Lots of news today, as well as some overflow from yesterday, but also lots of fluff and FUD. I’ve tried to weed through some of the clutter for you in today’s list:
Cody Pierce knew right away what he had found, but he wasn’t exactly sure how serious it was. Pierce and his fellow researchers at TippingPoint had spent much of the early part of last year poking around in the ActiveX controls in Windows XP, looking for controls that might be vulnerable.
Alla Bezroutchko released a tool yesterday to do automated XSS testing against webmail clients. It is heavily based off of the cross site scripting cheat sheet, but ties that in with a series of emails that attempt to override the built-in validation engines built into various web-mail implementations. I am literally the first to admit that I have never looked at webmail in depth. The only time I did, in the case of Roundcube, I didn’t even have to go past the first page (it’s now been fixed).
At the Web 2.0 Expo in San Francisco this week, conference organizers attempted to apply the concepts of Web 2.0 to the conference itself. In addition to the expected sessions and BoF sessions, organizers introduced a concept they called “Web2Open”. Web2Open was to be a participatory, attendee directed and led set of sessions similar to BoF but organized completely by attendees. Like a real life forum, attendees would post ideas in open slots on the Web2Open board with descriptions of the topics they wanted to discuss in the session and other attendees could join in or not as was their wont.
Over the course of part one, we saw how to set up the various computers in our VMware lab. The setup was simple, and even the installation and use of fragrouter fairly pain free. We ended off part one with an attempt at packet fragmentation via fragrouter in an effort to evade Snort. That first attempt failed for Snort did indeed pick up the attack. It had no problem in reassembling the fragmented packets and recognizing the attack for what it was; an RPC bind attempt via the MS03-026 exploit contained in the Metasploit Framework. Fragrouter has quite a few more tricks in its arsenal. If you enter the “./fragrouter --help” command as seen in the screenshot below, you will be shown all of the fragrouter options available to you.
Hey, folks! It’s challenge-time. Tom Liston whipped up this one based on his real-world adventures in the deepest, darkest cubicle jungles of the mid-west. The name? Microsoft Office Space. The game? Figure out how they plan to fool “The Man”. I hope you enjoy this brief excursion into the mind of Tom Liston as much as I did.
In a demonstration set to take place at the CanSecWest security conference in Vancouver Thursday, Juniper’s Barnaby Jack says he will show how this technique could be used to take control of a router, and then inject malicious software on virtually every machine on the network.
Without management software, administrators supporting these sensors must manually retrieve signature updates. I support a small network for one of my customers, for which purchasing this software was not an option. So I developed my own Perl scripts that run on a Solaris box to (1) automate the update discovery and retrieval task, and (2) verify success and send an email notification following the actual update installation. In this article, I will describe the details of these processes, highlighting remote management of a Cisco IPS device via SSH and explaining the integration with the IPS automatic upgrade feature.
This latest shipment of 25 security updates came on the same day that a “pwn-2-own” contest launched at the CanSecWest security conference here in Vancouver. Hackers clustered in hotel rooms were feverishly trying to exploit the two unpatched Macs downstairs in the main conference hall, but Apple hopped on the phone to inform the conference organizers of the security update release. The show’s organizers patched the Macs before they were hacked.
As an avid reader of this diary, you know of course that things are not always what they appear to be. As was the case with a user today, who after hitting a convoluted set of exploit files ended up where his browser tried to download files from us6-redhat520-com. No, this isn’t RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors even came up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hoster of the site has been informed, the owner of the domain and site seems to be located in China.
In this posting I wanted to focus on effectively responding to new threats and vulnerabilities. I am not talking about incident response, attack analysis, or forensics, as these are disciplines that are instantiated once something actually happens. I am referring to how an organization should respond to critical vulnerabilities; especially those with exploit code or attacks occurring in the wild, prior to an incident actually occurring.
Without having to have vendor X, Y, Z’s appliance or application on the network etc., you can simply install the PNLog Agent on your XP machine (sorry, no Vista; I’ve refrained for now, due to colleagues’ screams in the office), create the simple parser, and test the functionality.
I use argus for my daily tasks. Like I mentioned, argus client tools are easy to use but hard to master; it is trivial to work with it sometimes. However, I believe experience may make you wiser when dealing with complex tools, and I really appreciate Hanashi’s work on BIRT for sguil report generation. As Hanashi is working on sancp session data, I’m looking more into argus flow data. Here’s a very short paper that I have written on using argus client tools (ragrep and radump) to perform botnet detection.