility Architect – I like the concept but I’m not sure that an organization is going to create a new role that sits between the resources listed in the article and the CISO/CTO/CSO. Only time will tell.

I suggest that enterprises consider hiring or assigning a new role — Enterprise Visibility Architect. The role of the EVA is to identify visibility deficiencies in existing and future POAD and design solutions to instrument these resources.

How to Create a Security Team for $4.95, Plus Tax – Great article!

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

(IN)SECURE Magazine Issue 12 – The new issue of (IN)Secure Magazine is out.

Dr. Morena – Firewall Configuration Testing Tool – Another tool to add to your belt.

Dr. Morena is a tool to confirm the rule configuration of a Firewall.

The configuration of a Firewall is done by combining more than one rule. Sometimes a rule configuration may reside in a place other than the basic rule configuration place. In such a case, it is difficult to confirm whether it is the configuration intended by the system administrators. (Is an unnecessary hole open, or is a necessary hole open?)

We prepare a computer which has two network interfaces for this tool. Each network interface is then connected to one of the network interfaces on either side of the Firewall. A packet whose source IP address and destination IP address are forged is sent to the Firewall from one network interface. The packets which passed through the Firewall are observed on the other network interface. The rules of the Firewall are confirmed from the packets which passed through the Firewall and the packets which didn’t.
